Add pnpm toolchain for build + attest

.github/workflows/test.yml

@@ -65,19 +65,53 @@ jobs:
         shell: bash
         run: ./bin/test
 
+  build:
+    name: Build Kettle
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+      - run: cargo build --release
+      - uses: actions/upload-artifact@v7
+        with:
+          name: kettle
+          path: target/release/kettle
+          if-no-files-found: error
+
   build-projects:
+    needs: [build]
     name: Build ${{ matrix.project }} with Kettle
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        project:
-          - burntsushi/ripgrep
-          - eza-community/eza
+        project: [ripgrep, eza, openclaw]
+        include:
+          - project: ripgrep
+            owner: burntsushi
+            toolchain: rust
+          - project: eza
+            owner: eza-community
+            toolchain: nix
+          - project: openclaw
+            owner: openclaw
+            toolchain: pnpm
     steps:
-      - uses: actions/checkout@v6
+      - name: Check out ${{ matrix.project }}
+        uses: actions/checkout@v6
+        with:
+          repository: "${{ matrix.owner }}/${{ matrix.project }}"
       - uses: actions-rust-lang/setup-rust-toolchain@v1
+        if: ${{ matrix.toolchain == 'rust' }}
       - uses: cachix/install-nix-action@v31
+        if: ${{ matrix.toolchain == 'nix' }}
         with:
           github_access_token: ${{ secrets.GITHUB_TOKEN }}
-      - run: bin/kettle-build ${{ matrix.project }}
+      - uses: pnpm/action-setup@v4
+        if: ${{ matrix.toolchain == 'pnpm' }}
+      - uses: actions/download-artifact@v8
+        with:
+          name: kettle
+      - run: |
+          chmod +x kettle
+          ./kettle build $GITHUB_WORKSPACE

Cargo.toml

@@ -66,6 +66,8 @@ clap-verbosity-flag = { version = "3.0.4", default-features = false, features =
 ] }
 tracing-subscriber = { version = "=0.3.19", features = ["tracing"] }
 shadow-rs = { version = "1.7.1", default-features = false }
+serde_yaml = "0.9.34"
+pretty_assertions = "1.4.1"
 
 [dev-dependencies]
 tempfile = "3"

PLAN.md

@@ -1,53 +1,11 @@
-# kettle.rs
+# Plans
 
-- [x] `kettle` command
-  - [x] set up a rust project
-  - [x] set up clap
-  - [x] format help output
+Future work items tracked here.
 
-- [x] `kettle verify` command
-  - [x] import verify code from attestation-rs
-  - [x] fetch AMD cert chain, check signature
-  - [x] parse provenance.json files for cargo and nix
-  - [x] validate attestation checksum matches provenance.json checksum
-  - [x] print tables of build info and verification results
-  - [x] print AMD cert chain verify result
-  - [x] print VCEK verify result
-  - [x] print sev-snp report verify result
-  - [x] print report data checksum verify result
-  - [x] print provenance checksum verify result
-  - [x] verify artifacts against provenance.json checksums
-  - [x] print launch measurements, guest_svn, policy, version, and vmpl
-  - [x] print git commit sha
-  - [x] print detailed error message after table with expected and actual checksums
+---
 
-- [x] `kettle build` command
-  - [x] collect provenance data
-    - [x] collect git repo data commit_hash, tree_hash, git_binary_hash, repository_url
-  - [x] handle cargo build
-    - [x] collect lockfile hash
-    - [x] collect rustc + cargo binary info (path, hash, version)
-    - [x] run `cargo build --locked --release`
-    - [x] collect exectutables from target/release/* (path, hash, name)
-  - [x] handle nix build
-    - [x] collect lockfile hash
-    - [x] collect nix binary info (path, hash, version)
-    - [x] run `nix build`
-    - [x] collect exectutable info (path, hash, name)
-  - [x] generate provenance.json file
+## Update Cargo lockfile parser to track checksums for git and path packages
 
-- [x] `kettle attest` command
-  - [x] generate attestation from provenance and build result
-    - [x] hash provenance for checksum
-    - [x] call attest with custom data of provenance checksum
-    - [x] write the results into `evidence.json`
+Cargo.lock doesn't innately provide checksums for packages that are provided from git repos or from paths on disk. We want to skip workspace members (since those files are part of the current git repo), but fetch git commit shas from git repositories or paths on disk. We also want to fail if there is a dependency with a path on disk but the git repository at that path is dirty, since that would mean inputs that aren't tracked by the git sha.
 
-## future work
-
-- [ ] toolchain for python packages
-- [ ] toolchain for go binaries
-- [ ] `kettle verify-source` BUILD_PATH SOURCE_PATH\
-      # verifies that SOURCE_PATH was used to create BUILD_PATH
-  - [ ] verify git commit against provenance
-  - [ ] verify lockfile against provenance
-  - [ ] verify entire merkle tree against provenance
+After we track checksums for git repository dependencies and path dependencies outside the project's git repository, we should error on any cargo dependencies that don't have a checksum or git commit sha.

bin/integration-test

@@ -3,5 +3,4 @@ set -euo pipefail
 
 set -x
 
-cargo nextest run
 cargo nextest run --features attest --ignored all

bin/kettle-build

@@ -10,5 +10,7 @@ fi
 DIR="/tmp/$(basename "$REPO")"
 set +x
 
-git clone "https://github.com/$REPO" "$DIR"
+if [[ ! -d "$DIR" ]]; then
+   git clone --depth=1 "https://github.com/$REPO" "$DIR"
+fi
 cargo run --release -- build "$DIR"

regenerated.json

@@ -0,0 +1,93 @@
+{
+  "_type": "https://in-toto.io/Statement/v1",
+  "predicate": {
+    "buildDefinition": {
+      "buildType": "https://lunal.dev/kettle/pnpm@v1",
+      "externalParameters": {
+        "buildCommand": "pnpm build",
+        "source": {
+          "digest": {
+            "gitCommit": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
+            "gitTree": "f6e5d4c3b2a1f6e5d4c3b2a1f6e5d4c3b2a1f6e5"
+          },
+          "uri": "https://github.com/example/openclaw.git"
+        }
+      },
+      "internalParameters": {
+        "lockfileHash": {
+          "sha256": "c0ffee00deadbeef1234567890abcdef1234567890abcdef1234567890abcdef"
+        },
+        "toolchain": {
+          "pnpm": {
+            "digest": {
+              "sha256": "def456def456def456def456def456def456def456def456def456def456def4"
+            },
+            "version": "8.15.4"
+          },
+          "node": {
+            "digest": {
+              "sha256": "abc123abc123abc123abc123abc123abc123abc123abc123abc123abc123abc1"
+            },
+            "version": "v18.12.0"
+          },
+          "kettle": {
+            "digest": {
+              "sha256": "be54407b39e0d0680fafbc0f6eeac1cc0b91292589e1284ae307f950652bccad"
+            },
+            "version": "kettle 0.1.0"
+          }
+        }
+      },
+      "resolvedDependencies": [
+        {
+          "digest": {
+            "sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+          },
+          "name": "@types/node",
+          "uri": "pkg:npm/%40types/node@20.11.5"
+        },
+        {
+          "digest": {
+            "sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+          },
+          "name": "semver",
+          "uri": "pkg:npm/semver@7.6.0"
+        },
+        {
+          "digest": {
+            "sha256": "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
+          },
+          "name": "typescript",
+          "uri": "pkg:npm/typescript@5.4.3"
+        }
+      ]
+    },
+    "runDetails": {
+      "builder": {
+        "id": "https://lunal.dev/kettle-tee/v1"
+      },
+      "byproducts": [
+        {
+          "digest": {
+            "sha256": "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
+          },
+          "name": "input_merkle_root"
+        }
+      ],
+      "metadata": {
+        "invocationId": "build-20260316-120000-openclaw1",
+        "startedOn": "2026-03-16T12:00:00.000000+00:00",
+        "finishedOn": "2026-03-16T12:01:00.000000+00:00"
+      }
+    }
+  },
+  "predicateType": "https://slsa.dev/provenance/v1",
+  "subject": [
+    {
+      "digest": {
+        "sha256": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+      },
+      "name": "dist.tar.gz"
+    }
+  ]
+}