test(acceptance-tests): add tests for provenance (#6755)

## What's the problem this PR addresses?

<!-- Describe the rationale of your PR. -->
<!-- Link all issues that it closes. (Closes/Resolves #xxxx.) -->

Follow-up #6750: add tests

## How did you fix it?

<!-- A detailed description of your implementation. -->

New npm publish acceptance tests that verifies the provenance statement
validity

## Checklist

<!--- Don't worry if you miss something, chores are automatically
tested. -->
<!--- This checklist exists to help you remember doing the chores when
you submit a PR. -->
<!--- Put an `x` in all the boxes that apply. -->
- [ ] I have read the [Contributing
Guide](https://yarnpkg.com/advanced/contributing).

<!-- See
https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released
for more details. -->
<!-- Check with `yarn version check` and fix with `yarn version check
-i` -->
- [ ] I have set the packages that need to be released for my changes to
be effective.

<!-- The "Testing chores" workflow validates that your PR follows our
guidelines. -->
<!-- If it doesn't pass, click on it to see details as to what your PR
might be missing. -->
- [ ] I will check that all automated PR checks pass before the PR gets
reviewed.

---------

Co-authored-by: Maël Nison <[email protected]>

Author: GauBen

.github/workflows/integration-workflow.yml

@@ -241,6 +241,11 @@ jobs:
     runs-on: ${{matrix.platform[0]}}-${{matrix.platform[1]}}
     needs: build
 
+    # Permission required to produce a valid provenance statement during the tests
+    # Only run inside the main repository; this may fail in master since it doesn't run in PRs from forks
+    permissions:
+      id-token: write
+
     steps:
     - uses: actions/checkout@v4
 

.pnp.cjs

@@ -25,6 +25,7 @@
     "pkg-tests-fixtures": "workspace:^",
     "semver": "^7.1.2",
     "serve-static": "^1.14.1",
+    "sigstore": "^3.1.0",
     "super-resolve": "^1.0.0",
     "tar-fs": "^1.16.0",
     "tslib": "^2.4.0"

packages/acceptance-tests/pkg-tests-core/package.json

@@ -13,6 +13,7 @@ import os                                          from 'os';
 import pem                                         from 'pem';
 import semver                                      from 'semver';
 import serveStatic                                 from 'serve-static';
+import * as sigstore                               from 'sigstore';
 import stream                                      from 'stream';
 import * as t                                      from 'typanion';
 import {promisify}                                 from 'util';
@@ -569,6 +570,15 @@ export const startPackageServer = ({type}: {type: keyof typeof packageServerUrls
         if (typeof body.versions[version].gitHead !== `undefined` && name === `githead-forbidden`)
           return processError(response, 400, `Unexpected gitHead`);
 
+        if (name === `provenance-required`) {
+          try {
+            const bundle = JSON.parse(body._attachments[`${name}-${version}.sigstore`].data);
+            sigstore.verify(bundle);
+          } catch (error) {
+            return processError(response, 400, (error as Error).message);
+          }
+        }
+
         response.writeHead(200, {[`Content-Type`]: `application/json`});
         return response.end(rawData);
       });

packages/acceptance-tests/pkg-tests-core/sources/utils/tests.ts

@@ -1,6 +1,8 @@
 import {npath, xfs} from '@yarnpkg/fslib';
 
-export {};
+const {
+  tests: {testIf},
+} = require(`pkg-tests-core`);
 
 const {
   exec: {execFile},
@@ -86,4 +88,29 @@ describe(`publish`, () =>   {
       },
     });
   }));
+
+  testIf(
+    () => !!process.env.ACTIONS_ID_TOKEN_REQUEST_URL,
+    `should publish a package with a valid provenance statement`,
+    makeTemporaryEnv({
+      name: `provenance-required`,
+      version: `1.0.0`,
+    }, async ({run}) => {
+      await run(`install`);
+
+      const githubEnv = Object.fromEntries(
+        Object.entries(process.env).filter(([key]) => (
+          key.startsWith(`ACTIONS_`) || key.startsWith(`GITHUB_`) || key.startsWith(`RUNNER_`)),
+        ),
+      );
+
+      await run(`npm`, `publish`, {
+        env: {
+          ...githubEnv,
+          YARN_NPM_AUTH_TOKEN: validLogins.fooUser.npmAuthToken,
+          YARN_NPM_PUBLISH_PROVENANCE: `true`,
+        },
+      });
+    }),
+  );
 });

packages/acceptance-tests/pkg-tests-specs/sources/commands/publish.test.ts

@@ -16872,6 +16872,7 @@ pem@dexus/pem:
     pkg-tests-fixtures: "workspace:^"
     semver: "npm:^7.1.2"
     serve-static: "npm:^1.14.1"
+    sigstore: "npm:^3.1.0"
     super-resolve: "npm:^1.0.0"
     tar-fs: "npm:^1.16.0"
     tslib: "npm:^2.4.0"