ESD-1629: emit WASM artifact integrity hashes from the publish workflow#519
ESD-1629: emit WASM artifact integrity hashes from the publish workflow#519Phil-Browne wants to merge 5 commits into
Conversation
Compute the SHA-256 (hex) of the uncompressed megaport.wasm and the sha384 SRI of wasm_exec.js, surface both in the run's step summary labeled with the version prefix, and attest megaport.wasm with build provenance. The hashes feed the Portal's client-side WASM integrity check (SEC-8095); they are taken over the pre-brotli bytes the browser sees after the Content-Encoding: br decode, never the .br object.
There was a problem hiding this comment.
Pull request overview
This PR enhances the manual WASM publish GitHub Actions workflow by generating integrity reference values and adding a build-provenance attestation for the published WebAssembly artifact, enabling downstream consumers (e.g., the Portal) to verify they are loading the intended megaport.wasm release.
Changes:
- Adds an explicit “Compute integrity hashes” step to emit a SHA-256 (hex) for the uncompressed
megaport.wasmand an SRI (sha384-<base64>) value forwasm_exec.js. - Adds a pinned
actions/attest-build-provenancestep and the requiredattestations: writepermission for provenance attestation. - Extends the workflow step summary to include copy/paste-ready integrity values scoped to the published version.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #519 +/- ##
=======================================
Coverage 79.29% 79.29%
=======================================
Files 193 193
Lines 18683 18683
=======================================
Hits 14814 14814
Misses 2820 2820
Partials 1049 1049 🚀 New features to boost your workflow:
|
|
Reviewed for the SEC-8095 audit. The workflow is correct and CI is green. Nothing below blocks merge; they are hardening and audit notes. Verified
Findings (non-blocking)
Minor: the wasm SHA-256-hex vs js SHA-384-SRI split is intentional (streaming wasm instantiation has no integrity attribute); a one-line comment would stop it reading as an oversight. |
penzeliz-megaport
left a comment
There was a problem hiding this comment.
Reviewed for correctness; findings noted in comments are non-blocking. LGTM.
Adds the attestation verify recipe and a note on the wasm/br subject mismatch, an integrity.json sidecar so the hashes are re-verifiable without re-hashing, a comment explaining the hex-vs-SRI split, and an audit-scope note that attestation proves origin, not approval.
|
Thanks for the thorough review. Verified the three points independently:
Addressed the four hardening notes:
Left the |
Extends the WASM publish workflow to emit integrity reference values and attest the artifact, so the Portal can verify the
megaport.wasmit loads from media.megaport.com is the one we published (SEC-8095).megaport.wasmand thesha384-<base64>SRI ofwasm_exec.js.actions/attest-build-provenancestep (SHA-pinned, same version asrelease.yaml) formegaport.wasm, plusattestations: writeon the job.The hash is taken over the pre-brotli bytes, i.e. what the browser sees after the
Content-Encoding: brdecode, not the.brobject. Verifying the deployed artifact withgh attestation verifymust therefore be done against the br-decoded bytes, not the raw CDN object.No change to the S3 publish, cache-control, or any Portal/web-monorepo code.
Relates to SEC-8095. Blocks the Portal WASM-loader integrity check.