
feat: build environment attestation for SLSA provenance #59

Merged
avrabe merged 1 commit into main from feat/build-environment-attestation on Mar 18, 2026


avrabe commented Mar 18, 2026

Summary

  • BuildEnvironment module auto-captures toolchain versions (rustc, cargo, Bazel, wasm-tools), Nix flake lock hash, and host platform
  • SLSA integration: to_slsa_internal_params() produces JSON for SLSA BuildDefinition.internalParameters
  • CLI: wsc build-env subcommand with --json (machine-readable) and --from-env (CI override via WSC_* vars)
  • Rivet artifacts: REQ-13, CD-19, CV-27

Example output

Build Environment Attestation
=============================
  rustc:       rustc 1.90.0 (1159e78c4 2025-09-14)
  cargo:       cargo 1.90.0 (840b83a10 2025-07-30)
  bazel:       8.5.1
  wasm-tools:  wasm-tools 1.245.1
  nix lock:    d92a66d453c3e442c15...
  platform:    aarch64-macos
  os:          Darwin 25.3.0

  [reproducible: nix flake lock pinned]

Test plan

  • cargo check — workspace compiles
  • cargo test -p wsc -- build_env:: — 9/9 tests pass
  • cargo run -p wsc-cli -- build-env — CLI works
  • cargo run -p wsc-cli -- build-env --json — JSON output valid
  • CI cargo + bazel builds pass

Closes #49

🤖 Generated with Claude Code

Implement BuildEnvironment module that auto-captures toolchain versions
(rustc, cargo, Bazel, wasm-tools), Nix flake lock hash, and host
platform for embedding in SLSA provenance internal parameters.

- BuildEnvironment::capture() — auto-detect from PATH and config files
- BuildEnvironment::from_env_vars() — CI override via WSC_* env vars
- to_slsa_internal_params() — JSON for SLSA BuildDefinition
- CLI: `wsc build-env` subcommand with --json and --from-env flags
- 9 unit tests

Rivet: REQ-13, CD-19, CV-27

Implements: FEAT-4
Closes: #49

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
avrabe merged commit d349b25 into main Mar 18, 2026
12 checks passed
avrabe deleted the feat/build-environment-attestation branch March 18, 2026 07:10
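
Added example (not code from this PR or from the wsc project): a std-only Rust sketch of the CI override path and the JSON for SLSA BuildDefinition.internalParameters described above. The WSC_* variable names, the JSON keys and the rule that a pinned Nix lock hash sets `reproducible` are assumptions; values read from the environment are escaped so they cannot add or overwrite fields in the provenance.

```rust
// Added example, std only. Not wsc's code: WSC_* names and JSON keys are assumptions.

/// (JSON key, override variable) for each attested tool.
const TOOLS: [(&str, &str); 4] = [
    ("rustc", "WSC_RUSTC_VERSION"),
    ("cargo", "WSC_CARGO_VERSION"),
    ("bazel", "WSC_BAZEL_VERSION"),
    ("wasmTools", "WSC_WASM_TOOLS_VERSION"),
];

pub struct BuildEnv {
    pub tools: Vec<(&'static str, Option<String>)>, // None: version not supplied
    pub nix_lock: Option<String>,
}

/// Encode an optional value as a JSON string or null, escaping quotes,
/// backslashes and control characters so a value cannot inject fields.
fn json_str(v: &Option<String>) -> String {
    let Some(s) = v else { return "null".into() };
    let mut o = String::from("\"");
    for c in s.chars() {
        match c {
            '"' | '\\' => { o.push('\\'); o.push(c) }
            c if (c as u32) < 0x20 => o.push_str(&format!("\\u{:04x}", c as u32)),
            c => o.push(c),
        }
    }
    o + "\""
}

impl BuildEnv {
    /// CI override: `get` is the variable lookup, injected so it can be tested.
    pub fn from_env_vars(get: impl Fn(&str) -> Option<String>) -> Self {
        let tools = TOOLS.iter().map(|&(k, var)| (k, get(var))).collect();
        BuildEnv { tools, nix_lock: get("WSC_NIX_LOCK_HASH") }
    }
    /// JSON object for internalParameters; missing values are recorded as null.
    pub fn to_internal_params(&self) -> String {
        let mut f: Vec<String> =
            self.tools.iter().map(|(k, v)| format!("\"{}\":{}", k, json_str(v))).collect();
        f.push(format!("\"nixFlakeLock\":{}", json_str(&self.nix_lock)));
        f.push(format!("\"reproducible\":{}", self.nix_lock.is_some()));
        format!("{{{}}}", f.join(","))
    }
}

fn main() {
    let env = BuildEnv::from_env_vars(|k| std::env::var(k).ok());
    println!("{}", env.to_internal_params());
}
```

Recording absent tools as null rather than dropping the key lets a verifier distinguish "not attested" from "attested with a value".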

Development

Successfully merging this pull request may close these issues.

Attest build environment configuration (Bazel version, Nix hash, toolchain versions)