tools/bazel-vet - third_party/github/bazelbuild/bazel-central-registry - Git at Google

 #!/usr/bin/env bash
 # Proof-of-concept program to verify provenance attestations for direct module dependencies

 set -o errexit -o nounset -o pipefail

 # Minimum required version: https://github.com/cli/cli/releases/tag/v2.49.0
 REQUIRED_GH_VERSION="2.49.0"

 # Check if gh is available
 if ! command -v gh &> /dev/null; then
     echo "Error: GitHub CLI (gh) is not installed or not in your PATH."
     exit 1
 fi

 # Get installed gh version (strip 'gh version ' prefix)
 INSTALLED_VERSION=$(gh --version | head -n 1 | awk '{print $3}')

 # Function to compare versions
 version_ge() {
     # returns 0 if $1 >= $2
     [[ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" == "$2" ]]
 }

 # Compare versions
 if ! version_ge "$INSTALLED_VERSION" "$REQUIRED_GH_VERSION"; then
     echo "Error: gh version $REQUIRED_GH_VERSION or higher is required for the 'attestation' subcommand. Found version: $INSTALLED_VERSION"
     exit 1
 fi

 yellow='\033[0;33m'
 bold_blue='\033[1;34m'
 reset='\033[0m'

 # List direct dependency module names
 bazel mod deps --depth 1 '<root>' --output json | jq '.dependencies[] | .name' --raw-output | while IFS= read -r module; do
     echo "┌────────────────────────────────────────────"

     # Find the module's source URL
     source_url=$(bazel mod show_repo "$module" | grep 'urls = \[' | sed -E 's/.*urls = \[(.*)\],/\1/' | tr -d '"' | tr -d ' ')
     org=$(echo "$source_url" | sed -E 's|https://github.com/([^/]+)/.*|\1|')
     echo -e "| ${bold_blue}Verifying ${org}/${module} ${reset}[fetched from $source_url] ..."

     # Download the file
     release_artifact=$(mktemp)
     curl --fail --silent --show-error --location "$source_url" --output "$release_artifact"

     # Are there attestations for it?
     # This is a clumsy way to detect, by attempting a download. Perhaps it can be improved by calling the GH API manually.
     if ! 2>&1 >/dev/null gh attestation download "$release_artifact" --owner "${org}"; then
         echo -e "| ⚠️  ${yellow}Warning: no attestations found for this module, skipping.${reset}"
         echo "└────────────────────────────────────────────"
         continue
     fi
     # cleanup the file that was downloaded
     rm sha256:*.jsonl

     # Perform the verification
     gh attestation verify "$release_artifact" --owner "${org}" --signer-repo bazel-contrib/.github
     echo "└────────────────────────────────────────────"
 done
	#!/usr/bin/env bash
	# Proof-of-concept program to verify provenance attestations for direct module dependencies

	set -o errexit -o nounset -o pipefail

	# Minimum required version: https://github.com/cli/cli/releases/tag/v2.49.0
	REQUIRED_GH_VERSION="2.49.0"

	# Check if gh is available
	if ! command -v gh &> /dev/null; then
	echo "Error: GitHub CLI (gh) is not installed or not in your PATH."
	exit 1
	fi

	# Get installed gh version (strip 'gh version ' prefix)
	INSTALLED_VERSION=$(gh --version \| head -n 1 \| awk '{print $3}')

	# Function to compare versions
	version_ge() {
	# returns 0 if $1 >= $2
	[[ "$(printf '%s\n' "$1" "$2" \| sort -V \| head -n 1)" == "$2" ]]
	}

	# Compare versions
	if ! version_ge "$INSTALLED_VERSION" "$REQUIRED_GH_VERSION"; then
	echo "Error: gh version $REQUIRED_GH_VERSION or higher is required for the 'attestation' subcommand. Found version: $INSTALLED_VERSION"
	exit 1
	fi

	yellow='\033[0;33m'
	bold_blue='\033[1;34m'
	reset='\033[0m'

	# List direct dependency module names
	bazel mod deps --depth 1 '<root>' --output json \| jq '.dependencies[] \| .name' --raw-output \| while IFS= read -r module; do
	echo "┌────────────────────────────────────────────"

	# Find the module's source URL
	source_url=$(bazel mod show_repo "$module" \| grep 'urls = \[' \| sed -E 's/.urls = \[(.)\],/\1/' \| tr -d '"' \| tr -d ' ')
	org=$(echo "$source_url" \| sed -E 's\|https://github.com/([^/]+)/.*\|\1\|')
	echo -e "\| ${bold_blue}Verifying ${org}/${module} ${reset}[fetched from $source_url] ..."

	# Download the file
	release_artifact=$(mktemp)
	curl --fail --silent --show-error --location "$source_url" --output "$release_artifact"

	# Are there attestations for it?
	# This is a clumsy way to detect, by attempting a download. Perhaps it can be improved by calling the GH API manually.
	if ! 2>&1 >/dev/null gh attestation download "$release_artifact" --owner "${org}"; then
	echo -e "\| ⚠️ ${yellow}Warning: no attestations found for this module, skipping.${reset}"
	echo "└────────────────────────────────────────────"
	continue
	fi
	# cleanup the file that was downloaded
	rm sha256:*.jsonl

	# Perform the verification
	gh attestation verify "$release_artifact" --owner "${org}" --signer-repo bazel-contrib/.github
	echo "└────────────────────────────────────────────"
	done