fix(lockfile): resolve SLSA provenance URLs deterministically for all platforms

[cameronbrill]

Summary

i was noticing differences in SLSA provenance urls in mise.lock generated from mise lock on my laptop (mac-arm64) vs in CI (linux-x64) (i.e. the lockfile generated on my mac had SLSA provenance URLs for mac-arm64 binaries, but mise lock in CI was updating mise.lock to add SLSA provenance URLs for respective linux-x64 binaries)

• GitHub backend: resolve provenance asset URL from already-fetched release metadata during detection (not just current-platform verification), so all platforms get Slsa { url: Some(url) } consistently
• Aqua backend: add resolve_slsa_url() that resolves provenance URLs for any target platform using cached release data or template URL construction
• Both backends: on lock-time verification failure, keep detected provenance instead of clearing to None — consistent with cross-platform detection-only trust model

Fixes non-deterministic mise lock output where SLSA provenance was provenance = "slsa" (short form) for cross-platform entries but expanded with URL for the current platform only.

Test plan

• New e2e test test_lockfile_provenance_determinism_slow verifies cross-platform entries get expanded provenance form and byte-for-byte determinism across runs
• Existing test_lockfile_provenance and test_lockfile_provenance_upgrade pass
• New unit tests for serialization consistency and merge behavior

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR fixes non-deterministic mise lock output by ensuring SLSA provenance URLs are resolved for all target platforms (not just the current host platform). The aqua backend gains a new resolve_slsa_url() helper that fetches provenance URLs without downloading, and the GitHub backend now captures browser_download_url during the existing detection phase rather than returning Slsa { url: None }.

All security concerns from previous review rounds have been addressed: both backends still set provenance = None on lock-time verification failure, preserving install-time re-verification behavior.

Confidence Score: 5/5

Safe to merge — correctness concerns from prior rounds are resolved; only P2 observations remain.

Both previous P0/P1 security findings (lock-time failure silently bypassing install-time reverification) are addressed: both backends still set provenance = None on verification error. The slsa_pkg vs pkg change in asset_strs is a subtle behavioral delta but is semantically more correct and covered by the slow e2e test. The per-platform API call in the aqua path is a performance trade-off acceptable for a lock-time operation.

src/backend/aqua.rs — the resolve_slsa_url slsa_pkg/pkg substitution warrants a quick sanity check for tools with cross-repo SLSA configs.

Important Files Changed

Filename	Overview
src/backend/aqua.rs	Introduces resolve_slsa_url() split from run_slsa_check(); called once per platform during lock. Note that asset_strs now uses slsa_pkg instead of pkg (a subtle behavioral change), and the per-platform GitHub API call is not cached.
src/backend/github.rs	Detection now captures browser_download_url from already-fetched release assets, cleanly resolving SLSA URL without extra API calls. Verification failure path unchanged.
src/lockfile.rs	Adds two focused unit tests covering the all-platforms-get-URL scenario and None-provenance-preserves-existing-URL merge behavior.
e2e/lockfile/test_lockfile_provenance_determinism_slow	New slow e2e test validates expanded provenance form on both current and cross-platform entries and byte-for-byte determinism across runs. Uses standard detect_platform helper correctly.

Sequence Diagram

sequenceDiagram
    participant User
    participant MiseLock as mise lock
    participant AquaBackend
    participant GitHubBackend
    participant GitHubAPI

    User->>MiseLock: mise lock --platform linux-x64,macos-arm64

    loop For each platform
        MiseLock->>AquaBackend: get_platform_info(target_os, target_arch)
        AquaBackend->>AquaBackend: detect_provenance_type() → Slsa{url:None}
        AquaBackend->>GitHubAPI: resolve_slsa_url() [github_release_asset]
        GitHubAPI-->>AquaBackend: provenance download URL
        AquaBackend->>AquaBackend: provenance = Slsa{url:Some(url)}
        alt target.is_current()
            AquaBackend->>AquaBackend: verify_provenance_at_lock_time()
            alt verification ok
                AquaBackend->>AquaBackend: provenance = Some(verified)
            else verification failed
                AquaBackend->>AquaBackend: provenance = None (force install-time reverify)
            end
        end
        AquaBackend-->>MiseLock: PlatformInfo{provenance: Slsa{url:Some(...)}}

        MiseLock->>GitHubBackend: get_platform_info(target_os, target_arch)
        GitHubBackend->>GitHubAPI: get_release (once, already fetched)
        GitHubAPI-->>GitHubBackend: release assets
        GitHubBackend->>GitHubBackend: detect_provenance_type() → Slsa{url:Some(browser_download_url)}
        alt target.is_current()
            GitHubBackend->>GitHubBackend: verify_provenance_at_lock_time()
            alt verification ok
                GitHubBackend->>GitHubBackend: provenance = Some(verified)
            else verification failed
                GitHubBackend->>GitHubBackend: provenance = None
            end
        end
        GitHubBackend-->>MiseLock: PlatformInfo{provenance: Slsa{url:Some(...)}}
    end

    MiseLock->>MiseLock: write mise.lock (all platforms have expanded provenance URL)
    MiseLock-->>User: deterministic mise.lock

Loading

_{Reviews (6): Last reviewed commit: "fix(lockfile): warn when SLSA provenance..." | Re-trigger Greptile}

[gemini-code-assist]

Code Review

This pull request significantly improves SLSA provenance handling in mise lockfiles, focusing on ensuring deterministic lockfile generation across different platforms. Key changes include the introduction of a resolve_slsa_url function in src/backend/aqua.rs to proactively resolve provenance URLs for all target platforms, updates to src/backend/github.rs to include download URLs in detected provenance, and refined error handling to retain detected provenance even if lock-time verification fails. New end-to-end and unit tests have been added to validate these enhancements. A high-severity issue was identified in src/backend/aqua.rs, where the resolve_slsa_url function incorrectly uses the original pkg object instead of the slsa_pkg with resolved repository information when calling asset_strs and url methods, which could lead to incorrect provenance URL resolution.

[jdx]

The silent .ok() on resolve_slsa_url (aqua.rs ~line 665) swallows errors without any indication. If resolution fails for a cross-platform entry, it silently falls back to Slsa { url: None } — which is the short form and defeats the purpose of this PR. Consider adding a warn!() so users know why their lockfile isn't fully deterministic.

This comment was generated by Claude Code.

[cameronbrill]

The silent .ok() on resolve_slsa_url (aqua.rs ~line 665) swallows errors without any indication. If resolution fails for a cross-platform entry, it silently falls back to Slsa { url: None } — which is the short form and defeats the purpose of this PR. Consider adding a warn!() so users know why their lockfile isn't fully deterministic.

This comment was generated by Claude Code.

addressed