Context
generate_provenance (pacquet/crates/publish/src/provenance_gen.rs, added in #12691) builds the SLSA provenance statement, fetches a sigstore-audience OIDC token, and signs it:
```rust
let bundle = SigningContext::production()
    .signer(token)
    .sign_raw_statement(&statement_bytes)
    .await?;
```
The statement-building (build_statement, github_statement, gitlab_statement) and the token-fetch (fetch_sigstore_token) sit behind the Sys dependency-injection seam and are unit-tested. But the generate_provenance orchestrator and the signing step are uncovered, because the sigstore client (SigningContext::production() → real Fulcio/Rekor) is not injectable.
Ask
Either:
- (a) introduce a DI seam for the signing step — a capability on the Host provider that returns the bundle — so generate_provenance can be unit-tested with a fake signer (mirroring how pnpm mocks sigstore in its provenance tests); or
- (b) add an opt-in integration test against sigstore's staging instance.
(a) is preferred, matching the rest of the publish crate's DI test strategy.
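A sketch of what option (a) could look like, added here as an illustration and not code from pacquet: the signing step sits behind a trait, production wraps SigningContext, and tests inject a fake that records what it was asked to sign. The names (ProvenanceSigner, FakeSigner, Bundle) and the synchronous signature are assumptions; the real sign_raw_statement is async and talks to Fulcio/Rekor, and build_statement/fetch_sigstore_token are stand-in closures for the Sys seam.

```rust
// Illustration of the DI seam from the issue; names and the sync shape
// are assumptions, not pacquet's real API.
use std::cell::RefCell;

/// Minimal stand-in for the sigstore bundle the real signer returns.
#[derive(Debug, Clone, PartialEq)]
pub struct Bundle {
    pub statement: Vec<u8>,
    pub signature: Vec<u8>,
}

/// The injectable capability: given the OIDC token and the raw in-toto
/// statement, produce a bundle. Production would wrap SigningContext;
/// unit tests supply a fake and never touch the network.
pub trait ProvenanceSigner {
    fn sign_raw_statement(&self, token: &str, statement: &[u8]) -> Result<Bundle, String>;
}

/// Fake signer: records every (token, statement) it sees and returns a
/// deterministic signature, or the configured error, so tests can assert
/// on the orchestrator's behaviour in both the success and failure paths.
#[derive(Default)]
pub struct FakeSigner {
    pub calls: RefCell<Vec<(String, Vec<u8>)>>,
    pub fail_with: Option<String>,
}

impl ProvenanceSigner for FakeSigner {
    fn sign_raw_statement(&self, token: &str, statement: &[u8]) -> Result<Bundle, String> {
        self.calls.borrow_mut().push((token.to_string(), statement.to_vec()));
        if let Some(err) = &self.fail_with {
            return Err(err.clone());
        }
        Ok(Bundle { statement: statement.to_vec(), signature: b"fake-sig".to_vec() })
    }
}

/// Orchestrator under test: build the statement, fetch the token, sign.
/// build_statement and fetch_token stand in for the crate's Sys seam.
pub fn generate_provenance<S: ProvenanceSigner>(
    signer: &S,
    build_statement: impl Fn() -> Vec<u8>,
    fetch_token: impl Fn() -> Result<String, String>,
) -> Result<Bundle, String> {
    let statement_bytes = build_statement();
    let token = fetch_token()?;
    signer.sign_raw_statement(&token, &statement_bytes)
}
```

With the seam in place, the tests can check that a token-fetch failure never reaches the signer and that a signer error propagates unchanged, which is exactly the coverage the uncovered orchestrator currently lacks.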
Note for implementers
Add/port the corresponding pacquet publish provenance tests in the same PR as the seam/harness — don't land the plumbing without the coverage.
Refs: #12691, roadmap #11633.
Written by an agent (Claude Code).