feat: publish network audit evidence contract

.github/workflows/ci.yml

@@ -27,8 +27,12 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
-      - uses: GoCodeAlone/setup-wfctl@v1
+      - uses: GoCodeAlone/setup-wfctl@bcd880980f5bbe8d192d0c20ff6279d25331f956
         with:
-          version: v0.63.1
+          version: v0.64.7
       - name: Validate plugin contract
-        run: wfctl plugin validate-contract .
+        run: wfctl plugin validate-contract --require-contract-kind message .
+      - name: Verify wfctl action pin
+        run: ./scripts/check-wfctl-action-pin.sh --workflow .github/workflows/ci.yml --workflow .github/workflows/release.yml --workflow .github/workflows/release-candidate.yml --wfctl-version v0.64.7
+      - name: Verify proto descriptors
+        run: ./scripts/check-proto.sh

.github/workflows/release.yml

@@ -15,11 +15,11 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
-      - uses: GoCodeAlone/setup-wfctl@v1
+      - uses: GoCodeAlone/setup-wfctl@bcd880980f5bbe8d192d0c20ff6279d25331f956
         with:
-          version: v0.63.1
+          version: v0.64.7
       - name: Validate plugin contract for publish (pre-build)
-        run: wfctl plugin validate-contract --for-publish --tag "${{ github.ref_name }}" .
+        run: wfctl plugin validate-contract --require-contract-kind message --for-publish --tag "${{ github.ref_name }}" .
       - uses: goreleaser/goreleaser-action@v7
         with:
           distribution: goreleaser
@@ -30,9 +30,9 @@ jobs:
       - name: Verify shipped plugin.json carries tag (post-build)
         run: |
           if [ -f .release/plugin.json ]; then
-            wfctl plugin validate-contract --for-publish --tag "${{ github.ref_name }}" --release-dir .release .
+            wfctl plugin validate-contract --require-contract-kind message --for-publish --tag "${{ github.ref_name }}" --release-dir .release .
           else
-            wfctl plugin validate-contract --for-publish --tag "${{ github.ref_name }}" --release-dir . .
+            wfctl plugin validate-contract --require-contract-kind message --for-publish --tag "${{ github.ref_name }}" --release-dir . .
           fi
       # workflow#765: runtime truth-check via plugin verify-capabilities.
       # Spawns the built plugin binary, calls PluginService.GetManifest via raw gRPC,

.goreleaser.yaml

@@ -26,6 +26,10 @@ archives:
     name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
     files:
       - plugin.json
+      - plugin.contracts.json
+      - descriptors/network_audit.pb
+      - proto/workflow_plugin_compute_core/protocol/v1/network_audit.proto
+      - proto/workflow_plugin_compute_core/protocol/v1/network_audit.fields.json
       - LICENSE
 
 checksum:

buf.gen.yaml

@@ -0,0 +1,6 @@
+version: v2
+plugins:
+  - local: protoc-gen-go
+    out: .
+    opt:
+      - module=github.com/GoCodeAlone/workflow-plugin-compute-core

buf.yaml

@@ -0,0 +1,9 @@
+version: v2
+modules:
+  - path: proto
+lint:
+  use:
+    - STANDARD
+breaking:
+  use:
+    - FILE

descriptors/network_audit.pb

@@ -0,0 +1,48 @@
+
+½
+<workflow_plugin_compute_core/protocol/v1/network_audit.proto(workflow_plugin_compute_core.protocol.v1"–
+NetworkAuditRecord)
+protocol_version
 
(	RprotocolVersion
+	record_id 
(	RrecordId
+task_id 
(	RtaskId
+lease_id 
(	RleaseId
+	worker_id 
(	RworkerIdb
+provider 
(2F.workflow_plugin_compute_core.protocol.v1.NetworkAuditProviderEvidenceRproviderc
+destination 
(2A.workflow_plugin_compute_core.protocol.v1.NetworkAuditDestinationRdestinationj
+resource_usage 
(2C.workflow_plugin_compute_core.protocol.v1.NetworkAuditResourceUsageRresourceUsage`
+labels	 (2H.workflow_plugin_compute_core.protocol.v1.NetworkAuditRecord.LabelsEntryRlabels/
+started_at_unix_nano
+ 
(RstartedAtUnixNano1
+finished_at_unix_nano 
(RfinishedAtUnixNano1
+observed_at_unix_nano 
(RobservedAtUnixNano9
+LabelsEntry
+key
 
(	Rkey
+value 
(	Rvalue:8
"€
+NetworkAuditProviderEvidence
+provider_id
 
(	R
+providerId
+plugin_name 
(	R
+pluginName%
+plugin_version 
(	RpluginVersion
+contract_id 
(	R
+contractId)
+contract_version 
(	RcontractVersion+
+descriptor_digest 
(	RdescriptorDigest"C
+NetworkAuditDestination
+kind
 
(	Rkind
+value 
(	Rvalue"À
+NetworkAuditResourceUsage
+
+cpu_millis
 
(R	cpuMillis
+
+gpu_millis 
(R	gpuMillis(
+max_memory_bytes 
(RmaxMemoryBytes(
+network_rx_bytes 
(RnetworkRxBytes(
+network_tx_bytes 
(RnetworkTxBytes'
+workspace_bytes 
(RworkspaceBytes!
+output_bytes 
(RoutputBytes
+	limit_hit 
(	RlimitHit"a
+NetworkAuditValidationIssue
+code
 
(	Rcode
+field 
(	Rfield
+message 
(	RmessageBDZBgithub.com/GoCodeAlone/workflow-plugin-compute-core/protocol/pb;pbbproto3

plugin.contracts.json

@@ -1,4 +1,22 @@
 {
-    "version": "1",
-    "contracts": []
+  "version": "1",
+  "descriptorSetRef": "descriptors/network_audit.pb",
+  "contracts": [
+    {
+      "kind": "message",
+      "contractType": "compute.network_audit_evidence.v1",
+      "mode": "strict",
+      "protoPackage": "workflow_plugin_compute_core.protocol.v1",
+      "messageNames": [
+        "workflow_plugin_compute_core.protocol.v1.NetworkAuditRecord",
+        "workflow_plugin_compute_core.protocol.v1.NetworkAuditDestination",
+        "workflow_plugin_compute_core.protocol.v1.NetworkAuditProviderEvidence",
+        "workflow_plugin_compute_core.protocol.v1.NetworkAuditResourceUsage",
+        "workflow_plugin_compute_core.protocol.v1.NetworkAuditValidationIssue"
+      ],
+      "goImportPath": "github.com/GoCodeAlone/workflow-plugin-compute-core/protocol/pb",
+      "schemaDigest": "sha256:cd5005817dab1b5cbfe18c7fe3f640680ddf2109c59278d32ecc78fd55bde9d7",
+      "protocolVersion": "compute.v1alpha1"
+    }
+  ]
 }

plugin.json

@@ -7,7 +7,7 @@
   "type": "external",
   "tier": "community",
   "private": false,
-  "minEngineVersion": "0.62.0",
+  "minEngineVersion": "0.64.7",
   "keywords": [
     "compute",
     "protocol",

proto/workflow_plugin_compute_core/protocol/v1/network_audit.fields.json

@@ -0,0 +1,46 @@
+{
+  "package": "workflow_plugin_compute_core.protocol.v1",
+  "messages": {
+    "NetworkAuditRecord": {
+      "1": "protocol_version",
+      "2": "record_id",
+      "3": "task_id",
+      "4": "lease_id",
+      "5": "worker_id",
+      "6": "provider",
+      "7": "destination",
+      "8": "resource_usage",
+      "9": "labels",
+      "10": "started_at_unix_nano",
+      "11": "finished_at_unix_nano",
+      "12": "observed_at_unix_nano"
+    },
+    "NetworkAuditProviderEvidence": {
+      "1": "provider_id",
+      "2": "plugin_name",
+      "3": "plugin_version",
+      "4": "contract_id",
+      "5": "contract_version",
+      "6": "descriptor_digest"
+    },
+    "NetworkAuditDestination": {
+      "1": "kind",
+      "2": "value"
+    },
+    "NetworkAuditResourceUsage": {
+      "1": "cpu_millis",
+      "2": "gpu_millis",
+      "3": "max_memory_bytes",
+      "4": "network_rx_bytes",
+      "5": "network_tx_bytes",
+      "6": "workspace_bytes",
+      "7": "output_bytes",
+      "8": "limit_hit"
+    },
+    "NetworkAuditValidationIssue": {
+      "1": "code",
+      "2": "field",
+      "3": "message"
+    }
+  }
+}

proto/workflow_plugin_compute_core/protocol/v1/network_audit.proto

@@ -0,0 +1,51 @@
+syntax = "proto3";
+
+package workflow_plugin_compute_core.protocol.v1;
+
+option go_package = "github.com/GoCodeAlone/workflow-plugin-compute-core/protocol/pb;pb";
+
+message NetworkAuditRecord {
+  string protocol_version = 1;
+  string record_id = 2;
+  string task_id = 3;
+  string lease_id = 4;
+  string worker_id = 5;
+  NetworkAuditProviderEvidence provider = 6;
+  NetworkAuditDestination destination = 7;
+  NetworkAuditResourceUsage resource_usage = 8;
+  map<string, string> labels = 9;
+  int64 started_at_unix_nano = 10;
+  int64 finished_at_unix_nano = 11;
+  int64 observed_at_unix_nano = 12;
+}
+
+message NetworkAuditProviderEvidence {
+  string provider_id = 1;
+  string plugin_name = 2;
+  string plugin_version = 3;
+  string contract_id = 4;
+  string contract_version = 5;
+  string descriptor_digest = 6;
+}
+
+message NetworkAuditDestination {
+  string kind = 1;
+  string value = 2;
+}
+
+message NetworkAuditResourceUsage {
+  int64 cpu_millis = 1;
+  int64 gpu_millis = 2;
+  int64 max_memory_bytes = 3;
+  int64 network_rx_bytes = 4;
+  int64 network_tx_bytes = 5;
+  int64 workspace_bytes = 6;
+  int64 output_bytes = 7;
+  string limit_hit = 8;
+}
+
+message NetworkAuditValidationIssue {
+  string code = 1;
+  string field = 2;
+  string message = 3;
+}

protocol/network_audit_metadata_test.go

@@ -0,0 +1,95 @@
+package protocol_test
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/GoCodeAlone/workflow-plugin-compute-core/protocol"
+)
+
+func TestNetworkAuditStaticMessageContractMetadata(t *testing.T) {
+	data, err := os.ReadFile(filepath.Join("..", "plugin.contracts.json"))
+	if err != nil {
+		t.Fatalf("read plugin.contracts.json: %v", err)
+	}
+	var contracts struct {
+		DescriptorSetRef string `json:"descriptorSetRef"`
+		Contracts        []struct {
+			Kind            string   `json:"kind"`
+			ContractType    string   `json:"contractType"`
+			Mode            string   `json:"mode"`
+			ProtoPackage    string   `json:"protoPackage"`
+			MessageNames    []string `json:"messageNames"`
+			GoImportPath    string   `json:"goImportPath"`
+			SchemaDigest    string   `json:"schemaDigest"`
+			ProtocolVersion string   `json:"protocolVersion"`
+		} `json:"contracts"`
+	}
+	if err := json.Unmarshal(data, &contracts); err != nil {
+		t.Fatalf("parse plugin.contracts.json: %v", err)
+	}
+	if contracts.DescriptorSetRef != "descriptors/network_audit.pb" {
+		t.Fatalf("descriptorSetRef = %q", contracts.DescriptorSetRef)
+	}
+	var found bool
+	for _, contract := range contracts.Contracts {
+		if contract.ContractType != "compute.network_audit_evidence.v1" {
+			continue
+		}
+		found = true
+		if contract.Kind != "message" || contract.Mode != "strict" {
+			t.Fatalf("unexpected contract kind/mode: %#v", contract)
+		}
+		if contract.ProtoPackage != "workflow_plugin_compute_core.protocol.v1" {
+			t.Fatalf("protoPackage = %q", contract.ProtoPackage)
+		}
+		if contract.GoImportPath != "github.com/GoCodeAlone/workflow-plugin-compute-core/protocol/pb" {
+			t.Fatalf("goImportPath = %q", contract.GoImportPath)
+		}
+		if contract.SchemaDigest != protocol.NetworkAuditDescriptorDigest() {
+			t.Fatalf("schemaDigest = %q, want %q", contract.SchemaDigest, protocol.NetworkAuditDescriptorDigest())
+		}
+		if contract.ProtocolVersion != protocol.NetworkAuditProtocolVersion {
+			t.Fatalf("protocolVersion = %q", contract.ProtocolVersion)
+		}
+		wantMessages := map[string]bool{
+			"workflow_plugin_compute_core.protocol.v1.NetworkAuditRecord":          false,
+			"workflow_plugin_compute_core.protocol.v1.NetworkAuditDestination":     false,
+			"workflow_plugin_compute_core.protocol.v1.NetworkAuditValidationIssue": false,
+		}
+		for _, name := range contract.MessageNames {
+			if _, ok := wantMessages[name]; ok {
+				wantMessages[name] = true
+			}
+		}
+		for name, ok := range wantMessages {
+			if !ok {
+				t.Fatalf("messageNames missing %s: %#v", name, contract.MessageNames)
+			}
+		}
+	}
+	if !found {
+		t.Fatal("compute.network_audit_evidence.v1 message contract not found")
+	}
+}
+
+func TestNetworkAuditReleaseArchiveIncludesContractArtifacts(t *testing.T) {
+	data, err := os.ReadFile(filepath.Join("..", ".goreleaser.yaml"))
+	if err != nil {
+		t.Fatalf("read .goreleaser.yaml: %v", err)
+	}
+	body := string(data)
+	for _, want := range []string{
+		"plugin.contracts.json",
+		"descriptors/network_audit.pb",
+		"proto/workflow_plugin_compute_core/protocol/v1/network_audit.proto",
+		"proto/workflow_plugin_compute_core/protocol/v1/network_audit.fields.json",
+	} {
+		if !strings.Contains(body, want) {
+			t.Fatalf(".goreleaser.yaml archive files missing %s", want)
+		}
+	}
+}