Cache bottle attestations

Library/Homebrew/attestation.rb

@@ -189,6 +189,13 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
       attestation
     end
 
+    ATTESTATION_CACHE_DIRECTORY = T.let((HOMEBREW_CACHE/"attestation").freeze, Pathname)
+
+    sig { params(bottle: Bottle).returns(Pathname) }
+    def self.cached_attestation_path(bottle)
+      ATTESTATION_CACHE_DIRECTORY/bottle.filename.attestation_json(bottle.resource.checksum.hexdigest)
+    end
+
     ATTESTATION_MAX_RETRIES = 5
 
     # Verifies the given bottle against a cryptographic attestation of build provenance
@@ -203,6 +210,16 @@ def self.check_attestation(bottle, signing_repo, signing_workflow = nil, subject
     # @api private
     sig { params(bottle: Bottle).returns(T::Hash[T.untyped, T.untyped]) }
     def self.check_core_attestation(bottle)
+      cached_attestation = cached_attestation_path(bottle)
+
+      if cached_attestation.exist?
+        begin
+          return JSON.parse(cached_attestation.read)
+        rescue JSON::ParserError
+          cached_attestation.unlink
+        end
+      end
+
       begin
         # Ideally, we would also constrain the signing workflow here, but homebrew-core
         # currently uses multiple signing workflows to produce bottles
@@ -216,6 +233,8 @@ def self.check_core_attestation(bottle)
         # workflow, which would then be our sole identity. However, GitHub's
         # attestations currently do not include reusable workflow state by default.
         attestation = check_attestation bottle, HOMEBREW_CORE_REPO
+        ATTESTATION_CACHE_DIRECTORY.mkpath
+        cached_attestation.atomic_write attestation.to_json
         return attestation
       rescue MissingAttestationError
         odebug "falling back on backfilled attestation for #{bottle}"
@@ -257,6 +276,8 @@ def self.check_core_attestation(bottle)
         end
       end
 
+      ATTESTATION_CACHE_DIRECTORY.mkpath
+      cached_attestation.atomic_write backfill_attestation.to_json
       backfill_attestation
     rescue InvalidAttestationError
       @attestation_retry_count ||= T.let(Hash.new(0), T.nilable(T::Hash[Bottle, Integer]))

Library/Homebrew/cleanup.rb

@@ -62,6 +62,8 @@ def stale?(entry, scrub: false)
           stale_cask?(pathname, scrub)
         when :gh_actions_artifact
           stale_gh_actions_artifact?(pathname, scrub)
+        when :attestation
+          stale_attestation?(pathname, scrub)
         else
           stale_formula?(pathname, scrub)
         end
@@ -76,6 +78,13 @@ def stale_gh_actions_artifact?(pathname, scrub)
         scrub || prune?(pathname, GH_ACTIONS_ARTIFACT_CLEANUP_DAYS)
       end
 
+      ATTESTATION_CLEANUP_DAYS = 3
+
+      sig { params(pathname: Pathname, scrub: T::Boolean).returns(T::Boolean) }
+      def stale_attestation?(pathname, scrub)
+        scrub || prune?(pathname, ATTESTATION_CLEANUP_DAYS)
+      end
+
       sig { params(pathname: Pathname, scrub: T::Boolean).returns(T::Boolean) }
       def stale_api_source?(pathname, scrub)
         return true if scrub
@@ -381,11 +390,13 @@ def cache_files
       cask_files = (cache/"Cask").directory? ? (cache/"Cask").children : []
       api_source_files = (cache/"api-source").glob("*/*/*/*/*") # `<org>/<repo>/<git_head>/<type>/<token>.rb`
       gh_actions_artifacts = (cache/"gh-actions-artifact").directory? ? (cache/"gh-actions-artifact").children : []
+      attestations = (cache/"attestation").directory? ? (cache/"attestation").children : []
 
       files.map { |path| { path:, type: nil } } +
         cask_files.map { |path| { path:, type: :cask } } +
         api_source_files.map { |path| { path:, type: :api_source } } +
-        gh_actions_artifacts.map { |path| { path:, type: :gh_actions_artifact } }
+        gh_actions_artifacts.map { |path| { path:, type: :gh_actions_artifact } } +
+        attestations.map { |path| { path:, type: :attestation } }
     end
 
     def cleanup_empty_api_source_directories(directory = cache/"api-source")

Library/Homebrew/software_spec.rb

@@ -332,6 +332,11 @@ def json
       "#{name}--#{version}.#{tag}.bottle.json"
     end
 
+    sig { params(checksum: String).returns(String) }
+    def attestation_json(checksum)
+      "#{checksum}-#{name}--#{version}.#{tag}.attestation.json"
+    end
+
     def url_encode
       ERB::Util.url_encode("#{name}-#{version}#{extname}")
     end