bazel: download pseudo-version tool instead of "go build" (#1629)

Required for bootstrapping bazel stamping since we cannot use "bazel build" during the workspace_status command.
Adds a small script that builds the pseudo-version tool in bazel (without stamping) and uploads it to the mirror.
On the first bazel build with stamping, the pseudo-version tool is downloaded.

bazel/ci/BUILD.bazel

@@ -461,6 +461,7 @@ multirun(
         ":govulncheck",
         ":deps_mirror_check",
         ":proto_targets_check",
+        "//hack/pseudo-version:pseudo_version_tool_freshness",
     ] + select({
         "@io_bazel_rules_go//go/platform:darwin_arm64": [
             ":shellcheck_noop_warning",

hack/pseudo-version/BUILD.bazel

@@ -1,4 +1,12 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_cross_binary", "go_library")
+load("//bazel/sh:def.bzl", "sh_template")
+
+platforms = [
+    "darwin_amd64",
+    "darwin_arm64",
+    "linux_amd64",
+    "linux_arm64",
+]
 
 go_library(
     name = "pseudo-version_lib",
@@ -21,3 +29,27 @@ go_binary(
     pure = "on",
     visibility = ["//visibility:public"],
 )
+
+[
+    go_cross_binary(
+        name = "pseudo_version_%s" % platform,
+        platform = "@io_bazel_rules_go//go/toolchain:" + platform,
+        target = ":pseudo-version",
+        visibility = ["//visibility:public"],
+    )
+    for platform in platforms
+]
+
+sh_template(
+    name = "pseudo_version_tool_freshness",
+    data = [
+        ":pseudo_version_" + platform
+        for platform in platforms
+    ],
+    substitutions = {
+        "@@PSEUDO_VERSION_%s@@" % platform: "$(rootpath :pseudo_version_%s)" % platform
+        for platform in platforms
+    },
+    template = "pseudo_version_tool_freshness.sh.in",
+    visibility = ["//visibility:public"],
+)

hack/pseudo-version/pseudo_version_tool_freshness.sh.in

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# This script checks if the pseudo-version tool hashes are up-to-date.
+
+###### script header ######
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../../bazel/sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+declare -A pseudo_version_tools
+pseudo_version_tools["darwin_amd64"]="$(realpath @@PSEUDO_VERSION_darwin_amd64@@)"
+pseudo_version_tools["darwin_arm64"]="$(realpath @@PSEUDO_VERSION_darwin_arm64@@)"
+pseudo_version_tools["linux_amd64"]="$(realpath @@PSEUDO_VERSION_linux_amd64@@)"
+pseudo_version_tools["linux_arm64"]="$(realpath @@PSEUDO_VERSION_linux_arm64@@)"
+
+cd "${BUILD_WORKING_DIRECTORY}"
+
+###### script body ######
+
+platforms=(
+  darwin_amd64
+  darwin_arm64
+  linux_amd64
+  linux_arm64
+)
+
+for platform in "${platforms[@]}"; do
+  computed_hash=$(sha256sum "${pseudo_version_tools[$platform]}" | cut -d' ' -f1)
+  # compare hash to saved hash in ${BUILD_WORKSPACE_DIRECTORY}/tools/pseudo_version_${platform}.sha256
+  saved_hash=$(cat "${BUILD_WORKSPACE_DIRECTORY}/tools/pseudo_version_${platform}.sha256")
+  if [[ ${computed_hash} != "${saved_hash}" ]]; then
+    echo "Error: pseudo-version tool hash for ${platform} does not match saved hash"
+    echo "Computed hash: ${computed_hash}"
+    echo "Saved hash: ${saved_hash}"
+    exit 1
+  fi
+done

tools/pseudo_version_darwin_amd64.sha256

@@ -0,0 +1 @@
+4fc4f0293bdc482fdea8ce69765c7df3aed9de6a957b582a5cc233f5ccaffcfe

tools/pseudo_version_darwin_arm64.sha256

@@ -0,0 +1 @@
+99e96fe96e6a2ff4b8d739cb4f115718273fcbde0f4e724e0fef2cc2ad6de182

tools/pseudo_version_linux_amd64.sha256

@@ -0,0 +1 @@
+4c24a368eb0a6765428f03873abd45b76f56090e621d8a61a9d9aa65a8b41c48

tools/pseudo_version_linux_arm64.sha256

@@ -0,0 +1 @@
+bae495a19253e0cc3aac66a7e327768e50b65646a802085418cc237ceaa198c4

tools/update-pseudo-version-tool.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+shopt -s inherit_errexit
+
+platforms=(
+  darwin_amd64
+  darwin_arm64
+  linux_amd64
+  linux_arm64
+)
+bucket=cdn-constellation-backend
+
+dir=$(mktemp -d -t constellation-XXXXXXXXXX)
+trap 'rm -rf "${dir}"' EXIT
+
+bazel build --config nostamp "//hack/pseudo-version:all"
+workspace_dir=$(git rev-parse --show-toplevel)
+
+for platform in "${platforms[@]}"; do
+  echo "Building for ${platform}..."
+  target="//hack/pseudo-version:pseudo_version_${platform}"
+  cp "$(bazel cquery --config nostamp --output=files "${target}")" "${dir}/pseudo_version_${platform}"
+  sha256="$(sha256sum "${dir}/pseudo_version_${platform}" | cut -d ' ' -f 1)"
+  echo "${platform} ${sha256}" | tee -a "${dir}/checksums.txt"
+  aws s3 cp "${dir}/pseudo_version_${platform}" "s3://${bucket}/constellation/cas/sha256/${sha256}"
+  echo "${sha256}" > "${workspace_dir}/tools/pseudo_version_${platform}.sha256"
+done
+
+cat "${dir}/checksums.txt"

tools/workspace_status.sh

@@ -6,10 +6,51 @@ shopt -s inherit_errexit
 SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
 REPOSITORY_ROOT="${REPOSITORY_ROOT:-$(cd "${SCRIPT_DIR}" && git rev-parse --show-toplevel)}"
 
+goos() {
+  case "$(uname -sr)" in
+  Darwin*) echo 'darwin' ;;
+  Linux*) echo 'linux' ;;
+  *)
+    echo 'Unknown OS' >&2
+    exit 1
+    ;;
+  esac
+}
+
+goarch() {
+  case $(uname -m) in
+  x86_64) echo 'amd64' ;;
+  arm) echo 'arm64' ;; # this is slightly simplified, but we only care about arm64
+  *)
+    echo 'Unknown arch' >&2
+    exit 1
+    ;;
+  esac
+}
+
 ensure_pseudo_version_tool() {
   if [[ ! -f "${REPOSITORY_ROOT}/tools/pseudo-version" ]]; then
-    go build -o "${REPOSITORY_ROOT}/tools/pseudo-version" "${REPOSITORY_ROOT}"/hack/pseudo-version >&2
+    get_pseudo_version_tool
   fi
+  expected=$(cat "${REPOSITORY_ROOT}/tools/pseudo_version_$(goos)_$(goarch).sha256")
+  if ! sha256sum -c --status <(echo "${expected}  ${REPOSITORY_ROOT}/tools/pseudo-version"); then
+    get_pseudo_version_tool
+  fi
+}
+
+get_pseudo_version_tool() {
+  out="${REPOSITORY_ROOT}/tools/pseudo-version"
+  hash=$(cat "${REPOSITORY_ROOT}/tools/pseudo_version_$(goos)_$(goarch).sha256")
+  url=https://cdn.confidential.cloud/constellation/cas/sha256/${hash}
+  if command -v curl &> /dev/null; then
+    curl -fsSL "${url}" -o "${out}"
+  elif command -v wget &> /dev/null; then
+    wget -q -O "${out}" "${url}"
+  else
+    echo "curl or wget is required to download the pseudo-version tool" >&2
+    exit 1
+  fi
+  chmod +x "${out}"
 }
 
 pseudo_version() {