infra: fall back to Rekor integratedTime for build age

paulbalaji · paulbalaji · commit f92a69ceb100 · 2026-04-23T17:19:45.000+01:00
GitHub's attest-build-provenance action does not populate
predicate.runDetails.metadata.finishedOn in the SLSA v1 payload, so
the parser was always missing build age. Fall back to the Rekor
transparency-log integratedTime (seconds since epoch) from the
attestation bundle's verification material, which is signed within
seconds of the build completing.
diff --git a/typescript/infra/src/utils/attestation.ts b/typescript/infra/src/utils/attestation.ts
@@ -67,7 +67,9 @@ function extractFinishedOn(rawJson: string): Date | undefined {
     const parsed = JSON.parse(rawJson);
     const entries = Array.isArray(parsed) ? parsed : [parsed];
     for (const entry of entries) {
-      const candidates: unknown[] = [
+      // 1. SLSA provenance predicate (if present — not populated by
+      //    GitHub's attest-build-provenance, but other producers may)
+      const statementCandidates: unknown[] = [
         entry?.verificationResult?.statement,
         entry?.statement,
       ];
@@ -76,17 +78,37 @@ function extractFinishedOn(rawJson: string): Date | undefined {
         entry?.bundle?.dsseEnvelope?.payload;
       if (typeof dssePayload === 'string') {
         try {
-          candidates.push(
+          statementCandidates.push(
             JSON.parse(Buffer.from(dssePayload, 'base64').toString('utf8')),
           );
         } catch {
           // ignore, next candidate
         }
       }
-      for (const c of candidates) {
+      for (const c of statementCandidates) {
         const date = readFinishedOn(c);
         if (date) return date;
       }
+
+      // 2. Rekor transparency-log integratedTime — when the attestation
+      //    was signed (typically within seconds of build completion).
+      const tlogEntries =
+        entry?.attestation?.bundle?.verificationMaterial?.tlogEntries ??
+        entry?.bundle?.verificationMaterial?.tlogEntries;
+      if (Array.isArray(tlogEntries)) {
+        for (const t of tlogEntries) {
+          const raw = t?.integratedTime;
+          const seconds =
+            typeof raw === 'string'
+              ? Number(raw)
+              : typeof raw === 'number'
+                ? raw
+                : NaN;
+          if (Number.isFinite(seconds) && seconds > 0) {
+            return new Date(seconds * 1000);
+          }
+        }
+      }
     }
   } catch {
     // ignore - treated as "verified but age unknown"
