bump actions/attest from 1.4.0 to 1.4.1 (#209)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.github/dependabot.yml

@@ -9,6 +9,8 @@ updates:
         update-types:
           - minor
           - patch
+    ignore:
+      - dependency-name: 'actions/attest-build-provenance'
 
   - package-ecosystem: npm
     directory: /

.github/workflows/ci.yml

@@ -50,7 +50,8 @@ jobs:
     name: Test attest-provenance action
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      attestations: write
+      contents: read
       id-token: write
 
     steps:
@@ -68,4 +69,3 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Dump output
         run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
-

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -46,4 +46,6 @@ jobs:
           TYPESCRIPT_DEFAULT_STYLE: prettier
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
+          VALIDATE_TYPESCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
+          VALIDATE_YAML_PRETTIER: false

README.md

@@ -1,6 +1,6 @@
 # `actions/attest-build-provenance`
 
-Generate signed build provenace attestations for workflow artifacts. Internally
+Generate signed build provenance attestations for workflow artifacts. Internally
 powered by the [@actions/attest][1] package.
 
 Attestations bind some subject (a named artifact along with its digest) to a
@@ -16,9 +16,12 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
-Attestations can be verified using the `attestation` command in the [GitHub
+Attestations can be verified using the [`attestation` command in the GitHub
 CLI][5].
 
+See [Using artifact attestations to establish provenance for builds][9] for more
+information on artifact attestations.
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -29,12 +32,12 @@ attest:
    ```yaml
    permissions:
      id-token: write
-     contents: write # TODO: Update this
+     attestations: write
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
-   permission is necessary to persist the attestation. The `contents` permission
-   is necessary to persist the attestation.
+   necessary to request a Sigstore signing certificate. The `attestations`
+   permission is necessary to persist the attestation.
 
 1. Add the following to your workflow after your artifact has been built:
 
@@ -44,7 +47,7 @@ attest:
        subject-path: '<PATH TO ARTIFACT>'
    ```
 
-   The `subject-path` parameter should identity the artifact for which you want
+   The `subject-path` parameter should identify the artifact for which you want
    to generate an attestation.
 
 ### Inputs
@@ -55,10 +58,11 @@ See [action.yml](action.yml)
 - uses: actions/attest-build-provenance@v1
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest".
+    # specify exactly one of "subject-path" or "subject-digest". May contain a
+    # glob pattern or list of paths (total subject count cannot exceed 2500).
     subject-path:
 
-    # SHA256 digest of the subject for for the attestation. Must be in the form
+    # SHA256 digest of the subject for the attestation. Must be in the form
     # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
     # of "subject-path" or "subject-digest".
     subject-digest:
@@ -73,6 +77,10 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -94,6 +102,15 @@ If multiple subjects are being attested at the same time, each attestation will
 be written to the output file on a separate line (using the [JSON Lines][7]
 format).
 
+## Attestation Limits
+
+### Subject Limits
+
+No more than 2500 subjects can be attested at the same time. Subjects will be
+processed in batches 50. After the initial group of 50, each subsequent batch
+will incur an exponentially increasing amount of delay (capped at 1 minute of
+delay per batch) to avoid overwhelming the attestation API.
+
 ## Examples
 
 ### Identify Subject by Path
@@ -112,7 +129,8 @@ jobs:
   build:
     permissions:
       id-token: write
-      contents: write
+      contents: read
+      attestations: write
 
     steps:
       - name: Checkout
@@ -125,7 +143,7 @@ jobs:
           subject-path: '${{ github.workspace }}/my-app'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
 If you are generating multiple artifacts, you can generate a provenance
 attestation for each by using a wildcard in the `subject-path` input.
@@ -139,6 +157,23 @@ attestation for each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][8] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest-build-provenance@v1
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest-build-provenance@v1
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -150,6 +185,9 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
+Attestation bundles are stored in the OCI registry according to the [Cosign
+Bundle Specification][10].
+
 > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
 > registry portion of the image name.
 
@@ -166,7 +204,8 @@ jobs:
     permissions:
       id-token: write
       packages: write
-      contents: write
+      contents: read
+      attestations: write
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
@@ -200,8 +239,11 @@ jobs:
 [2]: https://github.com/in-toto/attestation/tree/main/spec/v1
 [3]: https://slsa.dev/spec/v1.0/provenance
 [4]: https://www.sigstore.dev/
-[5]: https://cli.github.com/
+[5]: https://cli.github.com/manual/gh_attestation_verify
 [6]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
 [7]: https://jsonlines.org/
 [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
+[9]:
+  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
+[10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md

RELEASE.md

@@ -28,3 +28,11 @@ otherwise, skip directly to step #5.
    ```shell
    gh release create vX.X.X
    ```
+
+1. Move (or create) the major version tag to point to the same commit tagged
+   above:
+
+   ```shell
+   git tag -fa vX -m "vX"
+   git push origin vX --force
+   ```

__tests__/__snapshots__/main.test.ts.snap

@@ -1,9 +1,48 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`main successfully run main 1`] = `
+exports[`main when a non-default OIDC issuer is used successfully run main 1`] = `
 {
   "buildDefinition": {
-    "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+    "buildType": "https://actions.github.io/buildtypes/workflow/v1",
+    "externalParameters": {
+      "workflow": {
+        "path": ".github/workflows/main.yml",
+        "ref": "main",
+        "repository": "https://example-01.ghe.com/owner/repo",
+      },
+    },
+    "internalParameters": {
+      "github": {
+        "event_name": "push",
+        "repository_id": "repo-id",
+        "repository_owner_id": "owner-id",
+        "runner_environment": "github-hosted",
+      },
+    },
+    "resolvedDependencies": [
+      {
+        "digest": {
+          "gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
+        },
+        "uri": "git+https://example-01.ghe.com/owner/repo@refs/heads/main",
+      },
+    ],
+  },
+  "runDetails": {
+    "builder": {
+      "id": "https://example-01.ghe.com/owner/shared/.github/workflows/build.yml@main",
+    },
+    "metadata": {
+      "invocationId": "https://example-01.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
+    },
+  },
+}
+`;
+
+exports[`main when the default OIDC issuer is used successfully run main 1`] = `
+{
+  "buildDefinition": {
+    "buildType": "https://actions.github.io/buildtypes/workflow/v1",
     "externalParameters": {
       "workflow": {
         "path": ".github/workflows/main.yml",
@@ -16,6 +55,7 @@ exports[`main successfully run main 1`] = `
         "event_name": "push",
         "repository_id": "repo-id",
         "repository_owner_id": "owner-id",
+        "runner_environment": "github-hosted",
       },
     },
     "resolvedDependencies": [
@@ -29,7 +69,7 @@ exports[`main successfully run main 1`] = `
   },
   "runDetails": {
     "builder": {
-      "id": "https://github.com/actions/runner/github-hosted",
+      "id": "https://github.com/owner/shared/.github/workflows/build.yml@main",
     },
     "metadata": {
       "invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",

__tests__/main.test.ts

@@ -1,8 +1,9 @@
 import * as core from '@actions/core'
+import * as jose from 'jose'
+import nock from 'nock'
 import * as main from '../src/main'
 
-// Mock the GitHub Actions core library
-jest.mock('@actions/core')
+// Mock the GitHub Actions core library functions
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
 
@@ -11,9 +12,11 @@ setFailedMock.mockImplementation(() => {})
 
 describe('main', () => {
   let outputs = {} as Record<string, string>
+  const originalEnv = process.env
 
   beforeEach(() => {
     jest.resetAllMocks()
+
     setOutputMock.mockImplementation((key, value) => {
       outputs[key] = value
     })
@@ -21,40 +24,134 @@ describe('main', () => {
 
   afterEach(() => {
     outputs = {}
-  })
-
-  it('successfully run main', async () => {
-    const originalEnv = process.env
-    process.env = {
-      ...originalEnv,
-      GITHUB_REPOSITORY: 'owner/repo',
-      GITHUB_REF: 'refs/heads/main',
-      GITHUB_SHA: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
-      GITHUB_WORKFLOW_REF: 'owner/repo/.github/workflows/main.yml@main',
-      GITHUB_SERVER_URL: 'https://github.com',
-      GITHUB_EVENT_NAME: 'push',
-      GITHUB_REPOSITORY_ID: 'repo-id',
-      GITHUB_REPOSITORY_OWNER_ID: 'owner-id',
-      GITHUB_RUN_ID: 'run-id',
-      GITHUB_RUN_ATTEMPT: 'run-attempt',
-      RUNNER_ENVIRONMENT: 'github-hosted'
-    }
-
-    // Run the main function
-    await main.run()
-
-    // Verify that outputs were set correctly
-    expect(setOutputMock).toHaveBeenCalledTimes(2)
-
-    // Use the expected object in the test assertion
-    expect(outputs['predicate']).toMatchSnapshot()
-
-    expect(setOutputMock).toHaveBeenNthCalledWith(
-      2,
-      'predicate-type',
-      'https://slsa.dev/provenance/v1'
-    )
-
     process.env = originalEnv
   })
+
+  describe('when the default OIDC issuer is used', () => {
+    const issuer = 'https://token.actions.githubusercontent.com'
+    const audience = 'nobody'
+    const jwksPath = '/.well-known/jwks.json'
+    const tokenPath = '/token'
+
+    const claims = {
+      iss: issuer,
+      aud: 'nobody',
+      repository: 'owner/repo',
+      ref: 'refs/heads/main',
+      sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+      workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
+      job_workflow_ref: 'owner/shared/.github/workflows/build.yml@main',
+      event_name: 'push',
+      repository_id: 'repo-id',
+      repository_owner_id: 'owner-id',
+      run_id: 'run-id',
+      run_attempt: 'run-attempt',
+      runner_environment: 'github-hosted'
+    }
+
+    beforeEach(async () => {
+      process.env = {
+        ...originalEnv,
+        ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
+        GITHUB_SERVER_URL: 'https://github.com',
+        GITHUB_REPOSITORY: claims.repository
+      }
+
+      // Generate JWT signing key
+      const key = await jose.generateKeyPair('PS256')
+
+      // Create JWK, JWKS, and JWT
+      const kid = '12345'
+      const jwk = await jose.exportJWK(key.publicKey)
+      const jwks = { keys: [{ ...jwk, kid }] }
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({ alg: 'PS256', kid })
+        .sign(key.privateKey)
+
+      // Mock OpenID configuration and JWKS endpoints
+      nock(issuer)
+        .get('/.well-known/openid-configuration')
+        .reply(200, { jwks_uri: `${issuer}${jwksPath}` })
+      nock(issuer).get(jwksPath).reply(200, jwks)
+
+      // Mock OIDC token endpoint for populating the provenance
+      nock(issuer).get(tokenPath).query({ audience }).reply(200, { value: jwt })
+    })
+
+    it('successfully run main', async () => {
+      // Run the main function
+      await main.run()
+
+      // Verify that outputs were set correctly
+      expect(setOutputMock).toHaveBeenCalledTimes(2)
+
+      expect(outputs['predicate']).toMatchSnapshot()
+      expect(outputs['predicate-type']).toBe('https://slsa.dev/provenance/v1')
+    })
+  })
+
+  describe('when a non-default OIDC issuer is used', () => {
+    const issuer = 'https://token.actions.example-01.ghe.com'
+    const audience = 'nobody'
+    const jwksPath = '/.well-known/jwks.json'
+    const tokenPath = '/token'
+
+    const claims = {
+      iss: issuer,
+      aud: 'nobody',
+      repository: 'owner/repo',
+      ref: 'refs/heads/main',
+      sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+      workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
+      job_workflow_ref: 'owner/shared/.github/workflows/build.yml@main',
+      event_name: 'push',
+      repository_id: 'repo-id',
+      repository_owner_id: 'owner-id',
+      run_id: 'run-id',
+      run_attempt: 'run-attempt',
+      runner_environment: 'github-hosted'
+    }
+
+    beforeEach(async () => {
+      process.env = {
+        ...originalEnv,
+        ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
+        GITHUB_SERVER_URL: 'https://example-01.ghe.com',
+        GITHUB_REPOSITORY: claims.repository
+      }
+
+      // Generate JWT signing key
+      const key = await jose.generateKeyPair('PS256')
+
+      // Create JWK, JWKS, and JWT
+      const kid = '12345'
+      const jwk = await jose.exportJWK(key.publicKey)
+      const jwks = { keys: [{ ...jwk, kid }] }
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({ alg: 'PS256', kid })
+        .sign(key.privateKey)
+
+      // Mock OpenID configuration and JWKS endpoints
+      nock(issuer)
+        .get('/.well-known/openid-configuration')
+        .reply(200, { jwks_uri: `${issuer}${jwksPath}` })
+      nock(issuer).get(jwksPath).reply(200, jwks)
+
+      // Mock OIDC token endpoint for populating the provenance
+      nock(issuer).get(tokenPath).query({ audience }).reply(200, { value: jwt })
+    })
+
+    it('successfully run main', async () => {
+      // Run the main function
+      await main.run()
+
+      // Verify that outputs were set correctly
+      expect(setOutputMock).toHaveBeenCalledTimes(2)
+
+      expect(outputs['predicate']).toMatchSnapshot()
+      expect(outputs['predicate-type']).toBe('https://slsa.dev/provenance/v1')
+    })
+  })
 })

action.yml

@@ -1,12 +1,16 @@
 name: 'Attest Build Provenance'
 description: 'Generate provenance attestations for build artifacts'
 author: 'GitHub'
+branding:
+  color: 'blue'
+  icon: 'lock'
 
 inputs:
   subject-path:
     description: >
-      Path to the artifact for which provenance will be generated. Must specify
-      exactly one of "subject-path" or "subject-digest".
+      Path to the artifact serving as the subject of the attestation. Must
+      specify exactly one of "subject-path" or "subject-digest". May contain a
+      glob pattern or list of paths (total subject count cannot exceed 2500).
     required: false
   subject-digest:
     description: >
@@ -26,6 +30,12 @@ inputs:
       and that the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
@@ -40,9 +50,9 @@ outputs:
 runs:
   using: 'composite'
   steps:
-    - uses: actions/attest-build-provenance/predicate@56a361a16034268025aa760d300531128e298f1c # predicate@0.1.0
+    - uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # predicate@1.1.2
       id: generate-build-provenance-predicate
-    - uses: actions/attest@14e407ca15f1b08f4869fc058b059f7f1e434df6 # v0.1.0
+    - uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1
       id: attest
       with:
         subject-path: ${{ inputs.subject-path }}
@@ -51,4 +61,5 @@ runs:
         predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
         predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: ${{ inputs.show-summary }}
         github-token: ${{ inputs.github-token }}

dist/licenses.txt

@@ -231,6 +231,31 @@ The above copyright notice and this permission notice (including the next paragr
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
+@octokit/plugin-retry
+MIT
+MIT License
+
+Copyright (c) 2018 Octokit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 @octokit/request
 MIT
 The MIT License
@@ -1107,6 +1132,28 @@ Apache-2.0
 
 agent-base
 MIT
+(The MIT License)
+
+Copyright (c) 2013 Nathan Rajlich <nathan@tootallnate.net>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 aggregate-error
 MIT
@@ -1351,6 +1398,30 @@ Apache-2.0
    limitations under the License.
 
 
+bottleneck
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2014 Simon Grondin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
 brace-expansion
 MIT
 MIT License
@@ -1654,6 +1725,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
+jose
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2018 Filip Skokan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 jsbn
 MIT
 Licensing
@@ -2057,6 +2153,25 @@ will be liable to anyone for any damages related to this
 software or this license, under any kind of legal claim.***
 
 
+proc-log
+ISC
+The ISC License
+
+Copyright (c) GitHub, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
 promise-retry
 MIT
 Copyright (c) 2014 IndigoUnited
@@ -2199,6 +2314,28 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 socks-proxy-agent
 MIT
+(The MIT License)
+
+Copyright (c) 2013 Nathan Rajlich <nathan@tootallnate.net>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 sprintf-js
 BSD-3-Clause

package.json

@@ -1,21 +1,21 @@
 {
-  "name": "typescript-action",
-  "description": "GitHub Actions TypeScript template",
-  "version": "0.0.0",
+  "name": "actions/attest-build-provenance",
+  "description": "Generate signed build provenance attestations",
+  "version": "1.1.2",
   "author": "",
   "private": true,
-  "homepage": "https://github.com/actions/typescript-action",
+  "homepage": "https://github.com/actions/attest-build-provenance",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/actions/typescript-action.git"
+    "url": "git+https://github.com/actions/attest-build-provenance.git"
   },
   "bugs": {
-    "url": "https://github.com/actions/typescript-action/issues"
+    "url": "https://github.com/actions/attest-build-provenance/issues"
   },
   "keywords": [
     "actions",
-    "node",
-    "setup"
+    "attestation",
+    "provenance"
   ],
   "exports": {
     ".": "./dist/index.js"
@@ -30,7 +30,7 @@
     "format:check": "prettier --check **/*.ts",
     "lint:eslint": "npx eslint . -c ./.github/linters/.eslintrc.yml",
     "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
-    "lint": "npm run lint:eslint && npm run lint:markdown", 
+    "lint": "npm run lint:eslint && npm run lint:markdown",
     "package": "ncc build src/index.ts --license licenses.txt",
     "package:watch": "npm run package -- --watch",
     "test": "jest",
@@ -70,25 +70,27 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.0.0",
+    "@actions/attest": "^1.3.1",
     "@actions/core": "^1.10.1"
   },
   "devDependencies": {
     "@types/jest": "^29.5.12",
-    "@types/node": "^20.11.24",
-    "@typescript-eslint/eslint-plugin": "^7.0.0",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@types/node": "^22.4.0",
+    "@typescript-eslint/eslint-plugin": "^7.17.0",
+    "@typescript-eslint/parser": "^7.18.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^27.9.0",
-    "eslint-plugin-jsonc": "^2.13.0",
-    "eslint-plugin-prettier": "^5.1.3",
+    "eslint-plugin-github": "^5.0.1",
+    "eslint-plugin-jest": "^28.8.0",
+    "eslint-plugin-jsonc": "^2.16.0",
+    "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
-    "markdownlint-cli": "^0.39.0",
-    "prettier": "^3.2.5",
+    "jose": "^5.6.3",
+    "markdownlint-cli": "^0.41.0",
+    "nock": "^13.5.4",
+    "prettier": "^3.3.3",
     "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.3.3"
+    "ts-jest": "^29.2.4",
+    "typescript": "^5.5.4"
   }
 }

src/main.ts

@@ -1,14 +1,21 @@
 import { buildSLSAProvenancePredicate } from '@actions/attest'
 import * as core from '@actions/core'
 
+const VALID_SERVER_URLS = [
+  'https://github.com',
+  new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
+] as const
+
 /**
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
 export async function run(): Promise<void> {
   try {
+    const issuer = getIssuer()
+
     // Calculate subject from inputs and generate provenance
-    const predicate = buildSLSAProvenancePredicate(process.env)
+    const predicate = await buildSLSAProvenancePredicate(issuer)
 
     core.setOutput('predicate', predicate.params)
     core.setOutput('predicate-type', predicate.type)
@@ -18,3 +25,21 @@ export async function run(): Promise<void> {
     core.setFailed(error.message)
   }
 }
+
+// Derive the current OIDC issuer based on the server URL
+function getIssuer(): string {
+  const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
+
+  // Ensure the server URL is a valid GitHub server URL
+  if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
+    throw new Error(`Invalid server URL: ${serverURL}`)
+  }
+
+  let host = new URL(serverURL).hostname
+
+  if (host === 'github.com') {
+    host = 'githubusercontent.com'
+  }
+
+  return `https://token.actions.${host}`
+}