bump predicate from 1.1.2 to 1.1.3 (#226)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.github/dependabot.yml

@@ -10,7 +10,7 @@ updates:
           - minor
           - patch
     ignore:
-      - dependency-name: "actions/attest-build-provenance"
+      - dependency-name: 'actions/attest-build-provenance'
 
   - package-ecosystem: npm
     directory: /

.github/workflows/ci.yml

@@ -69,4 +69,3 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Dump output
         run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
-

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -48,3 +48,4 @@ jobs:
           VALIDATE_JAVASCRIPT_STANDARD: false
           VALIDATE_TYPESCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
+          VALIDATE_YAML_PRETTIER: false

.github/workflows/prober-github.yml

@@ -0,0 +1,17 @@
+name: GitHub Sigstore Prober
+
+on:
+  workflow_dispatch:
+  schedule:
+    # run every 5 minutes, as often as Github Actions allows
+    - cron: '*/5 * * * *'
+
+jobs:
+  prober:
+    permissions:
+      attestations: write
+      id-token: write
+    secrets: inherit
+    uses: ./.github/workflows/prober.yml
+    with:
+      sigstore: github

.github/workflows/prober-public-good.yml

@@ -0,0 +1,17 @@
+name: Public-Good Sigstore Prober
+
+on:
+  workflow_dispatch:
+  schedule:
+    # run every 5 minutes, as often as Github Actions allows
+    - cron: '*/5 * * * *'
+
+jobs:
+  prober:
+    permissions:
+      attestations: write
+      id-token: write
+    secrets: inherit
+    uses: ./.github/workflows/prober.yml
+    with:
+      sigstore: public-good

.github/workflows/prober.yml

@@ -0,0 +1,84 @@
+name: Prober Workflow
+
+on:
+  workflow_call:
+    inputs:
+      sigstore:
+        description: 'Which Sigstore instance to use for signing'
+        required: true
+        type: string
+
+jobs:
+  probe:
+    runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Request OIDC Token
+        run: |
+          curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
+            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+            -H "Accept: application/json; api-version=2.0" \
+            -H "Content-Type: application/json" \
+            --silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'
+
+      - name: Create artifact
+        run: |
+          date > artifact
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v1
+        env:
+          INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
+        with:
+          subject-path: artifact
+
+      - name: Verify build artifact
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: "artifact"
+
+      - name: Report attestation prober success
+        if: ${{ success() }}
+        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
+        with:
+          api-key: "${{ secrets.DATADOG_API_KEY }}"
+          service-checks: |
+            - check: "attestation-integration.actions.prober"
+              status: 0
+              host_name: github.com
+              tags:
+                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
+                - "service:${{ secrets.CATALOG_SERVICE }}"
+                - "deployed_to:production"
+                - "env:production"
+                - "repo:${{ github.repository }}"
+                - "team:${{ secrets.TEAM }}"
+                - "sigstore:${{ inputs.sigstore }}"
+
+      - name: Report attestation prober failure
+        if: ${{ failure() }}
+        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
+        with:
+          api-key: "${{ secrets.DATADOG_API_KEY }}"
+          service-checks: |
+            - check: "attestation-integration.actions.prober"
+              message: "${{ github.repository_owner }} failed prober check"
+              status: 2
+              host_name: github.com
+              tags:
+                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
+                - "service:${{ secrets.CATALOG_SERVICE }}"
+                - "deployed_to:production"
+                - "env:production"
+                - "repo:${{ github.repository }}"
+                - "team:${{ secrets.TEAM }}"
+                - "sigstore:${{ inputs.sigstore }}"

action.yml

@@ -50,9 +50,9 @@ outputs:
 runs:
   using: 'composite'
   steps:
-    - uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # predicate@1.1.2
+    - uses: actions/attest-build-provenance/predicate@f1185f1959cdaeda41a7f5a7b43cbe6b58a7a793 # predicate@1.1.3
       id: generate-build-provenance-predicate
-    - uses: actions/attest@2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d # v1.4.0
+    - uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1
       id: attest
       with:
         subject-path: ${{ inputs.subject-path }}

dist/licenses.txt

@@ -1798,7 +1798,7 @@ lru-cache
 ISC
 The ISC License
 
-Copyright (c) Isaac Z. Schlueter and Contributors
+Copyright (c) 2010-2023 Isaac Z. Schlueter and Contributors
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
@@ -2517,22 +2517,3 @@ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
-yallist
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package-lock.json

@@ -1,35 +1,35 @@
 {
   "name": "actions/attest-build-provenance",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "actions/attest-build-provenance",
-      "version": "1.1.2",
+      "version": "1.1.3",
       "license": "MIT",
       "dependencies": {
-        "@actions/attest": "^1.3.1",
+        "@actions/attest": "^1.4.2",
         "@actions/core": "^1.10.1"
       },
       "devDependencies": {
         "@types/jest": "^29.5.12",
-        "@types/node": "^22.1.0",
+        "@types/node": "^22.5.2",
         "@typescript-eslint/eslint-plugin": "^7.17.0",
         "@typescript-eslint/parser": "^7.18.0",
         "@vercel/ncc": "^0.38.1",
         "eslint": "^8.57.0",
         "eslint-plugin-github": "^5.0.1",
-        "eslint-plugin-jest": "^28.7.0",
+        "eslint-plugin-jest": "^28.8.1",
         "eslint-plugin-jsonc": "^2.16.0",
         "eslint-plugin-prettier": "^5.2.1",
         "jest": "^29.7.0",
-        "jose": "^5.6.3",
+        "jose": "^5.8.0",
         "markdownlint-cli": "^0.41.0",
-        "nock": "^13.5.4",
+        "nock": "^13.5.5",
         "prettier": "^3.3.3",
         "prettier-eslint": "^16.3.0",
-        "ts-jest": "^29.2.4",
+        "ts-jest": "^29.2.5",
         "typescript": "^5.5.4"
       },
       "engines": {
@@ -45,13 +45,13 @@
       }
     },
     "node_modules/@actions/attest": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.1.tgz",
-      "integrity": "sha512-4q09+4QvNROKHsjpusyRhtmUz8kHpFg45n5LqJAYrMQh8mU5O5t9shpGU3Z44rtUebgBTH8Ge0lTzLxfUOVvHw==",
+      "version": "1.4.2",
+      "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.4.2.tgz",
+      "integrity": "sha512-VCE5xFPexHc/iBD77b5Rip1ClYFF5j6vE7HxNxFga4OUnRwM6gXdObcz4cDRJsyp6ud4BgEqFUJYNinMnpPYMQ==",
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/github": "^6.0.0",
-        "@actions/http-client": "^2.2.1",
+        "@actions/http-client": "^2.2.3",
         "@octokit/plugin-retry": "^6.0.1",
         "@sigstore/bundle": "^2.3.2",
         "@sigstore/sign": "^2.3.2",
@@ -77,9 +77,9 @@
       }
     },
     "node_modules/@actions/http-client": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz",
-      "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
+      "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
       "dependencies": {
         "tunnel": "^0.0.6",
         "undici": "^5.25.4"
@@ -1671,12 +1671,12 @@
       "dev": true
     },
     "node_modules/@types/node": {
-      "version": "22.1.0",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.1.0.tgz",
-      "integrity": "sha512-AOmuRF0R2/5j1knA3c6G3HOk523Ga+l+ZXltX8SF1+5oqcXijjfTd8fY3XRZqSihEu9XhtQnKYLmkFaoxgsJHw==",
+      "version": "22.5.2",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.5.2.tgz",
+      "integrity": "sha512-acJsPTEqYqulZS/Yp/S3GgeE6GZ0qYODUR8aVr/DkhHQ8l9nd4j5x1/ZJy9/gHrRlFMqkO6i0I3E27Alu4jjPg==",
       "dev": true,
       "dependencies": {
-        "undici-types": "~6.13.0"
+        "undici-types": "~6.19.2"
       }
     },
     "node_modules/@types/stack-utils": {
@@ -3491,9 +3491,9 @@
       }
     },
     "node_modules/eslint-plugin-jest": {
-      "version": "28.7.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-jest/-/eslint-plugin-jest-28.7.0.tgz",
-      "integrity": "sha512-fzPGN7awL2ftVRQh/bsCi+16ArUZWujZnD1b8EGJqy8nr4//7tZ3BIdc/9edcJBtB3hpci3GtdMNFVDwHU0Eag==",
+      "version": "28.8.1",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-jest/-/eslint-plugin-jest-28.8.1.tgz",
+      "integrity": "sha512-G46XMyYu6PtSNJUkQ0hsPjzXYpzq/O4vpCciMizTKRJG8kNsRreGoMRDG6H9FIB/xVgfFuclVnuX4XRvFUzrZQ==",
       "dev": true,
       "dependencies": {
         "@typescript-eslint/utils": "^6.0.0 || ^7.0.0 || ^8.0.0"
@@ -5466,9 +5466,9 @@
       }
     },
     "node_modules/jose": {
-      "version": "5.6.3",
-      "resolved": "https://registry.npmjs.org/jose/-/jose-5.6.3.tgz",
-      "integrity": "sha512-1Jh//hEEwMhNYPDDLwXHa2ePWgWiFNNUadVmguAAw2IJ6sj9mNxV5tGXJNqlMkJAybF6Lgw1mISDxTePP/187g==",
+      "version": "5.8.0",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-5.8.0.tgz",
+      "integrity": "sha512-E7CqYpL/t7MMnfGnK/eg416OsFCVUrU/Y3Vwe7QjKhu/BkS1Ms455+2xsqZQVN57/U2MHMBvEb5SrmAZWAIntA==",
       "funding": {
         "url": "https://github.com/sponsors/panva"
       }
@@ -6193,9 +6193,9 @@
       }
     },
     "node_modules/nock": {
-      "version": "13.5.4",
-      "resolved": "https://registry.npmjs.org/nock/-/nock-13.5.4.tgz",
-      "integrity": "sha512-yAyTfdeNJGGBFxWdzSKCBYxs5FxLbCg5X5Q4ets974hcQzG1+qCxvIyOo4j2Ry6MUlhWVMX4OoYDefAIIwupjw==",
+      "version": "13.5.5",
+      "resolved": "https://registry.npmjs.org/nock/-/nock-13.5.5.tgz",
+      "integrity": "sha512-XKYnqUrCwXC8DGG1xX4YH5yNIrlh9c065uaMZZHUoeUUINTOyt+x/G+ezYk0Ft6ExSREVIs+qBJDK503viTfFA==",
       "dev": true,
       "dependencies": {
         "debug": "^4.1.0",
@@ -7132,12 +7132,9 @@
       "optional": true
     },
     "node_modules/semver": {
-      "version": "7.6.0",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz",
-      "integrity": "sha512-EnwXhrlwXMk9gKu5/flx5sv/an57AkRplG3hTK68W7FRDN+k+OWBj65M7719OkA82XLBxrcX0KSHj+X5COhOVg==",
-      "dependencies": {
-        "lru-cache": "^6.0.0"
-      },
+      "version": "7.6.3",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
+      "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
       "bin": {
         "semver": "bin/semver.js"
       },
@@ -7145,20 +7142,6 @@
         "node": ">=10"
       }
     },
-    "node_modules/semver/node_modules/lru-cache": {
-      "version": "6.0.0",
-      "license": "ISC",
-      "dependencies": {
-        "yallist": "^4.0.0"
-      },
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/semver/node_modules/yallist": {
-      "version": "4.0.0",
-      "license": "ISC"
-    },
     "node_modules/set-function-length": {
       "version": "1.2.2",
       "resolved": "https://registry.npmjs.org/set-function-length/-/set-function-length-1.2.2.tgz",
@@ -7634,20 +7617,20 @@
       }
     },
     "node_modules/ts-jest": {
-      "version": "29.2.4",
-      "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.4.tgz",
-      "integrity": "sha512-3d6tgDyhCI29HlpwIq87sNuI+3Q6GLTTCeYRHCs7vDz+/3GCMwEtV9jezLyl4ZtnBgx00I7hm8PCP8cTksMGrw==",
+      "version": "29.2.5",
+      "resolved": "https://registry.npmjs.org/ts-jest/-/ts-jest-29.2.5.tgz",
+      "integrity": "sha512-KD8zB2aAZrcKIdGk4OwpJggeLcH1FgrICqDSROWqlnJXGCXK4Mn6FcdK2B6670Xr73lHMG1kHw8R87A0ecZ+vA==",
       "dev": true,
       "dependencies": {
-        "bs-logger": "0.x",
+        "bs-logger": "^0.2.6",
         "ejs": "^3.1.10",
-        "fast-json-stable-stringify": "2.x",
+        "fast-json-stable-stringify": "^2.1.0",
         "jest-util": "^29.0.0",
         "json5": "^2.2.3",
-        "lodash.memoize": "4.x",
-        "make-error": "1.x",
-        "semver": "^7.5.3",
-        "yargs-parser": "^21.0.1"
+        "lodash.memoize": "^4.1.2",
+        "make-error": "^1.3.6",
+        "semver": "^7.6.3",
+        "yargs-parser": "^21.1.1"
       },
       "bin": {
         "ts-jest": "cli.js"
@@ -7875,9 +7858,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "6.13.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.13.0.tgz",
-      "integrity": "sha512-xtFJHudx8S2DSoujjMd1WeWvn7KKWFRESZTMeL1RptAYERu29D6jphMjjY+vn96jvN3kVPDNxU/E13VTaXj6jg==",
+      "version": "6.19.6",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.6.tgz",
+      "integrity": "sha512-e/vggGopEfTKSvj4ihnOLTsqhrKRN3LeO6qSN/GxohhuRv8qH9bNQ4B8W7e/vFL+0XTnmHPB4/kegunZGA4Org==",
       "dev": true
     },
     "node_modules/unique-filename": {

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest-build-provenance",
   "description": "Generate signed build provenance attestations",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest-build-provenance",
@@ -70,27 +70,27 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.3.1",
+    "@actions/attest": "^1.4.2",
     "@actions/core": "^1.10.1"
   },
   "devDependencies": {
     "@types/jest": "^29.5.12",
-    "@types/node": "^22.1.0",
+    "@types/node": "^22.5.2",
     "@typescript-eslint/eslint-plugin": "^7.17.0",
     "@typescript-eslint/parser": "^7.18.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
     "eslint-plugin-github": "^5.0.1",
-    "eslint-plugin-jest": "^28.7.0",
+    "eslint-plugin-jest": "^28.8.1",
     "eslint-plugin-jsonc": "^2.16.0",
     "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
-    "jose": "^5.6.3",
+    "jose": "^5.8.0",
     "markdownlint-cli": "^0.41.0",
-    "nock": "^13.5.4",
+    "nock": "^13.5.5",
     "prettier": "^3.3.3",
     "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.2.4",
+    "ts-jest": "^29.2.5",
     "typescript": "^5.5.4"
   }
 }

src/main.ts

@@ -1,21 +1,14 @@
 import { buildSLSAProvenancePredicate } from '@actions/attest'
 import * as core from '@actions/core'
 
-const VALID_SERVER_URLS = [
-  'https://github.com',
-  new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
-] as const
-
 /**
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
 export async function run(): Promise<void> {
   try {
-    const issuer = getIssuer()
-
     // Calculate subject from inputs and generate provenance
-    const predicate = await buildSLSAProvenancePredicate(issuer)
+    const predicate = await buildSLSAProvenancePredicate()
 
     core.setOutput('predicate', predicate.params)
     core.setOutput('predicate-type', predicate.type)
@@ -25,21 +18,3 @@ export async function run(): Promise<void> {
     core.setFailed(error.message)
   }
 }
-
-// Derive the current OIDC issuer based on the server URL
-function getIssuer(): string {
-  const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
-
-  // Ensure the server URL is a valid GitHub server URL
-  if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
-    throw new Error(`Invalid server URL: ${serverURL}`)
-  }
-
-  let host = new URL(serverURL).hostname
-
-  if (host === 'github.com') {
-    host = 'githubusercontent.com'
-  }
-
-  return `https://token.actions.${host}`
-}