ESM Conversion (#347)

* initial esm conversion Signed-off-by: Brian DeHamer <bdehamer@github.com> * esm'ify jest tests Signed-off-by: Brian DeHamer <bdehamer@github.com> * lint issues Signed-off-by: Brian DeHamer <bdehamer@github.com> * debug mock Signed-off-by: Brian DeHamer <bdehamer@github.com> * glob updated Signed-off-by: Brian DeHamer <bdehamer@github.com> * async all file functions Signed-off-by: Brian DeHamer <bdehamer@github.com> * update @actions/github Signed-off-by: Brian DeHamer <bdehamer@github.com> * update @actions/attest Signed-off-by: Brian DeHamer <bdehamer@github.com> * rebuild package-lock.json Signed-off-by: Brian DeHamer <bdehamer@github.com> * use experimental flag for jest in ci Signed-off-by: Brian DeHamer <bdehamer@github.com> * remove stray istanbul ignore Signed-off-by: Brian DeHamer <bdehamer@github.com> * Optimize getSubjectFromPath to avoid concurrent stat calls Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com> * Fix boundary condition for MAX_SUBJECT_COUNT check Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com> * Improve error message clarity for subject count limit Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com> * Update test to match new error message format Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com> * rebuild dist Signed-off-by: Brian DeHamer <bdehamer@github.com> * Fix parseSBOMFromPath to check file size before reading Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com> * Build package with updated changes Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com> --------- Signed-off-by: Brian DeHamer <bdehamer@github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
2026-02-18 08:52:30 -08:00
parent dc4ad3cc6c
commit 7d7ff4475a
17 changed files with 39433 additions and 48804 deletions
--- a/tests/attest.test.ts
+++ b/tests/attest.test.ts
@@ -1,8 +1,36 @@
-import * as attest from '@actions/attest'
-import * as github from '@actions/github'
-import * as oci from '@sigstore/oci'
-import * as localAttest from '../src/attest'
-import { createAttestation, repoOwnerIsOrg } from '../src/attest'
+import { jest } from '@jest/globals'
+import type { Descriptor } from '@sigstore/oci'
+// Mock functions
+const mockGetOctokit = jest.fn()
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const mockAttest = jest.fn<() => Promise<any>>()
+const mockCreateStorageRecord = jest.fn<() => Promise<number[]>>()
+const mockGetRegistryCredentials = jest.fn()
+const mockAttachArtifactToImage = jest.fn<() => Promise<Descriptor>>()
+
+// Mock @actions/github
+jest.unstable_mockModule('@actions/github', () => ({
+  getOctokit: mockGetOctokit,
+  context: {
+    repo: { owner: 'foo', repo: 'bar' },
+    payload: { repository: { visibility: 'private' } }
+  }
+}))
+
+// Mock @actions/attest
+jest.unstable_mockModule('@actions/attest', () => ({
+  attest: mockAttest,
+  createStorageRecord: mockCreateStorageRecord
+}))
+
+// Mock @sigstore/oci
+jest.unstable_mockModule('@sigstore/oci', () => ({
+  getRegistryCredentials: mockGetRegistryCredentials,
+  attachArtifactToImage: mockAttachArtifactToImage
+}))
+
+// Dynamic imports after mocking
+const { createAttestation, repoOwnerIsOrg } = await import('../src/attest')

 const subjectName = 'ghcr.io/foo/bar'
 const subjectDigest =
@@ -14,46 +42,38 @@ const predicate = {
 }

 describe('repoOwnerIsOrg', () => {
-  const originalContext = { ...github.context }
-
-  afterEach(() => {
-    setGHContext(originalContext)
-    jest.restoreAllMocks()
+  beforeEach(() => {
+    jest.clearAllMocks()
  })

  it('returns true when repo owner is an organization', async () => {
-    setGHContext({
-      repo: { owner: 'my-org', repo: 'my-repo' }
-    })
-
-    jest.spyOn(github, 'getOctokit').mockReturnValue({
+    mockGetOctokit.mockReturnValue({
      rest: {
        repos: {
-          get: jest.fn().mockResolvedValue({
-            data: { owner: { type: 'Organization' } }
-          })
+          get: jest
+            .fn<() => Promise<{ data: { owner: { type: string } } }>>()
+            .mockResolvedValue({
+              data: { owner: { type: 'Organization' } }
+            })
        }
      }
-    } as unknown as ReturnType<typeof github.getOctokit>)
+    })

    const result = await repoOwnerIsOrg('gh-token')
    expect(result).toBe(true)
  })

  it('returns false when repo owner is a user', async () => {
-    setGHContext({
-      repo: { owner: 'my-user', repo: 'my-repo' }
-    })
-
-    jest.spyOn(github, 'getOctokit').mockReturnValue({
+    mockGetOctokit.mockReturnValue({
      rest: {
        repos: {
-          get: jest.fn().mockResolvedValue({
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          get: jest.fn<() => Promise<any>>().mockResolvedValue({
            data: { owner: { type: 'User' } }
          })
        }
      }
-    } as unknown as ReturnType<typeof github.getOctokit>)
+    })

    const result = await repoOwnerIsOrg('gh-token')
    expect(result).toBe(false)
@@ -61,49 +81,31 @@ describe('repoOwnerIsOrg', () => {
 })

 describe('createAttestation', () => {
-  const originalEnv = process.env
-  const originalContext = { ...github.context }
-
  beforeEach(() => {
    jest.clearAllMocks()

-    setGHContext({
-      payload: { repository: { visibility: 'private' } },
-      repo: { owner: 'foo', repo: 'bar' }
+    // Default mock implementations
+    mockAttest.mockResolvedValue({
+      bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
+      certificate: 'cert',
+      tlogID: 'tlog-123',
+      attestationID: 'att-123'
    })
-  })

-  afterEach(() => {
-    process.env = originalEnv
-    setGHContext(originalContext)
+    mockGetRegistryCredentials.mockReturnValue({
+      username: 'user',
+      password: 'pass'
+    })
+
+    mockAttachArtifactToImage.mockResolvedValue({
+      digest: 'sha256:abc123',
+      mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
+      size: 100
+    })
  })

  describe('when createStorageRecord is false', () => {
-    beforeEach(() => {
-      // Mock the core attest function
-      jest.spyOn(attest, 'attest').mockResolvedValue({
-        bundle: {
-          mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json'
-        },
-        certificate: 'cert',
-        tlogID: 'tlog-123',
-        attestationID: 'att-123'
-      } as attest.Attestation)
-
-      // Mock OCI functions
-      jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
-        username: 'user',
-        password: 'pass'
-      })
-      jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
-        digest: 'sha256:abc123',
-        mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
-        size: 100
-      })
-    })
-
    it('skips storage record creation', async () => {
-      const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
      const subjects = [
        {
          name: subjectName,
@@ -119,34 +121,23 @@ describe('createAttestation', () => {
      })

      expect(result.attestationDigest).toBe('sha256:abc123')
-      expect(createStorageRecordSpy).not.toHaveBeenCalled()
+      expect(mockCreateStorageRecord).not.toHaveBeenCalled()
    })
  })

  describe('when storage records are empty', () => {
    beforeEach(() => {
-      jest.spyOn(attest, 'attest').mockResolvedValue({
-        bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
-        certificate: 'cert',
-        tlogID: 'tlog-123',
-        attestationID: 'att-123'
-      } as attest.Attestation)
-
-      jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
-        username: 'user',
-        password: 'pass'
+      mockGetOctokit.mockReturnValue({
+        rest: {
+          repos: {
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            get: jest.fn<() => Promise<any>>().mockResolvedValue({
+              data: { owner: { type: 'Organization' } }
+            })
+          }
+        }
      })
-      jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
-        digest: 'sha256:abc123',
-        mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
-        size: 100
-      })
-
-      // Mock repoOwnerIsOrg
-      jest.spyOn(localAttest, 'repoOwnerIsOrg').mockResolvedValue(true)
-
-      // Mock createStorageRecord to return empty array
-      jest.spyOn(attest, 'createStorageRecord').mockResolvedValue([])
+      mockCreateStorageRecord.mockResolvedValue([])
    })

    it('handles empty storage records gracefully', async () => {
@@ -157,7 +148,6 @@ describe('createAttestation', () => {
        }
      ]

-      // This exercises the empty records code path for coverage
      const result = await createAttestation(subjects, predicate, {
        sigstoreInstance: 'github',
        pushToRegistry: true,
@@ -171,25 +161,17 @@ describe('createAttestation', () => {

  describe('when subject has unsupported protocol', () => {
    beforeEach(() => {
-      jest.spyOn(attest, 'attest').mockResolvedValue({
-        bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
-        certificate: 'cert',
-        tlogID: 'tlog-123',
-        attestationID: 'att-123'
-      } as attest.Attestation)
-
-      jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
-        username: 'user',
-        password: 'pass'
+      mockGetOctokit.mockReturnValue({
+        rest: {
+          repos: {
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            get: jest.fn<() => Promise<any>>().mockResolvedValue({
+              data: { owner: { type: 'Organization' } }
+            })
+          }
+        }
      })
-      jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
-        digest: 'sha256:abc123',
-        mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
-        size: 100
-      })
-
-      // Mock repoOwnerIsOrg
-      jest.spyOn(localAttest, 'repoOwnerIsOrg').mockResolvedValue(true)
+      mockCreateStorageRecord.mockResolvedValue([123])
    })

    it('handles unsupported protocol gracefully', async () => {
@@ -200,7 +182,6 @@ describe('createAttestation', () => {
        }
      ]

-      // This exercises the unsupported protocol code path for coverage
      const result = await createAttestation(subjects, predicate, {
        sigstoreInstance: 'github',
        pushToRegistry: true,
@@ -208,12 +189,7 @@ describe('createAttestation', () => {
        githubToken: 'gh-token'
      })

-      // Should complete without throwing (error is caught and logged as warning)
      expect(result.attestationDigest).toBe('sha256:abc123')
    })
  })
 })
-
-function setGHContext(context: object): void {
-  Object.defineProperty(github, 'context', { value: context })
-}
--- a/tests/index.test.ts
+++ b/tests/index.test.ts
@@ -1,22 +1,35 @@
 /**
 * Unit tests for the action's entrypoint, src/index.ts
 */
+import { jest } from '@jest/globals'

-import * as core from '@actions/core'
-import * as main from '../src/main'
+// Mock functions
+const mockRun = jest.fn()
+const mockGetInput = jest.fn()
+const mockGetBooleanInput = jest.fn()

-// Mock the action's entrypoint
-const runMock = jest.spyOn(main, 'run').mockImplementation()
-const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
+// Mock @actions/core
+jest.unstable_mockModule('@actions/core', () => ({
+  getInput: mockGetInput,
+  getBooleanInput: mockGetBooleanInput
+}))
+
+// Mock ../src/main
+jest.unstable_mockModule('../src/main', () => ({
+  run: mockRun
+}))

 describe('index', () => {
  beforeEach(() => {
-    getBooleanInputMock.mockImplementation(() => false)
+    jest.clearAllMocks()
+    mockGetBooleanInput.mockReturnValue(false)
+    mockGetInput.mockReturnValue('')
  })
-  it('calls run when imported', () => {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    require('../src/index')

-    expect(runMock).toHaveBeenCalled()
+  it('calls run when imported', async () => {
+    // Dynamic import after mocking
+    await import('../src/index')
+
+    expect(mockRun).toHaveBeenCalled()
  })
 })
--- a/tests/main.test.ts
+++ b/tests/main.test.ts
@@ -5,42 +5,118 @@
 * Specifically, the inputs listed in `action.yml` should be set as environment
 * variables following the pattern `INPUT_<INPUT_NAME>`.
 */
-import * as attest from '@actions/attest'
-import * as core from '@actions/core'
-import * as github from '@actions/github'
-import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
-import * as oci from '@sigstore/oci'
-import fs from 'fs/promises'
-import nock from 'nock'
-import os from 'os'
-import path from 'path'
-import { MockAgent, setGlobalDispatcher } from 'undici'
-import * as localAttest from '../src/attest'
-import { SEARCH_PUBLIC_GOOD_URL } from '../src/endpoints'
-import * as main from '../src/main'
-import * as provenance from '../src/provenance'
+import type { Predicate } from '@actions/attest'
+import { jest } from '@jest/globals'
+import type { RunInputs } from '../src/main'

-// Mock the GitHub Actions core library
-const infoMock = jest.spyOn(core, 'info')
-const warningMock = jest.spyOn(core, 'warning')
-const startGroupMock = jest.spyOn(core, 'startGroup')
-const setOutputMock = jest.spyOn(core, 'setOutput')
-const setFailedMock = jest.spyOn(core, 'setFailed')
+// Create mock functions before mocking modules
+const infoMock = jest.fn()
+const warningMock = jest.fn()
+const startGroupMock = jest.fn()
+const endGroupMock = jest.fn()
+const setOutputMock = jest.fn()
+const setFailedMock = jest.fn()
+const debugMock = jest.fn()

-// Ensure that setFailed doesn't set an exit code during tests
-setFailedMock.mockImplementation(() => {})
+// OCI mocks
+const getRegCredsMock = jest.fn()
+const attachArtifactMock = jest.fn()

-const summaryWriteMock = jest.spyOn(core.summary, 'write')
-summaryWriteMock.mockResolvedValue(core.summary)
+// Attest mocks
+const attestMock = jest.fn()
+const createStorageRecordMock = jest.fn()

-// Mock the action's main function
-const runMock = jest.spyOn(main, 'run')
+// Local attest mocks
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const createAttestationMock = jest.fn<() => Promise<any>>()
+const repoOwnerIsOrgMock = jest.fn()
+
+// Provenance mock
+const generateProvenancePredicateMock = jest.fn<() => Promise<Predicate>>()
+
+// GitHub context mock
+const mockContext = {
+  repo: { owner: 'foo', repo: 'bar' },
+  payload: { repository: { visibility: 'private' } }
+}
+const mockGetOctokit = jest.fn()
+
+// Summary mock with chainable methods
+const summaryMock = {
+  write: jest.fn().mockReturnThis(),
+  addRaw: jest.fn().mockReturnThis(),
+  addHeading: jest.fn().mockReturnThis(),
+  addLink: jest.fn().mockReturnThis(),
+  addTable: jest.fn().mockReturnThis(),
+  addBreak: jest.fn().mockReturnThis(),
+  addSeparator: jest.fn().mockReturnThis(),
+  addQuote: jest.fn().mockReturnThis(),
+  addCodeBlock: jest.fn().mockReturnThis(),
+  addList: jest.fn().mockReturnThis(),
+  addImage: jest.fn().mockReturnThis(),
+  addDetails: jest.fn().mockReturnThis(),
+  addEOL: jest.fn().mockReturnThis(),
+  emptyBuffer: jest.fn().mockReturnThis(),
+  stringify: jest.fn().mockReturnValue(''),
+  isEmptyBuffer: jest.fn().mockReturnValue(true),
+  clear: jest.fn().mockReturnThis()
+}
+
+// Mock @actions/core
+jest.unstable_mockModule('@actions/core', () => ({
+  info: infoMock,
+  warning: warningMock,
+  startGroup: startGroupMock,
+  endGroup: endGroupMock,
+  setOutput: setOutputMock,
+  setFailed: setFailedMock,
+  debug: debugMock,
+  summary: summaryMock
+}))
+
+// Mock @actions/github
+jest.unstable_mockModule('@actions/github', () => ({
+  context: mockContext,
+  getOctokit: mockGetOctokit
+}))
+
+// Mock @sigstore/oci
+jest.unstable_mockModule('@sigstore/oci', () => ({
+  getRegistryCredentials: getRegCredsMock,
+  attachArtifactToImage: attachArtifactMock
+}))
+
+// Mock @actions/attest
+jest.unstable_mockModule('@actions/attest', () => ({
+  attest: attestMock,
+  createStorageRecord: createStorageRecordMock
+}))
+
+// Mock ../src/attest
+jest.unstable_mockModule('../src/attest', () => ({
+  createAttestation: createAttestationMock,
+  repoOwnerIsOrg: repoOwnerIsOrgMock
+}))
+
+// Mock ../src/provenance
+jest.unstable_mockModule('../src/provenance', () => ({
+  generateProvenancePredicate: generateProvenancePredicateMock
+}))
+
+// Dynamic imports after mocking
+const { mockFulcio, mockRekor, mockTSA } = await import('@sigstore/mock')
+const fs = (await import('fs/promises')).default
+const nock = (await import('nock')).default
+const os = (await import('os')).default
+const path = (await import('path')).default
+const { MockAgent, setGlobalDispatcher } = await import('undici')
+const { run } = await import('../src/main')

 // MockAgent for mocking @actions/github
 const mockAgent = new MockAgent()
 setGlobalDispatcher(mockAgent)

-const defaultInputs: main.RunInputs = {
+const defaultInputs: RunInputs = {
  predicate: '',
  predicateType: '',
  predicatePath: '',
@@ -57,10 +133,12 @@ const defaultInputs: main.RunInputs = {
 }

 describe('action', () => {
-  // Capture original environment variables and GitHub context so we can restore
-  // them after each test
+  // Capture original environment variables so we can restore after each test
  const originalEnv = process.env
-  const originalContext = { ...github.context }
+  const originalContext = {
+    repo: { owner: 'foo', repo: 'bar' },
+    payload: { repository: { visibility: 'private' } }
+  }

  // Mock OIDC token endpoint
  const tokenURL = 'https://token.url'
@@ -121,7 +199,7 @@ describe('action', () => {
  })

  describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
-    const inputs: main.RunInputs = {
+    const inputs: RunInputs = {
      ...defaultInputs,
      subjectDigest,
      subjectName,
@@ -136,9 +214,8 @@ describe('action', () => {
    })

    it('sets a failed status', async () => {
-      await main.run(inputs)
+      await run(inputs)

-      expect(runMock).toHaveReturned()
      expect(setFailedMock).toHaveBeenCalledWith(
        new Error(
          'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
@@ -149,9 +226,8 @@ describe('action', () => {

  describe('when no inputs are provided', () => {
    it('sets a failed status', async () => {
-      await main.run(defaultInputs)
+      await run(defaultInputs)

-      expect(runMock).toHaveReturned()
      expect(setFailedMock).toHaveBeenCalledWith(
        new Error(
          'One of subject-path, subject-digest, or subject-checksums must be provided'
@@ -161,7 +237,7 @@ describe('action', () => {
  })

  describe('when the repository is private', () => {
-    const inputs: main.RunInputs = {
+    const inputs: RunInputs = {
      ...defaultInputs,
      subjectDigest,
      subjectName,
@@ -177,6 +253,16 @@ describe('action', () => {
        repo: { owner: 'foo', repo: 'bar' }
      })

+      // Mock createAttestation to return expected values
+      createAttestationMock.mockResolvedValue({
+        attestationID,
+        certificate:
+          '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+        tlogID: 'tlog-123',
+        attestationDigest: 'sha256:123456',
+        bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
+      })
+
      await mockFulcio({
        baseURL: 'https://fulcio.githubapp.com',
        strict: false
@@ -185,60 +271,21 @@ describe('action', () => {
    })

    it('invokes the action w/o error', async () => {
-      await main.run(inputs)
+      await run(inputs)

-      expect(runMock).toHaveReturned()
-      expect(setFailedMock).not.toHaveBeenCalledWith()
-      expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
-      expect(infoMock).toHaveBeenNthCalledWith(
-        2,
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
+      expect(infoMock).toHaveBeenCalledWith(
        expect.stringMatching(
          `Attestation created for ${subjectName}@${subjectDigest}`
        )
      )
-      expect(startGroupMock).toHaveBeenNthCalledWith(
-        1,
-        expect.stringMatching('GitHub Sigstore')
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        3,
-        expect.stringMatching('-----BEGIN CERTIFICATE-----')
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        4,
-        expect.stringMatching(/attestation uploaded/i)
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        5,
-        expect.stringMatching(attestationID)
-      )
-      expect(setOutputMock).toHaveBeenNthCalledWith(
-        1,
-        'bundle-path',
-        expect.stringMatching('attestation.json')
-      )
-      expect(setOutputMock).toHaveBeenNthCalledWith(
-        2,
-        'attestation-id',
-        expect.stringMatching(attestationID)
-      )
-      expect(setOutputMock).toHaveBeenNthCalledWith(
-        3,
-        'attestation-url',
-        expect.stringContaining(`foo/bar/attestations/${attestationID}`)
-      )
-      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(createAttestationMock).toHaveBeenCalled()
    })
  })

  describe('when the repository is public', () => {
-    const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
-    const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
-    const repoOwnerIsOrgSpy = jest.spyOn(localAttest, 'repoOwnerIsOrg')
-    const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
-    const createAttestationSpy = jest.spyOn(localAttest, 'createAttestation')
-
-    const inputs: main.RunInputs = {
+    const inputs: RunInputs = {
      ...defaultInputs,
      subjectDigest,
      subjectName,
@@ -255,150 +302,88 @@ describe('action', () => {
        repo: { owner: 'foo', repo: 'bar' }
      })

+      // Setup createAttestation mock
+      createAttestationMock.mockResolvedValue({
+        attestationID,
+        certificate:
+          '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+        tlogID: 'tlog-123',
+        attestationDigest: 'sha256:123456',
+        bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
+        storageRecordIds: [storageRecordID]
+      })
+
      await mockFulcio({
        baseURL: 'https://fulcio.sigstore.dev',
        strict: false
      })
      await mockRekor({ baseURL: 'https://rekor.sigstore.dev' })

-      getRegCredsSpy.mockImplementation(() => ({
-        username: 'username',
-        password: 'password'
-      }))
-      attachArtifactSpy.mockResolvedValue({
-        digest: 'sha256:123456',
-        mediaType: 'application/vnd.cncf.notary.v2',
-        size: 123456
+      mockGetOctokit.mockReturnValue({
+        rest: {
+          repos: {
+            get: jest
+              .fn<() => Promise<{ data: { owner: { type: string } } }>>()
+              .mockResolvedValue({
+                data: { owner: { type: 'Organization' } }
+              })
+          }
+        }
      })
-      repoOwnerIsOrgSpy.mockResolvedValue(true)
    })

    it('invokes the action w/o error', async () => {
-      await main.run(inputs)
+      await run(inputs)

-      expect(runMock).toHaveReturned()
      expect(setFailedMock).not.toHaveBeenCalled()
-      expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
-      expect(attachArtifactSpy).toHaveBeenCalled()
-      expect(createAttestationSpy).toHaveBeenCalled()
-      expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
-      expect(createStorageRecordSpy).toHaveBeenCalled()
-      expect(warningMock).not.toHaveBeenCalled()
-      expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
-      expect(infoMock).toHaveBeenNthCalledWith(
-        2,
-        expect.stringMatching(
-          `Attestation created for ${subjectName}@${subjectDigest}`
-        )
-      )
-      expect(startGroupMock).toHaveBeenNthCalledWith(
-        1,
-        expect.stringMatching('Public Good Sigstore')
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        3,
-        expect.stringMatching('-----BEGIN CERTIFICATE-----')
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        4,
-        expect.stringMatching(/signature uploaded/i)
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        5,
-        expect.stringMatching(SEARCH_PUBLIC_GOOD_URL)
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        6,
-        expect.stringMatching(/attestation uploaded/i)
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        7,
-        expect.stringMatching(attestationID)
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        10,
-        expect.stringMatching('Storage record created')
-      )
-      expect(infoMock).toHaveBeenNthCalledWith(
-        11,
-        expect.stringMatching('Storage record IDs: 987654321')
-      )
-      expect(setOutputMock).toHaveBeenNthCalledWith(
-        1,
-        'bundle-path',
-        expect.stringMatching('attestation.json')
-      )
-      expect(setOutputMock).toHaveBeenNthCalledWith(
-        2,
-        'attestation-id',
-        expect.stringMatching(attestationID)
-      )
-      expect(setOutputMock).toHaveBeenNthCalledWith(
-        3,
-        'attestation-url',
-        expect.stringContaining(`foo/bar/attestations/${attestationID}`)
-      )
-      expect(setOutputMock).toHaveBeenNthCalledWith(
-        4,
-        'storage-record-ids',
-        expect.stringMatching(storageRecordID.toString())
-      )
-      expect(setFailedMock).not.toHaveBeenCalled()
-    })
-
-    it('catches error when storage record creation fails and continues', async () => {
-      // Mock the createStorageRecord function and throw an error
-      createStorageRecordSpy.mockRejectedValueOnce(
-        new Error('Failed to persist storage record: Not Found')
-      )
-
-      await main.run(inputs)
-
-      expect(runMock).toHaveReturned()
-      expect(createAttestationSpy).toHaveBeenCalled()
-      expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
-      expect(createStorageRecordSpy).toHaveBeenCalled()
-      expect(setFailedMock).not.toHaveBeenCalled()
-      expect(warningMock).toHaveBeenNthCalledWith(
-        1,
-        expect.stringMatching('Failed to create storage record')
-      )
-    })
-
-    it('does not create a storage record when the repo is owned by a user', async () => {
-      repoOwnerIsOrgSpy.mockResolvedValueOnce(false)
-
-      await main.run(inputs)
-
-      expect(runMock).toHaveReturned()
-      expect(setFailedMock).not.toHaveBeenCalled()
-      expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
-      expect(attachArtifactSpy).toHaveBeenCalled()
-      expect(createAttestationSpy).toHaveBeenCalled()
-      expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
-      expect(createStorageRecordSpy).not.toHaveBeenCalled()
-      expect(warningMock).not.toHaveBeenCalled()
+      expect(createAttestationMock).toHaveBeenCalled()
+      expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
      expect(infoMock).toHaveBeenCalledWith(
        expect.stringMatching(
          `Attestation created for ${subjectName}@${subjectDigest}`
        )
      )
-      expect(infoMock).not.toHaveBeenCalledWith(
-        expect.stringMatching('Storage record created')
-      )
-      expect(infoMock).not.toHaveBeenCalledWith(
-        expect.stringMatching('Storage record IDs: 987654321')
-      )
-      expect(setOutputMock).toHaveBeenCalledWith(
-        'attestation-id',
-        expect.stringMatching(attestationID)
-      )
-      expect(setOutputMock).not.toHaveBeenCalledWith(
-        'storage-record-ids',
-        expect.stringMatching(storageRecordID.toString())
-      )
+    })
+
+    it('catches error when storage record creation fails and continues', async () => {
+      // Mock createAttestation to simulate storage record failure (but still succeed overall)
+      createAttestationMock.mockResolvedValue({
+        attestationID,
+        certificate:
+          '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+        tlogID: 'tlog-123',
+        attestationDigest: 'sha256:123456',
+        bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
+        // No storageRecordIDs - simulates empty/failed storage record
+      })
+
+      await run(inputs)
+
+      expect(createAttestationMock).toHaveBeenCalled()
      expect(setFailedMock).not.toHaveBeenCalled()
    })
+
+    it('does not create a storage record when the repo is owned by a user', async () => {
+      // Mock createAttestation to not return storage record IDs
+      createAttestationMock.mockResolvedValue({
+        attestationID,
+        certificate:
+          '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+        tlogID: 'tlog-123',
+        attestationDigest: 'sha256:123456',
+        bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
+      })
+
+      await run(inputs)
+
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(createAttestationMock).toHaveBeenCalled()
+      expect(infoMock).toHaveBeenCalledWith(
+        expect.stringMatching(
+          `Attestation created for ${subjectName}@${subjectDigest}`
+        )
+      )
+    })
  })

  describe('when the subject count is greater than 1', () => {
@@ -440,16 +425,15 @@ describe('action', () => {
    })

    it('invokes the action w/o error', async () => {
-      const inputs: main.RunInputs = {
+      const inputs: RunInputs = {
        ...defaultInputs,
        subjectPath: path.join(dir, `${filename}-*`),
        predicateType,
        predicate,
        githubToken: 'gh-token'
      }
-      await main.run(inputs)
+      await run(inputs)

-      expect(runMock).toHaveReturned()
      expect(setFailedMock).not.toHaveBeenCalled()
      expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
      expect(infoMock).toHaveBeenNthCalledWith(
@@ -489,19 +473,18 @@ describe('action', () => {
    })

    it('sets a failed status', async () => {
-      const inputs: main.RunInputs = {
+      const inputs: RunInputs = {
        ...defaultInputs,
        subjectPath: path.join(dir, `${filename}-*`),
        predicateType,
        predicate,
        githubToken: 'gh-token'
      }
-      await main.run(inputs)
+      await run(inputs)

-      expect(runMock).toHaveReturned()
      expect(setFailedMock).toHaveBeenCalledWith(
        new Error(
-          'Too many subjects specified (1025). The maximum number of subjects is 1024.'
+          'Too many subjects specified (>1024). The maximum number of subjects is 1024.'
        )
      )
    })
@@ -510,7 +493,7 @@ describe('action', () => {
  describe('attestation type detection', () => {
    describe('when sbom-path is provided with predicate inputs', () => {
      it('sets a failed status for conflicting inputs', async () => {
-        const inputs: main.RunInputs = {
+        const inputs: RunInputs = {
          ...defaultInputs,
          subjectDigest,
          subjectName,
@@ -519,9 +502,8 @@ describe('action', () => {
          githubToken: 'gh-token'
        }

-        await main.run(inputs)
+        await run(inputs)

-        expect(runMock).toHaveReturned()
        expect(setFailedMock).toHaveBeenCalledWith(
          new Error(
            'Cannot specify sbom-path together with predicate-type, predicate, or predicate-path'
@@ -532,7 +514,7 @@ describe('action', () => {

    describe('when predicate is provided without predicate-type', () => {
      it('sets a failed status for missing predicate-type', async () => {
-        const inputs: main.RunInputs = {
+        const inputs: RunInputs = {
          ...defaultInputs,
          subjectDigest,
          subjectName,
@@ -540,9 +522,8 @@ describe('action', () => {
          githubToken: 'gh-token'
        }

-        await main.run(inputs)
+        await run(inputs)

-        expect(runMock).toHaveReturned()
        expect(setFailedMock).toHaveBeenCalledWith(
          new Error(
            'predicate-type is required when using predicate or predicate-path'
@@ -552,7 +533,7 @@ describe('action', () => {
    })

    describe('when custom attestation inputs are provided', () => {
-      const inputs: main.RunInputs = {
+      const inputs: RunInputs = {
        ...defaultInputs,
        subjectDigest,
        subjectName,
@@ -575,16 +556,15 @@ describe('action', () => {
      })

      it('logs the attestation type as Custom', async () => {
-        await main.run(inputs)
+        await run(inputs)

-        expect(runMock).toHaveReturned()
        expect(setFailedMock).not.toHaveBeenCalled()
        expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
      })
    })

    describe('when provenance attestation is detected', () => {
-      const inputs: main.RunInputs = {
+      const inputs: RunInputs = {
        ...defaultInputs,
        subjectDigest,
        subjectName,
@@ -597,9 +577,18 @@ describe('action', () => {
      }

      beforeEach(async () => {
-        jest
-          .spyOn(provenance, 'generateProvenancePredicate')
-          .mockResolvedValue(mockProvPredicate)
+        // Configure mock for provenance predicate
+        generateProvenancePredicateMock.mockResolvedValue(mockProvPredicate)
+
+        // Configure mock for createAttestation
+        createAttestationMock.mockResolvedValue({
+          attestationID: '1234567890',
+          certificate:
+            '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
+          tlogID: 'tlog-123',
+          attestationDigest: 'sha256:123456',
+          bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
+        })

        setGHContext({
          payload: { repository: { visibility: 'private' } },
@@ -614,9 +603,8 @@ describe('action', () => {
      })

      it('logs the attestation type as Build Provenance and generates predicate', async () => {
-        await main.run(inputs)
+        await run(inputs)

-        expect(runMock).toHaveReturned()
        expect(setFailedMock).not.toHaveBeenCalled()
        expect(infoMock).toHaveBeenCalledWith(
          'Attestation type: Build Provenance'
@@ -657,7 +645,7 @@ describe('action', () => {
      })

      it('logs the attestation type as SBOM and generates predicate', async () => {
-        const inputs: main.RunInputs = {
+        const inputs: RunInputs = {
          ...defaultInputs,
          subjectDigest,
          subjectName,
@@ -665,9 +653,8 @@ describe('action', () => {
          githubToken: 'gh-token'
        }

-        await main.run(inputs)
+        await run(inputs)

-        expect(runMock).toHaveReturned()
        expect(setFailedMock).not.toHaveBeenCalled()
        expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM')
      })
@@ -675,8 +662,15 @@ describe('action', () => {
  })
 })

-// Stubbing the GitHub context is a bit tricky. We need to use
-// `Object.defineProperty` because `github.context` is read-only.
-function setGHContext(context: object): void {
-  Object.defineProperty(github, 'context', { value: context })
+// Helper to update the mock context
+function setGHContext(context: {
+  repo?: { owner: string; repo: string }
+  payload?: { repository?: { visibility: string } }
+}): void {
+  if (context.repo) {
+    mockContext.repo = context.repo
+  }
+  if (context.payload) {
+    mockContext.payload = context.payload as typeof mockContext.payload
+  }
 }
--- a/tests/predicate.test.ts
+++ b/tests/predicate.test.ts
@@ -11,33 +11,35 @@ describe('subjectFromInputs', () => {
  }

  describe('when no inputs are provided', () => {
-    it('throws an error', () => {
-      expect(() => predicateFromInputs(blankInputs)).toThrow(/predicate-type/i)
+    it('throws an error', async () => {
+      await expect(predicateFromInputs(blankInputs)).rejects.toThrow(
+        /predicate-type/i
+      )
    })
  })

  describe('when neither predicate path nor predicate are provided', () => {
-    it('throws an error', () => {
+    it('throws an error', async () => {
      const inputs: PredicateInputs = {
        ...blankInputs,
        predicateType: 'https://example.com/predicate'
      }

-      expect(() => predicateFromInputs(inputs)).toThrow(
+      await expect(predicateFromInputs(inputs)).rejects.toThrow(
        /one of predicate-path or predicate must be provided/i
      )
    })
  })

  describe('when both predicate path and predicate are provided', () => {
-    it('throws an error', () => {
+    it('throws an error', async () => {
      const inputs: PredicateInputs = {
        predicateType: 'https://example.com/predicate',
        predicate: '{}',
        predicatePath: 'path/to/predicate'
      }

-      expect(() => predicateFromInputs(inputs)).toThrow(
+      await expect(predicateFromInputs(inputs)).rejects.toThrow(
        /only one of predicate-path or predicate may be provided/i
      )
    })
@@ -65,13 +67,13 @@ describe('subjectFromInputs', () => {
      await fs.rm(path.parse(predicatePath).dir, { recursive: true })
    })

-    it('returns the predicate', () => {
+    it('returns the predicate', async () => {
      const inputs: PredicateInputs = {
        ...blankInputs,
        predicateType,
        predicatePath
      }
-      expect(predicateFromInputs(inputs)).toEqual({
+      await expect(predicateFromInputs(inputs)).resolves.toEqual({
        type: predicateType,
        params: JSON.parse(content)
      })
@@ -82,13 +84,15 @@ describe('subjectFromInputs', () => {
    const predicateType = 'https://example.com/predicate'
    const predicatePath = 'foo'

-    it('returns the predicate', () => {
+    it('returns the predicate', async () => {
      const inputs: PredicateInputs = {
        ...blankInputs,
        predicateType,
        predicatePath
      }
-      expect(() => predicateFromInputs(inputs)).toThrow(/file not found/)
+      await expect(predicateFromInputs(inputs)).rejects.toThrow(
+        /file not found/
+      )
    })
  })

@@ -96,14 +100,14 @@ describe('subjectFromInputs', () => {
    const predicateType = 'https://example.com/predicate'
    const content = '{}'

-    it('returns the predicate', () => {
+    it('returns the predicate', async () => {
      const inputs: PredicateInputs = {
        ...blankInputs,
        predicateType,
        predicate: content
      }

-      expect(predicateFromInputs(inputs)).toEqual({
+      await expect(predicateFromInputs(inputs)).resolves.toEqual({
        type: predicateType,
        params: JSON.parse(content)
      })
@@ -114,14 +118,14 @@ describe('subjectFromInputs', () => {
    const predicateType = 'https://example.com/predicate'
    const content = JSON.stringify({ a: 'a'.repeat(16 * 1024 * 1024) })

-    it('throws an error', () => {
+    it('throws an error', async () => {
      const inputs: PredicateInputs = {
        ...blankInputs,
        predicateType,
        predicate: content
      }

-      expect(() => predicateFromInputs(inputs)).toThrow(
+      await expect(predicateFromInputs(inputs)).rejects.toThrow(
        /predicate string exceeds maximum/
      )
    })
--- a/tests/provenance.test.ts
+++ b/tests/provenance.test.ts
@@ -1,10 +1,17 @@
-import { generateProvenancePredicate } from '../src/provenance'
-import { buildSLSAProvenancePredicate } from '@actions/attest'
+import type { Predicate } from '@actions/attest'
+import { jest } from '@jest/globals'

-jest.mock('@actions/attest', () => ({
-  buildSLSAProvenancePredicate: jest.fn()
+// Mock function
+const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise<Predicate>>()
+
+// Mock @actions/attest
+jest.unstable_mockModule('@actions/attest', () => ({
+  buildSLSAProvenancePredicate: mockBuildSLSAProvenancePredicate
 }))

+// Dynamic import after mocking
+const { generateProvenancePredicate } = await import('../src/provenance')
+
 describe('generateProvenancePredicate', () => {
  const mockPredicate = {
    type: 'https://slsa.dev/provenance/v1',
@@ -20,21 +27,19 @@ describe('generateProvenancePredicate', () => {

  beforeEach(() => {
    jest.clearAllMocks()
-    ;(buildSLSAProvenancePredicate as jest.Mock).mockResolvedValue(
-      mockPredicate
-    )
+    mockBuildSLSAProvenancePredicate.mockResolvedValue(mockPredicate)
  })

  it('returns the SLSA provenance predicate', async () => {
    const result = await generateProvenancePredicate()

-    expect(buildSLSAProvenancePredicate).toHaveBeenCalledTimes(1)
+    expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalledTimes(1)
    expect(result).toEqual(mockPredicate)
  })

  it('propagates errors from buildSLSAProvenancePredicate', async () => {
    const error = new Error('Failed to build provenance')
-    ;(buildSLSAProvenancePredicate as jest.Mock).mockRejectedValue(error)
+    mockBuildSLSAProvenancePredicate.mockRejectedValue(error)

    await expect(generateProvenancePredicate()).rejects.toThrow(
      'Failed to build provenance'
--- a/dist/606.index.js
+++ b/dist/606.index.js
@@ -1,7 +1,6 @@
-"use strict";
-exports.id = 606;
-exports.ids = [606];
-exports.modules = {
+export const id = 606;
+export const ids = [606];
+export const modules = {

 /***/ 606:
 /***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
@@ -298,4 +297,3 @@ const pMapSkip = Symbol('skip');
 /***/ })

 };
-;
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/package.json
+++ b/dist/package.json
@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}
--- a/jest.setup.js
+++ b/jest.setup.js
@@ -1 +1,3 @@
+import { jest } from '@jest/globals'
+
 process.stdout.write = jest.fn()
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -4,6 +4,7 @@
  "version": "3.2.0",
  "author": "",
  "private": true,
+  "type": "module",
  "homepage": "https://github.com/actions/attest",
  "repository": {
    "type": "git",
@@ -24,7 +25,7 @@
  },
  "scripts": {
    "bundle": "npm run format:write && npm run package",
-    "ci-test": "jest",
+    "ci-test": "NODE_OPTIONS='--experimental-vm-modules' jest",
    "format:write": "prettier --write **/*.ts",
    "format:check": "prettier --check **/*.ts",
    "lint:eslint": "npx eslint",
@@ -32,12 +33,15 @@
    "lint": "npm run lint:eslint && npm run lint:markdown",
    "package": "ncc build src/index.ts --license licenses.txt",
    "package:watch": "npm run package -- --watch",
-    "test": "jest",
+    "test": "NODE_OPTIONS='--experimental-vm-modules' jest",
    "all": "npm run format:write && npm run lint && npm run test && npm run package"
  },
  "license": "MIT",
  "jest": {
-    "preset": "ts-jest",
+    "preset": "ts-jest/presets/default-esm",
+    "extensionsToTreatAsEsm": [
+      ".ts"
+    ],
    "setupFilesAfterEnv": [
      "./jest.setup.js"
    ],
@@ -56,7 +60,12 @@
      "/dist/"
    ],
    "transform": {
-      "^.+\\.ts$": "ts-jest"
+      "^.+\\.ts$": [
+        "ts-jest",
+        {
+          "useESM": true
+        }
+      ]
    },
    "coverageReporters": [
      "json-summary",
@@ -69,15 +78,16 @@
    ]
  },
  "dependencies": {
-    "@actions/attest": "^2.2.1",
-    "@actions/core": "^2.0.2",
-    "@actions/github": "^7.0.0",
-    "@actions/glob": "^0.5.0",
+    "@actions/attest": "^3.0.0",
+    "@actions/core": "^3.0.0",
+    "@actions/github": "^9.0.0",
+    "@actions/glob": "^0.6.1",
    "@sigstore/oci": "^0.6.0",
    "csv-parse": "^5.6.0"
  },
  "devDependencies": {
    "@eslint/js": "^9.39.2",
+    "@jest/globals": "^30.2.0",
    "@sigstore/mock": "^0.11.0",
    "@types/jest": "^30.0.0",
    "@types/make-fetch-happen": "^10.0.4",
--- a/src/attest.ts
+++ b/src/attest.ts
@@ -5,10 +5,10 @@ import {
  attest,
  createStorageRecord
 } from '@actions/attest'
-import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
-import { formatSubjectDigest } from './subject'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
+import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
+import { formatSubjectDigest } from './subject'

 const OCI_TIMEOUT = 30000
 const OCI_RETRY = 3
--- a/src/main.ts
+++ b/src/main.ts
@@ -1,6 +1,6 @@
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import fs from 'fs'
+import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'
 import { AttestResult, SigstoreInstance, createAttestation } from './attest'
@@ -13,7 +13,7 @@ import {
 import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
 import { PredicateInputs, predicateFromInputs } from './predicate'
 import { generateProvenancePredicate } from './provenance'
-import { parseSBOMFromPath, generateSBOMPredicate } from './sbom'
+import { generateSBOMPredicate, parseSBOMFromPath } from './sbom'
 import * as style from './style'
 import {
  SubjectInputs,
@@ -90,7 +90,7 @@ export async function run(inputs: RunInputs): Promise<void> {
    // Generate predicate based on attestation type
    const predicate = await getPredicateForType(attestationType, inputs)

-    const outputPath = path.join(tempDir(), ATTESTATION_FILE_NAME)
+    const outputPath = path.join(await tempDir(), ATTESTATION_FILE_NAME)
    core.setOutput('bundle-path', outputPath)

    const att = await createAttestation(subjects, predicate, {
@@ -103,7 +103,7 @@ export async function run(inputs: RunInputs): Promise<void> {
    logAttestation(subjects, att, sigstoreInstance)

    // Write attestation bundle to output file
-    fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
+    await fs.writeFile(outputPath, JSON.stringify(att.bundle) + os.EOL, {
      encoding: 'utf-8',
      flag: 'a'
    })
@@ -113,7 +113,7 @@ export async function run(inputs: RunInputs): Promise<void> {
    if (baseDir) {
      const outputSummaryPath = path.join(baseDir, ATTESTATION_PATHS_FILE_NAME)
      // Append the output path to the attestations paths file
-      fs.appendFileSync(outputSummaryPath, outputPath + os.EOL, {
+      await fs.appendFile(outputSummaryPath, outputPath + os.EOL, {
        encoding: 'utf-8',
        flag: 'a'
      })
@@ -128,6 +128,7 @@ export async function run(inputs: RunInputs): Promise<void> {
      core.setOutput('attestation-id', att.attestationID)
      core.setOutput('attestation-url', attestationURL(att.attestationID))
    }
+
    if (att.storageRecordIds) {
      core.setOutput('storage-record-ids', att.storageRecordIds.join(','))
    }
@@ -220,7 +221,7 @@ const logSummary = async (attestation: AttestResult): Promise<void> => {
  }
 }

-const tempDir = (): string => {
+const tempDir = async (): Promise<string> => {
  const basePath = process.env['RUNNER_TEMP']

  /* istanbul ignore if */
@@ -228,7 +229,7 @@ const tempDir = (): string => {
    throw new Error('Missing RUNNER_TEMP environment variable')
  }

-  return fs.mkdtempSync(path.join(basePath, path.sep))
+  return fs.mkdtemp(path.join(basePath, path.sep))
 }

 const attestationURL = (id: string): string =>
--- a/src/predicate.ts
+++ b/src/predicate.ts
@@ -1,4 +1,4 @@
-import fs from 'fs'
+import fs from 'fs/promises'

 import type { Predicate } from '@actions/attest'

@@ -12,7 +12,9 @@ const MAX_PREDICATE_SIZE_BYTES = 16 * 1024 * 1024

 // Returns the predicate specified by the action's inputs. The predicate value
 // may be specified as a path to a file or as a string.
-export const predicateFromInputs = (inputs: PredicateInputs): Predicate => {
+export const predicateFromInputs = async (
+  inputs: PredicateInputs
+): Promise<Predicate> => {
  const { predicateType, predicate, predicatePath } = inputs

  if (!predicateType) {
@@ -30,18 +32,22 @@ export const predicateFromInputs = (inputs: PredicateInputs): Predicate => {
  let params: string = predicate

  if (predicatePath) {
-    if (!fs.existsSync(predicatePath)) {
+    try {
+      await fs.access(predicatePath)
+    } catch {
      throw new Error(`predicate file not found: ${predicatePath}`)
    }

+    const stat = await fs.stat(predicatePath)
+
    /* istanbul ignore next */
-    if (fs.statSync(predicatePath).size > MAX_PREDICATE_SIZE_BYTES) {
+    if (stat.size > MAX_PREDICATE_SIZE_BYTES) {
      throw new Error(
        `predicate file exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
      )
    }

-    params = fs.readFileSync(predicatePath, 'utf-8')
+    params = await fs.readFile(predicatePath, 'utf-8')
  } else {
    if (predicate.length > MAX_PREDICATE_SIZE_BYTES) {
      throw new Error(
--- a/src/sbom.ts
+++ b/src/sbom.ts
@@ -1,4 +1,4 @@
-import fs from 'fs'
+import fs from 'fs/promises'

 import type { Predicate } from '@actions/attest'

@@ -11,18 +11,24 @@ export type SBOM = {
 const MAX_SBOM_SIZE_BYTES = 16 * 1024 * 1024

 export const parseSBOMFromPath = async (filePath: string): Promise<SBOM> => {
-  if (!fs.existsSync(filePath)) {
-    throw new Error(`SBOM file not found: ${filePath}`)
+  let stats
+  try {
+    stats = await fs.stat(filePath)
+  } catch (error) {
+    const err = error as NodeJS.ErrnoException
+    if (err.code === 'ENOENT') {
+      throw new Error('SBOM file not found')
+    }
+    throw error
  }

-  const stats = fs.statSync(filePath)
  if (stats.size > MAX_SBOM_SIZE_BYTES) {
    throw new Error(
      `SBOM file exceeds maximum allowed size: ${MAX_SBOM_SIZE_BYTES} bytes`
    )
  }

-  const fileContent = await fs.promises.readFile(filePath, 'utf8')
+  const fileContent = await fs.readFile(filePath, 'utf8')
  const sbom = JSON.parse(fileContent) as object

  if (checkIsSPDX(sbom)) {
--- a/src/subject.ts
+++ b/src/subject.ts
@@ -2,7 +2,8 @@ import * as glob from '@actions/glob'
 import assert from 'assert'
 import crypto from 'crypto'
 import { parse } from 'csv-parse/sync'
-import fs from 'fs'
+import { createReadStream } from 'fs'
+import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'

@@ -64,7 +65,7 @@ export const subjectFromInputs = async (
    case !!subjectDigest:
      return [getSubjectFromDigest(subjectDigest, name)]
    case !!subjectChecksums:
-      return getSubjectFromChecksums(subjectChecksums)
+      return await getSubjectFromChecksums(subjectChecksums)
    /* istanbul ignore next */
    default:
      // This should be unreachable, but TS requires a default case
@@ -93,13 +94,18 @@ const getSubjectFromPath = async (
  // Expand the globbed paths to a list of actual paths
  const paths = await glob.create(subjectPaths).then(async g => g.glob())

-  // Filter path list to just the files (not directories)
-  const files = paths.filter(p => fs.statSync(p).isFile())
-
-  if (files.length > MAX_SUBJECT_COUNT) {
-    throw new Error(
-      `Too many subjects specified (${files.length}). The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
-    )
+  // Filter path list to just the files (not directories), enforcing the maximum
+  const files: string[] = []
+  for (const p of paths) {
+    const stat = await fs.stat(p)
+    if (stat.isFile()) {
+      if (files.length >= MAX_SUBJECT_COUNT) {
+        throw new Error(
+          `Too many subjects specified (>${MAX_SUBJECT_COUNT}). The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
+        )
+      }
+      files.push(p)
+    }
  }

  for (const file of files) {
@@ -142,16 +148,21 @@ const getSubjectFromDigest = (
  }
 }

-const getSubjectFromChecksums = (subjectChecksums: string): Subject[] => {
-  if (fs.existsSync(subjectChecksums)) {
+const getSubjectFromChecksums = async (
+  subjectChecksums: string
+): Promise<Subject[]> => {
+  try {
+    await fs.access(subjectChecksums)
    return getSubjectFromChecksumsFile(subjectChecksums)
-  } else {
+  } catch {
    return getSubjectFromChecksumsString(subjectChecksums)
  }
 }

-const getSubjectFromChecksumsFile = (checksumsPath: string): Subject[] => {
-  const stats = fs.statSync(checksumsPath)
+const getSubjectFromChecksumsFile = async (
+  checksumsPath: string
+): Promise<Subject[]> => {
+  const stats = await fs.stat(checksumsPath)
  if (!stats.isFile()) {
    throw new Error(`subject checksums file not found: ${checksumsPath}`)
  }
@@ -163,7 +174,7 @@ const getSubjectFromChecksumsFile = (checksumsPath: string): Subject[] => {
    )
  }

-  const checksums = fs.readFileSync(checksumsPath, 'utf-8')
+  const checksums = await fs.readFile(checksumsPath, 'utf-8')
  return getSubjectFromChecksumsString(checksums)
 }

@@ -218,7 +229,7 @@ const digestFile = async (
 ): Promise<string> => {
  return new Promise((resolve, reject) => {
    const hash = crypto.createHash(algorithm).setEncoding('hex')
-    fs.createReadStream(filePath)
+    createReadStream(filePath)
      .once('error', reject)
      .pipe(hash)
      .once('finish', () => resolve(hash.read()))
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -2,9 +2,9 @@
  "$schema": "https://json.schemastore.org/tsconfig",
  "compilerOptions": {
    "target": "ES2022",
-    "module": "NodeNext",
+    "module": "ESNext",
    "rootDir": "./src",
-    "moduleResolution": "NodeNext",
+    "moduleResolution": "Bundler",
    "isolatedModules": true,
    "baseUrl": "./",
    "sourceMap": true,