refactor core attestation logic (#73)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
This commit is contained in:
Brian DeHamer
2024-05-28 11:00:03 -07:00
committed by GitHub
parent 3ff4eb4c69
commit faa6467995
5 changed files with 250 additions and 154 deletions

15
__tests__/style.test.ts Normal file
View File

@@ -0,0 +1,15 @@
import { highlight, mute } from '../src/style'
describe('style', () => {
describe('highlight', () => {
it('adds cyan color to the string', () => {
expect(highlight('foo')).toBe('\x1B[36mfoo\x1B[39m')
})
})
describe('mute', () => {
it('adds gray color to the string', () => {
expect(mute('foo')).toBe('\x1B[38;5;244mfoo\x1B[39m')
})
})
})

174
dist/index.js generated vendored
View File

@@ -79896,6 +79896,63 @@ function wrappy (fn, cb) {
}
/***/ }),
/***/ 26056:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.createAttestation = void 0;
const attest_1 = __nccwpck_require__(74113);
const oci_1 = __nccwpck_require__(47353);
const OCI_TIMEOUT = 2000;
const OCI_RETRY = 3;
const createAttestation = async (subject, predicate, opts) => {
// Sign provenance w/ Sigstore
const attestation = await (0, attest_1.attest)({
subjectName: subject.name,
subjectDigest: subject.digest,
predicateType: predicate.type,
predicate: predicate.params,
sigstore: opts.sigstoreInstance,
token: opts.githubToken
});
const subDigest = subjectDigest(subject);
const result = {
...attestation,
subjectName: subject.name,
subjectDigest: subDigest
};
if (opts.pushToRegistry) {
const credentials = (0, oci_1.getRegistryCredentials)(subject.name);
const artifact = await (0, oci_1.attachArtifactToImage)({
credentials,
imageName: subject.name,
imageDigest: subDigest,
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
mediaType: attestation.bundle.mediaType,
annotations: {
'dev.sigstore.bundle.content': 'dsse-envelope',
'dev.sigstore.bundle.predicateType': predicate.type
},
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
});
// Add the attestation's digest to the result
result.attestationDigest = artifact.digest;
}
return result;
};
exports.createAttestation = createAttestation;
// Returns the subject's digest as a formatted string of the form
// "<algorithm>:<digest>".
const subjectDigest = (subject) => {
const alg = Object.keys(subject.digest).sort()[0];
return `${alg}:${subject.digest[alg]}`;
};
/***/ }),
/***/ 69112:
@@ -80000,22 +80057,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.run = void 0;
const attest_1 = __nccwpck_require__(74113);
const core = __importStar(__nccwpck_require__(42186));
const github = __importStar(__nccwpck_require__(95438));
const oci_1 = __nccwpck_require__(47353);
const fs_1 = __importDefault(__nccwpck_require__(57147));
const os_1 = __importDefault(__nccwpck_require__(22037));
const path_1 = __importDefault(__nccwpck_require__(71017));
const attest_1 = __nccwpck_require__(26056);
const endpoints_1 = __nccwpck_require__(69112);
const predicate_1 = __nccwpck_require__(72103);
const style = __importStar(__nccwpck_require__(41583));
const subject_1 = __nccwpck_require__(95206);
const COLOR_CYAN = '\x1B[36m';
const COLOR_GRAY = '\x1B[38;5;244m';
const COLOR_DEFAULT = '\x1B[39m';
const ATTESTATION_FILE_NAME = 'attestation.jsonl';
const OCI_TIMEOUT = 2000;
const OCI_RETRY = 3;
/* istanbul ignore next */
const logHandler = (level, ...args) => {
// Send any HTTP-related log events to the GitHub Actions debug log
@@ -80047,6 +80099,7 @@ async function run(inputs) {
});
const predicate = (0, predicate_1.predicateFromInputs)(inputs);
const outputPath = path_1.default.join(tempDir(), ATTESTATION_FILE_NAME);
core.setOutput('bundle-path', outputPath);
const subjectChunks = chunkArray(subjects, inputs.batchSize);
let chunkCount = 0;
// Generate attestations for each subject serially, working in batches
@@ -80059,31 +80112,21 @@ async function run(inputs) {
core.info(`Processing subject batch ${chunkCount}/${subjectChunks.length}`);
}
for (const subject of subjectChunk) {
const att = await createAttestation(subject, predicate, {
const att = await (0, attest_1.createAttestation)(subject, predicate, {
sigstoreInstance,
pushToRegistry: inputs.pushToRegistry,
githubToken: inputs.githubToken
});
atts.push(att);
logAttestation(att, sigstoreInstance);
// Write attestation bundle to output file
fs_1.default.writeFileSync(outputPath, JSON.stringify(att.bundle) + os_1.default.EOL, {
encoding: 'utf-8',
flag: 'a'
});
if (att.attestationID) {
atts.push({ subject, attestationID: att.attestationID });
}
}
}
if (atts.length > 0) {
core.summary.addHeading(
/* istanbul ignore next */
atts.length > 1 ? 'Attestations Created' : 'Attestation Created', 3);
for (const { subject, attestationID } of atts) {
core.summary.addLink(`${subject.name}@${subjectDigest(subject)}`, attestationURL(attestationID));
}
core.summary.write();
}
core.setOutput('bundle-path', outputPath);
logSummary(atts);
}
catch (err) {
// Fail the workflow run if an error occurs
@@ -80092,7 +80135,7 @@ async function run(inputs) {
/* istanbul ignore if */
if (err instanceof Error && 'cause' in err) {
const innerErr = err.cause;
core.info(mute(innerErr instanceof Error ? innerErr.toString() : `${innerErr}`));
core.info(style.mute(innerErr instanceof Error ? innerErr.toString() : `${innerErr}`));
}
}
finally {
@@ -80100,53 +80143,40 @@ async function run(inputs) {
}
}
exports.run = run;
const createAttestation = async (subject, predicate, opts) => {
// Sign provenance w/ Sigstore
const attestation = await (0, attest_1.attest)({
subjectName: subject.name,
subjectDigest: subject.digest,
predicateType: predicate.type,
predicate: predicate.params,
sigstore: opts.sigstoreInstance,
token: opts.githubToken
});
core.info(`Attestation created for ${subject.name}@${subjectDigest(subject)}`);
const instanceName = opts.sigstoreInstance === 'public-good' ? 'Public Good' : 'GitHub';
core.startGroup(highlight(`Attestation signed using certificate from ${instanceName} Sigstore instance`));
// Log details about the attestation to the GitHub Actions run
const logAttestation = (attestation, sigstoreInstance) => {
core.info(`Attestation created for ${attestation.subjectName}@${attestation.subjectDigest}`);
const instanceName = sigstoreInstance === 'public-good' ? 'Public Good' : 'GitHub';
core.startGroup(style.highlight(`Attestation signed using certificate from ${instanceName} Sigstore instance`));
core.info(attestation.certificate);
core.endGroup();
if (attestation.tlogID) {
core.info(highlight('Attestation signature uploaded to Rekor transparency log'));
core.info(style.highlight('Attestation signature uploaded to Rekor transparency log'));
core.info(`${endpoints_1.SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`);
}
if (attestation.attestationID) {
core.info(highlight('Attestation uploaded to repository'));
core.info(style.highlight('Attestation uploaded to repository'));
core.info(attestationURL(attestation.attestationID));
}
if (opts.pushToRegistry) {
const credentials = (0, oci_1.getRegistryCredentials)(subject.name);
const artifact = await (0, oci_1.attachArtifactToImage)({
credentials,
imageName: subject.name,
imageDigest: subjectDigest(subject),
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
mediaType: attestation.bundle.mediaType,
annotations: {
'dev.sigstore.bundle.content': 'dsse-envelope',
'dev.sigstore.bundle.predicateType': core.getInput('predicate-type')
},
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
});
core.info(highlight('Attestation uploaded to registry'));
core.info(`${subject.name}@${artifact.digest}`);
if (attestation.attestationDigest) {
core.info(style.highlight('Attestation uploaded to registry'));
core.info(`${attestation.subjectName}@${attestation.attestationDigest}`);
}
};
// Attach summary information to the GitHub Actions run
const logSummary = (attestations) => {
if (attestations.length > 0) {
core.summary.addHeading(
/* istanbul ignore next */
attestations.length > 1 ? 'Attestations Created' : 'Attestation Created', 3);
for (const { subjectName, subjectDigest, attestationID } of attestations) {
if (attestationID) {
core.summary.addLink(`${subjectName}@${subjectDigest}`, attestationURL(attestationID));
}
}
core.summary.write();
}
return attestation;
};
// Emphasis string using ANSI color codes
const highlight = (str) => `${COLOR_CYAN}${str}${COLOR_DEFAULT}`;
// De-emphasize string using ANSI color codes
/* istanbul ignore next */
const mute = (str) => `${COLOR_GRAY}${str}${COLOR_DEFAULT}`;
const tempDir = () => {
const basePath = process.env['RUNNER_TEMP'];
/* istanbul ignore if */
@@ -80160,12 +80190,6 @@ const tempDir = () => {
const chunkArray = (array, chunkSize) => {
return Array.from({ length: Math.ceil(array.length / chunkSize) }, (_, index) => array.slice(index * chunkSize, (index + 1) * chunkSize));
};
// Returns the subject's digest as a formatted string of the form
// "<algorithm>:<digest>".
const subjectDigest = (subject) => {
const alg = Object.keys(subject.digest).sort()[0];
return `${alg}:${subject.digest[alg]}`;
};
const attestationURL = (id) => `${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/attestations/${id}`;
@@ -80203,6 +80227,26 @@ const predicateFromInputs = (inputs) => {
exports.predicateFromInputs = predicateFromInputs;
/***/ }),
/***/ 41583:
/***/ ((__unused_webpack_module, exports) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.mute = exports.highlight = void 0;
const COLOR_CYAN = '\x1B[36m';
const COLOR_GRAY = '\x1B[38;5;244m';
const COLOR_DEFAULT = '\x1B[39m';
// Emphasis string using ANSI color codes
const highlight = (str) => `${COLOR_CYAN}${str}${COLOR_DEFAULT}`;
exports.highlight = highlight;
// De-emphasize string using ANSI color codes
const mute = (str) => `${COLOR_GRAY}${str}${COLOR_DEFAULT}`;
exports.mute = mute;
/***/ }),
/***/ 95206:

67
src/attest.ts Normal file
View File

@@ -0,0 +1,67 @@
import { Attestation, Predicate, Subject, attest } from '@actions/attest'
import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
const OCI_TIMEOUT = 2000
const OCI_RETRY = 3
export type SigstoreInstance = 'public-good' | 'github'
export type AttestResult = Attestation & {
subjectName: string
subjectDigest: string
attestationDigest?: string
}
export const createAttestation = async (
subject: Subject,
predicate: Predicate,
opts: {
sigstoreInstance: SigstoreInstance
pushToRegistry: boolean
githubToken: string
}
): Promise<AttestResult> => {
// Sign provenance w/ Sigstore
const attestation = await attest({
subjectName: subject.name,
subjectDigest: subject.digest,
predicateType: predicate.type,
predicate: predicate.params,
sigstore: opts.sigstoreInstance,
token: opts.githubToken
})
const subDigest = subjectDigest(subject)
const result: AttestResult = {
...attestation,
subjectName: subject.name,
subjectDigest: subDigest
}
if (opts.pushToRegistry) {
const credentials = getRegistryCredentials(subject.name)
const artifact = await attachArtifactToImage({
credentials,
imageName: subject.name,
imageDigest: subDigest,
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
mediaType: attestation.bundle.mediaType,
annotations: {
'dev.sigstore.bundle.content': 'dsse-envelope',
'dev.sigstore.bundle.predicateType': predicate.type
},
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
})
// Add the attestation's digest to the result
result.attestationDigest = artifact.digest
}
return result
}
// Returns the subject's digest as a formatted string of the form
// "<algorithm>:<digest>".
const subjectDigest = (subject: Subject): string => {
const alg = Object.keys(subject.digest).sort()[0]
return `${alg}:${subject.digest[alg]}`
}

View File

@@ -1,30 +1,20 @@
import { Attestation, Predicate, Subject, attest } from '@actions/attest'
import * as core from '@actions/core'
import * as github from '@actions/github'
import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
import fs from 'fs'
import os from 'os'
import path from 'path'
import { AttestResult, SigstoreInstance, createAttestation } from './attest'
import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
import { PredicateInputs, predicateFromInputs } from './predicate'
import * as style from './style'
import { SubjectInputs, subjectFromInputs } from './subject'
type SigstoreInstance = 'public-good' | 'github'
type AttestedSubject = { subject: Subject; attestationID: string }
const COLOR_CYAN = '\x1B[36m'
const COLOR_GRAY = '\x1B[38;5;244m'
const COLOR_DEFAULT = '\x1B[39m'
const ATTESTATION_FILE_NAME = 'attestation.jsonl'
const OCI_TIMEOUT = 2000
const OCI_RETRY = 3
export type RunInputs = SubjectInputs &
PredicateInputs & {
pushToRegistry: boolean
githubToken: string
// undocumented
privateSigning: boolean
batchSize: number
batchDelay: number
@@ -55,7 +45,7 @@ export async function run(inputs: RunInputs): Promise<void> {
: 'github'
try {
const atts: AttestedSubject[] = []
const atts: AttestResult[] = []
if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
throw new Error(
'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
@@ -67,7 +57,9 @@ export async function run(inputs: RunInputs): Promise<void> {
downcaseName: inputs.pushToRegistry
})
const predicate = predicateFromInputs(inputs)
const outputPath = path.join(tempDir(), ATTESTATION_FILE_NAME)
core.setOutput('bundle-path', outputPath)
const subjectChunks = chunkArray(subjects, inputs.batchSize)
let chunkCount = 0
@@ -91,36 +83,19 @@ export async function run(inputs: RunInputs): Promise<void> {
pushToRegistry: inputs.pushToRegistry,
githubToken: inputs.githubToken
})
atts.push(att)
logAttestation(att, sigstoreInstance)
// Write attestation bundle to output file
fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
encoding: 'utf-8',
flag: 'a'
})
if (att.attestationID) {
atts.push({ subject, attestationID: att.attestationID })
}
}
}
if (atts.length > 0) {
core.summary.addHeading(
/* istanbul ignore next */
atts.length > 1 ? 'Attestations Created' : 'Attestation Created',
3
)
for (const { subject, attestationID } of atts) {
core.summary.addLink(
`${subject.name}@${subjectDigest(subject)}`,
attestationURL(attestationID)
)
}
core.summary.write()
}
core.setOutput('bundle-path', outputPath)
logSummary(atts)
} catch (err) {
// Fail the workflow run if an error occurs
core.setFailed(
@@ -132,7 +107,9 @@ export async function run(inputs: RunInputs): Promise<void> {
if (err instanceof Error && 'cause' in err) {
const innerErr = err.cause
core.info(
mute(innerErr instanceof Error ? innerErr.toString() : `${innerErr}`)
style.mute(
innerErr instanceof Error ? innerErr.toString() : `${innerErr}`
)
)
}
} finally {
@@ -140,31 +117,19 @@ export async function run(inputs: RunInputs): Promise<void> {
}
}
const createAttestation = async (
subject: Subject,
predicate: Predicate,
opts: {
sigstoreInstance: SigstoreInstance
pushToRegistry: boolean
githubToken: string
}
): Promise<Attestation> => {
// Sign provenance w/ Sigstore
const attestation = await attest({
subjectName: subject.name,
subjectDigest: subject.digest,
predicateType: predicate.type,
predicate: predicate.params,
sigstore: opts.sigstoreInstance,
token: opts.githubToken
})
core.info(`Attestation created for ${subject.name}@${subjectDigest(subject)}`)
// Log details about the attestation to the GitHub Actions run
const logAttestation = (
attestation: AttestResult,
sigstoreInstance: SigstoreInstance
): void => {
core.info(
`Attestation created for ${attestation.subjectName}@${attestation.subjectDigest}`
)
const instanceName =
opts.sigstoreInstance === 'public-good' ? 'Public Good' : 'GitHub'
sigstoreInstance === 'public-good' ? 'Public Good' : 'GitHub'
core.startGroup(
highlight(
style.highlight(
`Attestation signed using certificate from ${instanceName} Sigstore instance`
)
)
@@ -173,43 +138,44 @@ const createAttestation = async (
if (attestation.tlogID) {
core.info(
highlight('Attestation signature uploaded to Rekor transparency log')
style.highlight(
'Attestation signature uploaded to Rekor transparency log'
)
)
core.info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`)
}
if (attestation.attestationID) {
core.info(highlight('Attestation uploaded to repository'))
core.info(style.highlight('Attestation uploaded to repository'))
core.info(attestationURL(attestation.attestationID))
}
if (opts.pushToRegistry) {
const credentials = getRegistryCredentials(subject.name)
const artifact = await attachArtifactToImage({
credentials,
imageName: subject.name,
imageDigest: subjectDigest(subject),
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
mediaType: attestation.bundle.mediaType,
annotations: {
'dev.sigstore.bundle.content': 'dsse-envelope',
'dev.sigstore.bundle.predicateType': core.getInput('predicate-type')
},
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
})
core.info(highlight('Attestation uploaded to registry'))
core.info(`${subject.name}@${artifact.digest}`)
if (attestation.attestationDigest) {
core.info(style.highlight('Attestation uploaded to registry'))
core.info(`${attestation.subjectName}@${attestation.attestationDigest}`)
}
return attestation
}
// Emphasis string using ANSI color codes
const highlight = (str: string): string => `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
// Attach summary information to the GitHub Actions run
const logSummary = (attestations: AttestResult[]): void => {
if (attestations.length > 0) {
core.summary.addHeading(
/* istanbul ignore next */
attestations.length > 1 ? 'Attestations Created' : 'Attestation Created',
3
)
// De-emphasize string using ANSI color codes
/* istanbul ignore next */
const mute = (str: string): string => `${COLOR_GRAY}${str}${COLOR_DEFAULT}`
for (const { subjectName, subjectDigest, attestationID } of attestations) {
if (attestationID) {
core.summary.addLink(
`${subjectName}@${subjectDigest}`,
attestationURL(attestationID)
)
}
}
core.summary.write()
}
}
const tempDir = (): string => {
const basePath = process.env['RUNNER_TEMP']
@@ -231,12 +197,5 @@ const chunkArray = <T>(array: T[], chunkSize: number): T[][] => {
)
}
// Returns the subject's digest as a formatted string of the form
// "<algorithm>:<digest>".
const subjectDigest = (subject: Subject): string => {
const alg = Object.keys(subject.digest).sort()[0]
return `${alg}:${subject.digest[alg]}`
}
const attestationURL = (id: string): string =>
`${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/attestations/${id}`

11
src/style.ts Normal file
View File

@@ -0,0 +1,11 @@
const COLOR_CYAN = '\x1B[36m'
const COLOR_GRAY = '\x1B[38;5;244m'
const COLOR_DEFAULT = '\x1B[39m'
// Emphasis string using ANSI color codes
export const highlight = (str: string): string =>
`${COLOR_CYAN}${str}${COLOR_DEFAULT}`
// De-emphasize string using ANSI color codes
export const mute = (str: string): string =>
`${COLOR_GRAY}${str}${COLOR_DEFAULT}`