Bump the npm-development group with 3 updates (#55)

* Bump the npm-development group with 3 updates

Bumps the npm-development group with 3 updates: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) and [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli).


Updates `@types/node` from 20.12.7 to 20.12.10
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-jest` from 28.3.0 to 28.5.0
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v28.3.0...v28.5.0)

Updates `markdownlint-cli` from 0.39.0 to 0.40.0
- [Release notes](https://github.com/igorshubovych/markdownlint-cli/releases)
- [Commits](https://github.com/igorshubovych/markdownlint-cli/compare/v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: markdownlint-cli
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>

* re-generate dist

Signed-off-by: Brian DeHamer <bdehamer@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Brian DeHamer <bdehamer@github.com>

.github/linters/.eslintrc.yml

@@ -41,6 +41,8 @@ rules:
     'eslint-comments/no-unused-disable': 'off',
     'i18n-text/no-en': 'off',
     'import/no-namespace': 'off',
+    'import/no-unresolved':
+      ['error', { 'ignore': ['csv-parse/sync']}],
     'no-console': 'off',
     'no-unused-vars': 'off',
     'prettier/prettier': 'error',

.github/workflows/linter.yml

@@ -47,3 +47,4 @@ jobs:
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
+          VALIDATE_GITHUB_ACTIONS: false

README.md

@@ -18,9 +18,12 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
-Attestations can be verified using the `attestation` command in the [GitHub
+Attestations can be verified using the [`attestation` command in the GitHub
 CLI][5].
 
+See [Using artifact attestations to establish provenance for builds][9] for more
+information on artifact attestations.
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -48,7 +51,7 @@ attest:
        predicate-path: '<PATH TO PREDICATE>'
    ```
 
-   The `subject-path` parameter should identity the artifact for which you want
+   The `subject-path` parameter should identify the artifact for which you want
    to generate an attestation. The `predicate-type` can be any of the the
    [vetted predicate types][3] or a custom value. The `predicate-path`
    identifies a file containg the JSON-encoded predicate parameters.
@@ -61,10 +64,11 @@ See [action.yml](action.yml)
 - uses: actions/attest@v1
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest".
+    # specify exactly one of "subject-path" or "subject-digest". May contain
+    # a glob pattern or list of paths (total subject count cannot exceed 64).
     subject-path:
 
-    # SHA256 digest of the subject for for the attestation. Must be in the form
+    # SHA256 digest of the subject for the attestation. Must be in the form
     # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
     # of "subject-path" or "subject-digest".
     subject-digest:
@@ -225,8 +229,10 @@ jobs:
 [3]:
   https://github.com/in-toto/attestation/tree/main/spec/predicates#in-toto-attestation-predicates
 [4]: https://www.sigstore.dev/
-[5]: https://cli.github.com/
+[5]: https://cli.github.com/manual/gh_attestation_verify
 [6]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
 [7]: https://jsonlines.org/
 [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
+[9]:
+  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

RELEASE.md

@@ -11,6 +11,14 @@ Follow the steps below to tag a new release for the `actions/attest` action.
    gh release create vX.X.X
    ```
 
+1. Move (or create) the major version tag to point to the same commit tagged
+   above:
+
+   ```shell
+   git tag -fa vX -m "vX"
+   git push origin vX --force
+   ```
+
 1. As appropriate, update any actions like
    [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance)
    and [`actions/attest-sbom`](https://github.com/actions/attest-sbom) which

__tests__/main.test.ts

@@ -5,12 +5,14 @@
  * Specifically, the inputs listed in `action.yml` should be set as environment
  * variables following the pattern `INPUT_<INPUT_NAME>`.
  */
-
 import * as core from '@actions/core'
 import * as github from '@actions/github'
 import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
 import * as oci from '@sigstore/oci'
+import fs from 'fs/promises'
 import nock from 'nock'
+import os from 'os'
+import path from 'path'
 import { MockAgent, setGlobalDispatcher } from 'undici'
 import { SEARCH_PUBLIC_GOOD_URL } from '../src/endpoints'
 import * as main from '../src/main'
@@ -114,7 +116,9 @@ describe('action', () => {
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
-        expect.stringMatching(/missing "id-token" permission/)
+        new Error(
+          'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
+        )
       )
     })
   })
@@ -129,9 +133,7 @@ describe('action', () => {
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
-        expect.stringMatching(
-          /one of subject-path or subject-digest must be provided/i
-        )
+        new Error('One of subject-path or subject-digest must be provided')
       )
     })
   })
@@ -286,6 +288,54 @@ describe('action', () => {
       expect(setFailedMock).not.toHaveBeenCalled()
     })
   })
+
+  describe('when too many subjects are specified', () => {
+    let dir = ''
+
+    beforeEach(async () => {
+      const filename = 'subject'
+      const content = 'file content'
+
+      // Set-up temp directory
+      const tmpDir = await fs.realpath(os.tmpdir())
+      dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      // Add files for glob testing
+      for (let i = 0; i < 65; i++) {
+        await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
+      }
+
+      // Set the GH context with private repository visibility and a repo owner.
+      setGHContext({
+        payload: { repository: { visibility: 'private' } },
+        repo: { owner: 'foo', repo: 'bar' }
+      })
+
+      // Mock the action's inputs
+      getInputMock.mockImplementation(
+        mockInput({
+          predicate: '{}',
+          'subject-path': path.join(dir, `${filename}-*`)
+        })
+      )
+    })
+
+    afterEach(async () => {
+      // Clean-up temp directory
+      await fs.rm(dir, { recursive: true })
+    })
+
+    it('sets a failed status', async () => {
+      await main.run()
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).toHaveBeenCalledWith(
+        new Error(
+          'Too many subjects specified. The maximum number of subjects is 64.'
+        )
+      )
+    })
+  })
 })
 
 function mockInput(inputs: Record<string, string>): typeof core.getInput {

__tests__/subject.test.ts

@@ -142,6 +142,7 @@ describe('subjectFromInputs', () => {
       // Add files for glob testing
       for (let i = 0; i < 3; i++) {
         await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
+        await fs.writeFile(path.join(dir, `other-${i}`), content)
       }
     })
 
@@ -201,5 +202,104 @@ describe('subjectFromInputs', () => {
         })
       })
     })
+
+    describe('when a file glob is supplied which also matches non-files', () => {
+      beforeEach(async () => {
+        process.env['INPUT_SUBJECT-PATH'] = `${dir}*`
+      })
+
+      it('returns the subjects (excluding non-files)', async () => {
+        const subjects = await subjectFromInputs()
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(7)
+      })
+    })
+
+    describe('when a comma-separated list is supplied', () => {
+      beforeEach(async () => {
+        process.env['INPUT_SUBJECT-PATH'] =
+          `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
+      })
+
+      it('returns the multiple subjects', async () => {
+        const subjects = await subjectFromInputs()
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-1',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
+
+    describe('when a multi-line list is supplied', () => {
+      beforeEach(async () => {
+        process.env['INPUT_SUBJECT-PATH'] =
+          `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
+      })
+
+      it('returns the multiple subjects', async () => {
+        const subjects = await subjectFromInputs()
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
+
+    describe('when a multi-line glob list is supplied', () => {
+      beforeEach(async () => {
+        process.env['INPUT_SUBJECT-PATH'] =
+          `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
+      })
+
+      it('returns the multiple subjects', async () => {
+        const subjects = await subjectFromInputs()
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(6)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-1',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+
+        expect(subjects).toContainEqual({
+          name: 'other-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'other-1',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'other-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
   })
 })

action.yml

@@ -1,16 +1,20 @@
 name: 'Generate Generic Attestations'
 description: 'Generate attestations for build artifacts'
 author: 'GitHub'
+branding:
+  color: 'blue'
+  icon: 'link'
 
 inputs:
   subject-path:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
-      specify exactly one of "subject-path" or "subject-digest".
+      specify exactly one of "subject-path" or "subject-digest". May contain a
+      glob pattern or list of paths (total subject count cannot exceed 64).
     required: false
   subject-digest:
     description: >
-      Digest of the subject for for the attestation. Must be in the form
+      Digest of the subject for the attestation. Must be in the form
       "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
       of "subject-path" or "subject-digest".
     required: false
@@ -52,4 +56,4 @@ outputs:
 
 runs:
   using: node20
-  main: ./dist/index.js
+  main: ./dist/index.js

dist/licenses.txt

@@ -1511,6 +1511,31 @@ IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
+csv-parse
+MIT
+The MIT License (MIT)
+
+Copyright (c) 2010 Adaltas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+
 debug
 MIT
 (The MIT License)
@@ -2862,6 +2887,25 @@ will be liable to anyone for any damages related to this
 software or this license, under any kind of legal claim.***
 
 
+proc-log
+ISC
+The ISC License
+
+Copyright (c) GitHub, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+
 promise-retry
 MIT
 Copyright (c) 2014 IndigoUnited

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -72,24 +72,25 @@
     "@actions/attest": "^1.2.1",
     "@actions/core": "^1.10.1",
     "@actions/glob": "^0.4.0",
-    "@sigstore/oci": "^0.3.0"
+    "@sigstore/oci": "^0.3.2",
+    "csv-parse": "^5.5.5"
   },
   "devDependencies": {
     "@sigstore/mock": "^0.7.2",
     "@types/jest": "^29.5.12",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^20.12.7",
-    "@typescript-eslint/eslint-plugin": "^7.7.1",
-    "@typescript-eslint/parser": "^7.7.1",
+    "@types/node": "^20.12.10",
+    "@typescript-eslint/eslint-plugin": "^7.8.0",
+    "@typescript-eslint/parser": "^7.8.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
     "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^28.2.0",
+    "eslint-plugin-jest": "^28.5.0",
     "eslint-plugin-jsonc": "^2.15.1",
     "eslint-plugin-prettier": "^5.1.3",
     "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.39.0",
+    "markdownlint-cli": "^0.40.0",
     "nock": "^13.5.4",
     "prettier": "^3.2.5",
     "prettier-eslint": "^16.3.0",

src/main.ts

@@ -13,14 +13,30 @@ type SigstoreInstance = 'public-good' | 'github'
 type AttestedSubject = { subject: Subject; attestationID: string }
 
 const COLOR_CYAN = '\x1B[36m'
+const COLOR_GRAY = '\x1B[38;5;244m'
 const COLOR_DEFAULT = '\x1B[39m'
 const ATTESTATION_FILE_NAME = 'attestation.jsonl'
 
+const MAX_SUBJECT_COUNT = 64
+
+const OCI_TIMEOUT = 2000
+const OCI_RETRY = 3
+
+/* istanbul ignore next */
+const logHandler = (level: string, ...args: unknown[]): void => {
+  // Send any HTTP-related log events to the GitHub Actions debug log
+  if (level === 'http') {
+    core.debug(args.join(' '))
+  }
+}
+
 /**
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
 export async function run(): Promise<void> {
+  process.on('log', logHandler)
+
   // Provenance visibility will be public ONLY if we can confirm that the
   // repository is public AND the undocumented "private-signing" arg is NOT set.
   // Otherwise, it will be private.
@@ -38,8 +54,14 @@ export async function run(): Promise<void> {
       )
     }
 
-    // Calculate subject from inputs and generate provenance
+    // Gather list of subjets
     const subjects = await subjectFromInputs()
+    if (subjects.length > MAX_SUBJECT_COUNT) {
+      throw new Error(
+        `Too many subjects specified. The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
+      )
+    }
+
     const predicate = predicateFromInputs()
     const outputPath = path.join(tempDir(), ATTESTATION_FILE_NAME)
 
@@ -78,14 +100,19 @@ export async function run(): Promise<void> {
   } catch (err) {
     // Fail the workflow run if an error occurs
     core.setFailed(
-      err instanceof Error ? err.message : /* istanbul ignore next */ `${err}`
+      err instanceof Error ? err : /* istanbul ignore next */ `${err}`
     )
 
+    // Log the cause of the error if one is available
     /* istanbul ignore if */
     if (err instanceof Error && 'cause' in err) {
       const innerErr = err.cause
-      core.debug(innerErr instanceof Error ? innerErr.message : `${innerErr}}`)
+      core.info(
+        mute(innerErr instanceof Error ? innerErr.toString() : `${innerErr}`)
+      )
     }
+  } finally {
+    process.removeListener('log', logHandler)
   }
 }
 
@@ -139,7 +166,8 @@ const createAttestation = async (
       annotations: {
         'dev.sigstore.bundle.content': 'dsse-envelope',
         'dev.sigstore.bundle.predicateType': core.getInput('predicate-type')
-      }
+      },
+      fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
     })
     core.info(highlight('Attestation uploaded to registry'))
     core.info(`${subject.name}@${artifact.digest}`)
@@ -148,8 +176,13 @@ const createAttestation = async (
   return attestation
 }
 
+// Emphasis string using ANSI color codes
 const highlight = (str: string): string => `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
 
+// De-emphasize string using ANSI color codes
+/* istanbul ignore next */
+const mute = (str: string): string => `${COLOR_GRAY}${str}${COLOR_DEFAULT}`
+
 const tempDir = (): string => {
   const basePath = process.env['RUNNER_TEMP']
 

src/subject.ts

@@ -1,6 +1,7 @@
 import * as core from '@actions/core'
 import * as glob from '@actions/glob'
 import crypto from 'crypto'
+import { parse } from 'csv-parse/sync'
 import fs from 'fs'
 import path from 'path'
 
@@ -44,14 +45,28 @@ const getSubjectFromPath = async (
   subjectPath: string,
   subjectName?: string
 ): Promise<Subject[]> => {
-  /* eslint-disable-next-line github/no-then */
-  const files = await glob.create(subjectPath).then(async g => g.glob())
+  const subjects: Subject[] = []
 
-  const subjects = files.map(async file => {
-    const name = subjectName || path.parse(file).base
-    const digest = await digestFile(DIGEST_ALGORITHM, file)
-    return { name, digest: { [DIGEST_ALGORITHM]: digest } }
-  })
+  // Parse the list of subject paths
+  const subjectPaths = parseList(subjectPath)
+
+  for (const subPath of subjectPaths) {
+    // Expand the globbed path to a list of files
+    /* eslint-disable-next-line github/no-then */
+    const files = await glob.create(subPath).then(async g => g.glob())
+
+    for (const file of files) {
+      // Skip anything that is NOT a file
+      if (!fs.statSync(file).isFile()) {
+        continue
+      }
+
+      const name = subjectName || path.parse(file).base
+      const digest = await digestFile(DIGEST_ALGORITHM, file)
+
+      subjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
+    }
+  }
 
   if (subjects.length === 0) {
     throw new Error(`Could not find subject at path ${subjectPath}`)
@@ -94,3 +109,20 @@ const digestFile = async (
       .once('finish', () => resolve(hash.read()))
   })
 }
+
+const parseList = (input: string): string[] => {
+  const res: string[] = []
+
+  const records: string[][] = parse(input, {
+    columns: false,
+    relaxQuotes: true,
+    relaxColumnCount: true,
+    skipEmptyLines: true
+  })
+
+  for (const record of records) {
+    res.push(...record)
+  }
+
+  return res.filter(item => item).map(pat => pat.trim())
+}