
Brian DeHamer
0fdba851bc bump @sigstore/oci from 0.3.6 to 0.3.7 (#90)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-06-13 14:22:50 -07:00
Brian DeHamer
b24527d9cb Bump @actions/attest from 1.2.1 to 1.3.0 (#89)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-06-12 13:17:25 -07:00
3 changed files with 62 additions and 55 deletions

dist/index.js generated vendored

@@ -116,22 +116,16 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.signingEndpoints = exports.SIGSTORE_GITHUB = exports.SIGSTORE_PUBLIC_GOOD = void 0;
exports.signingEndpoints = exports.SIGSTORE_PUBLIC_GOOD = void 0;
const github = __importStar(__nccwpck_require__(95438));
const PUBLIC_GOOD_ID = 'public-good';
const GITHUB_ID = 'github';
const FULCIO_PUBLIC_GOOD_URL = 'https://fulcio.sigstore.dev';
const REKOR_PUBLIC_GOOD_URL = 'https://rekor.sigstore.dev';
const FULCIO_INTERNAL_URL = 'https://fulcio.githubapp.com';
const TSA_INTERNAL_URL = 'https://timestamp.githubapp.com';
exports.SIGSTORE_PUBLIC_GOOD = {
fulcioURL: FULCIO_PUBLIC_GOOD_URL,
rekorURL: REKOR_PUBLIC_GOOD_URL
};
exports.SIGSTORE_GITHUB = {
fulcioURL: FULCIO_INTERNAL_URL,
tsaServerURL: TSA_INTERNAL_URL
};
const signingEndpoints = (sigstore) => {
var _a;
let instance;
@@ -150,10 +144,21 @@ const signingEndpoints = (sigstore) => {
case PUBLIC_GOOD_ID:
return exports.SIGSTORE_PUBLIC_GOOD;
case GITHUB_ID:
return exports.SIGSTORE_GITHUB;
return buildGitHubEndpoints();
}
};
exports.signingEndpoints = signingEndpoints;
function buildGitHubEndpoints() {
const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';
let host = new URL(serverURL).hostname;
if (host === 'github.com') {
host = 'githubapp.com';
}
return {
fulcioURL: `https://fulcio.${host}`,
tsaServerURL: `https://timestamp.${host}`
};
}
//# sourceMappingURL=endpoints.js.map
/***/ }),
@@ -254,6 +259,7 @@ const REQUIRED_CLAIMS = [
'sha',
'repository',
'event_name',
'job_workflow_ref',
'workflow_ref',
'repository_id',
'repository_owner_id',
@@ -346,8 +352,7 @@ exports.attestProvenance = exports.buildSLSAProvenancePredicate = void 0;
const attest_1 = __nccwpck_require__(46373);
const oidc_1 = __nccwpck_require__(95847);
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner';
const GITHUB_BUILD_TYPE = 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1';
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1';
const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
/**
* Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
@@ -383,7 +388,8 @@ const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void
github: {
event_name: claims.event_name,
repository_id: claims.repository_id,
repository_owner_id: claims.repository_owner_id
repository_owner_id: claims.repository_owner_id,
runner_environment: claims.runner_environment
}
},
resolvedDependencies: [
@@ -397,7 +403,7 @@ const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void
},
runDetails: {
builder: {
id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
id: `${serverURL}/${claims.job_workflow_ref}`
},
metadata: {
invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`
@@ -478,6 +484,7 @@ const initBundleBuilder = (opts) => {
witnesses.push(new sign_1.RekorWitness({
rekorBaseURL: opts.rekorURL,
entryType: 'dsse',
fetchOnConflict: true,
timeout,
retry
}));
@@ -11751,7 +11758,7 @@ class OCIImage {
// the referrers API but still reports a subjectDigest).
const referrersSupported = await __classPrivateFieldGet(this, _OCIImage_client, "f").pingReferrers();
// Manually update the referrers list if the referrers API is not supported.
if (!referrersSupported) {
if (!artifactDescriptor.subjectDigest || !referrersSupported) {
// Strip subjectDigest from the artifact descriptor (in case it was returned)
/* eslint-disable-next-line @typescript-eslint/no-unused-vars */
const { subjectDigest, ...descriptor } = artifactDescriptor;
@@ -94351,7 +94358,7 @@ exports.parse = parse;
/***/ ((module) => {
"use strict";
module.exports = {"i8":"2.3.1"};
module.exports = {"i8":"2.3.2"};
/***/ }),

package-lock.json generated

@@ -1,18 +1,18 @@
{
"name": "actions/attest",
"version": "1.2.1",
"version": "1.3.1",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "actions/attest",
"version": "1.2.1",
"version": "1.3.1",
"license": "MIT",
"dependencies": {
"@actions/attest": "^1.2.1",
"@actions/attest": "^1.3.0",
"@actions/core": "^1.10.1",
"@actions/glob": "^0.4.0",
"@sigstore/oci": "^0.3.6",
"@sigstore/oci": "^0.3.7",
"csv-parse": "^5.5.6"
},
"devDependencies": {
@@ -51,16 +51,16 @@
}
},
"node_modules/@actions/attest": {
"version": "1.2.1",
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.2.1.tgz",
"integrity": "sha512-ZLfmO6o2x3UL2BG++oIHMPx5kApWr8Uy1cgiiafXpHgamsqFUPjUtcp0/gpOaXkxUZftdVno7NwBTisw8qr9UA==",
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.0.tgz",
"integrity": "sha512-Xmv+HIefU8PMx3q+BwGmL28MLyQ2FF05ROZjH+iuoQ9q43qzmbJmmzou3NBOSspUa1N2nVtirPq7jPj9g8AMEg==",
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@actions/http-client": "^2.2.1",
"@octokit/plugin-retry": "^6.0.1",
"@sigstore/bundle": "^2.3.0",
"@sigstore/sign": "^2.3.0",
"@sigstore/bundle": "^2.3.2",
"@sigstore/sign": "^2.3.2",
"jsonwebtoken": "^9.0.2",
"jwks-rsa": "^3.1.0"
}
@@ -1689,11 +1689,11 @@
}
},
"node_modules/@sigstore/bundle": {
"version": "2.3.1",
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.1.tgz",
"integrity": "sha512-eqV17lO3EIFqCWK3969Rz+J8MYrRZKw9IBHpSo6DEcEX2c+uzDFOgHE9f2MnyDpfs48LFO4hXmk9KhQ74JzU1g==",
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.2.tgz",
"integrity": "sha512-wueKWDk70QixNLB363yHc2D2ItTgYiMTdPwK8D9dKQMR3ZQ0c35IxP5xnwQ8cNLoCgCRcHf14kE+CLIvNX1zmA==",
"dependencies": {
"@sigstore/protobuf-specs": "^0.3.1"
"@sigstore/protobuf-specs": "^0.3.2"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
@@ -1729,9 +1729,9 @@
}
},
"node_modules/@sigstore/oci": {
"version": "0.3.6",
"resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.6.tgz",
"integrity": "sha512-nv/uHEHj6AbzGcBg1Cs7EsetB0M+N8GW1wYA26KQT6ymirv5UWUtqx9L1hbJjClpQ6/8R0vYXCpunvic2O1jfg==",
"version": "0.3.7",
"resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.7.tgz",
"integrity": "sha512-1JmebwEXil+NVzugFURbC+D3Vzj6WyTI1B+7damUk94dWXamE9cJ057iSo72rupiSozM6N7lVMjtD1c/P5Rrrw==",
"dependencies": {
"make-fetch-happen": "^13.0.1",
"proc-log": "^4.2.0"
@@ -1749,13 +1749,13 @@
}
},
"node_modules/@sigstore/sign": {
"version": "2.3.1",
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.1.tgz",
"integrity": "sha512-YZ71wKIOweC8ViUeZXboz0iPLqMkskxuoeN/D1CEpAyZvEepbX9oRMIoO6a/DxUqO1VEaqmcmmqzSiqtOsvSmw==",
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.2.tgz",
"integrity": "sha512-5Vz5dPVuunIIvC5vBb0APwo7qKA4G9yM48kPWJT+OEERs40md5GoUR1yedwpekWZ4m0Hhw44m6zU+ObsON+iDA==",
"dependencies": {
"@sigstore/bundle": "^2.3.0",
"@sigstore/bundle": "^2.3.2",
"@sigstore/core": "^1.0.0",
"@sigstore/protobuf-specs": "^0.3.1",
"@sigstore/protobuf-specs": "^0.3.2",
"make-fetch-happen": "^13.0.1",
"proc-log": "^4.2.0",
"promise-retry": "^2.0.1"
@@ -8666,16 +8666,16 @@
"dev": true
},
"@actions/attest": {
"version": "1.2.1",
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.2.1.tgz",
"integrity": "sha512-ZLfmO6o2x3UL2BG++oIHMPx5kApWr8Uy1cgiiafXpHgamsqFUPjUtcp0/gpOaXkxUZftdVno7NwBTisw8qr9UA==",
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.0.tgz",
"integrity": "sha512-Xmv+HIefU8PMx3q+BwGmL28MLyQ2FF05ROZjH+iuoQ9q43qzmbJmmzou3NBOSspUa1N2nVtirPq7jPj9g8AMEg==",
"requires": {
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@actions/http-client": "^2.2.1",
"@octokit/plugin-retry": "^6.0.1",
"@sigstore/bundle": "^2.3.0",
"@sigstore/sign": "^2.3.0",
"@sigstore/bundle": "^2.3.2",
"@sigstore/sign": "^2.3.2",
"jsonwebtoken": "^9.0.2",
"jwks-rsa": "^3.1.0"
}
@@ -9807,11 +9807,11 @@
"dev": true
},
"@sigstore/bundle": {
"version": "2.3.1",
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.1.tgz",
"integrity": "sha512-eqV17lO3EIFqCWK3969Rz+J8MYrRZKw9IBHpSo6DEcEX2c+uzDFOgHE9f2MnyDpfs48LFO4hXmk9KhQ74JzU1g==",
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.2.tgz",
"integrity": "sha512-wueKWDk70QixNLB363yHc2D2ItTgYiMTdPwK8D9dKQMR3ZQ0c35IxP5xnwQ8cNLoCgCRcHf14kE+CLIvNX1zmA==",
"requires": {
"@sigstore/protobuf-specs": "^0.3.1"
"@sigstore/protobuf-specs": "^0.3.2"
}
},
"@sigstore/core": {
@@ -9838,9 +9838,9 @@
}
},
"@sigstore/oci": {
"version": "0.3.6",
"resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.6.tgz",
"integrity": "sha512-nv/uHEHj6AbzGcBg1Cs7EsetB0M+N8GW1wYA26KQT6ymirv5UWUtqx9L1hbJjClpQ6/8R0vYXCpunvic2O1jfg==",
"version": "0.3.7",
"resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.7.tgz",
"integrity": "sha512-1JmebwEXil+NVzugFURbC+D3Vzj6WyTI1B+7damUk94dWXamE9cJ057iSo72rupiSozM6N7lVMjtD1c/P5Rrrw==",
"requires": {
"make-fetch-happen": "^13.0.1",
"proc-log": "^4.2.0"
@@ -9852,13 +9852,13 @@
"integrity": "sha512-c6B0ehIWxMI8wiS/bj6rHMPqeFvngFV7cDU/MY+B16P9Z3Mp9k8L93eYZ7BYzSickzuqAQqAq0V956b3Ju6mLw=="
},
"@sigstore/sign": {
"version": "2.3.1",
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.1.tgz",
"integrity": "sha512-YZ71wKIOweC8ViUeZXboz0iPLqMkskxuoeN/D1CEpAyZvEepbX9oRMIoO6a/DxUqO1VEaqmcmmqzSiqtOsvSmw==",
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.2.tgz",
"integrity": "sha512-5Vz5dPVuunIIvC5vBb0APwo7qKA4G9yM48kPWJT+OEERs40md5GoUR1yedwpekWZ4m0Hhw44m6zU+ObsON+iDA==",
"requires": {
"@sigstore/bundle": "^2.3.0",
"@sigstore/bundle": "^2.3.2",
"@sigstore/core": "^1.0.0",
"@sigstore/protobuf-specs": "^0.3.1",
"@sigstore/protobuf-specs": "^0.3.2",
"make-fetch-happen": "^13.0.1",
"proc-log": "^4.2.0",
"promise-retry": "^2.0.1"


@@ -1,7 +1,7 @@
{
"name": "actions/attest",
"description": "Generate signed attestations for workflow artifacts",
"version": "1.2.1",
"version": "1.3.1",
"author": "",
"private": true,
"homepage": "https://github.com/actions/attest",
@@ -69,10 +69,10 @@
]
},
"dependencies": {
"@actions/attest": "^1.2.1",
"@actions/attest": "^1.3.0",
"@actions/core": "^1.10.1",
"@actions/glob": "^0.4.0",
"@sigstore/oci": "^0.3.6",
"@sigstore/oci": "^0.3.7",
"csv-parse": "^5.5.6"
},
"devDependencies": {