improved checksum parsing (#280 )

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Upgrade to Node 24 (#276 )
2025-08-26 16:07:15 -07:00 · 2025-08-26 16:06:47 -07:00 · 2025-08-26 16:05:21 -07:00 · 2025-08-26 15:47:27 -07:00 · 2025-08-14 14:29:58 -07:00 · 2025-08-14 14:27:34 -07:00
19 changed files with 14725 additions and 3351 deletions
--- a/.github/linters/.yaml-lint.yml
+++ b/.github/linters/.yaml-lint.yml
@@ -1,10 +0,0 @@
-rules:
-  document-end: disable
-  document-start:
-    level: warning
-    present: false
-  line-length:
-    level: warning
-    max: 80
-    allow-non-breakable-words: true
-    allow-non-breakable-inline-mappings: true
--- a/.github/linters/tsconfig.json
+++ b/.github/linters/tsconfig.json
@@ -1,9 +0,0 @@
-{
-  "$schema": "https://json.schemastore.org/tsconfig",
-  "extends": "../../tsconfig.json",
-  "compilerOptions": {
-    "noEmit": true
-  },
-  "include": ["../../__tests__/**/*", "../../src/**/*"],
-  "exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"]
-}
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -28,7 +28,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Setup Node.js
        id: setup-node
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup Node.js
        id: setup-node
@@ -58,7 +58,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Calculate subject digest
        id: subject
        env:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -32,7 +32,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Initialize CodeQL
        id: initialize
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -1,54 +0,0 @@
-name: Lint Codebase
-
-on:
-  pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-  packages: read
-  statuses: write
-
-jobs:
-  lint:
-    name: Lint Codebase
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        id: setup-node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: .node-version
-          cache: npm
-
-      - name: Install Dependencies
-        id: install
-        run: npm ci
-
-      - name: Lint Codebase
-        id: super-linter
-        uses: super-linter/super-linter/slim@v7.4.0
-        env:
-          DEFAULT_BRANCH: main
-          FILTER_REGEX_EXCLUDE: dist/**/*
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TYPESCRIPT_DEFAULT_STYLE: prettier
-          VALIDATE_ALL_CODEBASE: true
-          VALIDATE_JAVASCRIPT_STANDARD: false
-          VALIDATE_TYPESCRIPT_STANDARD: false
-          VALIDATE_TYPESCRIPT_ES: false
-          VALIDATE_JSCPD: false
-
-      - name: Run eslint
-        run: npm run lint:eslint
--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -1,22 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-permissions: {}
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Checking out
-        uses: actions/checkout@v4
-      - name: Publish
-        id: publish
-        uses: actions/publish-immutable-action@v0.0.4
--- a/.github/linters/.markdown-lint.yml
+++ b/.github/linters/.markdown-lint.yml
--- a/.node-version
+++ b/.node-version
@@ -1 +1 @@
-20.6.0
+24.5.0
--- a/tests/subject.test.ts
+++ b/tests/subject.test.ts
@@ -473,6 +473,13 @@ badline
              '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
          }
        })
+        expect(subjects).toContainEqual({
+          name: 'demo_0.0.1_darwin_arm64',
+          digest: {
+            sha512:
+              '5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718'
+          }
+        })
      })
    })
  })
@@ -480,8 +487,8 @@ badline
  describe('when specifying a subject checksums string', () => {
    const checksums = `
 f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_linux_386
-187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d  demo_0.0.1_linux_amd64
-9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5  demo_0.0.1_linux_arm64`
+187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64
+9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 demo_0.0.1_linux_arm64`

    it('returns the multiple subjects', async () => {
      const inputs: SubjectInputs = {
@@ -500,6 +507,20 @@ f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_lin
            'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
        }
      })
+      expect(subjects).toContainEqual({
+        name: 'demo_0.0.1_linux_amd64',
+        digest: {
+          sha256:
+            '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
+        }
+      })
+      expect(subjects).toContainEqual({
+        name: 'demo_0.0.1_linux_arm64',
+        digest: {
+          sha256:
+            '9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5'
+        }
+      })
    })
  })

--- a/action.yml
+++ b/action.yml
@@ -73,5 +73,5 @@ outputs:
    description: 'The URL for the attestation summary.'

 runs:
-  using: node20
+  using: node24
  main: ./dist/index.js
--- a/dist/index.js
+++ b/dist/index.js
--- a/.github/linters/eslint.config.mjs
+++ b/.github/linters/eslint.config.mjs
@@ -1,13 +1,14 @@
 import eslint from '@eslint/js'
 import importplugin from 'eslint-plugin-import'
 import jestplugin from 'eslint-plugin-jest'
+import path from 'node:path'
 import tseslint from 'typescript-eslint'

 export default tseslint.config(
  // Ignore non-project files
  {
    name: 'ignore',
-    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
+    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs']
  },
  // Use recommended rules from ESLint, TypeScript, and other plugins
  eslint.configs.recommended,
@@ -21,7 +22,7 @@ export default tseslint.config(
    languageOptions: {
      ecmaVersion: 2023,
      parserOptions: {
-        project: ['./.github/linters/tsconfig.json', './tsconfig.json']
+        project: [ './tsconfig.lint.json' ]
      }
    },
    rules: {
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "actions/attest",
  "description": "Generate signed attestations for workflow artifacts",
-  "version": "2.4.0",
+  "version": "3.0.0",
  "author": "",
  "private": true,
  "homepage": "https://github.com/actions/attest",
@@ -20,15 +20,15 @@
    ".": "./dist/index.js"
  },
  "engines": {
-    "node": ">=20"
+    "node": ">=24"
  },
  "scripts": {
    "bundle": "npm run format:write && npm run package",
    "ci-test": "jest",
    "format:write": "prettier --write **/*.ts",
    "format:check": "prettier --check **/*.ts",
-    "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
-    "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
+    "lint:eslint": "npx eslint",
+    "lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"",
    "lint": "npm run lint:eslint && npm run lint:markdown",
    "package": "ncc build src/index.ts --license licenses.txt",
    "package:watch": "npm run package -- --watch",
@@ -73,27 +73,27 @@
    "@actions/core": "^1.11.1",
    "@actions/github": "^6.0.1",
    "@actions/glob": "^0.5.0",
-    "@sigstore/oci": "^0.5.0",
+    "@sigstore/oci": "^0.6.0",
    "csv-parse": "^5.6.0"
  },
  "devDependencies": {
-    "@eslint/js": "^9.28.0",
-    "@sigstore/mock": "^0.10.0",
-    "@types/jest": "^29.5.14",
+    "@eslint/js": "^9.34.0",
+    "@sigstore/mock": "^0.11.0",
+    "@types/jest": "^30.0.0",
    "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^22.15.30",
+    "@types/node": "^24.3.0",
    "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.28.0",
-    "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-jest": "^28.13.0",
-    "jest": "^29.7.0",
+    "eslint": "^9.34.0",
+    "eslint-plugin-import": "^2.32.0",
+    "eslint-plugin-jest": "^29.0.1",
+    "jest": "^30.0.5",
    "js-yaml": "^4.1.0",
    "markdownlint-cli": "^0.45.0",
    "nock": "^13.5.6",
-    "prettier": "^3.5.3",
-    "ts-jest": "^29.3.4",
-    "typescript": "^5.8.3",
-    "typescript-eslint": "^8.34.0",
+    "prettier": "^3.6.2",
+    "ts-jest": "^29.4.1",
+    "typescript": "^5.9.2",
+    "typescript-eslint": "^8.41.0",
    "undici": "^5.29.0"
  }
 }
--- a/src/main.ts
+++ b/src/main.ts
@@ -81,6 +81,7 @@ export async function run(inputs: RunInputs): Promise<void> {
    })

    const baseDir = process.env.RUNNER_TEMP
+    /* istanbul ignore else */
    if (baseDir) {
      const outputSummaryPath = path.join(baseDir, ATTESTATION_PATHS_FILE_NAME)
      // Append the output path to the attestations paths file
@@ -94,11 +95,13 @@ export async function run(inputs: RunInputs): Promise<void> {
      )
    }

+    /* istanbul ignore else */
    if (att.attestationID) {
      core.setOutput('attestation-id', att.attestationID)
      core.setOutput('attestation-url', attestationURL(att.attestationID))
    }

+    /* istanbul ignore else */
    if (inputs.showSummary) {
      await logSummary(att)
    }
@@ -156,6 +159,7 @@ const logAttestation = (
    core.info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`)
  }

+  /* istanbul ignore else */
  if (attestation.attestationID) {
    core.info(style.highlight('Attestation uploaded to repository'))
    core.info(attestationURL(attestation.attestationID))
@@ -171,6 +175,7 @@ const logAttestation = (
 const logSummary = async (attestation: AttestResult): Promise<void> => {
  const { attestationID } = attestation

+  /* istanbul ignore else */
  if (attestationID) {
    const url = attestationURL(attestationID)
    core.summary.addHeading('Attestation Created', 3)
--- a/src/subject.ts
+++ b/src/subject.ts
@@ -181,8 +181,14 @@ const getSubjectFromChecksumsString = (checksums: string): Subject[] => {
      continue
    }

-    // Swallow the type identifier character at the beginning of the name
-    const name = record.slice(delimIndex + 2)
+    // It's common for checksum records to have a leading flag character before
+    // the artifact name. It will be either a '*' or a space.
+    const flag_and_name = record.slice(delimIndex + 1)
+    const name =
+      flag_and_name.startsWith('*') || flag_and_name.startsWith(' ')
+        ? flag_and_name.slice(1)
+        : flag_and_name
+
    const digest = record.slice(0, delimIndex)

    if (!HEX_STRING_RE.test(digest)) {
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -5,6 +5,7 @@
    "module": "NodeNext",
    "rootDir": "./src",
    "moduleResolution": "NodeNext",
+    "isolatedModules": true,
    "baseUrl": "./",
    "sourceMap": true,
    "outDir": "./dist",
--- a/tsconfig.lint.json
+++ b/tsconfig.lint.json
@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "noEmit": true
+  },
+  "include": ["./__tests__/**/*", "./src/**/*"],
+  "exclude": ["./dist", "./node_modules", "./coverage", "*.json"]
+}
@@ -1 +1 @@
 .6.0
 .5.0