improved checksum parsing (#280)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.github/linters/.yaml-lint.yml

@@ -1,10 +0,0 @@
-rules:
-  document-end: disable
-  document-start:
-    level: warning
-    present: false
-  line-length:
-    level: warning
-    max: 80
-    allow-non-breakable-words: true
-    allow-non-breakable-inline-mappings: true

.github/linters/tsconfig.json

@@ -1,9 +0,0 @@
-{
-  "$schema": "https://json.schemastore.org/tsconfig",
-  "extends": "../../tsconfig.json",
-  "compilerOptions": {
-    "noEmit": true
-  },
-  "include": ["../../__tests__/**/*", "../../src/**/*"],
-  "exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"]
-}

.github/workflows/check-dist.yml

@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Node.js
         id: setup-node

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Node.js
         id: setup-node
@@ -58,7 +58,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Calculate subject digest
         id: subject
         env:

.github/workflows/codeql-analysis.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Initialize CodeQL
         id: initialize

.github/workflows/linter.yml

@@ -1,54 +0,0 @@
-name: Lint Codebase
-
-on:
-  pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-  packages: read
-  statuses: write
-
-jobs:
-  lint:
-    name: Lint Codebase
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        id: setup-node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: .node-version
-          cache: npm
-
-      - name: Install Dependencies
-        id: install
-        run: npm ci
-
-      - name: Lint Codebase
-        id: super-linter
-        uses: super-linter/super-linter/slim@v7.4.0
-        env:
-          DEFAULT_BRANCH: main
-          FILTER_REGEX_EXCLUDE: dist/**/*
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TYPESCRIPT_DEFAULT_STYLE: prettier
-          VALIDATE_ALL_CODEBASE: true
-          VALIDATE_JAVASCRIPT_STANDARD: false
-          VALIDATE_TYPESCRIPT_STANDARD: false
-          VALIDATE_TYPESCRIPT_ES: false
-          VALIDATE_JSCPD: false
-
-      - name: Run eslint
-        run: npm run lint:eslint

.github/workflows/publish-immutable-actions.yml

@@ -1,22 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-permissions: {}
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Checking out
-        uses: actions/checkout@v4
-      - name: Publish
-        id: publish
-        uses: actions/publish-immutable-action@v0.0.4

.node-version

@@ -1 +1 @@
-20.6.0
+24.5.0

__tests__/subject.test.ts

@@ -473,6 +473,13 @@ badline
               '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
           }
         })
+        expect(subjects).toContainEqual({
+          name: 'demo_0.0.1_darwin_arm64',
+          digest: {
+            sha512:
+              '5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718'
+          }
+        })
       })
     })
   })
@@ -480,8 +487,8 @@ badline
   describe('when specifying a subject checksums string', () => {
     const checksums = `
 f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_linux_386
-187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d  demo_0.0.1_linux_amd64
+187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64
-9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5  demo_0.0.1_linux_arm64`
+9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 demo_0.0.1_linux_arm64`
 
     it('returns the multiple subjects', async () => {
       const inputs: SubjectInputs = {
@@ -500,6 +507,20 @@ f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_lin
             'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
         }
       })
+      expect(subjects).toContainEqual({
+        name: 'demo_0.0.1_linux_amd64',
+        digest: {
+          sha256:
+            '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
+        }
+      })
+      expect(subjects).toContainEqual({
+        name: 'demo_0.0.1_linux_arm64',
+        digest: {
+          sha256:
+            '9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5'
+        }
+      })
     })
   })
 

action.yml

@@ -73,5 +73,5 @@ outputs:
     description: 'The URL for the attestation summary.'
 
 runs:
-  using: node20
+  using: node24
   main: ./dist/index.js

eslint.config.mjs

@@ -1,13 +1,14 @@
 import eslint from '@eslint/js'
 import importplugin from 'eslint-plugin-import'
 import jestplugin from 'eslint-plugin-jest'
+import path from 'node:path'
 import tseslint from 'typescript-eslint'
 
 export default tseslint.config(
   // Ignore non-project files
   {
     name: 'ignore',
-    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
+    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs']
   },
   // Use recommended rules from ESLint, TypeScript, and other plugins
   eslint.configs.recommended,
@@ -21,7 +22,7 @@ export default tseslint.config(
     languageOptions: {
       ecmaVersion: 2023,
       parserOptions: {
-        project: ['./.github/linters/tsconfig.json', './tsconfig.json']
+        project: [ './tsconfig.lint.json' ]
       }
     },
     rules: {

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "2.4.0",
+  "version": "3.0.0",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -20,15 +20,15 @@
     ".": "./dist/index.js"
   },
   "engines": {
-    "node": ">=20"
+    "node": ">=24"
   },
   "scripts": {
     "bundle": "npm run format:write && npm run package",
     "ci-test": "jest",
     "format:write": "prettier --write **/*.ts",
     "format:check": "prettier --check **/*.ts",
-    "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
+    "lint:eslint": "npx eslint",
-    "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
+    "lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"",
     "lint": "npm run lint:eslint && npm run lint:markdown",
     "package": "ncc build src/index.ts --license licenses.txt",
     "package:watch": "npm run package -- --watch",
@@ -73,27 +73,27 @@
     "@actions/core": "^1.11.1",
     "@actions/github": "^6.0.1",
     "@actions/glob": "^0.5.0",
-    "@sigstore/oci": "^0.5.0",
+    "@sigstore/oci": "^0.6.0",
     "csv-parse": "^5.6.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.28.0",
+    "@eslint/js": "^9.34.0",
-    "@sigstore/mock": "^0.10.0",
+    "@sigstore/mock": "^0.11.0",
-    "@types/jest": "^29.5.14",
+    "@types/jest": "^30.0.0",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^22.15.30",
+    "@types/node": "^24.3.0",
     "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.28.0",
+    "eslint": "^9.34.0",
-    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-import": "^2.32.0",
-    "eslint-plugin-jest": "^28.13.0",
+    "eslint-plugin-jest": "^29.0.1",
-    "jest": "^29.7.0",
+    "jest": "^30.0.5",
     "js-yaml": "^4.1.0",
     "markdownlint-cli": "^0.45.0",
     "nock": "^13.5.6",
-    "prettier": "^3.5.3",
+    "prettier": "^3.6.2",
-    "ts-jest": "^29.3.4",
+    "ts-jest": "^29.4.1",
-    "typescript": "^5.8.3",
+    "typescript": "^5.9.2",
-    "typescript-eslint": "^8.34.0",
+    "typescript-eslint": "^8.41.0",
     "undici": "^5.29.0"
   }
 }

src/main.ts

@@ -81,6 +81,7 @@ export async function run(inputs: RunInputs): Promise<void> {
     })
 
     const baseDir = process.env.RUNNER_TEMP
+    /* istanbul ignore else */
     if (baseDir) {
       const outputSummaryPath = path.join(baseDir, ATTESTATION_PATHS_FILE_NAME)
       // Append the output path to the attestations paths file
@@ -94,11 +95,13 @@ export async function run(inputs: RunInputs): Promise<void> {
       )
     }
 
+    /* istanbul ignore else */
     if (att.attestationID) {
       core.setOutput('attestation-id', att.attestationID)
       core.setOutput('attestation-url', attestationURL(att.attestationID))
     }
 
+    /* istanbul ignore else */
     if (inputs.showSummary) {
       await logSummary(att)
     }
@@ -156,6 +159,7 @@ const logAttestation = (
     core.info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`)
   }
 
+  /* istanbul ignore else */
   if (attestation.attestationID) {
     core.info(style.highlight('Attestation uploaded to repository'))
     core.info(attestationURL(attestation.attestationID))
@@ -171,6 +175,7 @@ const logAttestation = (
 const logSummary = async (attestation: AttestResult): Promise<void> => {
   const { attestationID } = attestation
 
+  /* istanbul ignore else */
   if (attestationID) {
     const url = attestationURL(attestationID)
     core.summary.addHeading('Attestation Created', 3)

src/subject.ts

@@ -181,8 +181,14 @@ const getSubjectFromChecksumsString = (checksums: string): Subject[] => {
       continue
     }
 
-    // Swallow the type identifier character at the beginning of the name
+    // It's common for checksum records to have a leading flag character before
-    const name = record.slice(delimIndex + 2)
+    // the artifact name. It will be either a '*' or a space.
+    const flag_and_name = record.slice(delimIndex + 1)
+    const name =
+      flag_and_name.startsWith('*') || flag_and_name.startsWith(' ')
+        ? flag_and_name.slice(1)
+        : flag_and_name
+
     const digest = record.slice(0, delimIndex)
 
     if (!HEX_STRING_RE.test(digest)) {

tsconfig.json

@@ -5,6 +5,7 @@
     "module": "NodeNext",
     "rootDir": "./src",
     "moduleResolution": "NodeNext",
+    "isolatedModules": true,
     "baseUrl": "./",
     "sourceMap": true,
     "outDir": "./dist",

tsconfig.lint.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "noEmit": true
+  },
+  "include": ["./__tests__/**/*", "./src/**/*"],
+  "exclude": ["./dist", "./node_modules", "./coverage", "*.json"]
+}