Bump @sigstore/oci from 0.4.0 to 0.5.0 (#235 )

* bump @sigstore/oci from 0.4.0 to 0.5.0 Signed-off-by: Brian DeHamer <bdehamer@github.com> * bump package version to 2.3.0 Signed-off-by: Brian DeHamer <bdehamer@github.com> * update @babel/helpers from 7.22.13 to 7.27.0 Signed-off-by: Brian DeHamer <bdehamer@github.com> --------- Signed-off-by: Brian DeHamer <bdehamer@github.com>
Bump the npm-development group across 1 directory with 6 updates (#234 )
2025-04-25 15:46:24 -07:00 · 2025-04-25 14:06:39 -07:00 · 2025-04-01 15:04:50 -04:00 · 2025-04-01 11:55:49 -04:00 · 2025-03-25 10:30:57 -04:00 · 2025-03-24 14:50:26 -07:00
6 changed files with 1989 additions and 890 deletions
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -38,7 +38,7 @@ jobs:
      - name: Lint Codebase
        id: super-linter
-        uses: super-linter/super-linter/slim@v7
+        uses: super-linter/super-linter/slim@v7.2.1
        env:
          DEFAULT_BRANCH: main
          FILTER_REGEX_EXCLUDE: dist/**/*
--- a/README.md
+++ b/README.md
@@ -27,11 +27,12 @@ information on artifact attestations.
 <!-- prettier-ignore-start -->
 > [!NOTE]
 > Artifact attestations are available in public repositories for all
-> current GitHub plans. They are not available on legacy plans, such as Bronze,
+> current GitHub plans.
-> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
+>
-> artifact attestations are only available for public repositories. To use
+> To use artifact attestations in private or internal repositories, you must
-> artifact attestations in private or internal repositories, you must be on a
+> be on a GitHub Enterprise Cloud plan.
-> GitHub Enterprise Cloud plan.
+>
 > Artifact attestations are NOT supported on GitHub Enterprise Server.
 <!-- prettier-ignore-end -->
 ## Usage
@@ -64,7 +65,7 @@ attest:
   The `subject-path` parameter should identify the artifact for which you want
   to generate an attestation. The `predicate-type` can be any of the the
   [vetted predicate types][3] or a custom value. The `predicate-path`
-   identifies a file containg the JSON-encoded predicate parameters.
+   identifies a file containing the JSON-encoded predicate parameters.
 ### Inputs
--- a/tests/subject.test.ts
+++ b/tests/subject.test.ts
@@ -99,7 +99,7 @@ describe('subjectFromInputs', () => {
      })
    })
-    describe('when the alogrithm is not supported', () => {
+    describe('when the algorithm is not supported', () => {
      it('throws an error', async () => {
        const inputs: SubjectInputs = {
          ...blankInputs,
--- a/dist/index.js
+++ b/dist/index.js
@@ -377,11 +377,9 @@ const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void
    // Split just the path and ref from the workflow string.
    // owner/repo/.github/workflows/main.yml@main =>
    //   .github/workflows/main.yml, main
-    const [workflowPath, ...workflowRefChunks] = claims.workflow_ref
+    const [workflowPath] = claims.workflow_ref
        .replace(`${claims.repository}/`, '')
        .split('@');
    // Handle case where tag contains `@` (e.g: when using changesets in a monorepo context),
    const workflowRef = workflowRefChunks.join('@');
    return {
        type: SLSA_PREDICATE_V1_TYPE,
        params: {
@@ -389,7 +387,7 @@ const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void
                buildType: GITHUB_BUILD_TYPE,
                externalParameters: {
                    workflow: {
-                        ref: workflowRef,
+                        ref: claims.ref,
                        repository: `${serverURL}/${claims.repository}`,
                        path: workflowPath
                    }
@@ -6979,7 +6977,7 @@ module.exports = __toCommonJS(dist_src_exports);
 var import_universal_user_agent = __nccwpck_require__(33843);
 // pkg/dist-src/version.js
-var VERSION = "9.0.4";
+var VERSION = "9.0.6";
 // pkg/dist-src/defaults.js
 var userAgent = `octokit-endpoint.js/${VERSION} ${(0, import_universal_user_agent.getUserAgent)()}`;
@@ -7084,9 +7082,9 @@ function addQueryParameters(url, parameters) {
 }
 // pkg/dist-src/util/extract-url-variable-names.js
-var urlVariableRegex = /\{[^}]+\}/g;
+var urlVariableRegex = /\{[^{}}]+\}/g;
 function removeNonChars(variableName) {
-  return variableName.replace(/^\W+|\W+$/g, "").split(/,/);
+  return variableName.replace(/(?:^\W+)|(?:(?<!\W)\W+$)/g, "").split(/,/);
 }
 function extractUrlVariableNames(url) {
  const matches = url.match(urlVariableRegex);
@@ -7272,7 +7270,7 @@ function parse(options) {
    }
    if (url.endsWith("/graphql")) {
      if (options.mediaType.previews?.length) {
-        const previewsFromAcceptHeader = headers.accept.match(/[\w-]+(?=-preview)/g) || [];
+        const previewsFromAcceptHeader = headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || [];
        headers.accept = previewsFromAcceptHeader.concat(options.mediaType.previews).map((preview) => {
          const format = options.mediaType.format ? `.${options.mediaType.format}` : "+json";
          return `application/vnd.github.${preview}-preview${format}`;
@@ -7521,7 +7519,7 @@ __export(dist_src_exports, {
 module.exports = __toCommonJS(dist_src_exports);
 // pkg/dist-src/version.js
-var VERSION = "9.1.5";
+var VERSION = "9.2.2";
 // pkg/dist-src/normalize-paginated-list-response.js
 function normalizePaginatedListResponse(response) {
@@ -7569,7 +7567,7 @@ function iterator(octokit, route, parameters) {
          const response = await requestMethod({ method, url, headers });
          const normalizedResponse = normalizePaginatedListResponse(response);
          url = ((normalizedResponse.headers.link || "").match(
-            /<([^>]+)>;\s*rel="next"/
+            /<([^<>]+)>;\s*rel="next"/
          ) || [])[1];
          return { value: normalizedResponse };
        } catch (error) {
@@ -7682,6 +7680,8 @@ var paginatingEndpoints = [
  "GET /orgs/{org}/members/{username}/codespaces",
  "GET /orgs/{org}/migrations",
  "GET /orgs/{org}/migrations/{migration_id}/repositories",
  "GET /orgs/{org}/organization-roles/{role_id}/teams",
  "GET /orgs/{org}/organization-roles/{role_id}/users",
  "GET /orgs/{org}/outside_collaborators",
  "GET /orgs/{org}/packages",
  "GET /orgs/{org}/packages/{package_type}/{package_name}/versions",
@@ -10196,7 +10196,7 @@ var RequestError = class extends Error {
    if (options.request.headers.authorization) {
      requestCopy.headers = Object.assign({}, options.request.headers, {
        authorization: options.request.headers.authorization.replace(
-          / .*$/,
+          /(?<! ) .*$/,
          " [REDACTED]"
        )
      });
@@ -10264,7 +10264,7 @@ var import_endpoint = __nccwpck_require__(54471);
 var import_universal_user_agent = __nccwpck_require__(33843);
 // pkg/dist-src/version.js
-var VERSION = "8.2.0";
+var VERSION = "8.4.1";
 // pkg/dist-src/is-plain-object.js
 function isPlainObject(value) {
@@ -10289,7 +10289,7 @@ function getBufferResponse(response) {
 // pkg/dist-src/fetch-wrapper.js
 function fetchWrapper(requestOptions) {
-  var _a, _b, _c;
+  var _a, _b, _c, _d;
  const log = requestOptions.request && requestOptions.request.log ? requestOptions.request.log : console;
  const parseSuccessResponseBody = ((_a = requestOptions.request) == null ? void 0 : _a.parseSuccessResponseBody) !== false;
  if (isPlainObject(requestOptions.body) || Array.isArray(requestOptions.body)) {
@@ -10310,8 +10310,9 @@ function fetchWrapper(requestOptions) {
  return fetch(requestOptions.url, {
    method: requestOptions.method,
    body: requestOptions.body,
    redirect: (_c = requestOptions.request) == null ? void 0 : _c.redirect,
    headers: requestOptions.headers,
-    signal: (_c = requestOptions.request) == null ? void 0 : _c.signal,
+    signal: (_d = requestOptions.request) == null ? void 0 : _d.signal,
    // duplex must be set if request.body is ReadableStream or Async Iterables.
    // See https://fetch.spec.whatwg.org/#dom-requestinit-duplex.
    ...requestOptions.body && { duplex: "half" }
@@ -10322,7 +10323,7 @@ function fetchWrapper(requestOptions) {
      headers[keyAndValue[0]] = keyAndValue[1];
    }
    if ("deprecation" in headers) {
-      const matches = headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
+      const matches = headers.link && headers.link.match(/<([^<>]+)>; rel="deprecation"/);
      const deprecationLink = matches && matches.pop();
      log.warn(
        `[@octokit/request] "${requestOptions.method} ${requestOptions.url}" is deprecated. It is scheduled to be removed on ${headers.sunset}${deprecationLink ? `. See ${deprecationLink}` : ""}`
@@ -12933,7 +12934,7 @@ const getRegistryCredentials = (imageName) => {
    const { username, password } = (0, exports.fromBasicAuth)(creds.auth);
    // If the identitytoken is present, use it as the password (primarily for ACR)
    const pass = creds.identitytoken ? creds.identitytoken : password;
-    return { username, password: pass };
+    return { headers: dockerConfig.HttpHeaders, username, password: pass };
 };
 exports.getRegistryCredentials = getRegistryCredentials;
 // Encode the username and password as base64-encoded basicauth value
@@ -13421,6 +13422,8 @@ class RegistryClient {
    // authenticate requests.
    // https://github.com/google/go-containerregistry/blob/main/pkg/authn/README.md#the-registry
    async signIn(creds) {
        // Ensure we include an auth headers if they are present
        __classPrivateFieldSet(this, _RegistryClient_fetch, __classPrivateFieldGet(this, _RegistryClient_fetch, "f").defaults({ headers: creds.headers }), "f");
        // Initiate a blob upload to get the auth challenge
        const probeResponse = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/blobs/uploads/`, { method: 'POST' });
        // If we get a 200 response, we're already authenticated
@@ -42881,7 +42884,7 @@ const testSet = (set, version, options) => {
 const debug = __nccwpck_require__(1159)
 const { MAX_LENGTH, MAX_SAFE_INTEGER } = __nccwpck_require__(45101)
-const { safeRe: re, t } = __nccwpck_require__(95471)
+const { safeRe: re, safeSrc: src, t } = __nccwpck_require__(95471)
 const parseOptions = __nccwpck_require__(70356)
 const { compareIdentifiers } = __nccwpck_require__(73348)
@@ -42891,7 +42894,7 @@ class SemVer {
    if (version instanceof SemVer) {
      if (version.loose === !!options.loose &&
-          version.includePrerelease === !!options.includePrerelease) {
+        version.includePrerelease === !!options.includePrerelease) {
        return version
      } else {
        version = version.version
@@ -43057,6 +43060,20 @@ class SemVer {
  // preminor will bump the version up to the next minor release, and immediately
  // down to pre-release. premajor and prepatch work the same way.
  inc (release, identifier, identifierBase) {
    if (release.startsWith('pre')) {
      if (!identifier && identifierBase === false) {
        throw new Error('invalid increment argument: identifier is empty')
      }
      // Avoid an invalid semver results
      if (identifier) {
        const r = new RegExp(`^${this.options.loose ? src[t.PRERELEASELOOSE] : src[t.PRERELEASE]}$`)
        const match = `-${identifier}`.match(r)
        if (!match || match[1] !== identifier) {
          throw new Error(`invalid identifier: ${identifier}`)
        }
      }
    }
    switch (release) {
      case 'premajor':
        this.prerelease.length = 0
@@ -43087,6 +43104,12 @@ class SemVer {
        }
        this.inc('pre', identifier, identifierBase)
        break
      case 'release':
        if (this.prerelease.length === 0) {
          throw new Error(`version ${this.raw} is not a prerelease`)
        }
        this.prerelease.length = 0
        break
      case 'major':
        // If this is a pre-major version, bump up to the same major version.
@@ -43130,10 +43153,6 @@ class SemVer {
      case 'pre': {
        const base = Number(identifierBase) ? 1 : 0
        if (!identifier && identifierBase === false) {
          throw new Error('invalid increment argument: identifier is empty')
        }
        if (this.prerelease.length === 0) {
          this.prerelease = [base]
        } else {
@@ -43392,20 +43411,13 @@ const diff = (version1, version2) => {
      return 'major'
    }
-    // Otherwise it can be determined by checking the high version
+    // If the main part has no difference
-
+    if (lowVersion.compareMain(highVersion) === 0) {
-    if (highVersion.patch) {
+      if (lowVersion.minor && !lowVersion.patch) {
-      // anything higher than a patch bump would result in the wrong version
+        return 'minor'
      }
      return 'patch'
    }
    if (highVersion.minor) {
      // anything higher than a minor bump would result in the wrong version
      return 'minor'
    }
    // bumping major/minor/patch all have same result
    return 'major'
  }
  // add the `pre` prefix if we are going to a prerelease version
@@ -43912,6 +43924,7 @@ exports = module.exports = {}
 const re = exports.re = []
 const safeRe = exports.safeRe = []
 const src = exports.src = []
 const safeSrc = exports.safeSrc = []
 const t = exports.t = {}
 let R = 0
@@ -43944,6 +43957,7 @@ const createToken = (name, value, isGlobal) => {
  debug(name, index, value)
  t[name] = index
  src[index] = value
  safeSrc[index] = safe
  re[index] = new RegExp(value, isGlobal ? 'g' : undefined)
  safeRe[index] = new RegExp(safe, isGlobal ? 'g' : undefined)
 }
@@ -56529,6 +56543,14 @@ const { isUint8Array, isArrayBuffer } = __nccwpck_require__(98253)
 const { File: UndiciFile } = __nccwpck_require__(63041)
 const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(94322)
 let random
 try {
  const crypto = __nccwpck_require__(77598)
  random = (max) => crypto.randomInt(0, max)
 } catch {
  random = (max) => Math.floor(Math.random(max))
 }
 let ReadableStream = globalThis.ReadableStream
 /** @type {globalThis['File']} */
@@ -56614,7 +56636,7 @@ function extractBody (object, keepalive = false) {
    // Set source to a copy of the bytes held by object.
    source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
  } else if (util.isFormDataLike(object)) {
-    const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
+    const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
    const prefix = `--${boundary}\r\nContent-Disposition: form-data`
    /*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "actions/attest",
  "description": "Generate signed attestations for workflow artifacts",
-  "version": "2.2.0",
+  "version": "2.3.0",
  "author": "",
  "private": true,
  "homepage": "https://github.com/actions/attest",
@@ -69,31 +69,31 @@
    ]
  },
  "dependencies": {
-    "@actions/attest": "^1.5.0",
+    "@actions/attest": "^1.6.0",
    "@actions/core": "^1.11.1",
    "@actions/github": "^6.0.0",
    "@actions/glob": "^0.5.0",
-    "@sigstore/oci": "^0.4.0",
+    "@sigstore/oci": "^0.5.0",
    "csv-parse": "^5.6.0"
  },
  "devDependencies": {
-    "@eslint/js": "^9.18.0",
+    "@eslint/js": "^9.24.0",
-    "@sigstore/mock": "^0.9.0",
+    "@sigstore/mock": "^0.10.0",
    "@types/jest": "^29.5.14",
    "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^22.10.7",
+    "@types/node": "^22.14.1",
    "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.18.0",
+    "eslint": "^9.24.0",
    "eslint-plugin-import": "^2.31.0",
    "eslint-plugin-jest": "^28.11.0",
    "jest": "^29.7.0",
    "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.43.0",
+    "markdownlint-cli": "^0.44.0",
    "nock": "^13.5.6",
-    "prettier": "^3.4.2",
+    "prettier": "^3.5.3",
-    "ts-jest": "^29.2.5",
+    "ts-jest": "^29.3.2",
-    "typescript": "^5.7.3",
+    "typescript": "^5.8.3",
-    "typescript-eslint": "^8.21.0",
+    "typescript-eslint": "^8.30.1",
-    "undici": "^5.28.4"
+    "undici": "^5.28.5"
  }
 }