Compare commits
16 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
2da562a775 | ||
|
|
96309a74df | ||
|
|
e287548486 | ||
|
|
fd6b752f2b | ||
|
|
c2fbdcca7f | ||
|
|
c65e8d4737 | ||
|
|
ffbe5726c3 | ||
|
|
1ddccb76ab | ||
|
|
a25a27cab8 | ||
|
|
e18a799f23 | ||
|
|
5b44f686c6 | ||
|
|
9c10929297 | ||
|
|
3f6ab60ba4 | ||
|
|
f7e1c5d786 | ||
|
|
088247d089 | ||
|
|
6bc26cfc5e |
6
.github/workflows/check-dist.yml
vendored
6
.github/workflows/check-dist.yml
vendored
@@ -28,11 +28,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@v6.0.2
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@v6.2.0
|
||||
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -60,7 +60,7 @@ jobs:
|
||||
- if: ${{ failure() && steps.diff.outcome == 'failure' }}
|
||||
name: Upload Artifact
|
||||
id: upload
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
|
||||
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
@@ -25,7 +25,7 @@ jobs:
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
||||
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
|
||||
8
.github/workflows/codeql-analysis.yml
vendored
8
.github/workflows/codeql-analysis.yml
vendored
@@ -32,19 +32,19 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@v6.0.2
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
|
||||
- name: Initialize CodeQL
|
||||
id: initialize
|
||||
uses: github/codeql-action/init@v4
|
||||
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
source-root: src
|
||||
|
||||
- name: Autobuild
|
||||
id: autobuild
|
||||
uses: github/codeql-action/autobuild@v4
|
||||
uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
id: analyze
|
||||
uses: github/codeql-action/analyze@v4
|
||||
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
||||
|
||||
18
.github/workflows/prober-github.yml
vendored
Normal file
18
.github/workflows/prober-github.yml
vendored
Normal file
@@ -0,0 +1,18 @@
|
||||
name: GitHub Sigstore Prober
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
# run every 5 minutes, as often as Github Actions allows
|
||||
- cron: '*/5 * * * *'
|
||||
|
||||
jobs:
|
||||
prober:
|
||||
if: github.repository_owner == 'actions'
|
||||
permissions:
|
||||
attestations: write
|
||||
id-token: write
|
||||
secrets: inherit
|
||||
uses: ./.github/workflows/prober.yml
|
||||
with:
|
||||
sigstore: github
|
||||
18
.github/workflows/prober-public-good.yml
vendored
Normal file
18
.github/workflows/prober-public-good.yml
vendored
Normal file
@@ -0,0 +1,18 @@
|
||||
name: Public-Good Sigstore Prober
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
# run every 5 minutes, as often as Github Actions allows
|
||||
- cron: '*/5 * * * *'
|
||||
|
||||
jobs:
|
||||
prober:
|
||||
if: github.repository_owner == 'actions'
|
||||
permissions:
|
||||
attestations: write
|
||||
id-token: write
|
||||
secrets: inherit
|
||||
uses: ./.github/workflows/prober.yml
|
||||
with:
|
||||
sigstore: public-good
|
||||
84
.github/workflows/prober.yml
vendored
Normal file
84
.github/workflows/prober.yml
vendored
Normal file
@@ -0,0 +1,84 @@
|
||||
name: Prober Workflow
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
sigstore:
|
||||
description: 'Which Sigstore instance to use for signing'
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
probe:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
attestations: write
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: Request OIDC Token
|
||||
run: |
|
||||
curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
|
||||
-H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
|
||||
-H "Accept: application/json; api-version=2.0" \
|
||||
-H "Content-Type: application/json" \
|
||||
--silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'
|
||||
|
||||
- name: Create artifact
|
||||
run: |
|
||||
date > artifact
|
||||
|
||||
- name: Attest build provenance
|
||||
uses: actions/attest@main
|
||||
env:
|
||||
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
|
||||
with:
|
||||
subject-path: artifact
|
||||
|
||||
- name: Verify build artifact
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
|
||||
|
||||
- name: Upload build artifact
|
||||
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
||||
with:
|
||||
path: "artifact"
|
||||
|
||||
- name: Report attestation prober success
|
||||
if: ${{ success() }}
|
||||
uses: masci/datadog@d7cb6cfc2ba13f7c2ae5227a26f2e2f42a7d179e # v2.0.2
|
||||
with:
|
||||
api-key: "${{ secrets.DATADOG_API_KEY }}"
|
||||
service-checks: |
|
||||
- check: "attestation-integration.actions.prober"
|
||||
status: 0
|
||||
host_name: github.com
|
||||
tags:
|
||||
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "stamp:${{ secrets.STAMP }}"
|
||||
- "env:production"
|
||||
- "repo:${{ github.repository }}"
|
||||
- "team:${{ secrets.TEAM }}"
|
||||
- "sigstore:${{ inputs.sigstore }}"
|
||||
|
||||
- name: Report attestation prober failure
|
||||
if: ${{ failure() }}
|
||||
uses: masci/datadog@d7cb6cfc2ba13f7c2ae5227a26f2e2f42a7d179e # v2.0.2
|
||||
with:
|
||||
api-key: "${{ secrets.DATADOG_API_KEY }}"
|
||||
service-checks: |
|
||||
- check: "attestation-integration.actions.prober"
|
||||
message: "${{ github.repository_owner }} failed prober check"
|
||||
status: 2
|
||||
host_name: github.com
|
||||
tags:
|
||||
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "stamp:${{ secrets.STAMP }}"
|
||||
- "env:production"
|
||||
- "repo:${{ github.repository }}"
|
||||
- "team:${{ secrets.TEAM }}"
|
||||
- "sigstore:${{ inputs.sigstore }}"
|
||||
1049
package-lock.json
generated
1049
package-lock.json
generated
File diff suppressed because it is too large
Load Diff
20
package.json
20
package.json
@@ -87,23 +87,23 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@jest/globals": "^30.2.0",
|
||||
"@sigstore/mock": "^0.11.0",
|
||||
"@jest/globals": "^30.3.0",
|
||||
"@sigstore/mock": "^0.12.0",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@types/make-fetch-happen": "^10.0.4",
|
||||
"@types/node": "^25.3.0",
|
||||
"@types/node": "^25.6.0",
|
||||
"@vercel/ncc": "^0.38.4",
|
||||
"eslint": "^9.39.2",
|
||||
"eslint-plugin-import": "^2.32.0",
|
||||
"eslint-plugin-jest": "^29.15.0",
|
||||
"jest": "^30.2.0",
|
||||
"eslint-plugin-jest": "^29.15.2",
|
||||
"jest": "^30.3.0",
|
||||
"js-yaml": "^4.1.1",
|
||||
"markdownlint-cli": "^0.47.0",
|
||||
"markdownlint-cli": "^0.48.0",
|
||||
"nock": "^13.5.6",
|
||||
"prettier": "^3.8.1",
|
||||
"ts-jest": "^29.4.6",
|
||||
"prettier": "^3.8.3",
|
||||
"ts-jest": "^29.4.9",
|
||||
"typescript": "^5.9.3",
|
||||
"typescript-eslint": "^8.56.1",
|
||||
"undici": "^7.20.0"
|
||||
"typescript-eslint": "^8.58.2",
|
||||
"undici": "^7.24.4"
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user