docker/actions-toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sigstore class to sign buildkit provenance blobs

Browse Source 
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
This commit is contained in:
CrazyMax
2025-10-29 10:27:42 +01:00
parent 24b234cb06
commit 36cc95143c
9 changed files with 3102 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/test.yml vendored
View File

@@ -146,6 +146,9 @@ jobs:
fail-fast: false
matrix:
include: ${{ fromJson(needs.prepare-itg.outputs.includes) }}
permissions:
contents: read
id-token: write # needed for signing with GitHub OIDC Token
steps:
-
name: Checkout

725
__tests__/.fixtures/sigstore/multi/linux_amd64/provenance.json Normal file
View File

@@ -0,0 +1,725 @@
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "myapp",
"digest": {
"sha256": "2a941bf575c9d943145d990615782173a81214447bb106af5d98456d378530de"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
"resolvedDependencies": [
{
"uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
"digest": {
"sha256": "e930c2697be77cb7271d316ecfa78768b5eac73de3b16018ed38eb0ea0b5a7cb"
}
},
{
"uri": "pkg:docker/docker/dockerfile@1",
"digest": {
"sha256": "b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6"
}
},
{
"uri": "pkg:docker/golang@1.25-alpine?platform=linux%2Famd64",
"digest": {
"sha256": "aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34"
}
},
{
"uri": "pkg:docker/tonistiigi/xx@1.7.0?platform=linux%2Famd64",
"digest": {
"sha256": "010d4b66aed389848b0694f91c7aaee9df59a6f20be7f5d12e53663a37bd14e2"
}
},
{
"uri": "https://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"digest": {
"sha1": "f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
}
}
],
"externalParameters": {
"configSource": {
"uri": "https://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"digest": {
"sha1": "f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
},
"path": "Dockerfile"
},
"request": {
"frontend": "gateway.v0",
"args": {
"cmdline": "docker/dockerfile:1",
"source": "docker/dockerfile:1"
},
"secrets": [
{
"id": "GIT_AUTH_HEADER",
"optional": true
},
{
"id": "GIT_AUTH_TOKEN",
"optional": true
}
]
}
},
"internalParameters": {
"buildConfig": {
"digestMapping": {
"sha256:0c051f8b602965c35bbb5fc740b4d16ced9b5ec91141bfc82414ea4ebac8f389": "step6",
"sha256:1b79692851a53ae526c956b915846f7ffb95edf257cc082548e64cfc886f3eb8": "step7",
"sha256:1f4a4008f77e0fd66e5e405280ee9b3f1968beac6a3f28c110b31d15b8cd472a": "step2",
"sha256:2030d53ec35fa99af0f54fca7548a9665ec96f2514ba3cbc1b19c9f5c7cec173": "step0",
"sha256:4fcabdc8e56358c8b9a740d0bf712ef67bc33786112213b9071132a6d595b56f": "step5",
"sha256:60898748e8b2996ff10a3ba158e0e8f52b8f285ff74d92657a43cf02bccc118a": "step8",
"sha256:717558c6da2ccb95acf2519318ee6f40d7ffbb1f63b0a9d211ffbc1a1d0e345f": "step4",
"sha256:d4b5a8c2437dc07cb5a1884896309711c899ee3557268d10b66818dd93f13784": "step1",
"sha256:dc0d490768523aa0ed6c1a7c68c5884e1a18e9b7a8c36a0a983edbe17a9bb89e": "step3"
},
"llbDefinition": [
{
"id": "step0",
"op": {
"Op": {
"source": {
"identifier": "docker-image://docker.io/library/golang:1.25-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34"
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step1",
"op": {
"Op": {
"source": {
"identifier": "docker-image://docker.io/tonistiigi/xx:1.7.0@sha256:010d4b66aed389848b0694f91c7aaee9df59a6f20be7f5d12e53663a37bd14e2"
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step2",
"inputs": [
"step0:0",
"step1:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"copy": {
"allowEmptyWildcard": true,
"allowWildcard": true,
"createDestPath": true,
"dest": "/",
"dirCopyContents": true,
"followSymlink": true,
"mode": -1,
"src": "/",
"timestamp": -1
}
},
"input": 0,
"output": 0,
"secondaryInput": 1
}
]
}
},
"constraints": {}
}
},
{
"id": "step3",
"inputs": [
"step2:0"
],
"op": {
"Op": {
"exec": {
"meta": {
"args": [
"/bin/sh",
"-c",
"apk add --no-cache file git"
],
"cwd": "/go",
"env": [
"PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOLANG_VERSION=1.25.3",
"GOTOOLCHAIN=local",
"GOPATH=/go"
],
"removeMountStubsRecursive": true
},
"mounts": [
{
"dest": "/"
}
]
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step4",
"inputs": [
"step3:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"mkdir": {
"makeParents": true,
"mode": 493,
"path": "/src",
"timestamp": -1
}
},
"input": 0,
"output": 0,
"secondaryInput": -1
}
]
}
},
"constraints": {}
}
},
{
"id": "step5",
"op": {
"Op": {
"source": {
"attrs": {
"git.authheadersecret": "GIT_AUTH_HEADER",
"git.authtokensecret": "GIT_AUTH_TOKEN",
"git.fullurl": "https://github.com/docker/github-builder-test.git"
},
"identifier": "git://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
}
},
"constraints": {}
}
},
{
"id": "step6",
"inputs": [
"step4:0",
"step5:0"
],
"op": {
"Op": {
"exec": {
"meta": {
"args": [
"/bin/sh",
"-c",
"xx-go build -trimpath -o /out/myapp . \u0026\u0026 xx-verify --static /out/myapp"
],
"cwd": "/src",
"env": [
"PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOLANG_VERSION=1.25.3",
"GOTOOLCHAIN=local",
"GOPATH=/go",
"CGO_ENABLED=0",
"TARGETPLATFORM=linux/amd64"
],
"removeMountStubsRecursive": true
},
"mounts": [
{
"dest": "/"
},
{
"cacheOpt": {
"ID": "//root/.cache"
},
"dest": "/root/.cache",
"input": -1,
"mountType": 3,
"output": -1
},
{
"dest": "/src",
"input": 1,
"output": -1,
"readonly": true
}
]
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step7",
"inputs": [
"step6:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"copy": {
"allowEmptyWildcard": true,
"allowWildcard": true,
"createDestPath": true,
"dest": "/",
"dirCopyContents": true,
"followSymlink": true,
"mode": -1,
"src": "/out",
"timestamp": -1
}
},
"input": -1,
"output": 0,
"secondaryInput": 0
}
]
}
},
"constraints": {}
}
},
{
"id": "step8",
"inputs": [
"step7:0"
],
"op": {
"Op": {}
}
}
]
},
"builderPlatform": "linux/amd64",
"github_event_name": "workflow_dispatch",
"github_event_payload": {
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/19176?v=4",
"created_at": "2022-12-30T23:53:17Z",
"description": null,
"html_url": "https://github.com/enterprises/docker",
"id": 19176,
"name": "Docker",
"node_id": "E_kgDNSug",
"slug": "docker",
"updated_at": "2025-10-20T20:39:05Z",
"website_url": null
},
"inputs": null,
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
"description": "Docker helps developers bring their ideas to life by conquering the complexity of app development.",
"events_url": "https://api.github.com/orgs/docker/events",
"hooks_url": "https://api.github.com/orgs/docker/hooks",
"id": 5429470,
"issues_url": "https://api.github.com/orgs/docker/issues",
"login": "docker",
"members_url": "https://api.github.com/orgs/docker/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
"public_members_url": "https://api.github.com/orgs/docker/public_members{/member}",
"repos_url": "https://api.github.com/orgs/docker/repos",
"url": "https://api.github.com/orgs/docker"
},
"ref": "refs/heads/main",
"repository": {
"allow_forking": true,
"archive_url": "https://api.github.com/repos/docker/github-builder-test/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/docker/github-builder-test/assignees{/user}",
"blobs_url": "https://api.github.com/repos/docker/github-builder-test/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/docker/github-builder-test/branches{/branch}",
"clone_url": "https://github.com/docker/github-builder-test.git",
"collaborators_url": "https://api.github.com/repos/docker/github-builder-test/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/docker/github-builder-test/comments{/number}",
"commits_url": "https://api.github.com/repos/docker/github-builder-test/commits{/sha}",
"compare_url": "https://api.github.com/repos/docker/github-builder-test/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/docker/github-builder-test/contents/{+path}",
"contributors_url": "https://api.github.com/repos/docker/github-builder-test/contributors",
"created_at": "2025-08-19T08:08:29Z",
"custom_properties": {},
"default_branch": "main",
"deployments_url": "https://api.github.com/repos/docker/github-builder-test/deployments",
"description": "Test repo for https://github.com/docker/github-builder-experimental",
"disabled": false,
"downloads_url": "https://api.github.com/repos/docker/github-builder-test/downloads",
"events_url": "https://api.github.com/repos/docker/github-builder-test/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/docker/github-builder-test/forks",
"full_name": "docker/github-builder-test",
"git_commits_url": "https://api.github.com/repos/docker/github-builder-test/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/docker/github-builder-test/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/docker/github-builder-test/git/tags{/sha}",
"git_url": "git://github.com/docker/github-builder-test.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": false,
"has_pages": false,
"has_projects": false,
"has_wiki": false,
"homepage": null,
"hooks_url": "https://api.github.com/repos/docker/github-builder-test/hooks",
"html_url": "https://github.com/docker/github-builder-test",
"id": 1040594287,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/docker/github-builder-test/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/docker/github-builder-test/issues/events{/number}",
"issues_url": "https://api.github.com/repos/docker/github-builder-test/issues{/number}",
"keys_url": "https://api.github.com/repos/docker/github-builder-test/keys{/key_id}",
"labels_url": "https://api.github.com/repos/docker/github-builder-test/labels{/name}",
"language": "Dockerfile",
"languages_url": "https://api.github.com/repos/docker/github-builder-test/languages",
"license": null,
"merges_url": "https://api.github.com/repos/docker/github-builder-test/merges",
"milestones_url": "https://api.github.com/repos/docker/github-builder-test/milestones{/number}",
"mirror_url": null,
"name": "github-builder-test",
"node_id": "R_kgDOPgY1bw",
"notifications_url": "https://api.github.com/repos/docker/github-builder-test/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
"events_url": "https://api.github.com/users/docker/events{/privacy}",
"followers_url": "https://api.github.com/users/docker/followers",
"following_url": "https://api.github.com/users/docker/following{/other_user}",
"gists_url": "https://api.github.com/users/docker/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/docker",
"id": 5429470,
"login": "docker",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
"organizations_url": "https://api.github.com/users/docker/orgs",
"received_events_url": "https://api.github.com/users/docker/received_events",
"repos_url": "https://api.github.com/users/docker/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/docker/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/docker/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/docker",
"user_view_type": "public"
},
"private": true,
"pulls_url": "https://api.github.com/repos/docker/github-builder-test/pulls{/number}",
"pushed_at": "2025-10-22T14:08:38Z",
"releases_url": "https://api.github.com/repos/docker/github-builder-test/releases{/id}",
"size": 24,
"ssh_url": "git@github.com:docker/github-builder-test.git",
"stargazers_count": 0,
"stargazers_url": "https://api.github.com/repos/docker/github-builder-test/stargazers",
"statuses_url": "https://api.github.com/repos/docker/github-builder-test/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/docker/github-builder-test/subscribers",
"subscription_url": "https://api.github.com/repos/docker/github-builder-test/subscription",
"svn_url": "https://github.com/docker/github-builder-test",
"tags_url": "https://api.github.com/repos/docker/github-builder-test/tags",
"teams_url": "https://api.github.com/repos/docker/github-builder-test/teams",
"topics": [],
"trees_url": "https://api.github.com/repos/docker/github-builder-test/git/trees{/sha}",
"updated_at": "2025-10-22T14:08:42Z",
"url": "https://api.github.com/repos/docker/github-builder-test",
"visibility": "internal",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/1951866?v=4",
"events_url": "https://api.github.com/users/crazy-max/events{/privacy}",
"followers_url": "https://api.github.com/users/crazy-max/followers",
"following_url": "https://api.github.com/users/crazy-max/following{/other_user}",
"gists_url": "https://api.github.com/users/crazy-max/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/crazy-max",
"id": 1951866,
"login": "crazy-max",
"node_id": "MDQ6VXNlcjE5NTE4NjY=",
"organizations_url": "https://api.github.com/users/crazy-max/orgs",
"received_events_url": "https://api.github.com/users/crazy-max/received_events",
"repos_url": "https://api.github.com/users/crazy-max/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/crazy-max/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/crazy-max/subscriptions",
"type": "User",
"url": "https://api.github.com/users/crazy-max",
"user_view_type": "public"
},
"workflow": ".github/workflows/ci.yml"
}
}
},
"runDetails": {
"builder": {
"id": "https://github.com/docker/github-builder-test/actions/runs/18720329526/attempts/1"
},
"metadata": {
"invocationID": "3lb9gejzb3ondafiy8szq6pza",
"startedOn": "2025-10-22T14:53:42.019047245Z",
"finishedOn": "2025-10-22T14:54:12.811607358Z",
"buildkit_metadata": {
"source": {
"locations": {
"step0": {
"locations": [
{
"ranges": [
{
"start": {
"line": 8
},
"end": {
"line": 8
}
}
]
}
]
},
"step1": {
"locations": [
{
"ranges": [
{
"start": {
"line": 6
},
"end": {
"line": 6
}
}
]
}
]
},
"step2": {
"locations": [
{
"ranges": [
{
"start": {
"line": 9
},
"end": {
"line": 9
}
}
]
}
]
},
"step3": {
"locations": [
{
"ranges": [
{
"start": {
"line": 10
},
"end": {
"line": 10
}
}
]
}
]
},
"step4": {
"locations": [
{
"ranges": [
{
"start": {
"line": 12
},
"end": {
"line": 12
}
}
]
}
]
},
"step5": {},
"step6": {
"locations": [
{
"ranges": [
{
"start": {
"line": 16
},
"end": {
"line": 16
}
},
{
"start": {
"line": 17
},
"end": {
"line": 17
}
},
{
"start": {
"line": 18
},
"end": {
"line": 18
}
},
{
"start": {
"line": 19
},
"end": {
"line": 19
}
}
]
}
]
},
"step7": {
"locations": [
{
"ranges": [
{
"start": {
"line": 23
},
"end": {
"line": 23
}
}
]
}
]
}
},
"infos": [
{
"filename": "Dockerfile",
"language": "Dockerfile",
"data": "IyBzeW50YXg9ZG9ja2VyL2RvY2tlcmZpbGU6MQoKQVJHIEdPX1ZFUlNJT049IjEuMjUiCgojIHh4IGlzIGEgaGVscGVyIGZvciBjcm9zcy1jb21waWxhdGlvbgpGUk9NIC0tcGxhdGZvcm09JEJVSUxEUExBVEZPUk0gdG9uaXN0aWlnaS94eDoxLjcuMCBBUyB4eAoKRlJPTSAtLXBsYXRmb3JtPSRCVUlMRFBMQVRGT1JNIGdvbGFuZzoke0dPX1ZFUlNJT059LWFscGluZSBBUyBiYXNlCkNPUFkgLS1mcm9tPXh4IC8gLwpSVU4gYXBrIGFkZCAtLW5vLWNhY2hlIGZpbGUgZ2l0CkVOViBDR09fRU5BQkxFRD0wCldPUktESVIgL3NyYwoKRlJPTSBiYXNlIEFTIGJ1aWxkCkFSRyBUQVJHRVRQTEFURk9STQpSVU4gLS1tb3VudD10eXBlPWJpbmQsdGFyZ2V0PS4gXAogICAgLS1tb3VudD10YXJnZXQ9L3Jvb3QvLmNhY2hlLHR5cGU9Y2FjaGUgXAogIHh4LWdvIGJ1aWxkIC10cmltcGF0aCAtbyAvb3V0L215YXBwIC4gXAogICYmIHh4LXZlcmlmeSAtLXN0YXRpYyAvb3V0L215YXBwCkFSRyBCVUlMREtJVF9TQk9NX1NDQU5fU1RBR0U9dHJ1ZQoKRlJPTSBzY3JhdGNoCkNPUFkgLS1mcm9tPWJ1aWxkIC9vdXQgLwo=",
"llbDefinition": [
{
"id": "step0",
"op": {
"Op": {
"source": {
"identifier": "git://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"attrs": {
"git.authheadersecret": "GIT_AUTH_HEADER",
"git.authtokensecret": "GIT_AUTH_TOKEN",
"git.fullurl": "https://github.com/docker/github-builder-test.git"
}
}
},
"constraints": {}
}
},
{
"id": "step1",
"op": {
"Op": {}
},
"inputs": [
"step0:0"
]
}
],
"digestMapping": {
"sha256:4fcabdc8e56358c8b9a740d0bf712ef67bc33786112213b9071132a6d595b56f": "step0",
"sha256:bc50cc258c6043da1edc694266872a90e37fe4d9dd4b4a6f29715b79a0778011": "step1"
}
}
]
},
"layers": {
"step0:0": [
[
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:2d35ebdb57d9971fea0cac1582aa78935adf8058b2cc32db163c98822e5dfa1b",
"size": 3802452
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:85e8836fcdb2966cd3e43a5440ccddffd1828d2d186a49fa7c17b605db8b3bb3",
"size": 291155
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:91631faa732ae651543f888b70295cbfe29a433d3c8da02b9966f67f238d3603",
"size": 60150352
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:f3f5ae8826faeb0e0415f8f29afbc9550ae5d655f3982b2924949c93d5efd5c8",
"size": 126
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
"size": 32
}
]
],
"step1:0": [
[
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:15db0d88ae4923276807d48a05fc8a7208dfbec142770f2fce52af9fee6cd287",
"size": 17084
}
]
]
}
},
"buildkit_completeness": {
"request": true,
"resolvedDependencies": true
}
}
}
}
}

725
__tests__/.fixtures/sigstore/multi/linux_arm64/provenance.json Normal file
View File

@@ -0,0 +1,725 @@
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "myapp",
"digest": {
"sha256": "4b667c986650394031c49aa325f905d0f9dde27ea57d7b4ab3e43d48f0f9140b"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
"resolvedDependencies": [
{
"uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
"digest": {
"sha256": "e930c2697be77cb7271d316ecfa78768b5eac73de3b16018ed38eb0ea0b5a7cb"
}
},
{
"uri": "pkg:docker/docker/dockerfile@1",
"digest": {
"sha256": "b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6"
}
},
{
"uri": "pkg:docker/golang@1.25-alpine?platform=linux%2Famd64",
"digest": {
"sha256": "aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34"
}
},
{
"uri": "pkg:docker/tonistiigi/xx@1.7.0?platform=linux%2Famd64",
"digest": {
"sha256": "010d4b66aed389848b0694f91c7aaee9df59a6f20be7f5d12e53663a37bd14e2"
}
},
{
"uri": "https://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"digest": {
"sha1": "f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
}
}
],
"externalParameters": {
"configSource": {
"uri": "https://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"digest": {
"sha1": "f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
},
"path": "Dockerfile"
},
"request": {
"frontend": "gateway.v0",
"args": {
"cmdline": "docker/dockerfile:1",
"source": "docker/dockerfile:1"
},
"secrets": [
{
"id": "GIT_AUTH_HEADER",
"optional": true
},
{
"id": "GIT_AUTH_TOKEN",
"optional": true
}
]
}
},
"internalParameters": {
"buildConfig": {
"digestMapping": {
"sha256:1f4a4008f77e0fd66e5e405280ee9b3f1968beac6a3f28c110b31d15b8cd472a": "step2",
"sha256:2030d53ec35fa99af0f54fca7548a9665ec96f2514ba3cbc1b19c9f5c7cec173": "step0",
"sha256:368b1bc65dc4d0861c183479a82ba1d9792be1ec2a72aaa7d01c079683d737ff": "step8",
"sha256:4fcabdc8e56358c8b9a740d0bf712ef67bc33786112213b9071132a6d595b56f": "step5",
"sha256:6a2df8f51e15d0173d4785a6ef59a3c267ab89e42ebb4684a384c03a7ad05147": "step7",
"sha256:6ebefcdf46d57291371b70b4c09dbd29559df2b73ef100296cffb93ea6b083bb": "step6",
"sha256:717558c6da2ccb95acf2519318ee6f40d7ffbb1f63b0a9d211ffbc1a1d0e345f": "step4",
"sha256:d4b5a8c2437dc07cb5a1884896309711c899ee3557268d10b66818dd93f13784": "step1",
"sha256:dc0d490768523aa0ed6c1a7c68c5884e1a18e9b7a8c36a0a983edbe17a9bb89e": "step3"
},
"llbDefinition": [
{
"id": "step0",
"op": {
"Op": {
"source": {
"identifier": "docker-image://docker.io/library/golang:1.25-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34"
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step1",
"op": {
"Op": {
"source": {
"identifier": "docker-image://docker.io/tonistiigi/xx:1.7.0@sha256:010d4b66aed389848b0694f91c7aaee9df59a6f20be7f5d12e53663a37bd14e2"
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step2",
"inputs": [
"step0:0",
"step1:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"copy": {
"allowEmptyWildcard": true,
"allowWildcard": true,
"createDestPath": true,
"dest": "/",
"dirCopyContents": true,
"followSymlink": true,
"mode": -1,
"src": "/",
"timestamp": -1
}
},
"input": 0,
"output": 0,
"secondaryInput": 1
}
]
}
},
"constraints": {}
}
},
{
"id": "step3",
"inputs": [
"step2:0"
],
"op": {
"Op": {
"exec": {
"meta": {
"args": [
"/bin/sh",
"-c",
"apk add --no-cache file git"
],
"cwd": "/go",
"env": [
"PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOLANG_VERSION=1.25.3",
"GOTOOLCHAIN=local",
"GOPATH=/go"
],
"removeMountStubsRecursive": true
},
"mounts": [
{
"dest": "/"
}
]
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step4",
"inputs": [
"step3:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"mkdir": {
"makeParents": true,
"mode": 493,
"path": "/src",
"timestamp": -1
}
},
"input": 0,
"output": 0,
"secondaryInput": -1
}
]
}
},
"constraints": {}
}
},
{
"id": "step5",
"op": {
"Op": {
"source": {
"attrs": {
"git.authheadersecret": "GIT_AUTH_HEADER",
"git.authtokensecret": "GIT_AUTH_TOKEN",
"git.fullurl": "https://github.com/docker/github-builder-test.git"
},
"identifier": "git://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
}
},
"constraints": {}
}
},
{
"id": "step6",
"inputs": [
"step4:0",
"step5:0"
],
"op": {
"Op": {
"exec": {
"meta": {
"args": [
"/bin/sh",
"-c",
"xx-go build -trimpath -o /out/myapp . \u0026\u0026 xx-verify --static /out/myapp"
],
"cwd": "/src",
"env": [
"PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOLANG_VERSION=1.25.3",
"GOTOOLCHAIN=local",
"GOPATH=/go",
"CGO_ENABLED=0",
"TARGETPLATFORM=linux/arm64"
],
"removeMountStubsRecursive": true
},
"mounts": [
{
"dest": "/"
},
{
"cacheOpt": {
"ID": "//root/.cache"
},
"dest": "/root/.cache",
"input": -1,
"mountType": 3,
"output": -1
},
{
"dest": "/src",
"input": 1,
"output": -1,
"readonly": true
}
]
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step7",
"inputs": [
"step6:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"copy": {
"allowEmptyWildcard": true,
"allowWildcard": true,
"createDestPath": true,
"dest": "/",
"dirCopyContents": true,
"followSymlink": true,
"mode": -1,
"src": "/out",
"timestamp": -1
}
},
"input": -1,
"output": 0,
"secondaryInput": 0
}
]
}
},
"constraints": {}
}
},
{
"id": "step8",
"inputs": [
"step7:0"
],
"op": {
"Op": {}
}
}
]
},
"builderPlatform": "linux/amd64",
"github_event_name": "workflow_dispatch",
"github_event_payload": {
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/19176?v=4",
"created_at": "2022-12-30T23:53:17Z",
"description": null,
"html_url": "https://github.com/enterprises/docker",
"id": 19176,
"name": "Docker",
"node_id": "E_kgDNSug",
"slug": "docker",
"updated_at": "2025-10-20T20:39:05Z",
"website_url": null
},
"inputs": null,
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
"description": "Docker helps developers bring their ideas to life by conquering the complexity of app development.",
"events_url": "https://api.github.com/orgs/docker/events",
"hooks_url": "https://api.github.com/orgs/docker/hooks",
"id": 5429470,
"issues_url": "https://api.github.com/orgs/docker/issues",
"login": "docker",
"members_url": "https://api.github.com/orgs/docker/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
"public_members_url": "https://api.github.com/orgs/docker/public_members{/member}",
"repos_url": "https://api.github.com/orgs/docker/repos",
"url": "https://api.github.com/orgs/docker"
},
"ref": "refs/heads/main",
"repository": {
"allow_forking": true,
"archive_url": "https://api.github.com/repos/docker/github-builder-test/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/docker/github-builder-test/assignees{/user}",
"blobs_url": "https://api.github.com/repos/docker/github-builder-test/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/docker/github-builder-test/branches{/branch}",
"clone_url": "https://github.com/docker/github-builder-test.git",
"collaborators_url": "https://api.github.com/repos/docker/github-builder-test/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/docker/github-builder-test/comments{/number}",
"commits_url": "https://api.github.com/repos/docker/github-builder-test/commits{/sha}",
"compare_url": "https://api.github.com/repos/docker/github-builder-test/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/docker/github-builder-test/contents/{+path}",
"contributors_url": "https://api.github.com/repos/docker/github-builder-test/contributors",
"created_at": "2025-08-19T08:08:29Z",
"custom_properties": {},
"default_branch": "main",
"deployments_url": "https://api.github.com/repos/docker/github-builder-test/deployments",
"description": "Test repo for https://github.com/docker/github-builder-experimental",
"disabled": false,
"downloads_url": "https://api.github.com/repos/docker/github-builder-test/downloads",
"events_url": "https://api.github.com/repos/docker/github-builder-test/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/docker/github-builder-test/forks",
"full_name": "docker/github-builder-test",
"git_commits_url": "https://api.github.com/repos/docker/github-builder-test/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/docker/github-builder-test/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/docker/github-builder-test/git/tags{/sha}",
"git_url": "git://github.com/docker/github-builder-test.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": false,
"has_pages": false,
"has_projects": false,
"has_wiki": false,
"homepage": null,
"hooks_url": "https://api.github.com/repos/docker/github-builder-test/hooks",
"html_url": "https://github.com/docker/github-builder-test",
"id": 1040594287,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/docker/github-builder-test/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/docker/github-builder-test/issues/events{/number}",
"issues_url": "https://api.github.com/repos/docker/github-builder-test/issues{/number}",
"keys_url": "https://api.github.com/repos/docker/github-builder-test/keys{/key_id}",
"labels_url": "https://api.github.com/repos/docker/github-builder-test/labels{/name}",
"language": "Dockerfile",
"languages_url": "https://api.github.com/repos/docker/github-builder-test/languages",
"license": null,
"merges_url": "https://api.github.com/repos/docker/github-builder-test/merges",
"milestones_url": "https://api.github.com/repos/docker/github-builder-test/milestones{/number}",
"mirror_url": null,
"name": "github-builder-test",
"node_id": "R_kgDOPgY1bw",
"notifications_url": "https://api.github.com/repos/docker/github-builder-test/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
"events_url": "https://api.github.com/users/docker/events{/privacy}",
"followers_url": "https://api.github.com/users/docker/followers",
"following_url": "https://api.github.com/users/docker/following{/other_user}",
"gists_url": "https://api.github.com/users/docker/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/docker",
"id": 5429470,
"login": "docker",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
"organizations_url": "https://api.github.com/users/docker/orgs",
"received_events_url": "https://api.github.com/users/docker/received_events",
"repos_url": "https://api.github.com/users/docker/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/docker/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/docker/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/docker",
"user_view_type": "public"
},
"private": true,
"pulls_url": "https://api.github.com/repos/docker/github-builder-test/pulls{/number}",
"pushed_at": "2025-10-22T14:08:38Z",
"releases_url": "https://api.github.com/repos/docker/github-builder-test/releases{/id}",
"size": 24,
"ssh_url": "git@github.com:docker/github-builder-test.git",
"stargazers_count": 0,
"stargazers_url": "https://api.github.com/repos/docker/github-builder-test/stargazers",
"statuses_url": "https://api.github.com/repos/docker/github-builder-test/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/docker/github-builder-test/subscribers",
"subscription_url": "https://api.github.com/repos/docker/github-builder-test/subscription",
"svn_url": "https://github.com/docker/github-builder-test",
"tags_url": "https://api.github.com/repos/docker/github-builder-test/tags",
"teams_url": "https://api.github.com/repos/docker/github-builder-test/teams",
"topics": [],
"trees_url": "https://api.github.com/repos/docker/github-builder-test/git/trees{/sha}",
"updated_at": "2025-10-22T14:08:42Z",
"url": "https://api.github.com/repos/docker/github-builder-test",
"visibility": "internal",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/1951866?v=4",
"events_url": "https://api.github.com/users/crazy-max/events{/privacy}",
"followers_url": "https://api.github.com/users/crazy-max/followers",
"following_url": "https://api.github.com/users/crazy-max/following{/other_user}",
"gists_url": "https://api.github.com/users/crazy-max/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/crazy-max",
"id": 1951866,
"login": "crazy-max",
"node_id": "MDQ6VXNlcjE5NTE4NjY=",
"organizations_url": "https://api.github.com/users/crazy-max/orgs",
"received_events_url": "https://api.github.com/users/crazy-max/received_events",
"repos_url": "https://api.github.com/users/crazy-max/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/crazy-max/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/crazy-max/subscriptions",
"type": "User",
"url": "https://api.github.com/users/crazy-max",
"user_view_type": "public"
},
"workflow": ".github/workflows/ci.yml"
}
}
},
"runDetails": {
"builder": {
"id": "https://github.com/docker/github-builder-test/actions/runs/18720329526/attempts/1"
},
"metadata": {
"invocationID": "3lb9gejzb3ondafiy8szq6pza",
"startedOn": "2025-10-22T14:53:42.019047245Z",
"finishedOn": "2025-10-22T14:54:12.811607358Z",
"buildkit_metadata": {
"source": {
"locations": {
"step0": {
"locations": [
{
"ranges": [
{
"start": {
"line": 8
},
"end": {
"line": 8
}
}
]
}
]
},
"step1": {
"locations": [
{
"ranges": [
{
"start": {
"line": 6
},
"end": {
"line": 6
}
}
]
}
]
},
"step2": {
"locations": [
{
"ranges": [
{
"start": {
"line": 9
},
"end": {
"line": 9
}
}
]
}
]
},
"step3": {
"locations": [
{
"ranges": [
{
"start": {
"line": 10
},
"end": {
"line": 10
}
}
]
}
]
},
"step4": {
"locations": [
{
"ranges": [
{
"start": {
"line": 12
},
"end": {
"line": 12
}
}
]
}
]
},
"step5": {},
"step6": {
"locations": [
{
"ranges": [
{
"start": {
"line": 16
},
"end": {
"line": 16
}
},
{
"start": {
"line": 17
},
"end": {
"line": 17
}
},
{
"start": {
"line": 18
},
"end": {
"line": 18
}
},
{
"start": {
"line": 19
},
"end": {
"line": 19
}
}
]
}
]
},
"step7": {
"locations": [
{
"ranges": [
{
"start": {
"line": 23
},
"end": {
"line": 23
}
}
]
}
]
}
},
"infos": [
{
"filename": "Dockerfile",
"language": "Dockerfile",
"data": "IyBzeW50YXg9ZG9ja2VyL2RvY2tlcmZpbGU6MQoKQVJHIEdPX1ZFUlNJT049IjEuMjUiCgojIHh4IGlzIGEgaGVscGVyIGZvciBjcm9zcy1jb21waWxhdGlvbgpGUk9NIC0tcGxhdGZvcm09JEJVSUxEUExBVEZPUk0gdG9uaXN0aWlnaS94eDoxLjcuMCBBUyB4eAoKRlJPTSAtLXBsYXRmb3JtPSRCVUlMRFBMQVRGT1JNIGdvbGFuZzoke0dPX1ZFUlNJT059LWFscGluZSBBUyBiYXNlCkNPUFkgLS1mcm9tPXh4IC8gLwpSVU4gYXBrIGFkZCAtLW5vLWNhY2hlIGZpbGUgZ2l0CkVOViBDR09fRU5BQkxFRD0wCldPUktESVIgL3NyYwoKRlJPTSBiYXNlIEFTIGJ1aWxkCkFSRyBUQVJHRVRQTEFURk9STQpSVU4gLS1tb3VudD10eXBlPWJpbmQsdGFyZ2V0PS4gXAogICAgLS1tb3VudD10YXJnZXQ9L3Jvb3QvLmNhY2hlLHR5cGU9Y2FjaGUgXAogIHh4LWdvIGJ1aWxkIC10cmltcGF0aCAtbyAvb3V0L215YXBwIC4gXAogICYmIHh4LXZlcmlmeSAtLXN0YXRpYyAvb3V0L215YXBwCkFSRyBCVUlMREtJVF9TQk9NX1NDQU5fU1RBR0U9dHJ1ZQoKRlJPTSBzY3JhdGNoCkNPUFkgLS1mcm9tPWJ1aWxkIC9vdXQgLwo=",
"llbDefinition": [
{
"id": "step0",
"op": {
"Op": {
"source": {
"identifier": "git://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"attrs": {
"git.authheadersecret": "GIT_AUTH_HEADER",
"git.authtokensecret": "GIT_AUTH_TOKEN",
"git.fullurl": "https://github.com/docker/github-builder-test.git"
}
}
},
"constraints": {}
}
},
{
"id": "step1",
"op": {
"Op": {}
},
"inputs": [
"step0:0"
]
}
],
"digestMapping": {
"sha256:4fcabdc8e56358c8b9a740d0bf712ef67bc33786112213b9071132a6d595b56f": "step0",
"sha256:bc50cc258c6043da1edc694266872a90e37fe4d9dd4b4a6f29715b79a0778011": "step1"
}
}
]
},
"layers": {
"step0:0": [
[
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:2d35ebdb57d9971fea0cac1582aa78935adf8058b2cc32db163c98822e5dfa1b",
"size": 3802452
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:85e8836fcdb2966cd3e43a5440ccddffd1828d2d186a49fa7c17b605db8b3bb3",
"size": 291155
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:91631faa732ae651543f888b70295cbfe29a433d3c8da02b9966f67f238d3603",
"size": 60150352
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:f3f5ae8826faeb0e0415f8f29afbc9550ae5d655f3982b2924949c93d5efd5c8",
"size": 126
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
"size": 32
}
]
],
"step1:0": [
[
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:15db0d88ae4923276807d48a05fc8a7208dfbec142770f2fce52af9fee6cd287",
"size": 17084
}
]
]
}
},
"buildkit_completeness": {
"request": true,
"resolvedDependencies": true
}
}
}
}
}

725
__tests__/.fixtures/sigstore/single/provenance.json Normal file
View File

@@ -0,0 +1,725 @@
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"name": "myapp",
"digest": {
"sha256": "4b667c986650394031c49aa325f905d0f9dde27ea57d7b4ab3e43d48f0f9140b"
}
}
],
"predicate": {
"buildDefinition": {
"buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
"resolvedDependencies": [
{
"uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
"digest": {
"sha256": "e930c2697be77cb7271d316ecfa78768b5eac73de3b16018ed38eb0ea0b5a7cb"
}
},
{
"uri": "pkg:docker/docker/dockerfile@1",
"digest": {
"sha256": "b6afd42430b15f2d2a4c5a02b919e98a525b785b1aaff16747d2f623364e39b6"
}
},
{
"uri": "pkg:docker/golang@1.25-alpine?platform=linux%2Famd64",
"digest": {
"sha256": "aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34"
}
},
{
"uri": "pkg:docker/tonistiigi/xx@1.7.0?platform=linux%2Famd64",
"digest": {
"sha256": "010d4b66aed389848b0694f91c7aaee9df59a6f20be7f5d12e53663a37bd14e2"
}
},
{
"uri": "https://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"digest": {
"sha1": "f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
}
}
],
"externalParameters": {
"configSource": {
"uri": "https://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"digest": {
"sha1": "f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
},
"path": "Dockerfile"
},
"request": {
"frontend": "gateway.v0",
"args": {
"cmdline": "docker/dockerfile:1",
"source": "docker/dockerfile:1"
},
"secrets": [
{
"id": "GIT_AUTH_HEADER",
"optional": true
},
{
"id": "GIT_AUTH_TOKEN",
"optional": true
}
]
}
},
"internalParameters": {
"buildConfig": {
"digestMapping": {
"sha256:1f4a4008f77e0fd66e5e405280ee9b3f1968beac6a3f28c110b31d15b8cd472a": "step2",
"sha256:2030d53ec35fa99af0f54fca7548a9665ec96f2514ba3cbc1b19c9f5c7cec173": "step0",
"sha256:368b1bc65dc4d0861c183479a82ba1d9792be1ec2a72aaa7d01c079683d737ff": "step8",
"sha256:4fcabdc8e56358c8b9a740d0bf712ef67bc33786112213b9071132a6d595b56f": "step5",
"sha256:6a2df8f51e15d0173d4785a6ef59a3c267ab89e42ebb4684a384c03a7ad05147": "step7",
"sha256:6ebefcdf46d57291371b70b4c09dbd29559df2b73ef100296cffb93ea6b083bb": "step6",
"sha256:717558c6da2ccb95acf2519318ee6f40d7ffbb1f63b0a9d211ffbc1a1d0e345f": "step4",
"sha256:d4b5a8c2437dc07cb5a1884896309711c899ee3557268d10b66818dd93f13784": "step1",
"sha256:dc0d490768523aa0ed6c1a7c68c5884e1a18e9b7a8c36a0a983edbe17a9bb89e": "step3"
},
"llbDefinition": [
{
"id": "step0",
"op": {
"Op": {
"source": {
"identifier": "docker-image://docker.io/library/golang:1.25-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34"
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step1",
"op": {
"Op": {
"source": {
"identifier": "docker-image://docker.io/tonistiigi/xx:1.7.0@sha256:010d4b66aed389848b0694f91c7aaee9df59a6f20be7f5d12e53663a37bd14e2"
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step2",
"inputs": [
"step0:0",
"step1:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"copy": {
"allowEmptyWildcard": true,
"allowWildcard": true,
"createDestPath": true,
"dest": "/",
"dirCopyContents": true,
"followSymlink": true,
"mode": -1,
"src": "/",
"timestamp": -1
}
},
"input": 0,
"output": 0,
"secondaryInput": 1
}
]
}
},
"constraints": {}
}
},
{
"id": "step3",
"inputs": [
"step2:0"
],
"op": {
"Op": {
"exec": {
"meta": {
"args": [
"/bin/sh",
"-c",
"apk add --no-cache file git"
],
"cwd": "/go",
"env": [
"PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOLANG_VERSION=1.25.3",
"GOTOOLCHAIN=local",
"GOPATH=/go"
],
"removeMountStubsRecursive": true
},
"mounts": [
{
"dest": "/"
}
]
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step4",
"inputs": [
"step3:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"mkdir": {
"makeParents": true,
"mode": 493,
"path": "/src",
"timestamp": -1
}
},
"input": 0,
"output": 0,
"secondaryInput": -1
}
]
}
},
"constraints": {}
}
},
{
"id": "step5",
"op": {
"Op": {
"source": {
"attrs": {
"git.authheadersecret": "GIT_AUTH_HEADER",
"git.authtokensecret": "GIT_AUTH_TOKEN",
"git.fullurl": "https://github.com/docker/github-builder-test.git"
},
"identifier": "git://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd"
}
},
"constraints": {}
}
},
{
"id": "step6",
"inputs": [
"step4:0",
"step5:0"
],
"op": {
"Op": {
"exec": {
"meta": {
"args": [
"/bin/sh",
"-c",
"xx-go build -trimpath -o /out/myapp . \u0026\u0026 xx-verify --static /out/myapp"
],
"cwd": "/src",
"env": [
"PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOLANG_VERSION=1.25.3",
"GOTOOLCHAIN=local",
"GOPATH=/go",
"CGO_ENABLED=0",
"TARGETPLATFORM=linux/arm64"
],
"removeMountStubsRecursive": true
},
"mounts": [
{
"dest": "/"
},
{
"cacheOpt": {
"ID": "//root/.cache"
},
"dest": "/root/.cache",
"input": -1,
"mountType": 3,
"output": -1
},
{
"dest": "/src",
"input": 1,
"output": -1,
"readonly": true
}
]
}
},
"constraints": {},
"platform": {
"Architecture": "amd64",
"OS": "linux"
}
}
},
{
"id": "step7",
"inputs": [
"step6:0"
],
"op": {
"Op": {
"file": {
"actions": [
{
"Action": {
"copy": {
"allowEmptyWildcard": true,
"allowWildcard": true,
"createDestPath": true,
"dest": "/",
"dirCopyContents": true,
"followSymlink": true,
"mode": -1,
"src": "/out",
"timestamp": -1
}
},
"input": -1,
"output": 0,
"secondaryInput": 0
}
]
}
},
"constraints": {}
}
},
{
"id": "step8",
"inputs": [
"step7:0"
],
"op": {
"Op": {}
}
}
]
},
"builderPlatform": "linux/amd64",
"github_event_name": "workflow_dispatch",
"github_event_payload": {
"enterprise": {
"avatar_url": "https://avatars.githubusercontent.com/b/19176?v=4",
"created_at": "2022-12-30T23:53:17Z",
"description": null,
"html_url": "https://github.com/enterprises/docker",
"id": 19176,
"name": "Docker",
"node_id": "E_kgDNSug",
"slug": "docker",
"updated_at": "2025-10-20T20:39:05Z",
"website_url": null
},
"inputs": null,
"organization": {
"avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
"description": "Docker helps developers bring their ideas to life by conquering the complexity of app development.",
"events_url": "https://api.github.com/orgs/docker/events",
"hooks_url": "https://api.github.com/orgs/docker/hooks",
"id": 5429470,
"issues_url": "https://api.github.com/orgs/docker/issues",
"login": "docker",
"members_url": "https://api.github.com/orgs/docker/members{/member}",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
"public_members_url": "https://api.github.com/orgs/docker/public_members{/member}",
"repos_url": "https://api.github.com/orgs/docker/repos",
"url": "https://api.github.com/orgs/docker"
},
"ref": "refs/heads/main",
"repository": {
"allow_forking": true,
"archive_url": "https://api.github.com/repos/docker/github-builder-test/{archive_format}{/ref}",
"archived": false,
"assignees_url": "https://api.github.com/repos/docker/github-builder-test/assignees{/user}",
"blobs_url": "https://api.github.com/repos/docker/github-builder-test/git/blobs{/sha}",
"branches_url": "https://api.github.com/repos/docker/github-builder-test/branches{/branch}",
"clone_url": "https://github.com/docker/github-builder-test.git",
"collaborators_url": "https://api.github.com/repos/docker/github-builder-test/collaborators{/collaborator}",
"comments_url": "https://api.github.com/repos/docker/github-builder-test/comments{/number}",
"commits_url": "https://api.github.com/repos/docker/github-builder-test/commits{/sha}",
"compare_url": "https://api.github.com/repos/docker/github-builder-test/compare/{base}...{head}",
"contents_url": "https://api.github.com/repos/docker/github-builder-test/contents/{+path}",
"contributors_url": "https://api.github.com/repos/docker/github-builder-test/contributors",
"created_at": "2025-08-19T08:08:29Z",
"custom_properties": {},
"default_branch": "main",
"deployments_url": "https://api.github.com/repos/docker/github-builder-test/deployments",
"description": "Test repo for https://github.com/docker/github-builder-experimental",
"disabled": false,
"downloads_url": "https://api.github.com/repos/docker/github-builder-test/downloads",
"events_url": "https://api.github.com/repos/docker/github-builder-test/events",
"fork": false,
"forks": 0,
"forks_count": 0,
"forks_url": "https://api.github.com/repos/docker/github-builder-test/forks",
"full_name": "docker/github-builder-test",
"git_commits_url": "https://api.github.com/repos/docker/github-builder-test/git/commits{/sha}",
"git_refs_url": "https://api.github.com/repos/docker/github-builder-test/git/refs{/sha}",
"git_tags_url": "https://api.github.com/repos/docker/github-builder-test/git/tags{/sha}",
"git_url": "git://github.com/docker/github-builder-test.git",
"has_discussions": false,
"has_downloads": true,
"has_issues": false,
"has_pages": false,
"has_projects": false,
"has_wiki": false,
"homepage": null,
"hooks_url": "https://api.github.com/repos/docker/github-builder-test/hooks",
"html_url": "https://github.com/docker/github-builder-test",
"id": 1040594287,
"is_template": false,
"issue_comment_url": "https://api.github.com/repos/docker/github-builder-test/issues/comments{/number}",
"issue_events_url": "https://api.github.com/repos/docker/github-builder-test/issues/events{/number}",
"issues_url": "https://api.github.com/repos/docker/github-builder-test/issues{/number}",
"keys_url": "https://api.github.com/repos/docker/github-builder-test/keys{/key_id}",
"labels_url": "https://api.github.com/repos/docker/github-builder-test/labels{/name}",
"language": "Dockerfile",
"languages_url": "https://api.github.com/repos/docker/github-builder-test/languages",
"license": null,
"merges_url": "https://api.github.com/repos/docker/github-builder-test/merges",
"milestones_url": "https://api.github.com/repos/docker/github-builder-test/milestones{/number}",
"mirror_url": null,
"name": "github-builder-test",
"node_id": "R_kgDOPgY1bw",
"notifications_url": "https://api.github.com/repos/docker/github-builder-test/notifications{?since,all,participating}",
"open_issues": 0,
"open_issues_count": 0,
"owner": {
"avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
"events_url": "https://api.github.com/users/docker/events{/privacy}",
"followers_url": "https://api.github.com/users/docker/followers",
"following_url": "https://api.github.com/users/docker/following{/other_user}",
"gists_url": "https://api.github.com/users/docker/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/docker",
"id": 5429470,
"login": "docker",
"node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
"organizations_url": "https://api.github.com/users/docker/orgs",
"received_events_url": "https://api.github.com/users/docker/received_events",
"repos_url": "https://api.github.com/users/docker/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/docker/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/docker/subscriptions",
"type": "Organization",
"url": "https://api.github.com/users/docker",
"user_view_type": "public"
},
"private": true,
"pulls_url": "https://api.github.com/repos/docker/github-builder-test/pulls{/number}",
"pushed_at": "2025-10-22T14:08:38Z",
"releases_url": "https://api.github.com/repos/docker/github-builder-test/releases{/id}",
"size": 24,
"ssh_url": "git@github.com:docker/github-builder-test.git",
"stargazers_count": 0,
"stargazers_url": "https://api.github.com/repos/docker/github-builder-test/stargazers",
"statuses_url": "https://api.github.com/repos/docker/github-builder-test/statuses/{sha}",
"subscribers_url": "https://api.github.com/repos/docker/github-builder-test/subscribers",
"subscription_url": "https://api.github.com/repos/docker/github-builder-test/subscription",
"svn_url": "https://github.com/docker/github-builder-test",
"tags_url": "https://api.github.com/repos/docker/github-builder-test/tags",
"teams_url": "https://api.github.com/repos/docker/github-builder-test/teams",
"topics": [],
"trees_url": "https://api.github.com/repos/docker/github-builder-test/git/trees{/sha}",
"updated_at": "2025-10-22T14:08:42Z",
"url": "https://api.github.com/repos/docker/github-builder-test",
"visibility": "internal",
"watchers": 0,
"watchers_count": 0,
"web_commit_signoff_required": false
},
"sender": {
"avatar_url": "https://avatars.githubusercontent.com/u/1951866?v=4",
"events_url": "https://api.github.com/users/crazy-max/events{/privacy}",
"followers_url": "https://api.github.com/users/crazy-max/followers",
"following_url": "https://api.github.com/users/crazy-max/following{/other_user}",
"gists_url": "https://api.github.com/users/crazy-max/gists{/gist_id}",
"gravatar_id": "",
"html_url": "https://github.com/crazy-max",
"id": 1951866,
"login": "crazy-max",
"node_id": "MDQ6VXNlcjE5NTE4NjY=",
"organizations_url": "https://api.github.com/users/crazy-max/orgs",
"received_events_url": "https://api.github.com/users/crazy-max/received_events",
"repos_url": "https://api.github.com/users/crazy-max/repos",
"site_admin": false,
"starred_url": "https://api.github.com/users/crazy-max/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/crazy-max/subscriptions",
"type": "User",
"url": "https://api.github.com/users/crazy-max",
"user_view_type": "public"
},
"workflow": ".github/workflows/ci.yml"
}
}
},
"runDetails": {
"builder": {
"id": "https://github.com/docker/github-builder-test/actions/runs/18720329526/attempts/1"
},
"metadata": {
"invocationID": "3lb9gejzb3ondafiy8szq6pza",
"startedOn": "2025-10-22T14:53:42.019047245Z",
"finishedOn": "2025-10-22T14:54:12.811607358Z",
"buildkit_metadata": {
"source": {
"locations": {
"step0": {
"locations": [
{
"ranges": [
{
"start": {
"line": 8
},
"end": {
"line": 8
}
}
]
}
]
},
"step1": {
"locations": [
{
"ranges": [
{
"start": {
"line": 6
},
"end": {
"line": 6
}
}
]
}
]
},
"step2": {
"locations": [
{
"ranges": [
{
"start": {
"line": 9
},
"end": {
"line": 9
}
}
]
}
]
},
"step3": {
"locations": [
{
"ranges": [
{
"start": {
"line": 10
},
"end": {
"line": 10
}
}
]
}
]
},
"step4": {
"locations": [
{
"ranges": [
{
"start": {
"line": 12
},
"end": {
"line": 12
}
}
]
}
]
},
"step5": {},
"step6": {
"locations": [
{
"ranges": [
{
"start": {
"line": 16
},
"end": {
"line": 16
}
},
{
"start": {
"line": 17
},
"end": {
"line": 17
}
},
{
"start": {
"line": 18
},
"end": {
"line": 18
}
},
{
"start": {
"line": 19
},
"end": {
"line": 19
}
}
]
}
]
},
"step7": {
"locations": [
{
"ranges": [
{
"start": {
"line": 23
},
"end": {
"line": 23
}
}
]
}
]
}
},
"infos": [
{
"filename": "Dockerfile",
"language": "Dockerfile",
"data": "IyBzeW50YXg9ZG9ja2VyL2RvY2tlcmZpbGU6MQoKQVJHIEdPX1ZFUlNJT049IjEuMjUiCgojIHh4IGlzIGEgaGVscGVyIGZvciBjcm9zcy1jb21waWxhdGlvbgpGUk9NIC0tcGxhdGZvcm09JEJVSUxEUExBVEZPUk0gdG9uaXN0aWlnaS94eDoxLjcuMCBBUyB4eAoKRlJPTSAtLXBsYXRmb3JtPSRCVUlMRFBMQVRGT1JNIGdvbGFuZzoke0dPX1ZFUlNJT059LWFscGluZSBBUyBiYXNlCkNPUFkgLS1mcm9tPXh4IC8gLwpSVU4gYXBrIGFkZCAtLW5vLWNhY2hlIGZpbGUgZ2l0CkVOViBDR09fRU5BQkxFRD0wCldPUktESVIgL3NyYwoKRlJPTSBiYXNlIEFTIGJ1aWxkCkFSRyBUQVJHRVRQTEFURk9STQpSVU4gLS1tb3VudD10eXBlPWJpbmQsdGFyZ2V0PS4gXAogICAgLS1tb3VudD10YXJnZXQ9L3Jvb3QvLmNhY2hlLHR5cGU9Y2FjaGUgXAogIHh4LWdvIGJ1aWxkIC10cmltcGF0aCAtbyAvb3V0L215YXBwIC4gXAogICYmIHh4LXZlcmlmeSAtLXN0YXRpYyAvb3V0L215YXBwCkFSRyBCVUlMREtJVF9TQk9NX1NDQU5fU1RBR0U9dHJ1ZQoKRlJPTSBzY3JhdGNoCkNPUFkgLS1mcm9tPWJ1aWxkIC9vdXQgLwo=",
"llbDefinition": [
{
"id": "step0",
"op": {
"Op": {
"source": {
"identifier": "git://github.com/docker/github-builder-test.git#f1bd8fdfe4d417acd107b32d5749638ff1533bfd",
"attrs": {
"git.authheadersecret": "GIT_AUTH_HEADER",
"git.authtokensecret": "GIT_AUTH_TOKEN",
"git.fullurl": "https://github.com/docker/github-builder-test.git"
}
}
},
"constraints": {}
}
},
{
"id": "step1",
"op": {
"Op": {}
},
"inputs": [
"step0:0"
]
}
],
"digestMapping": {
"sha256:4fcabdc8e56358c8b9a740d0bf712ef67bc33786112213b9071132a6d595b56f": "step0",
"sha256:bc50cc258c6043da1edc694266872a90e37fe4d9dd4b4a6f29715b79a0778011": "step1"
}
}
]
},
"layers": {
"step0:0": [
[
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:2d35ebdb57d9971fea0cac1582aa78935adf8058b2cc32db163c98822e5dfa1b",
"size": 3802452
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:85e8836fcdb2966cd3e43a5440ccddffd1828d2d186a49fa7c17b605db8b3bb3",
"size": 291155
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:91631faa732ae651543f888b70295cbfe29a433d3c8da02b9966f67f238d3603",
"size": 60150352
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:f3f5ae8826faeb0e0415f8f29afbc9550ae5d655f3982b2924949c93d5efd5c8",
"size": 126
},
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
"size": 32
}
]
],
"step1:0": [
[
{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:15db0d88ae4923276807d48a05fc8a7208dfbec142770f2fce52af9fee6cd287",
"size": 17084
}
]
]
}
},
"buildkit_completeness": {
"request": true,
"resolvedDependencies": true
}
}
}
}
}

59
__tests__/sigstore/sigstore.test.itg.ts Normal file
View File

@@ -0,0 +1,59 @@
/**
* Copyright 2025 actions-toolkit authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import {describe, expect, it} from '@jest/globals';
import fs from 'fs';
import * as path from 'path';
import {Sigstore} from '../../src/sigstore/sigstore';
const fixturesDir = path.join(__dirname, '..', '.fixtures');
const maybe = process.env.GITHUB_ACTIONS && process.env.GITHUB_ACTIONS === 'true' && process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu') ? describe : describe.skip;
maybe('signProvenanceBlobs', () => {
it('single platform', async () => {
const sigstore = new Sigstore();
const results = await sigstore.signProvenanceBlobs({
localExportDir: path.join(fixturesDir, 'sigstore', 'single')
});
expect(Object.keys(results).length).toEqual(1);
const provenancePath = Object.keys(results)[0];
expect(provenancePath).toEqual(path.join(fixturesDir, 'sigstore', 'single', 'provenance.json'));
expect(fs.existsSync(results[provenancePath].bundlePath)).toBe(true);
expect(results[provenancePath].bundle).toBeDefined();
expect(results[provenancePath].certificate).toBeDefined();
expect(results[provenancePath].tlogID).toBeDefined();
expect(results[provenancePath].attestationID).not.toBeDefined();
console.log(provenancePath, JSON.stringify(results[provenancePath].bundle, null, 2));
});
it('multi-platform', async () => {
const sigstore = new Sigstore();
const results = await sigstore.signProvenanceBlobs({
localExportDir: path.join(fixturesDir, 'sigstore', 'multi')
});
expect(Object.keys(results).length).toEqual(2);
for (const [provenancePath, res] of Object.entries(results)) {
expect(provenancePath).toMatch(/linux_(amd64|arm64)\/provenance.json/);
expect(fs.existsSync(res.bundlePath)).toBe(true);
expect(res.bundle).toBeDefined();
expect(res.certificate).toBeDefined();
expect(res.tlogID).toBeDefined();
expect(res.attestationID).not.toBeDefined();
console.log(provenancePath, JSON.stringify(res.bundle, null, 2));
}
});
});

5
package.json
View File

@@ -46,6 +46,7 @@
},
"dependencies": {
"@actions/artifact": "^4.0.0",
"@actions/attest": "^2.0.0",
"@actions/cache": "^4.1.0",
"@actions/core": "^1.11.1",
"@actions/exec": "^1.1.1",
@@ -56,6 +57,8 @@
"@azure/storage-blob": "^12.15.0",
"@octokit/core": "^5.2.2",
"@octokit/plugin-rest-endpoint-methods": "^10.4.1",
"@sigstore/bundle": "^3.1.0",
"@sigstore/sign": "^3.1.0",
"async-retry": "^1.3.3",
"csv-parse": "^6.1.0",
"gunzip-maybe": "^1.4.2",
@@ -68,6 +71,8 @@
"tmp": "^0.2.5"
},
"devDependencies": {
"@sigstore/mock": "^0.10.0",
"@sigstore/rekor-types": "^3.0.0",
"@types/gunzip-maybe": "^1.4.2",
"@types/he": "^1.2.3",
"@types/js-yaml": "^4.0.9",

156
src/sigstore/sigstore.ts Normal file
View File

@@ -0,0 +1,156 @@
/**
* Copyright 2025 actions-toolkit authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import {X509Certificate} from 'crypto';
import fs from 'fs';
import path from 'path';
import {signingEndpoints, SigstoreInstance} from '@actions/attest/lib/endpoints';
import * as core from '@actions/core';
import {signPayload} from '@actions/attest/lib/sign';
import {bundleToJSON} from '@sigstore/bundle';
import {Attestation} from '@actions/attest';
import {Bundle} from '@sigstore/sign';
import {Subject} from '../types/intoto/intoto';
export interface SignProvenanceBlobsOpts {
localExportDir: string;
name?: string;
}
export interface SignProvenanceBlobsResult extends Attestation {
bundlePath: string;
subjects: Array<Subject>;
}
export class Sigstore {
private intotoPayloadType = 'application/vnd.in-toto+json';
private searchSigstoreURL = 'https://search.sigstore.dev';
public async signProvenanceBlobs(opts: SignProvenanceBlobsOpts): Promise<Record<string, SignProvenanceBlobsResult>> {
const result: Record<string, SignProvenanceBlobsResult> = {};
try {
if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
throw new Error('missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.');
}
const sigstoreInstance: SigstoreInstance = 'public-good';
const endpoints = signingEndpoints(sigstoreInstance);
core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
const provenanceBlobs = Sigstore.getProvenanceBlobs(opts);
for (const p of Object.keys(provenanceBlobs)) {
await core.group(`Signing ${p}`, async () => {
const blob = provenanceBlobs[p];
const bundlePath = path.join(path.dirname(p), `${opts.name ?? 'provenance'}.sigstore.json`);
const subjects = Sigstore.getProvenanceSubjects(blob);
if (subjects.length === 0) {
core.warning(`No subjects found in provenance ${p}, skip signing.`);
return;
}
const bundle = await signPayload(
{
body: blob,
type: this.intotoPayloadType
},
endpoints
);
const attest = Sigstore.toAttestation(bundle);
core.info(`Provenance blob signed for:`);
for (const subject of subjects) {
const [digestAlg, digestValue] = Object.entries(subject.digest)[0] || [];
core.info(` - ${subject.name} (${digestAlg}:${digestValue})`);
}
if (attest.tlogID) {
core.info(`Attestation signature uploaded to Rekor transparency log: ${this.searchSigstoreURL}?logIndex=${attest.tlogID}`);
}
core.info(`Writing Sigstore bundle to: ${bundlePath}`);
fs.writeFileSync(bundlePath, JSON.stringify(attest.bundle, null, 2), {
encoding: 'utf-8'
});
result[p] = {
...attest,
bundlePath: bundlePath,
subjects: subjects
};
});
}
} catch (err) {
throw new Error(`Signing BuildKit provenance blobs failed: ${(err as Error).message}`);
}
return result;
}
private static getProvenanceBlobs(opts: SignProvenanceBlobsOpts): Record<string, Buffer> {
// For single platform build
const singleProvenance = path.join(opts.localExportDir, 'provenance.json');
if (fs.existsSync(singleProvenance)) {
return {[singleProvenance]: fs.readFileSync(singleProvenance)};
}
// For multi-platform build
const dirents = fs.readdirSync(opts.localExportDir, {withFileTypes: true});
const platformFolders = dirents.filter(dirent => dirent.isDirectory());
if (platformFolders.length > 0 && platformFolders.length === dirents.length && platformFolders.every(platformFolder => fs.existsSync(path.join(opts.localExportDir, platformFolder.name, 'provenance.json')))) {
const result: Record<string, Buffer> = {};
for (const platformFolder of platformFolders) {
const p = path.join(opts.localExportDir, platformFolder.name, 'provenance.json');
result[p] = fs.readFileSync(p);
}
return result;
}
throw new Error(`No valid provenance.json found in ${opts.localExportDir}`);
}
private static getProvenanceSubjects(body: Buffer): Array<Subject> {
const statement = JSON.parse(body.toString()) as {
subject: Array<{name: string; digest: Record<string, string>}>;
};
return statement.subject.map(s => ({
name: s.name,
digest: s.digest
}));
}
// https://github.com/actions/toolkit/blob/d3ab50471b4ff1d1274dffb90ef9c5d9949b4886/packages/attest/src/attest.ts#L90
private static toAttestation(bundle: Bundle): Attestation {
let certBytes: Buffer;
switch (bundle.verificationMaterial.content.$case) {
case 'x509CertificateChain':
certBytes = bundle.verificationMaterial.content.x509CertificateChain.certificates[0].rawBytes;
break;
case 'certificate':
certBytes = bundle.verificationMaterial.content.certificate.rawBytes;
break;
default:
throw new Error('Bundle must contain an x509 certificate');
}
const signingCert = new X509Certificate(certBytes);
// Collect transparency log ID if available
const tlogEntries = bundle.verificationMaterial.tlogEntries;
const tlogID = tlogEntries.length > 0 ? tlogEntries[0].logIndex : undefined;
return {
bundle: bundleToJSON(bundle),
certificate: signingCert.toString(),
tlogID: tlogID
};
}
}

6
src/types/intoto/intoto.ts
View File

@@ -18,3 +18,9 @@
export const MEDIATYPE_PAYLOAD = 'application/vnd.in-toto+json';
export const MEDIATYPE_PREDICATE = 'in-toto.io/predicate-type';
// https://github.com/in-toto/in-toto-golang/blob/0a34c087cedcc36de065b4fccb7cf7c9bc16e29f/in_toto/attestations.go#L30-L42
export interface Subject {
name: string;
digest: Record<string, string>;
}

707
yarn.lock
View File

File diff suppressed because it is too large Load Diff