Merge pull request #838 from crazy-max/fix-toolkit-class

toolkit: add missing classes

.github/compose-releases.json

@@ -1,54 +1,210 @@
 {
   "latest": {
-    "id": 251953773,
-    "tag_name": "v2.40.0",
-    "html_url": "https://github.com/docker/compose/releases/tag/v2.40.0",
+    "id": 258406598,
+    "tag_name": "v2.40.3",
+    "html_url": "https://github.com/docker/compose/releases/tag/v2.40.3",
     "assets": [
-      "https://github.com/docker/compose/releases/download/v2.40.0/checksums.txt",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.exe",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.exe.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.exe",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.exe.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.sbom.json"
+      "https://github.com/docker/compose/releases/download/v2.40.3/checksums.txt",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.sbom.json"
+    ]
+  },
+  "v2.40.3": {
+    "id": 258406598,
+    "tag_name": "v2.40.3",
+    "html_url": "https://github.com/docker/compose/releases/tag/v2.40.3",
+    "assets": [
+      "https://github.com/docker/compose/releases/download/v2.40.3/checksums.txt",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.sbom.json"
+    ]
+  },
+  "v2.40.2": {
+    "id": 256436939,
+    "tag_name": "v2.40.2",
+    "html_url": "https://github.com/docker/compose/releases/tag/v2.40.2",
+    "assets": [
+      "https://github.com/docker/compose/releases/download/v2.40.2/checksums.txt",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-darwin-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv6",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv6.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv6.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv6.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv7",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv7.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv7.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-armv7.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-ppc64le",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-ppc64le.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-ppc64le.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-ppc64le.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-riscv64",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-riscv64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-riscv64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-riscv64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-s390x",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-s390x.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-s390x.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-s390x.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-linux-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-aarch64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-aarch64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-x86_64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-x86_64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.2/docker-compose-windows-x86_64.sbom.json"
+    ]
+  },
+  "v2.40.1": {
+    "id": 255315577,
+    "tag_name": "v2.40.1",
+    "html_url": "https://github.com/docker/compose/releases/tag/v2.40.1",
+    "assets": [
+      "https://github.com/docker/compose/releases/download/v2.40.1/checksums.txt",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-darwin-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv6",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv6.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv6.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv6.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv7",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv7.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv7.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-armv7.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-ppc64le",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-ppc64le.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-ppc64le.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-ppc64le.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-riscv64",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-riscv64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-riscv64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-riscv64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-s390x",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-s390x.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-s390x.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-s390x.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-linux-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-aarch64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-aarch64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-x86_64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-x86_64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.1/docker-compose-windows-x86_64.sbom.json"
     ]
   },
   "v2.40.0": {
@@ -2241,55 +2397,55 @@
     ]
   },
   "edge": {
-    "id": 251953773,
-    "tag_name": "v2.40.0",
-    "html_url": "https://github.com/docker/compose/releases/tag/v2.40.0",
+    "id": 258406598,
+    "tag_name": "v2.40.3",
+    "html_url": "https://github.com/docker/compose/releases/tag/v2.40.3",
     "assets": [
-      "https://github.com/docker/compose/releases/download/v2.40.0/checksums.txt",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-aarch64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-darwin-x86_64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-aarch64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv6.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-armv7.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-ppc64le.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-riscv64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-s390x.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-linux-x86_64.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.exe",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.exe.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-aarch64.sbom.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.exe",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.exe.sha256",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.provenance.json",
-      "https://github.com/docker/compose/releases/download/v2.40.0/docker-compose-windows-x86_64.sbom.json"
+      "https://github.com/docker/compose/releases/download/v2.40.3/checksums.txt",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-darwin-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-aarch64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv6.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-armv7.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-ppc64le.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-riscv64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-s390x.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-linux-x86_64.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-aarch64.sbom.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.exe",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.exe.sha256",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.provenance.json",
+      "https://github.com/docker/compose/releases/download/v2.40.3/docker-compose-windows-x86_64.sbom.json"
     ]
   },
   "v2.24.0-birthday.10": {

.github/docker-releases.json

@@ -6,9 +6,15 @@
     "assets": []
   },
   "edge": {
-    "id": 252020476,
-    "tag_name": "docker-v29.0.0-rc.1",
-    "html_url": "https://github.com/moby/moby/releases/tag/docker-v29.0.0-rc.1",
+    "id": 258289954,
+    "tag_name": "docker-v29.0.0-rc.2",
+    "html_url": "https://github.com/moby/moby/releases/tag/docker-v29.0.0-rc.2",
+    "assets": []
+  },
+  "v29.0.0-rc.2": {
+    "id": 258289954,
+    "tag_name": "docker-v29.0.0-rc.2",
+    "html_url": "https://github.com/moby/moby/releases/tag/docker-v29.0.0-rc.2",
     "assets": []
   },
   "v29.0.0-rc.1": {

.github/workflows/buildx-lab-releases-json.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@9791b02439e3c95de89d128a625169ceee56dc55
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
     with:
       repository: docker/buildx-desktop
       artifact_name: buildx-lab-releases-json
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@v5
       -
         name: Download
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: buildx-lab-releases-json
           path: .github

.github/workflows/buildx-releases-json.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@9791b02439e3c95de89d128a625169ceee56dc55
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
     with:
       repository: docker/buildx
       artifact_name: buildx-releases-json
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@v5
       -
         name: Download
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: buildx-releases-json
           path: .github

.github/workflows/compose-lab-releases-json.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@9791b02439e3c95de89d128a625169ceee56dc55
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
     with:
       repository: docker/compose-desktop
       artifact_name: compose-lab-releases-json
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@v5
       -
         name: Download
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: compose-lab-releases-json
           path: .github

.github/workflows/compose-releases-json.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@9791b02439e3c95de89d128a625169ceee56dc55
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
     with:
       repository: docker/compose
       artifact_name: compose-releases-json
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@v5
       -
         name: Download
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: compose-releases-json
           path: .github

.github/workflows/cosign-releases-json.yml

@@ -0,0 +1,58 @@
+name: cosign-releases-json
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 */12 * * *'
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    paths:
+      - '.github/workflows/cosign-releases-json.yml'
+
+jobs:
+  generate:
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
+    with:
+      repository: sigstore/cosign
+      artifact_name: cosign-releases-json
+      filename: cosign-releases.json
+    secrets: inherit
+
+  open-pr:
+    runs-on: ubuntu-24.04
+    if: github.event_name != 'pull_request'
+    needs:
+      - generate
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v5
+      -
+        name: Download
+        uses: actions/download-artifact@v6
+        with:
+          name: cosign-releases-json
+          path: .github
+      -
+        name: Commit changes
+        run: |
+          git add -A .
+      -
+        name: Create PR
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v7.0.8
+        with:
+          base: main
+          branch: bot/cosign-releases-json
+          commit-message: "github: update .github/cosign-releases.json"
+          signoff: true
+          delete-branch: true
+          title: "Update `.github/cosign-releases.json`"
+          body: |
+            Update `.github/cosign-releases.json` to keep in sync with [https://github.com/sigstore/cosign](https://github.com/sigstore/cosign).
+          draft: false

.github/workflows/docker-releases-json.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@9791b02439e3c95de89d128a625169ceee56dc55
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
     with:
       repository: moby/moby
       artifact_name: docker-releases-json
@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@v5
       -
         name: Download
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: docker-releases-json
           path: .github

.github/workflows/regclient-releases-json.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@9791b02439e3c95de89d128a625169ceee56dc55
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
     with:
       repository: regclient/regclient
       artifact_name: regclient-releases-json
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@v5
       -
         name: Download
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: regclient-releases-json
           path: .github

.github/workflows/test.yml

@@ -106,7 +106,7 @@ jobs:
             });
             await core.group(`Set includes`, async () => {
               let includes = [];
-              for (const os of ['ubuntu-latest', 'ubuntu-24.04-arm', 'macos-13', 'windows-latest']) {
+              for (const os of ['ubuntu-latest', 'ubuntu-24.04-arm', 'macos-15-intel', 'windows-latest']) {
                 for (const test of tests) {
                   if (test === 'docker/install.test.itg.ts') {
                     if (os !== 'windows-latest') {
@@ -146,6 +146,9 @@ jobs:
       fail-fast: false
       matrix:
         include: ${{ fromJson(needs.prepare-itg.outputs.includes) }}
+    permissions:
+      contents: read
+      id-token: write # needed for signing with GitHub OIDC Token
     steps:
       -
         name: Checkout

.github/workflows/undock-releases-json.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   generate:
-    uses: crazy-max/.github/.github/workflows/releases-json.yml@9791b02439e3c95de89d128a625169ceee56dc55
+    uses: crazy-max/.github/.github/workflows/releases-json.yml@34fd436075cac6431d2036d5f6f1c3f3d4687ac5
     with:
       repository: crazy-max/undock
       artifact_name: undock-releases-json
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@v5
       -
         name: Download
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v6
         with:
           name: undock-releases-json
           path: .github

__tests__/.fixtures/cosign/verify-output-err1.txt

@@ -0,0 +1,96 @@
+2025/10/31 13:57:03 --> GET https://index.docker.io/v2/
+2025/10/31 13:57:03 GET /v2/ HTTP/1.1
+Host: index.docker.io
+User-Agent: cosign/v3.0.2 (linux; amd64) go-containerregistry/v0.20.6
+Accept-Encoding: gzip
+
+
+2025/10/31 13:57:03 <-- 401 https://index.docker.io/v2/ (191.948348ms)
+2025/10/31 13:57:03 HTTP/2.0 401 Unauthorized
+Content-Length: 87
+Content-Type: application/json
+Date: Fri, 31 Oct 2025 13:57:03 GMT
+Docker-Distribution-Api-Version: registry/2.0
+Strict-Transport-Security: max-age=31536000
+Www-Authenticate: ***"https://auth.docker.io/token",service="registry.docker.io"
+
+{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":null}]}
+
+2025/10/31 13:57:03 --> GET https://auth.docker.io/token?scope=repository%3Acrazymax%2Fgithub-builder-test%3Apull&service=registry.docker.io [body redacted: basic token response contains credentials]
+2025/10/31 13:57:03 GET /token?scope=repository%3Acrazymax%2Fgithub-builder-test%3Apull&service=registry.docker.io HTTP/1.1
+Host: auth.docker.io
+User-Agent: cosign/v3.0.2 (linux; amd64) go-containerregistry/v0.20.6
+Authorization: <redacted>
+Accept-Encoding: gzip
+
+
+2025/10/31 13:57:03 <-- 200 https://auth.docker.io/token?scope=repository%3Acrazymax%2Fgithub-builder-test%3Apull&service=registry.docker.io (180.01561ms) [body redacted: basic token response contains credentials]
+2025/10/31 13:57:03 HTTP/2.0 200 OK
+Connection: close
+Content-Type: application/json
+Date: Fri, 31 Oct 2025 13:57:03 GMT
+Strict-Transport-Security: max-age=31536000
+X-Trace-Id: 8d63fbce36baf5f2a0c5f2542efa7a7a
+X-Trace-Sampled: false
+
+
+2025/10/31 13:57:03 --> GET https://index.docker.io/v2/crazymax/github-builder-test/referrers/sha256:6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0
+2025/10/31 13:57:03 GET /v2/crazymax/github-builder-test/referrers/sha256:6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0 HTTP/1.1
+Host: index.docker.io
+User-Agent: cosign/v3.0.2 (linux; amd64) go-containerregistry/v0.20.6
+Accept: application/vnd.oci.image.index.v1+json
+Authorization: <redacted>
+Accept-Encoding: gzip
+
+
+2025/10/31 13:57:03 <-- 200 https://index.docker.io/v2/crazymax/github-builder-test/referrers/sha256:6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0 (84.160823ms)
+2025/10/31 13:57:03 HTTP/2.0 200 OK
+Content-Length: 89
+Content-Type: application/vnd.oci.image.index.v1+json
+Date: Fri, 31 Oct 2025 13:57:03 GMT
+Docker-Distribution-Api-Version: registry/2.0
+Strict-Transport-Security: max-age=31536000
+
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[]}
+
+2025/10/31 13:57:03 --> GET https://index.docker.io/v2/crazymax/github-builder-test/referrers/sha256:6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0
+2025/10/31 13:57:03 GET /v2/crazymax/github-builder-test/referrers/sha256:6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0 HTTP/1.1
+Host: index.docker.io
+User-Agent: cosign/v3.0.2 (linux; amd64) go-containerregistry/v0.20.6
+Accept: application/vnd.oci.image.index.v1+json
+Authorization: <redacted>
+Accept-Encoding: gzip
+
+
+2025/10/31 13:57:03 <-- 200 https://index.docker.io/v2/crazymax/github-builder-test/referrers/sha256:6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0 (95.303988ms)
+2025/10/31 13:57:03 HTTP/2.0 200 OK
+Content-Length: 89
+Content-Type: application/vnd.oci.image.index.v1+json
+Date: Fri, 31 Oct 2025 13:57:03 GMT
+Docker-Distribution-Api-Version: registry/2.0
+Strict-Transport-Security: max-age=31536000
+
+{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[]}
+
+2025/10/31 13:57:03 --> GET https://index.docker.io/v2/crazymax/github-builder-test/manifests/sha256-6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0.sig
+2025/10/31 13:57:03 GET /v2/crazymax/github-builder-test/manifests/sha256-6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0.sig HTTP/1.1
+Host: index.docker.io
+User-Agent: cosign/v3.0.2 (linux; amd64) go-containerregistry/v0.20.6
+Accept: application/vnd.docker.distribution.manifest.v1+json,application/vnd.docker.distribution.manifest.v1+prettyjws,application/vnd.docker.distribution.manifest.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.index.v1+json
+Authorization: <redacted>
+Accept-Encoding: gzip
+
+
+2025/10/31 13:57:03 <-- 404 https://index.docker.io/v2/crazymax/github-builder-test/manifests/sha256-6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0.sig (66.155995ms)
+2025/10/31 13:57:03 HTTP/2.0 404 Not Found
+Content-Length: 169
+Content-Type: application/json
+Date: Fri, 31 Oct 2025 13:57:03 GMT
+Docker-Distribution-Api-Version: registry/2.0
+Docker-Ratelimit-Source: d2fd3209-1e2e-451f-b428-29c5bbf3b4b7
+Strict-Transport-Security: max-age=31536000
+
+{"errors":[{"code":"MANIFEST_UNKNOWN","message":"manifest unknown","detail":"unknown tag=sha256-6cc021c733ae2760b2493f449d9885b1606002962b51a9c4f0d0d1568b6dc5c0.sig"}]}
+
+Error: no signatures found
+error during command execution: no signatures found

__tests__/.fixtures/imagetools-03.json

@@ -0,0 +1,5 @@
+{
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "digest": "sha256:dccc69dd895968c4f21aa9e43e715f25f0cedfce4b17f1014c88c307928e22fc",
+  "size": 1599
+}

__tests__/.fixtures/imagetools-04.json

@@ -0,0 +1,141 @@
+{
+  "schemaVersion": 2,
+  "mediaType": "application/vnd.oci.image.index.v1+json",
+  "digest": "sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6",
+  "size": 4654,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:dccc69dd895968c4f21aa9e43e715f25f0cedfce4b17f1014c88c307928e22fc",
+      "size": 1599,
+      "platform": {
+        "architecture": "amd64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:1b6bce668653f08e2d0f9f7c9b646675b2cbce94ce8abdf4eb0eabaef4353045",
+      "size": 1599,
+      "platform": {
+        "architecture": "arm",
+        "os": "linux",
+        "variant": "v7"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:8f251fda6057e9dffc54f7874b249920f15f1813e9b1406a0cebeca5e4ab1ad9",
+      "size": 1599,
+      "platform": {
+        "architecture": "arm64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:d306cbc2d506547f136c8e0ea040b929743f298fb2813d9030efdb9d9eee4d51",
+      "size": 1599,
+      "platform": {
+        "architecture": "s390x",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:9d195ff2dc9ef347bb52ebb1c2a6e6587d4bd87019d2ea11df3e7046a3d19708",
+      "size": 1599,
+      "platform": {
+        "architecture": "ppc64le",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:72410c2c4529fca9339ebbcc8db2a1d5cb4d72d72c669f50b6d45d8a0f79fc22",
+      "size": 1599,
+      "platform": {
+        "architecture": "riscv64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:2ba4ad6eae1efcafee73a971953093c7c32b6938f2f9fd4998c8bf4d0fbe76f2",
+      "size": 1113,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:dccc69dd895968c4f21aa9e43e715f25f0cedfce4b17f1014c88c307928e22fc",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:0709528fae1747ce17638ad2978ee7936b38a294136eaadaf692e415f64b1e03",
+      "size": 1113,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:1b6bce668653f08e2d0f9f7c9b646675b2cbce94ce8abdf4eb0eabaef4353045",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:241b7159129d53923c89708bcc052b3398086a826519896be2f025545916e43e",
+      "size": 1113,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:8f251fda6057e9dffc54f7874b249920f15f1813e9b1406a0cebeca5e4ab1ad9",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:97f4a222a7992dba6dc1a43991d0cca1fcffdc25593033c6a3a7ff14c8651cbf",
+      "size": 1113,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:d306cbc2d506547f136c8e0ea040b929743f298fb2813d9030efdb9d9eee4d51",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:aa933713d8094b2708120e889acb6f7153dee4e0f3298ccd3e37a584cd0c260d",
+      "size": 1113,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:9d195ff2dc9ef347bb52ebb1c2a6e6587d4bd87019d2ea11df3e7046a3d19708",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:d95ca72d4f2a6bc416d4b2f3003b2af9d5f4dea99acec6ad3ab0c2082000a98c",
+      "size": 1113,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:72410c2c4529fca9339ebbcc8db2a1d5cb4d72d72c669f50b6d45d8a0f79fc22",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    }
+  ]
+}

__tests__/.fixtures/imagetools-05.json

@@ -0,0 +1,80 @@
+[
+  {
+    "mediaType":"application/vnd.oci.image.manifest.v1+json",
+    "digest":"sha256:2ba4ad6eae1efcafee73a971953093c7c32b6938f2f9fd4998c8bf4d0fbe76f2",
+    "size":1113,
+    "annotations":{
+      "vnd.docker.reference.digest":"sha256:dccc69dd895968c4f21aa9e43e715f25f0cedfce4b17f1014c88c307928e22fc",
+      "vnd.docker.reference.type":"attestation-manifest"
+    },
+    "platform":{
+      "architecture":"unknown",
+      "os":"unknown"
+    }
+  },
+  {
+    "mediaType":"application/vnd.oci.image.manifest.v1+json",
+    "digest":"sha256:0709528fae1747ce17638ad2978ee7936b38a294136eaadaf692e415f64b1e03",
+    "size":1113,
+    "annotations":{
+      "vnd.docker.reference.digest":"sha256:1b6bce668653f08e2d0f9f7c9b646675b2cbce94ce8abdf4eb0eabaef4353045",
+      "vnd.docker.reference.type":"attestation-manifest"
+    },
+    "platform":{
+      "architecture":"unknown",
+      "os":"unknown"
+    }
+  },
+  {
+    "mediaType":"application/vnd.oci.image.manifest.v1+json",
+    "digest":"sha256:241b7159129d53923c89708bcc052b3398086a826519896be2f025545916e43e",
+    "size":1113,
+    "annotations":{
+      "vnd.docker.reference.digest":"sha256:8f251fda6057e9dffc54f7874b249920f15f1813e9b1406a0cebeca5e4ab1ad9",
+      "vnd.docker.reference.type":"attestation-manifest"
+    },
+    "platform":{
+      "architecture":"unknown",
+      "os":"unknown"
+    }
+  },
+  {
+    "mediaType":"application/vnd.oci.image.manifest.v1+json",
+    "digest":"sha256:97f4a222a7992dba6dc1a43991d0cca1fcffdc25593033c6a3a7ff14c8651cbf",
+    "size":1113,
+    "annotations":{
+      "vnd.docker.reference.digest":"sha256:d306cbc2d506547f136c8e0ea040b929743f298fb2813d9030efdb9d9eee4d51",
+      "vnd.docker.reference.type":"attestation-manifest"
+    },
+    "platform":{
+      "architecture":"unknown",
+      "os":"unknown"
+    }
+  },
+  {
+    "mediaType":"application/vnd.oci.image.manifest.v1+json",
+    "digest":"sha256:aa933713d8094b2708120e889acb6f7153dee4e0f3298ccd3e37a584cd0c260d",
+    "size":1113,
+    "annotations":{
+      "vnd.docker.reference.digest":"sha256:9d195ff2dc9ef347bb52ebb1c2a6e6587d4bd87019d2ea11df3e7046a3d19708",
+      "vnd.docker.reference.type":"attestation-manifest"
+    },
+    "platform":{
+      "architecture":"unknown",
+      "os":"unknown"
+    }
+  },
+  {
+    "mediaType":"application/vnd.oci.image.manifest.v1+json",
+    "digest":"sha256:d95ca72d4f2a6bc416d4b2f3003b2af9d5f4dea99acec6ad3ab0c2082000a98c",
+    "size":1113,
+    "annotations":{
+      "vnd.docker.reference.digest":"sha256:72410c2c4529fca9339ebbcc8db2a1d5cb4d72d72c669f50b6d45d8a0f79fc22",
+      "vnd.docker.reference.type":"attestation-manifest"
+    },
+    "platform":{
+      "architecture":"unknown",
+      "os":"unknown"
+    }
+  }
+]

__tests__/.fixtures/sigstore/multi/linux_amd64/hello.txt

@@ -0,0 +1 @@
+Hello, World! This is linux/amd64

__tests__/.fixtures/sigstore/multi/linux_amd64/provenance.json

@@ -0,0 +1,462 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicateType": "https://slsa.dev/provenance/v1",
+  "subject": [
+    {
+      "name": "hello.txt",
+      "digest": {
+        "sha256": "1b37929e66644beb58b3d28d44fba0d82aa90cab03c55a492adb81fe6e833ec8"
+      }
+    }
+  ],
+  "predicate": {
+    "buildDefinition": {
+      "buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
+      "resolvedDependencies": [
+        {
+          "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
+          "digest": {
+            "sha256": "e930c2697be77cb7271d316ecfa78768b5eac73de3b16018ed38eb0ea0b5a7cb"
+          }
+        },
+        {
+          "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
+          "digest": {
+            "sha256": "4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"
+          }
+        },
+        {
+          "uri": "https://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+          "digest": {
+            "sha1": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+          }
+        }
+      ],
+      "externalParameters": {
+        "configSource": {
+          "uri": "https://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+          "digest": {
+            "sha1": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+          },
+          "path": "hello.Dockerfile"
+        },
+        "request": {
+          "frontend": "dockerfile.v0",
+          "secrets": [
+            {
+              "id": "GIT_AUTH_HEADER",
+              "optional": true
+            },
+            {
+              "id": "GIT_AUTH_TOKEN",
+              "optional": true
+            }
+          ]
+        }
+      },
+      "internalParameters": {
+        "buildConfig": {
+          "digestMapping": {
+            "sha256:23dcbc3cce701a8a9bbb1e33f2ea88304527a4a935c89c4564af698095463ac2": "step3",
+            "sha256:3192c1bd53f90cca959db778dcee30edc9a79f8cd3f9a2c54adc4606507fd3b6": "step0",
+            "sha256:7f1c9e959980ea3e2cf4af8ef97b6c3797a0926752b436bff11474e436defe7f": "step1",
+            "sha256:c8737331fb8e5f5bcb6b22320012d975057514982c788e63db13332a4219b984": "step2"
+          },
+          "llbDefinition": [
+            {
+              "id": "step0",
+              "op": {
+                "Op": {
+                  "source": {
+                    "identifier": "docker-image://docker.io/library/alpine:latest@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"
+                  }
+                },
+                "constraints": {},
+                "platform": {
+                  "Architecture": "amd64",
+                  "OS": "linux"
+                }
+              }
+            },
+            {
+              "id": "step1",
+              "inputs": [
+                "step0:0"
+              ],
+              "op": {
+                "Op": {
+                  "exec": {
+                    "meta": {
+                      "args": [
+                        "/bin/sh",
+                        "-c",
+                        "echo \"Hello, World! This is ${TARGETPLATFORM}\" \u003e /hello.txt"
+                      ],
+                      "cwd": "/",
+                      "env": [
+                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                        "TARGETPLATFORM=linux/amd64"
+                      ],
+                      "removeMountStubsRecursive": true
+                    },
+                    "mounts": [
+                      {
+                        "dest": "/"
+                      }
+                    ]
+                  }
+                },
+                "constraints": {},
+                "platform": {
+                  "Architecture": "amd64",
+                  "OS": "linux"
+                }
+              }
+            },
+            {
+              "id": "step2",
+              "inputs": [
+                "step1:0"
+              ],
+              "op": {
+                "Op": {
+                  "file": {
+                    "actions": [
+                      {
+                        "Action": {
+                          "copy": {
+                            "allowEmptyWildcard": true,
+                            "allowWildcard": true,
+                            "createDestPath": true,
+                            "dest": "/",
+                            "dirCopyContents": true,
+                            "followSymlink": true,
+                            "mode": -1,
+                            "src": "/hello.txt",
+                            "timestamp": -1
+                          }
+                        },
+                        "input": -1,
+                        "output": 0,
+                        "secondaryInput": 0
+                      }
+                    ]
+                  }
+                },
+                "constraints": {}
+              }
+            },
+            {
+              "id": "step3",
+              "inputs": [
+                "step2:0"
+              ],
+              "op": {
+                "Op": {}
+              }
+            }
+          ]
+        },
+        "builderPlatform": "linux/amd64",
+        "github_actor": "crazy-max",
+        "github_actor_id": "1951866",
+        "github_event_name": "workflow_dispatch",
+        "github_event_payload": {
+          "enterprise": {
+            "avatar_url": "https://avatars.githubusercontent.com/b/19176?v=4",
+            "created_at": "2022-12-30T23:53:17Z",
+            "description": null,
+            "html_url": "https://github.com/enterprises/docker",
+            "id": 19176,
+            "name": "Docker",
+            "node_id": "E_kgDNSug",
+            "slug": "docker",
+            "updated_at": "2025-10-20T20:39:05Z",
+            "website_url": null
+          },
+          "inputs": null,
+          "organization": {
+            "avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
+            "description": "Docker helps developers bring their ideas to life by conquering the complexity of app development.",
+            "events_url": "https://api.github.com/orgs/docker/events",
+            "hooks_url": "https://api.github.com/orgs/docker/hooks",
+            "id": 5429470,
+            "issues_url": "https://api.github.com/orgs/docker/issues",
+            "login": "docker",
+            "members_url": "https://api.github.com/orgs/docker/members{/member}",
+            "node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
+            "public_members_url": "https://api.github.com/orgs/docker/public_members{/member}",
+            "repos_url": "https://api.github.com/orgs/docker/repos",
+            "url": "https://api.github.com/orgs/docker"
+          },
+          "ref": "refs/heads/main",
+          "repository": {
+            "allow_forking": true,
+            "archive_url": "https://api.github.com/repos/docker/github-builder-test/{archive_format}{/ref}",
+            "archived": false,
+            "assignees_url": "https://api.github.com/repos/docker/github-builder-test/assignees{/user}",
+            "blobs_url": "https://api.github.com/repos/docker/github-builder-test/git/blobs{/sha}",
+            "branches_url": "https://api.github.com/repos/docker/github-builder-test/branches{/branch}",
+            "clone_url": "https://github.com/docker/github-builder-test.git",
+            "collaborators_url": "https://api.github.com/repos/docker/github-builder-test/collaborators{/collaborator}",
+            "comments_url": "https://api.github.com/repos/docker/github-builder-test/comments{/number}",
+            "commits_url": "https://api.github.com/repos/docker/github-builder-test/commits{/sha}",
+            "compare_url": "https://api.github.com/repos/docker/github-builder-test/compare/{base}...{head}",
+            "contents_url": "https://api.github.com/repos/docker/github-builder-test/contents/{+path}",
+            "contributors_url": "https://api.github.com/repos/docker/github-builder-test/contributors",
+            "created_at": "2025-08-19T08:08:29Z",
+            "custom_properties": {},
+            "default_branch": "main",
+            "deployments_url": "https://api.github.com/repos/docker/github-builder-test/deployments",
+            "description": "Test repo for https://github.com/docker/github-builder-experimental",
+            "disabled": false,
+            "downloads_url": "https://api.github.com/repos/docker/github-builder-test/downloads",
+            "events_url": "https://api.github.com/repos/docker/github-builder-test/events",
+            "fork": false,
+            "forks": 0,
+            "forks_count": 0,
+            "forks_url": "https://api.github.com/repos/docker/github-builder-test/forks",
+            "full_name": "docker/github-builder-test",
+            "git_commits_url": "https://api.github.com/repos/docker/github-builder-test/git/commits{/sha}",
+            "git_refs_url": "https://api.github.com/repos/docker/github-builder-test/git/refs{/sha}",
+            "git_tags_url": "https://api.github.com/repos/docker/github-builder-test/git/tags{/sha}",
+            "git_url": "git://github.com/docker/github-builder-test.git",
+            "has_discussions": false,
+            "has_downloads": true,
+            "has_issues": false,
+            "has_pages": false,
+            "has_projects": false,
+            "has_wiki": false,
+            "homepage": null,
+            "hooks_url": "https://api.github.com/repos/docker/github-builder-test/hooks",
+            "html_url": "https://github.com/docker/github-builder-test",
+            "id": 1040594287,
+            "is_template": false,
+            "issue_comment_url": "https://api.github.com/repos/docker/github-builder-test/issues/comments{/number}",
+            "issue_events_url": "https://api.github.com/repos/docker/github-builder-test/issues/events{/number}",
+            "issues_url": "https://api.github.com/repos/docker/github-builder-test/issues{/number}",
+            "keys_url": "https://api.github.com/repos/docker/github-builder-test/keys{/key_id}",
+            "labels_url": "https://api.github.com/repos/docker/github-builder-test/labels{/name}",
+            "language": "Dockerfile",
+            "languages_url": "https://api.github.com/repos/docker/github-builder-test/languages",
+            "license": null,
+            "merges_url": "https://api.github.com/repos/docker/github-builder-test/merges",
+            "milestones_url": "https://api.github.com/repos/docker/github-builder-test/milestones{/number}",
+            "mirror_url": null,
+            "name": "github-builder-test",
+            "node_id": "R_kgDOPgY1bw",
+            "notifications_url": "https://api.github.com/repos/docker/github-builder-test/notifications{?since,all,participating}",
+            "open_issues": 0,
+            "open_issues_count": 0,
+            "owner": {
+              "avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
+              "events_url": "https://api.github.com/users/docker/events{/privacy}",
+              "followers_url": "https://api.github.com/users/docker/followers",
+              "following_url": "https://api.github.com/users/docker/following{/other_user}",
+              "gists_url": "https://api.github.com/users/docker/gists{/gist_id}",
+              "gravatar_id": "",
+              "html_url": "https://github.com/docker",
+              "id": 5429470,
+              "login": "docker",
+              "node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
+              "organizations_url": "https://api.github.com/users/docker/orgs",
+              "received_events_url": "https://api.github.com/users/docker/received_events",
+              "repos_url": "https://api.github.com/users/docker/repos",
+              "site_admin": false,
+              "starred_url": "https://api.github.com/users/docker/starred{/owner}{/repo}",
+              "subscriptions_url": "https://api.github.com/users/docker/subscriptions",
+              "type": "Organization",
+              "url": "https://api.github.com/users/docker",
+              "user_view_type": "public"
+            },
+            "private": true,
+            "pulls_url": "https://api.github.com/repos/docker/github-builder-test/pulls{/number}",
+            "pushed_at": "2025-10-30T10:04:10Z",
+            "releases_url": "https://api.github.com/repos/docker/github-builder-test/releases{/id}",
+            "size": 25,
+            "ssh_url": "git@github.com:docker/github-builder-test.git",
+            "stargazers_count": 0,
+            "stargazers_url": "https://api.github.com/repos/docker/github-builder-test/stargazers",
+            "statuses_url": "https://api.github.com/repos/docker/github-builder-test/statuses/{sha}",
+            "subscribers_url": "https://api.github.com/repos/docker/github-builder-test/subscribers",
+            "subscription_url": "https://api.github.com/repos/docker/github-builder-test/subscription",
+            "svn_url": "https://github.com/docker/github-builder-test",
+            "tags_url": "https://api.github.com/repos/docker/github-builder-test/tags",
+            "teams_url": "https://api.github.com/repos/docker/github-builder-test/teams",
+            "topics": [],
+            "trees_url": "https://api.github.com/repos/docker/github-builder-test/git/trees{/sha}",
+            "updated_at": "2025-10-30T10:04:14Z",
+            "url": "https://api.github.com/repos/docker/github-builder-test",
+            "visibility": "internal",
+            "watchers": 0,
+            "watchers_count": 0,
+            "web_commit_signoff_required": false
+          },
+          "sender": {
+            "avatar_url": "https://avatars.githubusercontent.com/u/1951866?v=4",
+            "events_url": "https://api.github.com/users/crazy-max/events{/privacy}",
+            "followers_url": "https://api.github.com/users/crazy-max/followers",
+            "following_url": "https://api.github.com/users/crazy-max/following{/other_user}",
+            "gists_url": "https://api.github.com/users/crazy-max/gists{/gist_id}",
+            "gravatar_id": "",
+            "html_url": "https://github.com/crazy-max",
+            "id": 1951866,
+            "login": "crazy-max",
+            "node_id": "MDQ6VXNlcjE5NTE4NjY=",
+            "organizations_url": "https://api.github.com/users/crazy-max/orgs",
+            "received_events_url": "https://api.github.com/users/crazy-max/received_events",
+            "repos_url": "https://api.github.com/users/crazy-max/repos",
+            "site_admin": false,
+            "starred_url": "https://api.github.com/users/crazy-max/starred{/owner}{/repo}",
+            "subscriptions_url": "https://api.github.com/users/crazy-max/subscriptions",
+            "type": "User",
+            "url": "https://api.github.com/users/crazy-max",
+            "user_view_type": "public"
+          },
+          "workflow": ".github/workflows/ci.yml"
+        },
+        "github_job": "build",
+        "github_ref": "refs/heads/main",
+        "github_ref_name": "main",
+        "github_ref_protected": "false",
+        "github_ref_type": "branch",
+        "github_repository": "docker/github-builder-test",
+        "github_repository_id": "1040594287",
+        "github_repository_owner": "docker",
+        "github_repository_owner_id": "5429470",
+        "github_run_attempt": "1",
+        "github_run_id": "18937328894",
+        "github_run_number": "183",
+        "github_runner_arch": "X64",
+        "github_runner_environment": "github-hosted",
+        "github_runner_image_os": "ubuntu24",
+        "github_runner_image_version": "20250929.60.1",
+        "github_runner_name": "GitHub Actions 1002376925",
+        "github_runner_os": "Linux",
+        "github_runner_tracking_id": "github_7c0a7521-2999-41e5-af30-b7f0681f204f",
+        "github_server_url": "https://github.com",
+        "github_triggering_actor": "crazy-max",
+        "github_workflow": "ci",
+        "github_workflow_ref": "docker/github-builder-test/.github/workflows/ci.yml@refs/heads/main",
+        "github_workflow_sha": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+      }
+    },
+    "runDetails": {
+      "builder": {
+        "id": "https://github.com/docker/github-builder-test/actions/runs/18937328894/attempts/1"
+      },
+      "metadata": {
+        "invocationID": "7qg2yuux3iklv02ktbmbtwgeb",
+        "startedOn": "2025-10-30T10:19:52.868710505Z",
+        "finishedOn": "2025-10-30T10:19:57.635810119Z",
+        "buildkit_metadata": {
+          "source": {
+            "locations": {
+              "step0": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 1
+                        },
+                        "end": {
+                          "line": 1
+                        }
+                      }
+                    ]
+                  }
+                ]
+              },
+              "step1": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 3
+                        },
+                        "end": {
+                          "line": 3
+                        }
+                      }
+                    ]
+                  }
+                ]
+              },
+              "step2": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 7
+                        },
+                        "end": {
+                          "line": 7
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            },
+            "infos": [
+              {
+                "filename": "hello.Dockerfile",
+                "language": "Dockerfile",
+                "data": "RlJPTSBhbHBpbmUgQVMgYmFzZQpBUkcgVEFSR0VUUExBVEZPUk0KUlVOIGVjaG8gIkhlbGxvLCBXb3JsZCEgVGhpcyBpcyAke1RBUkdFVFBMQVRGT1JNfSIgPiAvaGVsbG8udHh0CkFSRyBCVUlMREtJVF9TQk9NX1NDQU5fU1RBR0U9dHJ1ZQoKRlJPTSBzY3JhdGNoCkNPUFkgLS1mcm9tPWJhc2UgL2hlbGxvLnR4dCAvCg==",
+                "llbDefinition": [
+                  {
+                    "id": "step0",
+                    "op": {
+                      "Op": {
+                        "source": {
+                          "identifier": "git://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+                          "attrs": {
+                            "git.authheadersecret": "GIT_AUTH_HEADER",
+                            "git.authtokensecret": "GIT_AUTH_TOKEN",
+                            "git.fullurl": "https://github.com/docker/github-builder-test.git"
+                          }
+                        }
+                      },
+                      "constraints": {}
+                    }
+                  },
+                  {
+                    "id": "step1",
+                    "op": {
+                      "Op": {}
+                    },
+                    "inputs": [
+                      "step0:0"
+                    ]
+                  }
+                ],
+                "digestMapping": {
+                  "sha256:47540f0959d81a7ff2fc9742b9ef0bb37d7eca99c13aa6df83b883d06e808ef2": "step0",
+                  "sha256:96933c546ff00debd500304305864192fcb51d348e8c41b6a6e1569a051e66ed": "step1"
+                }
+              }
+            ]
+          },
+          "layers": {
+            "step0:0": [
+              [
+                {
+                  "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+                  "digest": "sha256:2d35ebdb57d9971fea0cac1582aa78935adf8058b2cc32db163c98822e5dfa1b",
+                  "size": 3802452
+                }
+              ]
+            ]
+          }
+        },
+        "buildkit_completeness": {
+          "request": true,
+          "resolvedDependencies": true
+        }
+      }
+    }
+  }
+}

__tests__/.fixtures/sigstore/multi/linux_arm64/hello.txt

@@ -0,0 +1 @@
+Hello, World! This is linux/arm64

__tests__/.fixtures/sigstore/multi/linux_arm64/provenance.json

@@ -0,0 +1,462 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicateType": "https://slsa.dev/provenance/v1",
+  "subject": [
+    {
+      "name": "hello.txt",
+      "digest": {
+        "sha256": "870e0065e68cbdeacbf9cec21b598bb579b0ef55bc48b65b71509667edb570bd"
+      }
+    }
+  ],
+  "predicate": {
+    "buildDefinition": {
+      "buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
+      "resolvedDependencies": [
+        {
+          "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
+          "digest": {
+            "sha256": "e930c2697be77cb7271d316ecfa78768b5eac73de3b16018ed38eb0ea0b5a7cb"
+          }
+        },
+        {
+          "uri": "pkg:docker/alpine@latest?platform=linux%2Farm64",
+          "digest": {
+            "sha256": "4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"
+          }
+        },
+        {
+          "uri": "https://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+          "digest": {
+            "sha1": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+          }
+        }
+      ],
+      "externalParameters": {
+        "configSource": {
+          "uri": "https://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+          "digest": {
+            "sha1": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+          },
+          "path": "hello.Dockerfile"
+        },
+        "request": {
+          "frontend": "dockerfile.v0",
+          "secrets": [
+            {
+              "id": "GIT_AUTH_HEADER",
+              "optional": true
+            },
+            {
+              "id": "GIT_AUTH_TOKEN",
+              "optional": true
+            }
+          ]
+        }
+      },
+      "internalParameters": {
+        "buildConfig": {
+          "digestMapping": {
+            "sha256:69f88b22af1cbbe236f4b5d834dfe9c4adb9535c1c602f726fd90212c302a7da": "step0",
+            "sha256:98c0e3a8b1a38f5aa8db558b99aace8e7645a18b0e24d6807018146d21788ae2": "step2",
+            "sha256:a560219f1e0cfb232a9727b9bbf9d6735c0b2190f8e00364f844cfc82bd42479": "step1",
+            "sha256:c7edeef726371083a69f15a3565d6c62be55a91e820f251d9a965f8e36fe3e32": "step3"
+          },
+          "llbDefinition": [
+            {
+              "id": "step0",
+              "op": {
+                "Op": {
+                  "source": {
+                    "identifier": "docker-image://docker.io/library/alpine:latest@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"
+                  }
+                },
+                "constraints": {},
+                "platform": {
+                  "Architecture": "arm64",
+                  "OS": "linux"
+                }
+              }
+            },
+            {
+              "id": "step1",
+              "inputs": [
+                "step0:0"
+              ],
+              "op": {
+                "Op": {
+                  "exec": {
+                    "meta": {
+                      "args": [
+                        "/bin/sh",
+                        "-c",
+                        "echo \"Hello, World! This is ${TARGETPLATFORM}\" \u003e /hello.txt"
+                      ],
+                      "cwd": "/",
+                      "env": [
+                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                        "TARGETPLATFORM=linux/arm64"
+                      ],
+                      "removeMountStubsRecursive": true
+                    },
+                    "mounts": [
+                      {
+                        "dest": "/"
+                      }
+                    ]
+                  }
+                },
+                "constraints": {},
+                "platform": {
+                  "Architecture": "arm64",
+                  "OS": "linux"
+                }
+              }
+            },
+            {
+              "id": "step2",
+              "inputs": [
+                "step1:0"
+              ],
+              "op": {
+                "Op": {
+                  "file": {
+                    "actions": [
+                      {
+                        "Action": {
+                          "copy": {
+                            "allowEmptyWildcard": true,
+                            "allowWildcard": true,
+                            "createDestPath": true,
+                            "dest": "/",
+                            "dirCopyContents": true,
+                            "followSymlink": true,
+                            "mode": -1,
+                            "src": "/hello.txt",
+                            "timestamp": -1
+                          }
+                        },
+                        "input": -1,
+                        "output": 0,
+                        "secondaryInput": 0
+                      }
+                    ]
+                  }
+                },
+                "constraints": {}
+              }
+            },
+            {
+              "id": "step3",
+              "inputs": [
+                "step2:0"
+              ],
+              "op": {
+                "Op": {}
+              }
+            }
+          ]
+        },
+        "builderPlatform": "linux/amd64",
+        "github_actor": "crazy-max",
+        "github_actor_id": "1951866",
+        "github_event_name": "workflow_dispatch",
+        "github_event_payload": {
+          "enterprise": {
+            "avatar_url": "https://avatars.githubusercontent.com/b/19176?v=4",
+            "created_at": "2022-12-30T23:53:17Z",
+            "description": null,
+            "html_url": "https://github.com/enterprises/docker",
+            "id": 19176,
+            "name": "Docker",
+            "node_id": "E_kgDNSug",
+            "slug": "docker",
+            "updated_at": "2025-10-20T20:39:05Z",
+            "website_url": null
+          },
+          "inputs": null,
+          "organization": {
+            "avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
+            "description": "Docker helps developers bring their ideas to life by conquering the complexity of app development.",
+            "events_url": "https://api.github.com/orgs/docker/events",
+            "hooks_url": "https://api.github.com/orgs/docker/hooks",
+            "id": 5429470,
+            "issues_url": "https://api.github.com/orgs/docker/issues",
+            "login": "docker",
+            "members_url": "https://api.github.com/orgs/docker/members{/member}",
+            "node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
+            "public_members_url": "https://api.github.com/orgs/docker/public_members{/member}",
+            "repos_url": "https://api.github.com/orgs/docker/repos",
+            "url": "https://api.github.com/orgs/docker"
+          },
+          "ref": "refs/heads/main",
+          "repository": {
+            "allow_forking": true,
+            "archive_url": "https://api.github.com/repos/docker/github-builder-test/{archive_format}{/ref}",
+            "archived": false,
+            "assignees_url": "https://api.github.com/repos/docker/github-builder-test/assignees{/user}",
+            "blobs_url": "https://api.github.com/repos/docker/github-builder-test/git/blobs{/sha}",
+            "branches_url": "https://api.github.com/repos/docker/github-builder-test/branches{/branch}",
+            "clone_url": "https://github.com/docker/github-builder-test.git",
+            "collaborators_url": "https://api.github.com/repos/docker/github-builder-test/collaborators{/collaborator}",
+            "comments_url": "https://api.github.com/repos/docker/github-builder-test/comments{/number}",
+            "commits_url": "https://api.github.com/repos/docker/github-builder-test/commits{/sha}",
+            "compare_url": "https://api.github.com/repos/docker/github-builder-test/compare/{base}...{head}",
+            "contents_url": "https://api.github.com/repos/docker/github-builder-test/contents/{+path}",
+            "contributors_url": "https://api.github.com/repos/docker/github-builder-test/contributors",
+            "created_at": "2025-08-19T08:08:29Z",
+            "custom_properties": {},
+            "default_branch": "main",
+            "deployments_url": "https://api.github.com/repos/docker/github-builder-test/deployments",
+            "description": "Test repo for https://github.com/docker/github-builder-experimental",
+            "disabled": false,
+            "downloads_url": "https://api.github.com/repos/docker/github-builder-test/downloads",
+            "events_url": "https://api.github.com/repos/docker/github-builder-test/events",
+            "fork": false,
+            "forks": 0,
+            "forks_count": 0,
+            "forks_url": "https://api.github.com/repos/docker/github-builder-test/forks",
+            "full_name": "docker/github-builder-test",
+            "git_commits_url": "https://api.github.com/repos/docker/github-builder-test/git/commits{/sha}",
+            "git_refs_url": "https://api.github.com/repos/docker/github-builder-test/git/refs{/sha}",
+            "git_tags_url": "https://api.github.com/repos/docker/github-builder-test/git/tags{/sha}",
+            "git_url": "git://github.com/docker/github-builder-test.git",
+            "has_discussions": false,
+            "has_downloads": true,
+            "has_issues": false,
+            "has_pages": false,
+            "has_projects": false,
+            "has_wiki": false,
+            "homepage": null,
+            "hooks_url": "https://api.github.com/repos/docker/github-builder-test/hooks",
+            "html_url": "https://github.com/docker/github-builder-test",
+            "id": 1040594287,
+            "is_template": false,
+            "issue_comment_url": "https://api.github.com/repos/docker/github-builder-test/issues/comments{/number}",
+            "issue_events_url": "https://api.github.com/repos/docker/github-builder-test/issues/events{/number}",
+            "issues_url": "https://api.github.com/repos/docker/github-builder-test/issues{/number}",
+            "keys_url": "https://api.github.com/repos/docker/github-builder-test/keys{/key_id}",
+            "labels_url": "https://api.github.com/repos/docker/github-builder-test/labels{/name}",
+            "language": "Dockerfile",
+            "languages_url": "https://api.github.com/repos/docker/github-builder-test/languages",
+            "license": null,
+            "merges_url": "https://api.github.com/repos/docker/github-builder-test/merges",
+            "milestones_url": "https://api.github.com/repos/docker/github-builder-test/milestones{/number}",
+            "mirror_url": null,
+            "name": "github-builder-test",
+            "node_id": "R_kgDOPgY1bw",
+            "notifications_url": "https://api.github.com/repos/docker/github-builder-test/notifications{?since,all,participating}",
+            "open_issues": 0,
+            "open_issues_count": 0,
+            "owner": {
+              "avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
+              "events_url": "https://api.github.com/users/docker/events{/privacy}",
+              "followers_url": "https://api.github.com/users/docker/followers",
+              "following_url": "https://api.github.com/users/docker/following{/other_user}",
+              "gists_url": "https://api.github.com/users/docker/gists{/gist_id}",
+              "gravatar_id": "",
+              "html_url": "https://github.com/docker",
+              "id": 5429470,
+              "login": "docker",
+              "node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
+              "organizations_url": "https://api.github.com/users/docker/orgs",
+              "received_events_url": "https://api.github.com/users/docker/received_events",
+              "repos_url": "https://api.github.com/users/docker/repos",
+              "site_admin": false,
+              "starred_url": "https://api.github.com/users/docker/starred{/owner}{/repo}",
+              "subscriptions_url": "https://api.github.com/users/docker/subscriptions",
+              "type": "Organization",
+              "url": "https://api.github.com/users/docker",
+              "user_view_type": "public"
+            },
+            "private": true,
+            "pulls_url": "https://api.github.com/repos/docker/github-builder-test/pulls{/number}",
+            "pushed_at": "2025-10-30T10:04:10Z",
+            "releases_url": "https://api.github.com/repos/docker/github-builder-test/releases{/id}",
+            "size": 25,
+            "ssh_url": "git@github.com:docker/github-builder-test.git",
+            "stargazers_count": 0,
+            "stargazers_url": "https://api.github.com/repos/docker/github-builder-test/stargazers",
+            "statuses_url": "https://api.github.com/repos/docker/github-builder-test/statuses/{sha}",
+            "subscribers_url": "https://api.github.com/repos/docker/github-builder-test/subscribers",
+            "subscription_url": "https://api.github.com/repos/docker/github-builder-test/subscription",
+            "svn_url": "https://github.com/docker/github-builder-test",
+            "tags_url": "https://api.github.com/repos/docker/github-builder-test/tags",
+            "teams_url": "https://api.github.com/repos/docker/github-builder-test/teams",
+            "topics": [],
+            "trees_url": "https://api.github.com/repos/docker/github-builder-test/git/trees{/sha}",
+            "updated_at": "2025-10-30T10:04:14Z",
+            "url": "https://api.github.com/repos/docker/github-builder-test",
+            "visibility": "internal",
+            "watchers": 0,
+            "watchers_count": 0,
+            "web_commit_signoff_required": false
+          },
+          "sender": {
+            "avatar_url": "https://avatars.githubusercontent.com/u/1951866?v=4",
+            "events_url": "https://api.github.com/users/crazy-max/events{/privacy}",
+            "followers_url": "https://api.github.com/users/crazy-max/followers",
+            "following_url": "https://api.github.com/users/crazy-max/following{/other_user}",
+            "gists_url": "https://api.github.com/users/crazy-max/gists{/gist_id}",
+            "gravatar_id": "",
+            "html_url": "https://github.com/crazy-max",
+            "id": 1951866,
+            "login": "crazy-max",
+            "node_id": "MDQ6VXNlcjE5NTE4NjY=",
+            "organizations_url": "https://api.github.com/users/crazy-max/orgs",
+            "received_events_url": "https://api.github.com/users/crazy-max/received_events",
+            "repos_url": "https://api.github.com/users/crazy-max/repos",
+            "site_admin": false,
+            "starred_url": "https://api.github.com/users/crazy-max/starred{/owner}{/repo}",
+            "subscriptions_url": "https://api.github.com/users/crazy-max/subscriptions",
+            "type": "User",
+            "url": "https://api.github.com/users/crazy-max",
+            "user_view_type": "public"
+          },
+          "workflow": ".github/workflows/ci.yml"
+        },
+        "github_job": "build",
+        "github_ref": "refs/heads/main",
+        "github_ref_name": "main",
+        "github_ref_protected": "false",
+        "github_ref_type": "branch",
+        "github_repository": "docker/github-builder-test",
+        "github_repository_id": "1040594287",
+        "github_repository_owner": "docker",
+        "github_repository_owner_id": "5429470",
+        "github_run_attempt": "1",
+        "github_run_id": "18937328894",
+        "github_run_number": "183",
+        "github_runner_arch": "X64",
+        "github_runner_environment": "github-hosted",
+        "github_runner_image_os": "ubuntu24",
+        "github_runner_image_version": "20250929.60.1",
+        "github_runner_name": "GitHub Actions 1002376925",
+        "github_runner_os": "Linux",
+        "github_runner_tracking_id": "github_7c0a7521-2999-41e5-af30-b7f0681f204f",
+        "github_server_url": "https://github.com",
+        "github_triggering_actor": "crazy-max",
+        "github_workflow": "ci",
+        "github_workflow_ref": "docker/github-builder-test/.github/workflows/ci.yml@refs/heads/main",
+        "github_workflow_sha": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+      }
+    },
+    "runDetails": {
+      "builder": {
+        "id": "https://github.com/docker/github-builder-test/actions/runs/18937328894/attempts/1"
+      },
+      "metadata": {
+        "invocationID": "7qg2yuux3iklv02ktbmbtwgeb",
+        "startedOn": "2025-10-30T10:19:52.868710505Z",
+        "finishedOn": "2025-10-30T10:19:57.635810119Z",
+        "buildkit_metadata": {
+          "source": {
+            "locations": {
+              "step0": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 1
+                        },
+                        "end": {
+                          "line": 1
+                        }
+                      }
+                    ]
+                  }
+                ]
+              },
+              "step1": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 3
+                        },
+                        "end": {
+                          "line": 3
+                        }
+                      }
+                    ]
+                  }
+                ]
+              },
+              "step2": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 7
+                        },
+                        "end": {
+                          "line": 7
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            },
+            "infos": [
+              {
+                "filename": "hello.Dockerfile",
+                "language": "Dockerfile",
+                "data": "RlJPTSBhbHBpbmUgQVMgYmFzZQpBUkcgVEFSR0VUUExBVEZPUk0KUlVOIGVjaG8gIkhlbGxvLCBXb3JsZCEgVGhpcyBpcyAke1RBUkdFVFBMQVRGT1JNfSIgPiAvaGVsbG8udHh0CkFSRyBCVUlMREtJVF9TQk9NX1NDQU5fU1RBR0U9dHJ1ZQoKRlJPTSBzY3JhdGNoCkNPUFkgLS1mcm9tPWJhc2UgL2hlbGxvLnR4dCAvCg==",
+                "llbDefinition": [
+                  {
+                    "id": "step0",
+                    "op": {
+                      "Op": {
+                        "source": {
+                          "identifier": "git://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+                          "attrs": {
+                            "git.authheadersecret": "GIT_AUTH_HEADER",
+                            "git.authtokensecret": "GIT_AUTH_TOKEN",
+                            "git.fullurl": "https://github.com/docker/github-builder-test.git"
+                          }
+                        }
+                      },
+                      "constraints": {}
+                    }
+                  },
+                  {
+                    "id": "step1",
+                    "op": {
+                      "Op": {}
+                    },
+                    "inputs": [
+                      "step0:0"
+                    ]
+                  }
+                ],
+                "digestMapping": {
+                  "sha256:47540f0959d81a7ff2fc9742b9ef0bb37d7eca99c13aa6df83b883d06e808ef2": "step0",
+                  "sha256:96933c546ff00debd500304305864192fcb51d348e8c41b6a6e1569a051e66ed": "step1"
+                }
+              }
+            ]
+          },
+          "layers": {
+            "step0:0": [
+              [
+                {
+                  "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+                  "digest": "sha256:6b59a28fa20117e6048ad0616b8d8c901877ef15ff4c7f18db04e4f01f43bc39",
+                  "size": 4138069
+                }
+              ]
+            ]
+          }
+        },
+        "buildkit_completeness": {
+          "request": true,
+          "resolvedDependencies": true
+        }
+      }
+    }
+  }
+}

__tests__/.fixtures/sigstore/single/hello.txt

@@ -0,0 +1 @@
+Hello, World! This is linux/amd64

__tests__/.fixtures/sigstore/single/provenance.json

@@ -0,0 +1,462 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicateType": "https://slsa.dev/provenance/v1",
+  "subject": [
+    {
+      "name": "hello.txt",
+      "digest": {
+        "sha256": "1b37929e66644beb58b3d28d44fba0d82aa90cab03c55a492adb81fe6e833ec8"
+      }
+    }
+  ],
+  "predicate": {
+    "buildDefinition": {
+      "buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md",
+      "resolvedDependencies": [
+        {
+          "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1",
+          "digest": {
+            "sha256": "e930c2697be77cb7271d316ecfa78768b5eac73de3b16018ed38eb0ea0b5a7cb"
+          }
+        },
+        {
+          "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64",
+          "digest": {
+            "sha256": "4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"
+          }
+        },
+        {
+          "uri": "https://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+          "digest": {
+            "sha1": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+          }
+        }
+      ],
+      "externalParameters": {
+        "configSource": {
+          "uri": "https://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+          "digest": {
+            "sha1": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+          },
+          "path": "hello.Dockerfile"
+        },
+        "request": {
+          "frontend": "dockerfile.v0",
+          "secrets": [
+            {
+              "id": "GIT_AUTH_HEADER",
+              "optional": true
+            },
+            {
+              "id": "GIT_AUTH_TOKEN",
+              "optional": true
+            }
+          ]
+        }
+      },
+      "internalParameters": {
+        "buildConfig": {
+          "digestMapping": {
+            "sha256:23dcbc3cce701a8a9bbb1e33f2ea88304527a4a935c89c4564af698095463ac2": "step3",
+            "sha256:3192c1bd53f90cca959db778dcee30edc9a79f8cd3f9a2c54adc4606507fd3b6": "step0",
+            "sha256:7f1c9e959980ea3e2cf4af8ef97b6c3797a0926752b436bff11474e436defe7f": "step1",
+            "sha256:c8737331fb8e5f5bcb6b22320012d975057514982c788e63db13332a4219b984": "step2"
+          },
+          "llbDefinition": [
+            {
+              "id": "step0",
+              "op": {
+                "Op": {
+                  "source": {
+                    "identifier": "docker-image://docker.io/library/alpine:latest@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"
+                  }
+                },
+                "constraints": {},
+                "platform": {
+                  "Architecture": "amd64",
+                  "OS": "linux"
+                }
+              }
+            },
+            {
+              "id": "step1",
+              "inputs": [
+                "step0:0"
+              ],
+              "op": {
+                "Op": {
+                  "exec": {
+                    "meta": {
+                      "args": [
+                        "/bin/sh",
+                        "-c",
+                        "echo \"Hello, World! This is ${TARGETPLATFORM}\" \u003e /hello.txt"
+                      ],
+                      "cwd": "/",
+                      "env": [
+                        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                        "TARGETPLATFORM=linux/amd64"
+                      ],
+                      "removeMountStubsRecursive": true
+                    },
+                    "mounts": [
+                      {
+                        "dest": "/"
+                      }
+                    ]
+                  }
+                },
+                "constraints": {},
+                "platform": {
+                  "Architecture": "amd64",
+                  "OS": "linux"
+                }
+              }
+            },
+            {
+              "id": "step2",
+              "inputs": [
+                "step1:0"
+              ],
+              "op": {
+                "Op": {
+                  "file": {
+                    "actions": [
+                      {
+                        "Action": {
+                          "copy": {
+                            "allowEmptyWildcard": true,
+                            "allowWildcard": true,
+                            "createDestPath": true,
+                            "dest": "/",
+                            "dirCopyContents": true,
+                            "followSymlink": true,
+                            "mode": -1,
+                            "src": "/hello.txt",
+                            "timestamp": -1
+                          }
+                        },
+                        "input": -1,
+                        "output": 0,
+                        "secondaryInput": 0
+                      }
+                    ]
+                  }
+                },
+                "constraints": {}
+              }
+            },
+            {
+              "id": "step3",
+              "inputs": [
+                "step2:0"
+              ],
+              "op": {
+                "Op": {}
+              }
+            }
+          ]
+        },
+        "builderPlatform": "linux/amd64",
+        "github_actor": "crazy-max",
+        "github_actor_id": "1951866",
+        "github_event_name": "workflow_dispatch",
+        "github_event_payload": {
+          "enterprise": {
+            "avatar_url": "https://avatars.githubusercontent.com/b/19176?v=4",
+            "created_at": "2022-12-30T23:53:17Z",
+            "description": null,
+            "html_url": "https://github.com/enterprises/docker",
+            "id": 19176,
+            "name": "Docker",
+            "node_id": "E_kgDNSug",
+            "slug": "docker",
+            "updated_at": "2025-10-20T20:39:05Z",
+            "website_url": null
+          },
+          "inputs": null,
+          "organization": {
+            "avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
+            "description": "Docker helps developers bring their ideas to life by conquering the complexity of app development.",
+            "events_url": "https://api.github.com/orgs/docker/events",
+            "hooks_url": "https://api.github.com/orgs/docker/hooks",
+            "id": 5429470,
+            "issues_url": "https://api.github.com/orgs/docker/issues",
+            "login": "docker",
+            "members_url": "https://api.github.com/orgs/docker/members{/member}",
+            "node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
+            "public_members_url": "https://api.github.com/orgs/docker/public_members{/member}",
+            "repos_url": "https://api.github.com/orgs/docker/repos",
+            "url": "https://api.github.com/orgs/docker"
+          },
+          "ref": "refs/heads/main",
+          "repository": {
+            "allow_forking": true,
+            "archive_url": "https://api.github.com/repos/docker/github-builder-test/{archive_format}{/ref}",
+            "archived": false,
+            "assignees_url": "https://api.github.com/repos/docker/github-builder-test/assignees{/user}",
+            "blobs_url": "https://api.github.com/repos/docker/github-builder-test/git/blobs{/sha}",
+            "branches_url": "https://api.github.com/repos/docker/github-builder-test/branches{/branch}",
+            "clone_url": "https://github.com/docker/github-builder-test.git",
+            "collaborators_url": "https://api.github.com/repos/docker/github-builder-test/collaborators{/collaborator}",
+            "comments_url": "https://api.github.com/repos/docker/github-builder-test/comments{/number}",
+            "commits_url": "https://api.github.com/repos/docker/github-builder-test/commits{/sha}",
+            "compare_url": "https://api.github.com/repos/docker/github-builder-test/compare/{base}...{head}",
+            "contents_url": "https://api.github.com/repos/docker/github-builder-test/contents/{+path}",
+            "contributors_url": "https://api.github.com/repos/docker/github-builder-test/contributors",
+            "created_at": "2025-08-19T08:08:29Z",
+            "custom_properties": {},
+            "default_branch": "main",
+            "deployments_url": "https://api.github.com/repos/docker/github-builder-test/deployments",
+            "description": "Test repo for https://github.com/docker/github-builder-experimental",
+            "disabled": false,
+            "downloads_url": "https://api.github.com/repos/docker/github-builder-test/downloads",
+            "events_url": "https://api.github.com/repos/docker/github-builder-test/events",
+            "fork": false,
+            "forks": 0,
+            "forks_count": 0,
+            "forks_url": "https://api.github.com/repos/docker/github-builder-test/forks",
+            "full_name": "docker/github-builder-test",
+            "git_commits_url": "https://api.github.com/repos/docker/github-builder-test/git/commits{/sha}",
+            "git_refs_url": "https://api.github.com/repos/docker/github-builder-test/git/refs{/sha}",
+            "git_tags_url": "https://api.github.com/repos/docker/github-builder-test/git/tags{/sha}",
+            "git_url": "git://github.com/docker/github-builder-test.git",
+            "has_discussions": false,
+            "has_downloads": true,
+            "has_issues": false,
+            "has_pages": false,
+            "has_projects": false,
+            "has_wiki": false,
+            "homepage": null,
+            "hooks_url": "https://api.github.com/repos/docker/github-builder-test/hooks",
+            "html_url": "https://github.com/docker/github-builder-test",
+            "id": 1040594287,
+            "is_template": false,
+            "issue_comment_url": "https://api.github.com/repos/docker/github-builder-test/issues/comments{/number}",
+            "issue_events_url": "https://api.github.com/repos/docker/github-builder-test/issues/events{/number}",
+            "issues_url": "https://api.github.com/repos/docker/github-builder-test/issues{/number}",
+            "keys_url": "https://api.github.com/repos/docker/github-builder-test/keys{/key_id}",
+            "labels_url": "https://api.github.com/repos/docker/github-builder-test/labels{/name}",
+            "language": "Dockerfile",
+            "languages_url": "https://api.github.com/repos/docker/github-builder-test/languages",
+            "license": null,
+            "merges_url": "https://api.github.com/repos/docker/github-builder-test/merges",
+            "milestones_url": "https://api.github.com/repos/docker/github-builder-test/milestones{/number}",
+            "mirror_url": null,
+            "name": "github-builder-test",
+            "node_id": "R_kgDOPgY1bw",
+            "notifications_url": "https://api.github.com/repos/docker/github-builder-test/notifications{?since,all,participating}",
+            "open_issues": 0,
+            "open_issues_count": 0,
+            "owner": {
+              "avatar_url": "https://avatars.githubusercontent.com/u/5429470?v=4",
+              "events_url": "https://api.github.com/users/docker/events{/privacy}",
+              "followers_url": "https://api.github.com/users/docker/followers",
+              "following_url": "https://api.github.com/users/docker/following{/other_user}",
+              "gists_url": "https://api.github.com/users/docker/gists{/gist_id}",
+              "gravatar_id": "",
+              "html_url": "https://github.com/docker",
+              "id": 5429470,
+              "login": "docker",
+              "node_id": "MDEyOk9yZ2FuaXphdGlvbjU0Mjk0NzA=",
+              "organizations_url": "https://api.github.com/users/docker/orgs",
+              "received_events_url": "https://api.github.com/users/docker/received_events",
+              "repos_url": "https://api.github.com/users/docker/repos",
+              "site_admin": false,
+              "starred_url": "https://api.github.com/users/docker/starred{/owner}{/repo}",
+              "subscriptions_url": "https://api.github.com/users/docker/subscriptions",
+              "type": "Organization",
+              "url": "https://api.github.com/users/docker",
+              "user_view_type": "public"
+            },
+            "private": true,
+            "pulls_url": "https://api.github.com/repos/docker/github-builder-test/pulls{/number}",
+            "pushed_at": "2025-10-30T10:04:10Z",
+            "releases_url": "https://api.github.com/repos/docker/github-builder-test/releases{/id}",
+            "size": 25,
+            "ssh_url": "git@github.com:docker/github-builder-test.git",
+            "stargazers_count": 0,
+            "stargazers_url": "https://api.github.com/repos/docker/github-builder-test/stargazers",
+            "statuses_url": "https://api.github.com/repos/docker/github-builder-test/statuses/{sha}",
+            "subscribers_url": "https://api.github.com/repos/docker/github-builder-test/subscribers",
+            "subscription_url": "https://api.github.com/repos/docker/github-builder-test/subscription",
+            "svn_url": "https://github.com/docker/github-builder-test",
+            "tags_url": "https://api.github.com/repos/docker/github-builder-test/tags",
+            "teams_url": "https://api.github.com/repos/docker/github-builder-test/teams",
+            "topics": [],
+            "trees_url": "https://api.github.com/repos/docker/github-builder-test/git/trees{/sha}",
+            "updated_at": "2025-10-30T10:04:14Z",
+            "url": "https://api.github.com/repos/docker/github-builder-test",
+            "visibility": "internal",
+            "watchers": 0,
+            "watchers_count": 0,
+            "web_commit_signoff_required": false
+          },
+          "sender": {
+            "avatar_url": "https://avatars.githubusercontent.com/u/1951866?v=4",
+            "events_url": "https://api.github.com/users/crazy-max/events{/privacy}",
+            "followers_url": "https://api.github.com/users/crazy-max/followers",
+            "following_url": "https://api.github.com/users/crazy-max/following{/other_user}",
+            "gists_url": "https://api.github.com/users/crazy-max/gists{/gist_id}",
+            "gravatar_id": "",
+            "html_url": "https://github.com/crazy-max",
+            "id": 1951866,
+            "login": "crazy-max",
+            "node_id": "MDQ6VXNlcjE5NTE4NjY=",
+            "organizations_url": "https://api.github.com/users/crazy-max/orgs",
+            "received_events_url": "https://api.github.com/users/crazy-max/received_events",
+            "repos_url": "https://api.github.com/users/crazy-max/repos",
+            "site_admin": false,
+            "starred_url": "https://api.github.com/users/crazy-max/starred{/owner}{/repo}",
+            "subscriptions_url": "https://api.github.com/users/crazy-max/subscriptions",
+            "type": "User",
+            "url": "https://api.github.com/users/crazy-max",
+            "user_view_type": "public"
+          },
+          "workflow": ".github/workflows/ci.yml"
+        },
+        "github_job": "build",
+        "github_ref": "refs/heads/main",
+        "github_ref_name": "main",
+        "github_ref_protected": "false",
+        "github_ref_type": "branch",
+        "github_repository": "docker/github-builder-test",
+        "github_repository_id": "1040594287",
+        "github_repository_owner": "docker",
+        "github_repository_owner_id": "5429470",
+        "github_run_attempt": "1",
+        "github_run_id": "18937328894",
+        "github_run_number": "183",
+        "github_runner_arch": "X64",
+        "github_runner_environment": "github-hosted",
+        "github_runner_image_os": "ubuntu24",
+        "github_runner_image_version": "20250929.60.1",
+        "github_runner_name": "GitHub Actions 1002376925",
+        "github_runner_os": "Linux",
+        "github_runner_tracking_id": "github_7c0a7521-2999-41e5-af30-b7f0681f204f",
+        "github_server_url": "https://github.com",
+        "github_triggering_actor": "crazy-max",
+        "github_workflow": "ci",
+        "github_workflow_ref": "docker/github-builder-test/.github/workflows/ci.yml@refs/heads/main",
+        "github_workflow_sha": "bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe"
+      }
+    },
+    "runDetails": {
+      "builder": {
+        "id": "https://github.com/docker/github-builder-test/actions/runs/18937328894/attempts/1"
+      },
+      "metadata": {
+        "invocationID": "7qg2yuux3iklv02ktbmbtwgeb",
+        "startedOn": "2025-10-30T10:19:52.868710505Z",
+        "finishedOn": "2025-10-30T10:19:57.635810119Z",
+        "buildkit_metadata": {
+          "source": {
+            "locations": {
+              "step0": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 1
+                        },
+                        "end": {
+                          "line": 1
+                        }
+                      }
+                    ]
+                  }
+                ]
+              },
+              "step1": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 3
+                        },
+                        "end": {
+                          "line": 3
+                        }
+                      }
+                    ]
+                  }
+                ]
+              },
+              "step2": {
+                "locations": [
+                  {
+                    "ranges": [
+                      {
+                        "start": {
+                          "line": 7
+                        },
+                        "end": {
+                          "line": 7
+                        }
+                      }
+                    ]
+                  }
+                ]
+              }
+            },
+            "infos": [
+              {
+                "filename": "hello.Dockerfile",
+                "language": "Dockerfile",
+                "data": "RlJPTSBhbHBpbmUgQVMgYmFzZQpBUkcgVEFSR0VUUExBVEZPUk0KUlVOIGVjaG8gIkhlbGxvLCBXb3JsZCEgVGhpcyBpcyAke1RBUkdFVFBMQVRGT1JNfSIgPiAvaGVsbG8udHh0CkFSRyBCVUlMREtJVF9TQk9NX1NDQU5fU1RBR0U9dHJ1ZQoKRlJPTSBzY3JhdGNoCkNPUFkgLS1mcm9tPWJhc2UgL2hlbGxvLnR4dCAvCg==",
+                "llbDefinition": [
+                  {
+                    "id": "step0",
+                    "op": {
+                      "Op": {
+                        "source": {
+                          "identifier": "git://github.com/docker/github-builder-test.git#bdb96fcfe8cc9e3a54800bc2537a4d4a14f0c5fe",
+                          "attrs": {
+                            "git.authheadersecret": "GIT_AUTH_HEADER",
+                            "git.authtokensecret": "GIT_AUTH_TOKEN",
+                            "git.fullurl": "https://github.com/docker/github-builder-test.git"
+                          }
+                        }
+                      },
+                      "constraints": {}
+                    }
+                  },
+                  {
+                    "id": "step1",
+                    "op": {
+                      "Op": {}
+                    },
+                    "inputs": [
+                      "step0:0"
+                    ]
+                  }
+                ],
+                "digestMapping": {
+                  "sha256:47540f0959d81a7ff2fc9742b9ef0bb37d7eca99c13aa6df83b883d06e808ef2": "step0",
+                  "sha256:96933c546ff00debd500304305864192fcb51d348e8c41b6a6e1569a051e66ed": "step1"
+                }
+              }
+            ]
+          },
+          "layers": {
+            "step0:0": [
+              [
+                {
+                  "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+                  "digest": "sha256:2d35ebdb57d9971fea0cac1582aa78935adf8058b2cc32db163c98822e5dfa1b",
+                  "size": 3802452
+                }
+              ]
+            ]
+          }
+        },
+        "buildkit_completeness": {
+          "request": true,
+          "resolvedDependencies": true
+        }
+      }
+    }
+  }
+}

__tests__/buildx/imagetools.test.itg.ts

@@ -19,7 +19,10 @@ import * as fs from 'fs';
 import * as path from 'path';
 
 import {ImageTools} from '../../src/buildx/imagetools';
+
+import {Manifest as ImageToolsManifest} from '../../src/types/buildx/imagetools';
 import {Image} from '../../src/types/oci/config';
+import {Descriptor} from '../../src/types/oci/descriptor';
 
 const fixturesDir = path.join(__dirname, '..', '.fixtures');
 
@@ -37,3 +40,39 @@ maybe('inspectImage', () => {
     expect(image).toEqual(expectedImage);
   });
 });
+
+maybe('inspectManifest', () => {
+  it('inspect descriptor', async () => {
+    const manifest = await new ImageTools().inspectManifest('moby/buildkit:latest@sha256:dccc69dd895968c4f21aa9e43e715f25f0cedfce4b17f1014c88c307928e22fc');
+    const expectedManifest = <Descriptor>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-03.json'), {encoding: 'utf-8'}).trim());
+    expect(manifest).toEqual(expectedManifest);
+  });
+  it('inspect index', async () => {
+    const manifest = await new ImageTools().inspectManifest('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6');
+    const expectedManifest = <ImageToolsManifest>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-04.json'), {encoding: 'utf-8'}).trim());
+    expect(manifest).toEqual(expectedManifest);
+  });
+});
+
+maybe('attestationDescriptors', () => {
+  it('returns buildkit attestations descriptors', async () => {
+    const attestations = await new ImageTools().attestationDescriptors('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6');
+    const expectedAttestations = <Array<Descriptor>>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-05.json'), {encoding: 'utf-8'}).trim());
+    expect(attestations).toEqual(expectedAttestations);
+  });
+});
+
+maybe('attestationDigests', () => {
+  it('returns buildkit attestations digests', async () => {
+    const digests = await new ImageTools().attestationDigests('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6');
+    // prettier-ignore
+    expect(digests).toEqual([
+      'sha256:2ba4ad6eae1efcafee73a971953093c7c32b6938f2f9fd4998c8bf4d0fbe76f2',
+      'sha256:0709528fae1747ce17638ad2978ee7936b38a294136eaadaf692e415f64b1e03',
+      'sha256:241b7159129d53923c89708bcc052b3398086a826519896be2f025545916e43e',
+      'sha256:97f4a222a7992dba6dc1a43991d0cca1fcffdc25593033c6a3a7ff14c8651cbf',
+      'sha256:aa933713d8094b2708120e889acb6f7153dee4e0f3298ccd3e37a584cd0c260d',
+      'sha256:d95ca72d4f2a6bc416d4b2f3003b2af9d5f4dea99acec6ad3ab0c2082000a98c'
+    ]);
+  });
+});

__tests__/buildx/install.test.ts

@@ -119,7 +119,12 @@ describe('getDownloadVersion', () => {
     expect(version.key).toEqual('official');
     expect(version.version).toEqual('latest');
     expect(version.downloadURL).toEqual('https://github.com/docker/buildx/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/buildx-releases.json'
+    });
   });
 
   it('returns official v0.10.1 download version', async () => {
@@ -127,7 +132,12 @@ describe('getDownloadVersion', () => {
     expect(version.key).toEqual('official');
     expect(version.version).toEqual('v0.10.1');
     expect(version.downloadURL).toEqual('https://github.com/docker/buildx/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/buildx-releases.json'
+    });
   });
 
   it('returns cloud latest download version', async () => {
@@ -135,7 +145,12 @@ describe('getDownloadVersion', () => {
     expect(version.key).toEqual('cloud');
     expect(version.version).toEqual('latest');
     expect(version.downloadURL).toEqual('https://github.com/docker/buildx-desktop/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-lab-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/buildx-lab-releases.json'
+    });
   });
 
   it('returns cloud v0.11.2-desktop.2 download version', async () => {
@@ -143,7 +158,12 @@ describe('getDownloadVersion', () => {
     expect(version.key).toEqual('cloud');
     expect(version.version).toEqual('v0.11.2-desktop.2');
     expect(version.downloadURL).toEqual('https://github.com/docker/buildx-desktop/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-lab-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/buildx-lab-releases.json'
+    });
   });
 
   it('returns cloud for lab version', async () => {
@@ -151,7 +171,12 @@ describe('getDownloadVersion', () => {
     expect(version.key).toEqual('cloud');
     expect(version.version).toEqual('latest');
     expect(version.downloadURL).toEqual('https://github.com/docker/buildx-desktop/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-lab-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/buildx-lab-releases.json'
+    });
   });
 
   it('unknown repo', async () => {
@@ -187,6 +212,6 @@ describe('getRelease', () => {
 
   it('unknown release', async () => {
     const version = await Install.getDownloadVersion('foo');
-    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Buildx release foo in https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-releases.json'));
+    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Buildx release foo in releases JSON'));
   });
 });

__tests__/compose/install.test.ts

@@ -99,28 +99,48 @@ describe('getDownloadVersion', () => {
     expect(version.key).toEqual('official');
     expect(version.version).toEqual('latest');
     expect(version.downloadURL).toEqual('https://github.com/docker/compose/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/compose-releases.json'
+    });
   });
   it('returns official v2.24.3 download version', async () => {
     const version = await Install.getDownloadVersion('v2.24.3');
     expect(version.key).toEqual('official');
     expect(version.version).toEqual('v2.24.3');
     expect(version.downloadURL).toEqual('https://github.com/docker/compose/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/compose-releases.json'
+    });
   });
   it('returns cloud latest download version', async () => {
     const version = await Install.getDownloadVersion('cloud:latest');
     expect(version.key).toEqual('cloud');
     expect(version.version).toEqual('latest');
     expect(version.downloadURL).toEqual('https://github.com/docker/compose-desktop/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-lab-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/compose-lab-releases.json'
+    });
   });
   it('returns cloud v2.27.1-desktop.1 download version', async () => {
     const version = await Install.getDownloadVersion('cloud:v2.27.1-desktop.1');
     expect(version.key).toEqual('cloud');
     expect(version.version).toEqual('v2.27.1-desktop.1');
     expect(version.downloadURL).toEqual('https://github.com/docker/compose-desktop/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-lab-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/compose-lab-releases.json'
+    });
   });
   it('unknown repo', async () => {
     await expect(Install.getDownloadVersion('foo:bar')).rejects.toThrow(new Error('Cannot find compose version for foo:bar'));
@@ -152,6 +172,6 @@ describe('getRelease', () => {
   });
   it('unknown release', async () => {
     const version = await Install.getDownloadVersion('foo');
-    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Compose release foo in https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-releases.json'));
+    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Compose release foo in releases JSON'));
   });
 });

__tests__/cosign/cosign.test.ts

@@ -0,0 +1,90 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, jest, test} from '@jest/globals';
+import fs from 'fs';
+import path from 'path';
+import * as semver from 'semver';
+
+import {Exec} from '../../src/exec';
+import {Cosign} from '../../src/cosign/cosign';
+
+const fixturesDir = path.join(__dirname, '..', '.fixtures');
+
+describe('isAvailable', () => {
+  it('checks Cosign is available', async () => {
+    const execSpy = jest.spyOn(Exec, 'getExecOutput');
+    const cosign = new Cosign();
+    await cosign.isAvailable();
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(execSpy).toHaveBeenCalledWith(`cosign`, [], {
+      silent: true,
+      ignoreReturnCode: true
+    });
+  });
+});
+
+describe('printVersion', () => {
+  it('prints Cosign version', async () => {
+    const execSpy = jest.spyOn(Exec, 'exec');
+    const cosign = new Cosign();
+    await cosign.printVersion();
+    expect(execSpy).toHaveBeenCalledWith(`cosign`, ['version', '--json'], {
+      failOnStdErr: false
+    });
+  });
+});
+
+describe('version', () => {
+  it('valid', async () => {
+    const cosign = new Cosign();
+    expect(semver.valid(await cosign.version())).not.toBeUndefined();
+  });
+});
+
+describe('versionSatisfies', () => {
+  test.each([
+    ['v0.4.1', '>=0.3.2', true],
+    ['v0.8.0', '>0.6.0', true],
+    ['v0.8.0', '<0.3.0', false]
+  ])('given %p', async (version, range, expected) => {
+    const cosign = new Cosign();
+    expect(await cosign.versionSatisfies(range, version)).toBe(expected);
+  });
+});
+
+describe('parseCommandOutput', () => {
+  // prettier-ignore
+  test.each([
+    [path.join(fixturesDir, 'cosign', 'sign-output1.txt')],
+    [path.join(fixturesDir, 'cosign', 'sign-output2.txt')],
+    [path.join(fixturesDir, 'cosign', 'sign-output3.txt')],
+  ])('parsing %p', async (fixturePath: string) => {
+    const signResult = Cosign.parseCommandOutput(fs.readFileSync(fixturePath, 'utf-8'));
+    expect(signResult).toBeDefined();
+    expect(signResult.bundle).toBeDefined();
+  });
+
+  // prettier-ignore
+  test.each([
+    [path.join(fixturesDir, 'cosign', 'verify-output-err1.txt')],
+  ])('parsing %p', async (fixturePath: string) => {
+    const signResult = Cosign.parseCommandOutput(fs.readFileSync(fixturePath, 'utf-8'));
+    expect(signResult).toBeDefined();
+    expect(signResult.bundle).toBeUndefined();
+    expect(signResult.errors).toBeDefined();
+  });
+});

__tests__/cosign/install.test.itg.ts

@@ -0,0 +1,50 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, test} from '@jest/globals';
+import * as fs from 'fs';
+
+import {Install} from '../../src/cosign/install';
+
+const maybe = !process.env.GITHUB_ACTIONS || (process.env.GITHUB_ACTIONS === 'true' && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu')) ? describe : describe.skip;
+
+describe('download', () => {
+  // prettier-ignore
+  test.each(['latest'])(
+    'install cosign %s', async (version) => {
+      await expect((async () => {
+        const install = new Install();
+        const toolPath = await install.download(version);
+        if (!fs.existsSync(toolPath)) {
+          throw new Error('toolPath does not exist');
+        }
+        const binPath = await install.install(toolPath);
+        if (!fs.existsSync(binPath)) {
+          throw new Error('binPath does not exist');
+        }
+      })()).resolves.not.toThrow();
+    }, 60000);
+});
+
+maybe('build', () => {
+  it.skip('builds refs/pull/4492/head', async () => {
+    const install = new Install();
+    const toolPath = await install.build('https://github.com/sigstore/cosign.git#refs/pull/4492/head');
+    expect(fs.existsSync(toolPath)).toBe(true);
+    const buildxBin = await install.install(toolPath);
+    expect(fs.existsSync(buildxBin)).toBe(true);
+  }, 500000);
+});

__tests__/cosign/install.test.ts

@@ -0,0 +1,132 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, jest, test, afterEach} from '@jest/globals';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import * as rimraf from 'rimraf';
+import osm = require('os');
+
+import {Install} from '../../src/cosign/install';
+
+const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'cosign-install-'));
+
+afterEach(function () {
+  rimraf.sync(tmpDir);
+});
+
+describe('download', () => {
+  // prettier-ignore
+  test.each([
+    ['v2.6.1'],
+    ['v3.0.1'],
+    ['latest']
+  ])(
+  'acquires %p of cosign', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version);
+    expect(fs.existsSync(toolPath)).toBe(true);
+    const cosignBin = await install.install(toolPath, tmpDir);
+    expect(fs.existsSync(cosignBin)).toBe(true);
+  }, 100000);
+
+  // prettier-ignore
+  test.each([
+    // following versions are already cached to htc from previous test cases
+    ['v2.6.1'],
+    ['v3.0.1'],
+  ])(
+  'acquires %p of cosign with cache', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version);
+    expect(fs.existsSync(toolPath)).toBe(true);
+  }, 100000);
+
+  // prettier-ignore
+  test.each([
+    ['v2.5.3'],
+    ['v2.6.0'],
+  ])(
+  'acquires %p of cosign without cache', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version, true);
+    expect(fs.existsSync(toolPath)).toBe(true);
+  }, 100000);
+
+  // TODO: add tests for arm
+  // prettier-ignore
+  test.each([
+    ['win32', 'x64'],
+    ['darwin', 'x64'],
+    ['darwin', 'arm64'],
+    ['linux', 'x64'],
+    ['linux', 'arm64']
+  ])(
+  'acquires undock for %s/%s', async (os, arch) => {
+    jest.spyOn(osm, 'platform').mockImplementation(() => os as NodeJS.Platform);
+    jest.spyOn(osm, 'arch').mockImplementation(() => arch);
+    const install = new Install();
+    const cosignBin = await install.download('latest');
+    expect(fs.existsSync(cosignBin)).toBe(true);
+  }, 100000);
+});
+
+describe('getDownloadVersion', () => {
+  it('returns latest download version', async () => {
+    const version = await Install.getDownloadVersion('latest');
+    expect(version.version).toEqual('latest');
+    expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/cosign-releases.json'
+    });
+  });
+  it('returns v3.0.2 download version', async () => {
+    const version = await Install.getDownloadVersion('v3.0.2');
+    expect(version.version).toEqual('v3.0.2');
+    expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/cosign-releases.json'
+    });
+  });
+});
+
+describe('getRelease', () => {
+  it('returns latest GitHub release', async () => {
+    const version = await Install.getDownloadVersion('latest');
+    const release = await Install.getRelease(version);
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).not.toEqual('');
+  });
+  it('returns v3.0.2 GitHub release', async () => {
+    const version = await Install.getDownloadVersion('v3.0.2');
+    const release = await Install.getRelease(version);
+    expect(release).not.toBeNull();
+    expect(release?.id).toEqual(253720294);
+    expect(release?.tag_name).toEqual('v3.0.2');
+    expect(release?.html_url).toEqual('https://github.com/sigstore/cosign/releases/tag/v3.0.2');
+  });
+  it('unknown release', async () => {
+    const version = await Install.getDownloadVersion('foo');
+    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Cosign release foo in releases JSON'));
+  });
+});

__tests__/docker/install.test.itg.ts

@@ -21,9 +21,7 @@ import path from 'path';
 
 import {Install, InstallSource, InstallSourceArchive, InstallSourceImage} from '../../src/docker/install';
 import {Docker} from '../../src/docker/docker';
-import {Regctl} from '../../src/regclient/regctl';
 import {Install as RegclientInstall} from '../../src/regclient/install';
-import {Undock} from '../../src/undock/undock';
 import {Install as UndockInstall} from '../../src/undock/install';
 import {Exec} from '../../src/exec';
 
@@ -48,9 +46,7 @@ describe('root', () => {
         source: source,
         runDir: tmpDir(),
         contextName: 'foo',
-        daemonConfig: `{"debug":true,"features":{"containerd-snapshotter":true}}`,
-        regctl: new Regctl(),
-        undock: new Undock()
+        daemonConfig: `{"debug":true,"features":{"containerd-snapshotter":true}}`
       });
       await expect(tryInstall(install)).resolves.not.toThrow();
     }, 30 * 60 * 1000);
@@ -70,9 +66,7 @@ describe('rootless', () => {
         runDir: tmpDir(),
         contextName: 'foo',
         daemonConfig: `{"debug":true}`,
-        rootless: true,
-        regctl: new Regctl(),
-        undock: new Undock()
+        rootless: true
       });
       await expect(
         tryInstall(install, async () => {
@@ -97,9 +91,7 @@ describe('tcp', () => {
         runDir: tmpDir(),
         contextName: 'foo',
         daemonConfig: `{"debug":true}`,
-        localTCPPort: 2378,
-        regctl: new Regctl(),
-        undock: new Undock()
+        localTCPPort: 2378
       });
       await expect(
         tryInstall(install, async () => {

__tests__/docker/install.test.ts

@@ -22,8 +22,6 @@ import * as rimraf from 'rimraf';
 import osm = require('os');
 
 import {Install, InstallSourceArchive, InstallSourceImage} from '../../src/docker/install';
-import {Regctl} from '../../src/regclient/regctl';
-import {Undock} from '../../src/undock/undock';
 
 const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'docker-install-'));
 
@@ -66,9 +64,7 @@ describe('download', () => {
     jest.spyOn(osm, 'arch').mockImplementation(() => 'x64');
     const install = new Install({
       source: source,
-      runDir: tmpDir,
-      regctl: new Regctl(),
-      undock: new Undock()
+      runDir: tmpDir
     });
     const toolPath = await install.download();
     expect(fs.existsSync(toolPath)).toBe(true);
@@ -99,7 +95,7 @@ describe('getRelease', () => {
   });
 
   it('unknown release', async () => {
-    await expect(Install.getRelease('foo')).rejects.toThrow(new Error('Cannot find Docker release foo in https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/docker-releases.json'));
+    await expect(Install.getRelease('foo')).rejects.toThrow(new Error('Cannot find Docker release foo in releases JSON'));
   });
 });
 

__tests__/github.test.ts

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-import {describe, expect, jest, it, beforeEach, afterEach} from '@jest/globals';
+import {describe, expect, jest, it, beforeEach, afterEach, test} from '@jest/globals';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as core from '@actions/core';
@@ -43,6 +43,29 @@ describe('context', () => {
   });
 });
 
+describe('releases', () => {
+  // prettier-ignore
+  test.each([
+    ['.github/buildx-lab-releases.json'],
+    ['.github/buildx-releases.json'],
+    ['.github/compose-lab-releases.json'],
+    ['.github/compose-releases.json'],
+    ['.github/docker-releases.json'],
+    ['.github/regclient-releases.json'],
+    ['.github/undock-releases.json'],
+  ])('returns %p', async (path: string) => {
+    const github = new GitHub();
+    const releases = await github.releases('App', {
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: path
+    });
+    expect(releases).toBeDefined();
+    expect(Object.keys(releases).length).toBeGreaterThan(0);
+  });
+});
+
 describe('serverURL', () => {
   const originalEnv = process.env;
   beforeEach(() => {

__tests__/regclient/install.test.ts

@@ -88,13 +88,23 @@ describe('getDownloadVersion', () => {
     const version = await Install.getDownloadVersion('latest');
     expect(version.version).toEqual('latest');
     expect(version.downloadURL).toEqual('https://github.com/regclient/regclient/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/regclient-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/regclient-releases.json'
+    });
   });
   it('returns v0.8.1 download version', async () => {
     const version = await Install.getDownloadVersion('v0.8.1');
     expect(version.version).toEqual('v0.8.1');
     expect(version.downloadURL).toEqual('https://github.com/regclient/regclient/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/regclient-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/regclient-releases.json'
+    });
   });
 });
 
@@ -115,6 +125,6 @@ describe('getRelease', () => {
   });
   it('unknown release', async () => {
     const version = await Install.getDownloadVersion('foo');
-    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find regclient release foo in https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/regclient-releases.json'));
+    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find regclient release foo in releases JSON'));
   });
 });

__tests__/sigstore/sigstore.test.itg.ts

@@ -0,0 +1,92 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, jest, it, beforeAll} from '@jest/globals';
+import fs from 'fs';
+import * as path from 'path';
+
+import {Install as CosignInstall} from '../../src/cosign/install';
+import {Sigstore} from '../../src/sigstore/sigstore';
+
+const fixturesDir = path.join(__dirname, '..', '.fixtures');
+
+const maybe = process.env.GITHUB_ACTIONS && process.env.GITHUB_ACTIONS === 'true' && process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu') ? describe : describe.skip;
+
+// needs current GitHub repo info
+jest.unmock('@actions/github');
+
+beforeAll(async () => {
+  const cosignInstall = new CosignInstall();
+  const cosignBinPath = await cosignInstall.download('v3.0.2', true);
+  await cosignInstall.install(cosignBinPath);
+}, 100000);
+
+maybe('signProvenanceBlobs', () => {
+  it('single platform', async () => {
+    const sigstore = new Sigstore();
+    const results = await sigstore.signProvenanceBlobs({
+      localExportDir: path.join(fixturesDir, 'sigstore', 'single')
+    });
+    expect(Object.keys(results).length).toEqual(1);
+    const provenancePath = Object.keys(results)[0];
+    expect(provenancePath).toEqual(path.join(fixturesDir, 'sigstore', 'single', 'provenance.json'));
+    expect(fs.existsSync(results[provenancePath].bundlePath)).toBe(true);
+    expect(results[provenancePath].bundle).toBeDefined();
+    expect(results[provenancePath].certificate).toBeDefined();
+    expect(results[provenancePath].tlogID).toBeDefined();
+    expect(results[provenancePath].attestationID).not.toBeDefined();
+    console.log(provenancePath, JSON.stringify(results[provenancePath].bundle, null, 2));
+  });
+  it('multi-platform', async () => {
+    const sigstore = new Sigstore();
+    const results = await sigstore.signProvenanceBlobs({
+      localExportDir: path.join(fixturesDir, 'sigstore', 'multi')
+    });
+    expect(Object.keys(results).length).toEqual(2);
+    for (const [provenancePath, res] of Object.entries(results)) {
+      expect(provenancePath).toMatch(/linux_(amd64|arm64)\/provenance.json/);
+      expect(fs.existsSync(res.bundlePath)).toBe(true);
+      expect(res.bundle).toBeDefined();
+      expect(res.certificate).toBeDefined();
+      expect(res.tlogID).toBeDefined();
+      expect(res.attestationID).not.toBeDefined();
+      console.log(provenancePath, JSON.stringify(res.bundle, null, 2));
+    }
+  });
+});
+
+maybe('verifySignedArtifacts', () => {
+  it('sign and verify', async () => {
+    const sigstore = new Sigstore();
+    const signResults = await sigstore.signProvenanceBlobs({
+      localExportDir: path.join(fixturesDir, 'sigstore', 'multi')
+    });
+    expect(Object.keys(signResults).length).toEqual(2);
+
+    const verifyResults = await sigstore.verifySignedArtifacts(
+      {
+        certificateIdentityRegexp: `^https://github.com/docker/actions-toolkit/.github/workflows/test.yml.*$`
+      },
+      signResults
+    );
+    expect(Object.keys(verifyResults).length).toEqual(2);
+    for (const [artifactPath, res] of Object.entries(verifyResults)) {
+      expect(fs.existsSync(artifactPath)).toBe(true);
+      expect(res.bundlePath).toBeDefined();
+      expect(res.cosignArgs).toBeDefined();
+    }
+  });
+});

__tests__/undock/install.test.ts

@@ -93,13 +93,23 @@ describe('getDownloadVersion', () => {
     const version = await Install.getDownloadVersion('latest');
     expect(version.version).toEqual('latest');
     expect(version.downloadURL).toEqual('https://github.com/crazy-max/undock/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/undock-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/undock-releases.json'
+    });
   });
   it('returns v0.6.0 download version', async () => {
     const version = await Install.getDownloadVersion('v0.6.0');
     expect(version.version).toEqual('v0.6.0');
     expect(version.downloadURL).toEqual('https://github.com/crazy-max/undock/releases/download/v%s/%s');
-    expect(version.releasesURL).toEqual('https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/undock-releases.json');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/undock-releases.json'
+    });
   });
 });
 
@@ -120,6 +130,6 @@ describe('getRelease', () => {
   });
   it('unknown release', async () => {
     const version = await Install.getDownloadVersion('foo');
-    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Undock release foo in https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/undock-releases.json'));
+    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Undock release foo in releases JSON'));
   });
 });

dev.Dockerfile

@@ -20,6 +20,7 @@ ARG BUILDX_VERSION=0.29.1
 ARG COMPOSE_VERSION=2.39.1
 ARG UNDOCK_VERSION=0.10.0
 ARG REGCTL_VERSION=v0.8.2
+ARG COSIGN_VERSION=v3.0.2
 
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git
@@ -81,6 +82,7 @@ FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
 FROM docker/compose-bin:v${COMPOSE_VERSION} AS compose
 FROM crazymax/undock:${UNDOCK_VERSION} AS undock
 FROM ghcr.io/regclient/regctl:${REGCTL_VERSION} AS regctl
+FROM ghcr.io/sigstore/cosign/cosign:${COSIGN_VERSION} AS cosign
 
 FROM deps AS test
 RUN --mount=type=bind,target=.,rw \
@@ -93,6 +95,7 @@ RUN --mount=type=bind,target=.,rw \
     --mount=type=bind,from=compose,source=/docker-compose,target=/usr/bin/compose \
     --mount=type=bind,from=undock,source=/usr/local/bin/undock,target=/usr/bin/undock \
     --mount=type=bind,from=regctl,source=/regctl,target=/usr/bin/regctl \
+    --mount=type=bind,from=cosign,source=/ko-app/cosign,target=/usr/bin/cosign \
     --mount=type=secret,id=GITHUB_TOKEN \
   GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) yarn run test:coverage --coverageDirectory=/tmp/coverage
 

package.json

@@ -45,7 +45,8 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "@actions/artifact": "^2.3.2",
+    "@actions/artifact": "^4.0.0",
+    "@actions/attest": "^2.0.0",
     "@actions/cache": "^4.1.0",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
@@ -56,6 +57,8 @@
     "@azure/storage-blob": "^12.15.0",
     "@octokit/core": "^5.2.2",
     "@octokit/plugin-rest-endpoint-methods": "^10.4.1",
+    "@sigstore/bundle": "^3.1.0",
+    "@sigstore/sign": "^3.1.0",
     "async-retry": "^1.3.3",
     "csv-parse": "^6.1.0",
     "gunzip-maybe": "^1.4.2",
@@ -68,6 +71,8 @@
     "tmp": "^0.2.5"
   },
   "devDependencies": {
+    "@sigstore/mock": "^0.10.0",
+    "@sigstore/rekor-types": "^3.0.0",
     "@types/gunzip-maybe": "^1.4.2",
     "@types/he": "^1.2.3",
     "@types/js-yaml": "^4.0.9",

src/buildx/imagetools.ts

@@ -17,7 +17,10 @@
 import {Buildx} from './buildx';
 import {Exec} from '../exec';
 
+import {Manifest as ImageToolsManifest} from '../types/buildx/imagetools';
 import {Image} from '../types/oci/config';
+import {Descriptor} from '../types/oci/descriptor';
+import {Digest} from '../types/oci/digest';
 
 export interface ImageToolsOpts {
   buildx?: Buildx;
@@ -58,4 +61,37 @@ export class ImageTools {
       throw new Error('Unexpected output format');
     });
   }
+
+  public async inspectManifest(name: string): Promise<ImageToolsManifest | Descriptor> {
+    const cmd = await this.getInspectCommand([name, '--format', '{{json .Manifest}}']);
+    return await Exec.getExecOutput(cmd.command, cmd.args, {
+      ignoreReturnCode: true,
+      silent: true
+    }).then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      const parsedOutput = JSON.parse(res.stdout);
+      if (typeof parsedOutput === 'object' && !Array.isArray(parsedOutput) && parsedOutput !== null) {
+        if (Object.prototype.hasOwnProperty.call(parsedOutput, 'manifests')) {
+          return <ImageToolsManifest>parsedOutput;
+        } else {
+          return <Descriptor>parsedOutput;
+        }
+      }
+      throw new Error('Unexpected output format');
+    });
+  }
+
+  public async attestationDescriptors(name: string): Promise<Array<Descriptor>> {
+    const manifest = await this.inspectManifest(name);
+    if (typeof manifest === 'object' && manifest !== null && 'manifests' in manifest && Array.isArray(manifest.manifests)) {
+      return manifest.manifests.filter(m => m.annotations && m.annotations['vnd.docker.reference.type'] === 'attestation-manifest');
+    }
+    throw new Error(`No attestation descriptors found for ${name}`);
+  }
+
+  public async attestationDigests(name: string): Promise<Array<Digest>> {
+    return (await this.attestationDescriptors(name)).map(attestation => attestation.digest);
+  }
 }

src/buildx/install.ts

@@ -18,7 +18,6 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import * as core from '@actions/core';
-import * as httpm from '@actions/http-client';
 import * as tc from '@actions/tool-cache';
 import * as semver from 'semver';
 import * as util from 'util';
@@ -29,6 +28,7 @@ import {Context} from '../context';
 import {Exec} from '../exec';
 import {Docker} from '../docker/docker';
 import {Git} from '../git';
+import {GitHub} from '../github';
 import {Util} from '../util';
 
 import {DownloadVersion} from '../types/buildx/buildx';
@@ -36,13 +36,16 @@ import {GitHubRelease} from '../types/github';
 
 export interface InstallOpts {
   standalone?: boolean;
+  githubToken?: string;
 }
 
 export class Install {
-  private readonly _standalone: boolean | undefined;
+  private readonly standalone: boolean | undefined;
+  private readonly githubToken: string | undefined;
 
   constructor(opts?: InstallOpts) {
-    this._standalone = opts?.standalone;
+    this.standalone = opts?.standalone;
+    this.githubToken = opts?.githubToken || process.env.GITHUB_TOKEN;
   }
 
   /*
@@ -55,7 +58,7 @@ export class Install {
     const version: DownloadVersion = await Install.getDownloadVersion(v);
     core.debug(`Install.download version: ${version.version}`);
 
-    const release: GitHubRelease = await Install.getRelease(version);
+    const release: GitHubRelease = await Install.getRelease(version, this.githubToken);
     core.debug(`Install.download release tag name: ${release.tag_name}`);
 
     const vspec = await this.vspec(release.tag_name);
@@ -83,7 +86,7 @@ export class Install {
     const downloadURL = util.format(version.downloadURL, vspec, this.filename(vspec));
     core.info(`Downloading ${downloadURL}`);
 
-    const htcDownloadPath = await tc.downloadTool(downloadURL);
+    const htcDownloadPath = await tc.downloadTool(downloadURL, undefined, this.githubToken);
     core.debug(`Install.download htcDownloadPath: ${htcDownloadPath}`);
 
     const cacheSavePath = await installCache.save(htcDownloadPath);
@@ -205,7 +208,7 @@ export class Install {
   }
 
   private async isStandalone(): Promise<boolean> {
-    const standalone = this._standalone ?? !(await Docker.isAvailable());
+    const standalone = this.standalone ?? !(await Docker.isAvailable());
     core.debug(`Install.isStandalone: ${standalone}`);
     return standalone;
   }
@@ -285,7 +288,12 @@ export class Install {
           key: repoKey,
           version: version,
           downloadURL: 'https://github.com/docker/buildx/releases/download/v%s/%s',
-          releasesURL: 'https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-releases.json'
+          contentOpts: {
+            owner: 'docker',
+            repo: 'actions-toolkit',
+            ref: 'main',
+            path: '.github/buildx-releases.json'
+          }
         };
       }
       case 'cloud': {
@@ -293,7 +301,12 @@ export class Install {
           key: repoKey,
           version: version,
           downloadURL: 'https://github.com/docker/buildx-desktop/releases/download/v%s/%s',
-          releasesURL: 'https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/buildx-lab-releases.json'
+          contentOpts: {
+            owner: 'docker',
+            repo: 'actions-toolkit',
+            ref: 'main',
+            path: '.github/buildx-lab-releases.json'
+          }
         };
       }
       default: {
@@ -302,17 +315,11 @@ export class Install {
     }
   }
 
-  public static async getRelease(version: DownloadVersion): Promise<GitHubRelease> {
-    const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');
-    const resp: httpm.HttpClientResponse = await http.get(version.releasesURL);
-    const body = await resp.readBody();
-    const statusCode = resp.message.statusCode || 500;
-    if (statusCode >= 400) {
-      throw new Error(`Failed to get Buildx releases from ${version.releasesURL} with status code ${statusCode}: ${body}`);
-    }
-    const releases = <Record<string, GitHubRelease>>JSON.parse(body);
+  public static async getRelease(version: DownloadVersion, githubToken?: string): Promise<GitHubRelease> {
+    const github = new GitHub({token: githubToken});
+    const releases = await github.releases('Buildx', version.contentOpts);
     if (!releases[version.version]) {
-      throw new Error(`Cannot find Buildx release ${version.version} in ${version.releasesURL}`);
+      throw new Error(`Cannot find Buildx release ${version.version} in releases JSON`);
     }
     return releases[version.version];
   }

src/compose/install.ts

@@ -18,27 +18,30 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import * as core from '@actions/core';
-import * as httpm from '@actions/http-client';
 import * as tc from '@actions/tool-cache';
 import * as semver from 'semver';
 import * as util from 'util';
 
 import {Cache} from '../cache';
 import {Context} from '../context';
+import {Docker} from '../docker/docker';
+import {GitHub} from '../github';
 
 import {DownloadVersion} from '../types/compose/compose';
 import {GitHubRelease} from '../types/github';
-import {Docker} from '../docker/docker';
 
 export interface InstallOpts {
   standalone?: boolean;
+  githubToken?: string;
 }
 
 export class Install {
-  private readonly _standalone: boolean | undefined;
+  private readonly standalone: boolean | undefined;
+  private readonly githubToken: string | undefined;
 
   constructor(opts?: InstallOpts) {
-    this._standalone = opts?.standalone;
+    this.standalone = opts?.standalone;
+    this.githubToken = opts?.githubToken || process.env.GITHUB_TOKEN;
   }
 
   /*
@@ -51,7 +54,7 @@ export class Install {
     const version: DownloadVersion = await Install.getDownloadVersion(v);
     core.debug(`Install.download version: ${version.version}`);
 
-    const release: GitHubRelease = await Install.getRelease(version);
+    const release: GitHubRelease = await Install.getRelease(version, this.githubToken);
     core.debug(`Install.download release tag name: ${release.tag_name}`);
 
     const vspec = await this.vspec(release.tag_name);
@@ -79,7 +82,7 @@ export class Install {
     const downloadURL = util.format(version.downloadURL, vspec, this.filename());
     core.info(`Downloading ${downloadURL}`);
 
-    const htcDownloadPath = await tc.downloadTool(downloadURL);
+    const htcDownloadPath = await tc.downloadTool(downloadURL, undefined, this.githubToken);
     core.debug(`Install.download htcDownloadPath: ${htcDownloadPath}`);
 
     const cacheSavePath = await installCache.save(htcDownloadPath);
@@ -129,7 +132,7 @@ export class Install {
   }
 
   private async isStandalone(): Promise<boolean> {
-    const standalone = this._standalone ?? !(await Docker.isAvailable());
+    const standalone = this.standalone ?? !(await Docker.isAvailable());
     core.debug(`Install.isStandalone: ${standalone}`);
     return standalone;
   }
@@ -183,7 +186,12 @@ export class Install {
           key: repoKey,
           version: version,
           downloadURL: 'https://github.com/docker/compose/releases/download/v%s/%s',
-          releasesURL: 'https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-releases.json'
+          contentOpts: {
+            owner: 'docker',
+            repo: 'actions-toolkit',
+            ref: 'main',
+            path: '.github/compose-releases.json'
+          }
         };
       }
       case 'cloud': {
@@ -191,7 +199,12 @@ export class Install {
           key: repoKey,
           version: version,
           downloadURL: 'https://github.com/docker/compose-desktop/releases/download/v%s/%s',
-          releasesURL: 'https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-lab-releases.json'
+          contentOpts: {
+            owner: 'docker',
+            repo: 'actions-toolkit',
+            ref: 'main',
+            path: '.github/compose-lab-releases.json'
+          }
         };
       }
       default: {
@@ -200,17 +213,11 @@ export class Install {
     }
   }
 
-  public static async getRelease(version: DownloadVersion): Promise<GitHubRelease> {
-    const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');
-    const resp: httpm.HttpClientResponse = await http.get(version.releasesURL);
-    const body = await resp.readBody();
-    const statusCode = resp.message.statusCode || 500;
-    if (statusCode >= 400) {
-      throw new Error(`Failed to get Compose releases from ${version.releasesURL} with status code ${statusCode}: ${body}`);
-    }
-    const releases = <Record<string, GitHubRelease>>JSON.parse(body);
+  public static async getRelease(version: DownloadVersion, githubToken?: string): Promise<GitHubRelease> {
+    const github = new GitHub({token: githubToken});
+    const releases = await github.releases('Compose', version.contentOpts);
     if (!releases[version.version]) {
-      throw new Error(`Cannot find Compose release ${version.version} in ${version.releasesURL}`);
+      throw new Error(`Cannot find Compose release ${version.version} in releases JSON`);
     }
     return releases[version.version];
   }

src/cosign/cosign.ts

@@ -0,0 +1,160 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import * as core from '@actions/core';
+import {BUNDLE_V03_MEDIA_TYPE, SerializedBundle} from '@sigstore/bundle';
+
+import {Exec} from '../exec';
+import * as semver from 'semver';
+import {MEDIATYPE_EMPTY_JSON_V1} from '../types/oci/mediatype';
+
+export interface CosignOpts {
+  binPath?: string;
+}
+
+export interface CosignCommandResult {
+  bundle?: SerializedBundle;
+  signatureManifestDigest?: string;
+  errors?: Array<CosignCommandError>;
+}
+
+export interface CosignCommandError {
+  code: string;
+  message: string;
+  detail: string;
+}
+
+export class Cosign {
+  private readonly binPath: string;
+  private _version: string;
+  private _versionOnce: boolean;
+
+  constructor(opts?: CosignOpts) {
+    this.binPath = opts?.binPath || 'cosign';
+    this._version = '';
+    this._versionOnce = false;
+  }
+
+  public async isAvailable(): Promise<boolean> {
+    const ok: boolean = await Exec.getExecOutput(this.binPath, [], {
+      ignoreReturnCode: true,
+      silent: true
+    })
+      .then(res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          core.debug(`Cosign.isAvailable cmd err: ${res.stderr.trim()}`);
+          return false;
+        }
+        return res.exitCode == 0;
+      })
+      .catch(error => {
+        core.debug(`Cosign.isAvailable error: ${error}`);
+        return false;
+      });
+
+    core.debug(`Cosign.isAvailable: ${ok}`);
+    return ok;
+  }
+
+  public async version(): Promise<string> {
+    if (this._versionOnce) {
+      return this._version;
+    }
+    this._versionOnce = true;
+    this._version = await Exec.getExecOutput(this.binPath, ['version', '--json'], {
+      ignoreReturnCode: true,
+      silent: true
+    }).then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      return JSON.parse(res.stdout.trim()).gitVersion;
+    });
+    return this._version;
+  }
+
+  public async printVersion() {
+    await Exec.exec(this.binPath, ['version', '--json'], {
+      failOnStdErr: false
+    });
+  }
+
+  public async versionSatisfies(range: string, version?: string): Promise<boolean> {
+    const ver = version ?? (await this.version());
+    if (!ver) {
+      core.debug(`Cosign.versionSatisfies false: undefined version`);
+      return false;
+    }
+    const res = semver.satisfies(ver, range) || /^[0-9a-f]{7}$/.exec(ver) !== null;
+    core.debug(`Cosign.versionSatisfies ${ver} statisfies ${range}: ${res}`);
+    return res;
+  }
+
+  public static parseCommandOutput(logs: string): CosignCommandResult {
+    let signatureManifestDigest: string | undefined;
+    let signatureManifestFallbackDigest: string | undefined;
+    let bundlePayload: SerializedBundle | undefined;
+    let errors: Array<CosignCommandError> | undefined;
+
+    for (const rawLine of logs.split(/\r?\n/)) {
+      const line = rawLine.trim();
+      if (!line.startsWith('{') || !line.endsWith('}')) {
+        continue;
+      }
+
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      let obj: any;
+      try {
+        obj = JSON.parse(line);
+      } catch {
+        continue;
+      }
+
+      if (obj && Array.isArray(obj.errors) && obj.errors.length > 0) {
+        errors = obj.errors;
+      }
+
+      // signature manifest digest
+      if (!signatureManifestDigest && obj && Array.isArray(obj.manifests) && obj.manifests.length > 0) {
+        const m0 = obj.manifests[0];
+        if (m0?.artifactType === BUNDLE_V03_MEDIA_TYPE && typeof m0.digest === 'string') {
+          signatureManifestDigest = m0.digest;
+        } else if (m0?.artifactType === MEDIATYPE_EMPTY_JSON_V1 && typeof m0.digest === 'string') {
+          signatureManifestFallbackDigest = m0.digest;
+        }
+      }
+
+      // signature payload
+      if (!bundlePayload && obj && obj.mediaType === BUNDLE_V03_MEDIA_TYPE) {
+        bundlePayload = obj as SerializedBundle;
+      }
+
+      if (bundlePayload && signatureManifestDigest) {
+        break;
+      }
+    }
+
+    if (!errors && !bundlePayload) {
+      throw new Error(`Cannot find signature bundle from cosign command output: ${logs}`);
+    }
+
+    return {
+      bundle: bundlePayload,
+      signatureManifestDigest: signatureManifestDigest || signatureManifestFallbackDigest,
+      errors: errors
+    };
+  }
+}

src/cosign/dockerfile.ts

@@ -0,0 +1,61 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export const dockerfileContent = `
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.24"
+ARG ALPINE_VERSION="3.22"
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx
+
+FROM --platform=$BUILDPLATFORM golang:\${GO_VERSION}-alpine\${ALPINE_VERSION} AS builder-base
+COPY --from=xx / /
+RUN apk add --no-cache git
+ENV GOTOOLCHAIN=auto
+ENV CGO_ENABLED=0
+WORKDIR /src
+RUN --mount=type=cache,target=/go/pkg/mod \\
+    --mount=type=bind,source=go.mod,target=go.mod \\
+    --mount=type=bind,source=go.sum,target=go.sum \\
+    go mod download
+
+FROM builder-base AS version
+RUN --mount=type=bind,target=. <<'EOT'
+  git rev-parse HEAD 2>/dev/null || {
+    echo >&2 "Failed to get git revision, make sure --build-arg BUILDKIT_CONTEXT_KEEP_GIT_DIR=1 is set when building from Git directly"
+    exit 1
+  }
+  set -ex
+  export PKG=sigs.k8s.io BUILDDATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") TREESTATE=$(if ! git diff --no-ext-diff --quiet --exit-code; then echo dirty; else echo clean; fi) VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) COMMIT=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi);
+  echo "-X \${PKG}/release-utils/version.gitVersion=\${VERSION} -X \${PKG}/release-utils/version.gitCommit=\${COMMIT} -X \${PKG}/release-utils/version.gitTreeState=\${TREESTATE} -X \${PKG}/release-utils/version.buildDate=\${BUILDDATE}" > /tmp/.ldflags;
+  echo -n "\${VERSION}" > /tmp/.version;
+EOT
+
+FROM builder-base AS builder
+ARG TARGETPLATFORM
+RUN --mount=type=bind,target=. \\
+    --mount=type=cache,target=/root/.cache,id=cosign-$TARGETPLATFORM \\
+    --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \\
+    --mount=type=cache,target=/go/pkg/mod <<EOT
+  set -ex
+  xx-go build -trimpath -ldflags "-s -w $(cat /tmp/.ldflags)" -o /out/cosign ./cmd/cosign
+  xx-verify --static /out/cosign
+EOT
+
+FROM scratch
+COPY --from=builder /out /
+`;

src/cosign/install.ts

@@ -0,0 +1,248 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import * as core from '@actions/core';
+import * as tc from '@actions/tool-cache';
+import * as semver from 'semver';
+import * as util from 'util';
+
+import {Buildx} from '../buildx/buildx';
+import {Cache} from '../cache';
+import {Context} from '../context';
+import {Exec} from '../exec';
+import {Git} from '../git';
+import {GitHub} from '../github';
+import {Util} from '../util';
+
+import {DownloadVersion} from '../types/cosign/cosign';
+import {GitHubRelease} from '../types/github';
+import {dockerfileContent} from './dockerfile';
+
+export interface InstallOpts {
+  githubToken?: string;
+  buildx?: Buildx;
+}
+
+export class Install {
+  private readonly githubToken: string | undefined;
+  private readonly buildx: Buildx;
+
+  constructor(opts?: InstallOpts) {
+    this.githubToken = opts?.githubToken || process.env.GITHUB_TOKEN;
+    this.buildx = opts?.buildx || new Buildx();
+  }
+
+  public async download(v: string, ghaNoCache?: boolean, skipState?: boolean): Promise<string> {
+    const version: DownloadVersion = await Install.getDownloadVersion(v);
+    core.debug(`Install.download version: ${version.version}`);
+
+    const release: GitHubRelease = await Install.getRelease(version, this.githubToken);
+    core.debug(`Install.download release tag name: ${release.tag_name}`);
+
+    const vspec = await this.vspec(release.tag_name);
+    core.debug(`Install.download vspec: ${vspec}`);
+
+    const c = semver.clean(vspec) || '';
+    if (!semver.valid(c)) {
+      throw new Error(`Invalid Cosign version "${vspec}".`);
+    }
+
+    const installCache = new Cache({
+      htcName: 'cosign-dl-bin',
+      htcVersion: vspec,
+      baseCacheDir: path.join(os.homedir(), '.bin'),
+      cacheFile: os.platform() == 'win32' ? 'cosign.exe' : 'cosign',
+      ghaNoCache: ghaNoCache
+    });
+
+    const cacheFoundPath = await installCache.find();
+    if (cacheFoundPath) {
+      core.info(`Cosign binary found in ${cacheFoundPath}`);
+      return cacheFoundPath;
+    }
+
+    const downloadURL = util.format(version.downloadURL, vspec, this.filename());
+    core.info(`Downloading ${downloadURL}`);
+
+    const htcDownloadPath = await tc.downloadTool(downloadURL, undefined, this.githubToken);
+    core.debug(`Install.download htcDownloadPath: ${htcDownloadPath}`);
+
+    const cacheSavePath = await installCache.save(htcDownloadPath, skipState);
+    core.info(`Cached to ${cacheSavePath}`);
+    return cacheSavePath;
+  }
+
+  public async build(gitContext: string, ghaNoCache?: boolean, skipState?: boolean): Promise<string> {
+    const vspec = await this.vspec(gitContext);
+    core.debug(`Install.build vspec: ${vspec}`);
+
+    const installCache = new Cache({
+      htcName: 'cosign-build-bin',
+      htcVersion: vspec,
+      baseCacheDir: path.join(os.homedir(), '.bin'),
+      cacheFile: os.platform() == 'win32' ? 'cosign.exe' : 'cosign',
+      ghaNoCache: ghaNoCache
+    });
+
+    const cacheFoundPath = await installCache.find();
+    if (cacheFoundPath) {
+      core.info(`Cosign binary found in ${cacheFoundPath}`);
+      return cacheFoundPath;
+    }
+
+    const outputDir = path.join(Context.tmpDir(), 'cosign-build-cache');
+    const buildCmd = await this.buildCommand(gitContext, outputDir);
+
+    const buildBinPath = await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
+      ignoreReturnCode: true,
+      input: Buffer.from(dockerfileContent)
+    }).then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(`build failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+      }
+      return `${outputDir}/cosign`;
+    });
+
+    const cacheSavePath = await installCache.save(buildBinPath, skipState);
+    core.info(`Cached to ${cacheSavePath}`);
+    return cacheSavePath;
+  }
+
+  public async install(binPath: string, dest?: string): Promise<string> {
+    dest = dest || Context.tmpDir();
+
+    const binDir = path.join(dest, 'cosign-bin');
+    if (!fs.existsSync(binDir)) {
+      fs.mkdirSync(binDir, {recursive: true});
+    }
+    const binName: string = os.platform() == 'win32' ? 'cosign.exe' : 'cosign';
+    const cosignPath: string = path.join(binDir, binName);
+    fs.copyFileSync(binPath, cosignPath);
+
+    core.info('Fixing perms');
+    fs.chmodSync(cosignPath, '0755');
+
+    core.addPath(binDir);
+    core.info('Added Cosign to PATH');
+
+    core.info(`Binary path: ${cosignPath}`);
+    return cosignPath;
+  }
+
+  private async buildCommand(gitContext: string, outputDir: string): Promise<{args: Array<string>; command: string}> {
+    const buildxStandaloneFound = await new Buildx({standalone: true}).isAvailable();
+    const buildxPluginFound = await new Buildx({standalone: false}).isAvailable();
+
+    let buildStandalone = false;
+    if ((await this.buildx.isStandalone()) && buildxStandaloneFound) {
+      core.debug(`Install.buildCommand: Buildx standalone found, build with it`);
+      buildStandalone = true;
+    } else if (!(await this.buildx.isStandalone()) && buildxPluginFound) {
+      core.debug(`Install.buildCommand: Buildx plugin found, build with it`);
+      buildStandalone = false;
+    } else if (buildxStandaloneFound) {
+      core.debug(`Install.buildCommand: Buildx plugin not found, but standalone found so trying to build with it`);
+      buildStandalone = true;
+    } else if (buildxPluginFound) {
+      core.debug(`Install.buildCommand: Buildx standalone not found, but plugin found so trying to build with it`);
+      buildStandalone = false;
+    } else {
+      throw new Error(`Neither buildx standalone or plugin have been found to build from ref ${gitContext}`);
+    }
+
+    const args = ['build', '--platform', 'local', '--build-arg', 'BUILDKIT_CONTEXT_KEEP_GIT_DIR=1', '--output', `type=local,dest=${outputDir}`];
+    if (process.env.GIT_AUTH_TOKEN) {
+      args.push('--secret', 'id=GIT_AUTH_TOKEN');
+    }
+    args.push('-f-', gitContext);
+
+    // prettier-ignore
+    return await new Buildx({standalone: buildStandalone}).getCommand(args);
+  }
+
+  private filename(): string {
+    let arch: string;
+    switch (os.arch()) {
+      case 'x64': {
+        arch = 'amd64';
+        break;
+      }
+      case 'ppc64': {
+        arch = 'ppc64le';
+        break;
+      }
+      default: {
+        arch = os.arch();
+        break;
+      }
+    }
+    const platform: string = os.platform() == 'win32' ? 'windows' : os.platform();
+    const ext: string = os.platform() == 'win32' ? '.exe' : '';
+    return util.format('cosign-%s-%s%s', platform, arch, ext);
+  }
+
+  private async vspec(versionOrRef: string): Promise<string> {
+    if (!Util.isValidRef(versionOrRef)) {
+      const v = versionOrRef.replace(/^v+|v+$/g, '');
+      core.info(`Use ${v} version spec cache key for ${versionOrRef}`);
+      return v;
+    }
+
+    // eslint-disable-next-line prefer-const
+    let [baseURL, ref] = versionOrRef.split('#');
+    if (ref.length == 0) {
+      ref = 'master';
+    }
+
+    let sha: string;
+    if (ref.match(/^[0-9a-fA-F]{40}$/)) {
+      sha = ref;
+    } else {
+      sha = await Git.remoteSha(baseURL, ref, process.env.GIT_AUTH_TOKEN);
+    }
+
+    const [owner, repo] = baseURL.substring('https://github.com/'.length).split('/');
+    const key = `${owner}/${Util.trimSuffix(repo, '.git')}/${sha}`;
+    const hash = Util.hash(key);
+    core.info(`Use ${hash} version spec cache key for ${key}`);
+    return hash;
+  }
+
+  public static async getDownloadVersion(v: string): Promise<DownloadVersion> {
+    return {
+      version: v,
+      downloadURL: 'https://github.com/sigstore/cosign/releases/download/v%s/%s',
+      contentOpts: {
+        owner: 'docker',
+        repo: 'actions-toolkit',
+        ref: 'main',
+        path: '.github/cosign-releases.json'
+      }
+    };
+  }
+
+  public static async getRelease(version: DownloadVersion, githubToken?: string): Promise<GitHubRelease> {
+    const github = new GitHub({token: githubToken});
+    const releases = await github.releases('Cosign', version.contentOpts);
+    if (!releases[version.version]) {
+      throw new Error(`Cannot find Cosign release ${version.version} in releases JSON`);
+    }
+    return releases[version.version];
+  }
+}

src/docker/assets.ts

@@ -140,7 +140,10 @@ Get-WinEvent -ea SilentlyContinue \`
 `;
 
 export const limaYamlData = `
-# Source: https://github.com/lima-vm/lima/blob/master/templates/docker-rootful.yaml
+# Source:
+# - https://github.com/lima-vm/lima/blob/master/templates/docker-rootful.yaml
+# - https://github.com/lima-vm/lima/blob/master/templates/_images/ubuntu-lts.yaml
+# - https://github.com/lima-vm/lima/blob/master/templates/_images/ubuntu-24.04.yaml
 
 # VM type: "qemu" or "vz" (on macOS 13 and later).
 # The vmType can be specified only on creating the instance.
@@ -162,24 +165,24 @@ images:
   arch: "{{arch}}"
   digest: "{{digest}}"
 {{/each}}
-- location: "https://cloud-images.ubuntu.com/releases/24.04/release-20250228/ubuntu-24.04-server-cloudimg-amd64.img"
+- location: "https://cloud-images.ubuntu.com/releases/noble/release-20250704/ubuntu-24.04-server-cloudimg-amd64.img"
   arch: "x86_64"
-  digest: "sha256:a3aea891c930ee0c762077b963834f5e083eb8102574f1e4dfc9e6e4c1c73ac0"
+  digest: "sha256:f1652d29d497fb7c623433705c9fca6525d1311b11294a0f495eed55c7639d1f"
   kernel:
-    location: "https://cloud-images.ubuntu.com/releases/24.04/release-20250228/unpacked/ubuntu-24.04-server-cloudimg-amd64-vmlinuz-generic"
-    digest: "sha256:2d9f30959f01675fd28aa1c2fe8934728e46766d04ecfad2d206823696a3f830"
+    location: "https://cloud-images.ubuntu.com/releases/noble/release-20250704/unpacked/ubuntu-24.04-server-cloudimg-amd64-vmlinuz-generic"
+    digest: "sha256:67cd9af083515de2101de032b49a64fc4b65778e5383df6ef21cf788a3f4688e"
     cmdline: "root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyAMA0 no_timer_check"
   initrd:
-    location: "https://cloud-images.ubuntu.com/releases/24.04/release-20250228/unpacked/ubuntu-24.04-server-cloudimg-amd64-initrd-generic"
-    digest: "sha256:231352d027aeebf0bb7dca281dfebae894c86e789c7377788d3c2c149471caa3"
-- location: "https://cloud-images.ubuntu.com/releases/24.04/release-20250228/ubuntu-24.04-server-cloudimg-arm64.img"
+    location: "https://cloud-images.ubuntu.com/releases/noble/release-20250704/unpacked/ubuntu-24.04-server-cloudimg-amd64-initrd-generic"
+    digest: "sha256:f257d581c44f66da2d80c7c5dc3fa598ce76ef313d6e27b368683e8030a9e8fd"
+- location: "https://cloud-images.ubuntu.com/releases/noble/release-20250704/ubuntu-24.04-server-cloudimg-arm64.img"
   arch: "aarch64"
-  digest: "sha256:278a0e8475008673d9d3da10ae66a7b1a3dda059746b83d749eca386a5670bd4"
+  digest: "sha256:bbecbb88100ee65497927ed0da247ba15af576a8855004182cf3c87265e25d35"
 # Fallback to the latest release image.
 # Hint: run \`limactl prune\` to invalidate the cache
-- location: "https://cloud-images.ubuntu.com/releases/24.04/release/ubuntu-24.04-server-cloudimg-amd64.img"
+- location: https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-amd64.img
   arch: "x86_64"
-- location: "https://cloud-images.ubuntu.com/releases/24.04/release/ubuntu-24.04-server-cloudimg-arm64.img"
+- location: https://cloud-images.ubuntu.com/releases/noble/release/ubuntu-24.04-server-cloudimg-arm64.img
   arch: "aarch64"
 
 # CPUs
@@ -290,18 +293,25 @@ probes:
     #!/bin/bash
     set -eux -o pipefail
     # Don't check for docker CLI as it's not installed in the VM (only on the host)
-    if ! timeout 30s bash -c "until pgrep dockerd; do sleep 3; done"; then
+    if ! timeout 60s bash -c "until pgrep dockerd; do sleep 3; done"; then
       echo >&2 "dockerd is not running"
       exit 1
     fi
   hint: See "/var/log/cloud-init-output.log". in the guest
 
 hostResolver:
+  # Don't use local system resolver
+  enabled: false
   # hostResolver.hosts requires lima 0.8.3 or later. Names defined here will also
   # resolve inside containers, and not just inside the VM itself.
   hosts:
     host.docker.internal: host.lima.internal
 
+# Use custom DNS servers instead of the host's DNS settings
+dns:
+  - 1.1.1.1
+  - 1.0.0.1
+
 portForwards:
 - guestSocket: "/var/run/docker.sock"
   hostSocket: "{{dockerSock}}"

src/docker/install.ts

@@ -22,16 +22,17 @@ import path from 'path';
 import retry from 'async-retry';
 import * as handlebars from 'handlebars';
 import * as core from '@actions/core';
-import * as httpm from '@actions/http-client';
 import * as io from '@actions/io';
 import * as tc from '@actions/tool-cache';
 
 import {Context} from '../context';
 import {Docker} from './docker';
+import {Exec} from '../exec';
+import {GitHub} from '../github';
 import {Regctl} from '../regclient/regctl';
 import {Undock} from '../undock/undock';
-import {Exec} from '../exec';
 import {Util} from '../util';
+
 import {limaYamlData, dockerServiceLogsPs1, setupDockerWinPs1} from './assets';
 
 import {GitHubRelease} from '../types/github';
@@ -62,6 +63,8 @@ export interface InstallOpts {
 
   regctl?: Regctl;
   undock?: Undock;
+
+  githubToken?: string;
 }
 
 interface LimaImage {
@@ -79,6 +82,7 @@ export class Install {
   private readonly localTCPPort?: number;
   private readonly regctl: Regctl;
   private readonly undock: Undock;
+  private readonly githubToken?: string;
 
   private _version: string | undefined;
   private _toolDir: string | undefined;
@@ -100,6 +104,7 @@ export class Install {
     this.localTCPPort = opts.localTCPPort;
     this.regctl = opts.regctl || new Regctl();
     this.undock = opts.undock || new Undock();
+    this.githubToken = opts.githubToken || process.env.GITHUB_TOKEN;
   }
 
   get toolDir(): string {
@@ -203,7 +208,7 @@ export class Install {
   }
 
   private async downloadSourceArchive(component: 'docker' | 'docker-rootless-extras', src: InstallSourceArchive): Promise<string> {
-    const release: GitHubRelease = await Install.getRelease(src.version);
+    const release: GitHubRelease = await Install.getRelease(src.version, this.githubToken);
     this._version = release.tag_name.replace(/^(docker-)?v+/, '');
     core.debug(`docker.Install.downloadSourceArchive version: ${this._version}`);
 
@@ -326,7 +331,7 @@ export class Install {
     };
 
     await core.group('Starting lima instance', async () => {
-      const limaStartArgs = ['start', `--name=${this.limaInstanceName}`];
+      const limaStartArgs = ['start', `--name=${this.limaInstanceName}`, `--timeout=${process.env.LIMA_START_TIMEOUT ?? '15m'}`];
       if (process.env.LIMA_START_ARGS) {
         limaStartArgs.push(process.env.LIMA_START_ARGS);
       }
@@ -693,19 +698,17 @@ EOF`,
       });
   }
 
-  public static async getRelease(version: string): Promise<GitHubRelease> {
-    const url = `https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/docker-releases.json`;
-    const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');
-    const resp: httpm.HttpClientResponse = await http.get(url);
-    const body = await resp.readBody();
-    const statusCode = resp.message.statusCode || 500;
-    if (statusCode >= 400) {
-      throw new Error(`Failed to get Docker release ${version} from ${url} with status code ${statusCode}: ${body}`);
-    }
-    const releases = <Record<string, GitHubRelease>>JSON.parse(body);
+  public static async getRelease(version: string, githubToken?: string): Promise<GitHubRelease> {
+    const github = new GitHub({token: githubToken});
+    const releases = await github.releases('Docker', {
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/docker-releases.json'
+    });
     if (!releases[version]) {
       if (!releases['v' + version]) {
-        throw new Error(`Cannot find Docker release ${version} in ${url}`);
+        throw new Error(`Cannot find Docker release ${version} in releases JSON`);
       }
       return releases['v' + version];
     }

src/github.ts

@@ -31,29 +31,47 @@ import {SummaryTableCell} from '@actions/core/lib/summary';
 import * as github from '@actions/github';
 import {GitHub as Octokit} from '@actions/github/lib/utils';
 import {Context} from '@actions/github/lib/context';
+import * as httpm from '@actions/http-client';
 import {TransferProgressEvent} from '@azure/core-http';
 import {BlobClient, BlobHTTPHeaders} from '@azure/storage-blob';
 import {jwtDecode, JwtPayload} from 'jwt-decode';
 
 import {Util} from './util';
 
-import {BuildSummaryOpts, GitHubActionsRuntimeToken, GitHubActionsRuntimeTokenAC, GitHubRepo, UploadArtifactOpts, UploadArtifactResponse} from './types/github';
+import {BuildSummaryOpts, GitHubActionsRuntimeToken, GitHubActionsRuntimeTokenAC, GitHubContentOpts, GitHubRelease, GitHubRepo, UploadArtifactOpts, UploadArtifactResponse} from './types/github';
 
 export interface GitHubOpts {
   token?: string;
 }
 
 export class GitHub {
+  private readonly githubToken?: string;
   public readonly octokit: InstanceType<typeof Octokit>;
 
   constructor(opts?: GitHubOpts) {
-    this.octokit = github.getOctokit(`${opts?.token}`);
+    this.githubToken = opts?.token || process.env.GITHUB_TOKEN;
+    this.octokit = github.getOctokit(`${this.githubToken}`);
   }
 
   public repoData(): Promise<GitHubRepo> {
     return this.octokit.rest.repos.get({...github.context.repo}).then(response => response.data as GitHubRepo);
   }
 
+  public async releases(name: string, opts: GitHubContentOpts): Promise<Record<string, GitHubRelease>> {
+    const url = `https://raw.githubusercontent.com/${opts.owner}/${opts.repo}/${opts.ref}/${opts.path}`;
+    const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');
+    // prettier-ignore
+    const httpResp: httpm.HttpClientResponse = await http.get(url, this.githubToken ? {
+      Authorization: `token ${this.githubToken}`
+    } : undefined);
+    const dt = await httpResp.readBody();
+    const statusCode = httpResp.message.statusCode || 500;
+    if (statusCode >= 400) {
+      throw new Error(`Failed to get ${name} releases from ${url} with status code ${statusCode}: ${dt}`);
+    }
+    return <Record<string, GitHubRelease>>JSON.parse(dt);
+  }
+
   static get context(): Context {
     return github.context;
   }

src/regclient/install.ts

@@ -18,18 +18,28 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import * as core from '@actions/core';
-import * as httpm from '@actions/http-client';
 import * as tc from '@actions/tool-cache';
 import * as semver from 'semver';
 import * as util from 'util';
 
 import {Cache} from '../cache';
 import {Context} from '../context';
+import {GitHub} from '../github';
 
 import {GitHubRelease} from '../types/github';
 import {DownloadVersion} from '../types/regclient/regclient';
 
+export interface InstallOpts {
+  githubToken?: string;
+}
+
 export class Install {
+  private readonly githubToken: string | undefined;
+
+  constructor(opts?: InstallOpts) {
+    this.githubToken = opts?.githubToken || process.env.GITHUB_TOKEN;
+  }
+
   /*
    * Download regclient binary from GitHub release
    * @param v: version semver version or latest
@@ -40,7 +50,7 @@ export class Install {
     const version: DownloadVersion = await Install.getDownloadVersion(v);
     core.debug(`Install.download version: ${version.version}`);
 
-    const release: GitHubRelease = await Install.getRelease(version);
+    const release: GitHubRelease = await Install.getRelease(version, this.githubToken);
     core.debug(`Install.download release tag name: ${release.tag_name}`);
 
     const vspec = await this.vspec(release.tag_name);
@@ -68,7 +78,7 @@ export class Install {
     const downloadURL = util.format(version.downloadURL, vspec, this.filename());
     core.info(`Downloading ${downloadURL}`);
 
-    const htcDownloadPath = await tc.downloadTool(downloadURL);
+    const htcDownloadPath = await tc.downloadTool(downloadURL, undefined, this.githubToken);
     core.debug(`Install.download htcDownloadPath: ${htcDownloadPath}`);
 
     const cacheSavePath = await installCache.save(htcDownloadPath);
@@ -134,21 +144,20 @@ export class Install {
     return {
       version: v,
       downloadURL: 'https://github.com/regclient/regclient/releases/download/v%s/%s',
-      releasesURL: 'https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/regclient-releases.json'
+      contentOpts: {
+        owner: 'docker',
+        repo: 'actions-toolkit',
+        ref: 'main',
+        path: '.github/regclient-releases.json'
+      }
     };
   }
 
-  public static async getRelease(version: DownloadVersion): Promise<GitHubRelease> {
-    const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');
-    const resp: httpm.HttpClientResponse = await http.get(version.releasesURL);
-    const body = await resp.readBody();
-    const statusCode = resp.message.statusCode || 500;
-    if (statusCode >= 400) {
-      throw new Error(`Failed to get regclient releases from ${version.releasesURL} with status code ${statusCode}: ${body}`);
-    }
-    const releases = <Record<string, GitHubRelease>>JSON.parse(body);
+  public static async getRelease(version: DownloadVersion, githubToken?: string): Promise<GitHubRelease> {
+    const github = new GitHub({token: githubToken});
+    const releases = await github.releases('regclient', version.contentOpts);
     if (!releases[version.version]) {
-      throw new Error(`Cannot find regclient release ${version.version} in ${version.releasesURL}`);
+      throw new Error(`Cannot find regclient release ${version.version} in releases JSON`);
     }
     return releases[version.version];
   }

src/sigstore/sigstore.ts

@@ -0,0 +1,386 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {X509Certificate} from 'crypto';
+import fs from 'fs';
+import path from 'path';
+
+import {Endpoints} from '@actions/attest/lib/endpoints';
+import * as core from '@actions/core';
+import {signPayload} from '@actions/attest/lib/sign';
+import {bundleFromJSON, bundleToJSON} from '@sigstore/bundle';
+import {Attestation} from '@actions/attest';
+import {Bundle} from '@sigstore/sign';
+
+import {Cosign} from '../cosign/cosign';
+import {Exec} from '../exec';
+import {GitHub} from '../github';
+import {ImageTools} from '../buildx/imagetools';
+
+import {MEDIATYPE_PAYLOAD as INTOTO_MEDIATYPE_PAYLOAD, Subject} from '../types/intoto/intoto';
+import {FULCIO_URL, REKOR_URL, SEARCH_URL, TSASERVER_URL} from '../types/sigstore/sigstore';
+
+export interface SignAttestationManifestsOpts {
+  imageName: string;
+  imageDigest: string;
+  noTransparencyLog?: boolean;
+}
+
+export interface SignAttestationManifestsResult extends Attestation {
+  imageName: string;
+}
+
+export interface VerifySignedManifestsOpts {
+  certificateIdentityRegexp: string;
+  retries?: number;
+}
+
+export interface VerifySignedManifestsResult {
+  cosignArgs: Array<string>;
+  signatureManifestDigest: string;
+}
+
+export interface SignProvenanceBlobsOpts {
+  localExportDir: string;
+  name?: string;
+  noTransparencyLog?: boolean;
+}
+
+export interface SignProvenanceBlobsResult extends Attestation {
+  bundlePath: string;
+  subjects: Array<Subject>;
+}
+
+export interface VerifySignedArtifactsOpts {
+  certificateIdentityRegexp: string;
+}
+
+export interface VerifySignedArtifactsResult {
+  bundlePath: string;
+  cosignArgs: Array<string>;
+}
+
+export interface SigstoreOpts {
+  cosign?: Cosign;
+  imageTools?: ImageTools;
+}
+
+export class Sigstore {
+  private readonly cosign: Cosign;
+  private readonly imageTools: ImageTools;
+
+  constructor(opts?: SigstoreOpts) {
+    this.cosign = opts?.cosign || new Cosign();
+    this.imageTools = opts?.imageTools || new ImageTools();
+  }
+
+  public async signAttestationManifests(opts: SignAttestationManifestsOpts): Promise<Record<string, SignAttestationManifestsResult>> {
+    if (!(await this.cosign.isAvailable())) {
+      throw new Error('Cosign is required to sign attestation manifests');
+    }
+    const result: Record<string, SignAttestationManifestsResult> = {};
+    try {
+      if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+        throw new Error('missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.');
+      }
+
+      const endpoints = this.signingEndpoints(opts.noTransparencyLog);
+      core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
+      const noTransparencyLog = Sigstore.noTransparencyLog(opts.noTransparencyLog);
+
+      const attestationDigests = await this.imageTools.attestationDigests(`${opts.imageName}@${opts.imageDigest}`);
+      for (const attestationDigest of attestationDigests) {
+        const attestationRef = `${opts.imageName}@${attestationDigest}`;
+        await core.group(`Signing attestation manifest ${attestationRef}`, async () => {
+          // prettier-ignore
+          const cosignArgs = [
+            '--verbose',
+            'sign',
+            '--yes',
+            '--oidc-provider', 'github-actions',
+            '--registry-referrers-mode', 'oci-1-1',
+            '--new-bundle-format',
+            '--use-signing-config'
+          ];
+          if (noTransparencyLog) {
+            cosignArgs.push('--tlog-upload=false');
+          }
+          core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
+          const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, attestationRef], {
+            ignoreReturnCode: true,
+            silent: true,
+            env: Object.assign({}, process.env, {
+              COSIGN_EXPERIMENTAL: '1'
+            }) as {
+              [key: string]: string;
+            }
+          });
+          const signResult = Cosign.parseCommandOutput(execRes.stderr.trim());
+          if (execRes.exitCode != 0) {
+            if (signResult.errors && signResult.errors.length > 0) {
+              const errorMessages = signResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
+              throw new Error(`Cosign sign command failed with errors:\n${errorMessages}`);
+            } else {
+              throw new Error(`Cosign sign command failed with exit code ${execRes.exitCode}`);
+            }
+          }
+          const attest = Sigstore.toAttestation(bundleFromJSON(signResult.bundle));
+          if (attest.tlogID) {
+            core.info(`Uploaded to Rekor transparency log: ${SEARCH_URL}?logIndex=${attest.tlogID}`);
+          }
+          core.info(`Signature manifest pushed: https://oci.dag.dev/?referrers=${attestationRef}`);
+          result[attestationRef] = {
+            ...attest,
+            imageName: opts.imageName
+          };
+        });
+      }
+    } catch (err) {
+      throw new Error(`Signing BuildKit attestation manifests failed: ${(err as Error).message}`);
+    }
+    return result;
+  }
+
+  public async verifySignedManifests(opts: VerifySignedManifestsOpts, signed: Record<string, SignAttestationManifestsResult>): Promise<Record<string, VerifySignedManifestsResult>> {
+    const result: Record<string, VerifySignedManifestsResult> = {};
+    const retries = opts.retries ?? 15;
+
+    if (!(await this.cosign.isAvailable())) {
+      throw new Error('Cosign is required to verify signed manifests');
+    }
+
+    let lastError: Error | undefined;
+    for (const [attestationRef, signedRes] of Object.entries(signed)) {
+      await core.group(`Verifying signature of ${attestationRef}`, async () => {
+        // prettier-ignore
+        const cosignArgs = [
+          '--verbose',
+          'verify',
+          '--experimental-oci11',
+          '--new-bundle-format',
+          '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
+          '--certificate-identity-regexp', opts.certificateIdentityRegexp
+        ];
+        if (!signedRes.tlogID) {
+          // skip tlog verification but still verify the signed timestamp
+          cosignArgs.push('--use-signed-timestamps', '--insecure-ignore-tlog');
+        }
+        core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
+        for (let attempt = 0; attempt < retries; attempt++) {
+          const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, attestationRef], {
+            ignoreReturnCode: true,
+            silent: true,
+            env: Object.assign({}, process.env, {
+              COSIGN_EXPERIMENTAL: '1'
+            }) as {[key: string]: string}
+          });
+          const verifyResult = Cosign.parseCommandOutput(execRes.stderr.trim());
+          if (execRes.exitCode === 0) {
+            result[attestationRef] = {
+              cosignArgs: cosignArgs,
+              signatureManifestDigest: verifyResult.signatureManifestDigest!
+            };
+            lastError = undefined;
+            core.info(`Signature manifest verified: https://oci.dag.dev/?image=${signedRes.imageName}@${verifyResult.signatureManifestDigest}`);
+            break;
+          } else {
+            if (verifyResult.errors && verifyResult.errors.length > 0) {
+              const errorMessages = verifyResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
+              lastError = new Error(`Cosign verify command failed with errors:\n${errorMessages}`);
+              if (verifyResult.errors.some(e => e.code === 'MANIFEST_UNKNOWN')) {
+                core.info(`Cosign verify command failed with MANIFEST_UNKNOWN, retrying attempt ${attempt + 1}/${retries}...\n${errorMessages}`);
+                await new Promise(res => setTimeout(res, Math.pow(2, attempt) * 100));
+              } else {
+                throw lastError;
+              }
+            } else {
+              throw new Error(`Cosign verify command failed: ${execRes.stderr}`);
+            }
+          }
+        }
+      });
+    }
+    if (lastError) {
+      throw lastError;
+    }
+
+    return result;
+  }
+
+  public async signProvenanceBlobs(opts: SignProvenanceBlobsOpts): Promise<Record<string, SignProvenanceBlobsResult>> {
+    const result: Record<string, SignProvenanceBlobsResult> = {};
+    try {
+      if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+        throw new Error('missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.');
+      }
+
+      const endpoints = this.signingEndpoints(opts.noTransparencyLog);
+      core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
+
+      const provenanceBlobs = Sigstore.getProvenanceBlobs(opts);
+      for (const p of Object.keys(provenanceBlobs)) {
+        await core.group(`Signing ${p}`, async () => {
+          const blob = provenanceBlobs[p];
+          const bundlePath = path.join(path.dirname(p), `${opts.name ?? 'provenance'}.sigstore.json`);
+          const subjects = Sigstore.getProvenanceSubjects(blob);
+          if (subjects.length === 0) {
+            core.warning(`No subjects found in provenance ${p}, skip signing.`);
+            return;
+          }
+          const bundle = await signPayload(
+            {
+              body: blob,
+              type: INTOTO_MEDIATYPE_PAYLOAD
+            },
+            endpoints
+          );
+          const attest = Sigstore.toAttestation(bundle);
+          core.info(`Provenance blob signed for:`);
+          for (const subject of subjects) {
+            const [digestAlg, digestValue] = Object.entries(subject.digest)[0] || [];
+            core.info(`  - ${subject.name} (${digestAlg}:${digestValue})`);
+          }
+          if (attest.tlogID) {
+            core.info(`Attestation signature uploaded to Rekor transparency log: ${SEARCH_URL}?logIndex=${attest.tlogID}`);
+          }
+          core.info(`Writing Sigstore bundle to: ${bundlePath}`);
+          fs.writeFileSync(bundlePath, JSON.stringify(attest.bundle, null, 2), {
+            encoding: 'utf-8'
+          });
+          result[p] = {
+            ...attest,
+            bundlePath: bundlePath,
+            subjects: subjects
+          };
+        });
+      }
+    } catch (err) {
+      throw new Error(`Signing BuildKit provenance blobs failed: ${(err as Error).message}`);
+    }
+    return result;
+  }
+
+  public async verifySignedArtifacts(opts: VerifySignedArtifactsOpts, signed: Record<string, SignProvenanceBlobsResult>): Promise<Record<string, VerifySignedArtifactsResult>> {
+    const result: Record<string, VerifySignedArtifactsResult> = {};
+    if (!(await this.cosign.isAvailable())) {
+      throw new Error('Cosign is required to verify signed artifacts');
+    }
+    for (const [provenancePath, signedRes] of Object.entries(signed)) {
+      const baseDir = path.dirname(provenancePath);
+      await core.group(`Verifying signature bundle ${signedRes.bundlePath}`, async () => {
+        for (const subject of signedRes.subjects) {
+          const artifactPath = path.join(baseDir, subject.name);
+          core.info(`Verifying signed artifact ${artifactPath}`);
+          // prettier-ignore
+          const cosignArgs = [
+            'verify-blob-attestation',
+            '--new-bundle-format',
+            '--certificate-oidc-issuer', 'https://token.actions.githubusercontent.com',
+            '--certificate-identity-regexp', opts.certificateIdentityRegexp
+          ]
+          if (!signedRes.tlogID) {
+            // if there is no tlog entry, we skip tlog verification but still verify the signed timestamp
+            cosignArgs.push('--use-signed-timestamps', '--insecure-ignore-tlog');
+          }
+          const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, '--bundle', signedRes.bundlePath, artifactPath], {
+            ignoreReturnCode: true
+          });
+          if (execRes.stderr.length > 0 && execRes.exitCode != 0) {
+            throw new Error(execRes.stderr);
+          }
+          result[artifactPath] = {
+            bundlePath: signedRes.bundlePath,
+            cosignArgs: cosignArgs
+          };
+        }
+      });
+    }
+    return result;
+  }
+
+  private signingEndpoints(noTransparencyLog?: boolean): Endpoints {
+    noTransparencyLog = Sigstore.noTransparencyLog(noTransparencyLog);
+    core.info(`Upload to transparency log: ${noTransparencyLog ? 'disabled' : 'enabled'}`);
+    return {
+      fulcioURL: FULCIO_URL,
+      rekorURL: noTransparencyLog ? undefined : REKOR_URL,
+      tsaServerURL: TSASERVER_URL
+    };
+  }
+
+  private static noTransparencyLog(noTransparencyLog?: boolean): boolean {
+    return noTransparencyLog ?? GitHub.context.payload.repository?.private;
+  }
+
+  private static getProvenanceBlobs(opts: SignProvenanceBlobsOpts): Record<string, Buffer> {
+    // For single platform build
+    const singleProvenance = path.join(opts.localExportDir, 'provenance.json');
+    if (fs.existsSync(singleProvenance)) {
+      return {[singleProvenance]: fs.readFileSync(singleProvenance)};
+    }
+
+    // For multi-platform build
+    const dirents = fs.readdirSync(opts.localExportDir, {withFileTypes: true});
+    const platformFolders = dirents.filter(dirent => dirent.isDirectory());
+    if (platformFolders.length > 0 && platformFolders.length === dirents.length && platformFolders.every(platformFolder => fs.existsSync(path.join(opts.localExportDir, platformFolder.name, 'provenance.json')))) {
+      const result: Record<string, Buffer> = {};
+      for (const platformFolder of platformFolders) {
+        const p = path.join(opts.localExportDir, platformFolder.name, 'provenance.json');
+        result[p] = fs.readFileSync(p);
+      }
+      return result;
+    }
+
+    throw new Error(`No valid provenance.json found in ${opts.localExportDir}`);
+  }
+
+  private static getProvenanceSubjects(body: Buffer): Array<Subject> {
+    const statement = JSON.parse(body.toString()) as {
+      subject: Array<{name: string; digest: Record<string, string>}>;
+    };
+    return statement.subject.map(s => ({
+      name: s.name,
+      digest: s.digest
+    }));
+  }
+
+  // https://github.com/actions/toolkit/blob/d3ab50471b4ff1d1274dffb90ef9c5d9949b4886/packages/attest/src/attest.ts#L90
+  private static toAttestation(bundle: Bundle): Attestation {
+    let certBytes: Buffer;
+    switch (bundle.verificationMaterial.content.$case) {
+      case 'x509CertificateChain':
+        certBytes = bundle.verificationMaterial.content.x509CertificateChain.certificates[0].rawBytes;
+        break;
+      case 'certificate':
+        certBytes = bundle.verificationMaterial.content.certificate.rawBytes;
+        break;
+      default:
+        throw new Error('Bundle must contain an x509 certificate');
+    }
+
+    const signingCert = new X509Certificate(certBytes);
+
+    // Collect transparency log ID if available
+    const tlogEntries = bundle.verificationMaterial.tlogEntries;
+    const tlogID = tlogEntries.length > 0 ? tlogEntries[0].logIndex : undefined;
+
+    return {
+      bundle: bundleToJSON(bundle),
+      certificate: signingCert.toString(),
+      tlogID: tlogID
+    };
+  }
+}

src/toolkit.ts

@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+import {GitHub} from './github';
 import {Buildx} from './buildx/buildx';
 import {Build as BuildxBuild} from './buildx/build';
 import {Bake as BuildxBake} from './buildx/bake';
@@ -22,8 +23,13 @@ import {Builder} from './buildx/builder';
 import {BuildKit} from './buildkit/buildkit';
 import {Compose} from './compose/compose';
 import {Install as ComposeInstall} from './compose/install';
+import {Cosign} from './cosign/cosign';
+import {Install as CosignInstall} from './cosign/install';
+import {Regctl} from './regclient/regctl';
+import {Install as RegctlInstall} from './regclient/install';
 import {Undock} from './undock/undock';
-import {GitHub} from './github';
+import {Install as UndockInstall} from './undock/install';
+import {Sigstore} from './sigstore/sigstore';
 
 export interface ToolkitOpts {
   /**
@@ -43,7 +49,13 @@ export class Toolkit {
   public buildkit: BuildKit;
   public compose: Compose;
   public composeInstall: ComposeInstall;
+  public cosign: Cosign;
+  public cosignInstall: CosignInstall;
+  public regctl: Regctl;
+  public regctlInstall: RegctlInstall;
+  public sigstore: Sigstore;
   public undock: Undock;
+  public undockInstall: UndockInstall;
 
   constructor(opts: ToolkitOpts = {}) {
     this.github = new GitHub({token: opts.githubToken});
@@ -55,6 +67,12 @@ export class Toolkit {
     this.buildkit = new BuildKit({buildx: this.buildx});
     this.compose = new Compose();
     this.composeInstall = new ComposeInstall();
+    this.cosign = new Cosign();
+    this.cosignInstall = new CosignInstall({buildx: this.buildx});
+    this.regctl = new Regctl();
+    this.regctlInstall = new RegctlInstall();
+    this.sigstore = new Sigstore();
     this.undock = new Undock();
+    this.undockInstall = new UndockInstall();
   }
 }

src/types/buildx/buildx.ts

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+import {GitHubContentOpts} from '../github';
+
 export interface Cert {
   cacert?: string;
   cert?: string;
@@ -24,7 +26,7 @@ export interface DownloadVersion {
   key: string;
   version: string;
   downloadURL: string;
-  releasesURL: string;
+  contentOpts: GitHubContentOpts;
 }
 
 export interface LocalRefsOpts {

src/types/buildx/imagetools.ts

@@ -0,0 +1,28 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {Versioned} from '../oci/versioned';
+import {Descriptor} from '../oci/descriptor';
+import {Digest} from '../oci/digest';
+
+// https://github.com/docker/buildx/blob/62857022a08552bee5cad0c3044a9a3b185f0b32/util/imagetools/printers.go#L109-L123
+export interface Manifest extends Versioned {
+  mediaType?: string;
+  digest: Digest;
+  size: number;
+  manifests?: Descriptor[];
+  annotations?: Record<string, string>;
+}

src/types/compose/compose.ts

@@ -14,9 +14,11 @@
  * limitations under the License.
  */
 
+import {GitHubContentOpts} from '../github';
+
 export interface DownloadVersion {
   key: string;
   version: string;
   downloadURL: string;
-  releasesURL: string;
+  contentOpts: GitHubContentOpts;
 }

src/types/cosign/cosign.ts

@@ -0,0 +1,23 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {GitHubContentOpts} from '../github';
+
+export interface DownloadVersion {
+  version: string;
+  downloadURL: string;
+  contentOpts: GitHubContentOpts;
+}

src/types/github.ts

@@ -28,6 +28,13 @@ export interface GitHubRelease {
   assets: Array<string>;
 }
 
+export interface GitHubContentOpts {
+  owner: string;
+  repo: string;
+  ref?: string;
+  path: string;
+}
+
 export type GitHubRepo = OctoOpenApiTypes['schemas']['repository'];
 
 export interface GitHubActionsRuntimeToken extends JwtPayload {

src/types/intoto/intoto.ts

@@ -18,3 +18,9 @@
 export const MEDIATYPE_PAYLOAD = 'application/vnd.in-toto+json';
 
 export const MEDIATYPE_PREDICATE = 'in-toto.io/predicate-type';
+
+// https://github.com/in-toto/in-toto-golang/blob/0a34c087cedcc36de065b4fccb7cf7c9bc16e29f/in_toto/attestations.go#L30-L42
+export interface Subject {
+  name: string;
+  digest: Record<string, string>;
+}

src/types/regclient/regclient.ts

@@ -14,8 +14,10 @@
  * limitations under the License.
  */
 
+import {GitHubContentOpts} from '../github';
+
 export interface DownloadVersion {
   version: string;
   downloadURL: string;
-  releasesURL: string;
+  contentOpts: GitHubContentOpts;
 }

src/types/sigstore/sigstore.ts

@@ -0,0 +1,20 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export const FULCIO_URL = 'https://fulcio.sigstore.dev';
+export const REKOR_URL = 'https://rekor.sigstore.dev';
+export const TSASERVER_URL = 'https://timestamp.sigstore.dev';
+export const SEARCH_URL = 'https://search.sigstore.dev';

src/types/undock/undock.ts

@@ -14,8 +14,10 @@
  * limitations under the License.
  */
 
+import {GitHubContentOpts} from '../github';
+
 export interface DownloadVersion {
   version: string;
   downloadURL: string;
-  releasesURL: string;
+  contentOpts: GitHubContentOpts;
 }

src/undock/install.ts

@@ -18,18 +18,28 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import * as core from '@actions/core';
-import * as httpm from '@actions/http-client';
 import * as tc from '@actions/tool-cache';
 import * as semver from 'semver';
 import * as util from 'util';
 
 import {Cache} from '../cache';
 import {Context} from '../context';
+import {GitHub} from '../github';
 
 import {GitHubRelease} from '../types/github';
 import {DownloadVersion} from '../types/undock/undock';
 
+export interface InstallOpts {
+  githubToken?: string;
+}
+
 export class Install {
+  private readonly githubToken: string | undefined;
+
+  constructor(opts?: InstallOpts) {
+    this.githubToken = opts?.githubToken || process.env.GITHUB_TOKEN;
+  }
+
   /*
    * Download undock binary from GitHub release
    * @param v: version semver version or latest
@@ -40,7 +50,7 @@ export class Install {
     const version: DownloadVersion = await Install.getDownloadVersion(v);
     core.debug(`Install.download version: ${version.version}`);
 
-    const release: GitHubRelease = await Install.getRelease(version);
+    const release: GitHubRelease = await Install.getRelease(version, this.githubToken);
     core.debug(`Install.download release tag name: ${release.tag_name}`);
 
     const vspec = await this.vspec(release.tag_name);
@@ -61,14 +71,14 @@ export class Install {
 
     const cacheFoundPath = await installCache.find();
     if (cacheFoundPath) {
-      core.info(`Unodck binary found in ${cacheFoundPath}`);
+      core.info(`Undock binary found in ${cacheFoundPath}`);
       return cacheFoundPath;
     }
 
     const downloadURL = util.format(version.downloadURL, vspec, this.filename(vspec));
     core.info(`Downloading ${downloadURL}`);
 
-    const htcDownloadPath = await tc.downloadTool(downloadURL);
+    const htcDownloadPath = await tc.downloadTool(downloadURL, undefined, this.githubToken);
     core.debug(`Install.download htcDownloadPath: ${htcDownloadPath}`);
 
     let htcExtPath: string;
@@ -102,7 +112,7 @@ export class Install {
     fs.chmodSync(undockPath, '0755');
 
     core.addPath(binDir);
-    core.info('Added Unodck to PATH');
+    core.info('Added Undock to PATH');
 
     core.info(`Binary path: ${undockPath}`);
     return undockPath;
@@ -145,21 +155,20 @@ export class Install {
     return {
       version: v,
       downloadURL: 'https://github.com/crazy-max/undock/releases/download/v%s/%s',
-      releasesURL: 'https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/undock-releases.json'
+      contentOpts: {
+        owner: 'docker',
+        repo: 'actions-toolkit',
+        ref: 'main',
+        path: '.github/undock-releases.json'
+      }
     };
   }
 
-  public static async getRelease(version: DownloadVersion): Promise<GitHubRelease> {
-    const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');
-    const resp: httpm.HttpClientResponse = await http.get(version.releasesURL);
-    const body = await resp.readBody();
-    const statusCode = resp.message.statusCode || 500;
-    if (statusCode >= 400) {
-      throw new Error(`Failed to get Undock releases from ${version.releasesURL} with status code ${statusCode}: ${body}`);
-    }
-    const releases = <Record<string, GitHubRelease>>JSON.parse(body);
+  public static async getRelease(version: DownloadVersion, githubToken?: string): Promise<GitHubRelease> {
+    const github = new GitHub({token: githubToken});
+    const releases = await github.releases('Undock', version.contentOpts);
     if (!releases[version.version]) {
-      throw new Error(`Cannot find Undock release ${version.version} in ${version.releasesURL}`);
+      throw new Error(`Cannot find Undock release ${version.version} in releases JSON`);
     }
     return releases[version.version];
   }