oidc-test-trusted_publisher 0.8.12 → 0.8.13
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +1 -6
- data/Gemfile.lock +1 -19
- data/Rakefile +0 -61
- data/lib/oidc/test/version.rb +1 -1
- data/tasks/rubygems_patch.rb +36 -8
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e7b86a5a4b62f2e5624af0376ad83838927a87e9d01b72688a6806135dfd8d90
|
|
4
|
+
data.tar.gz: a945108b1771070c297c54e9db024bf407b00cb4bcb7a94f5f1e95e7e8081344
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 15991449d707eb6fed9e261b7ab8410d39dad5c300d87ff6e1c63c10194f21e5e4329d625b5a271cbade394f7353e310da70216fe89f670b85a13ba5002442d1
|
|
7
|
+
data.tar.gz: fd4deb1271855cbea300ba4b1957520cf9bf4323ae832d9c15eabd9b1d87f5f4c1d382150f1f5bb40f2dc9293e91f53e9ef2f4aa456d82745acf62b0bf4cac76
|
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
oidc-test (0.8.
|
|
4
|
+
oidc-test (0.8.13)
|
|
5
5
|
|
|
6
6
|
GEM
|
|
7
7
|
remote: https://rubygems.org/
|
|
@@ -9,21 +9,9 @@ GEM
|
|
|
9
9
|
ast (2.4.2)
|
|
10
10
|
diff-lcs (1.5.0)
|
|
11
11
|
json (2.6.3)
|
|
12
|
-
net-http (0.5.0)
|
|
13
|
-
uri
|
|
14
12
|
parallel (1.22.1)
|
|
15
13
|
parser (3.2.2.0)
|
|
16
14
|
ast (~> 2.4.1)
|
|
17
|
-
protobug (0.1.0)
|
|
18
|
-
protobug_googleapis_field_behavior_protos (0.1.0)
|
|
19
|
-
protobug (= 0.1.0)
|
|
20
|
-
protobug_well_known_protos (= 0.1.0)
|
|
21
|
-
protobug_sigstore_protos (0.1.0)
|
|
22
|
-
protobug (= 0.1.0)
|
|
23
|
-
protobug_googleapis_field_behavior_protos (= 0.1.0)
|
|
24
|
-
protobug_well_known_protos (= 0.1.0)
|
|
25
|
-
protobug_well_known_protos (0.1.0)
|
|
26
|
-
protobug (= 0.1.0)
|
|
27
15
|
racc (1.8.1)
|
|
28
16
|
rainbow (3.1.1)
|
|
29
17
|
rake (13.0.6)
|
|
@@ -55,12 +43,7 @@ GEM
|
|
|
55
43
|
rubocop-ast (1.28.0)
|
|
56
44
|
parser (>= 3.2.1.0)
|
|
57
45
|
ruby-progressbar (1.13.0)
|
|
58
|
-
sigstore (0.1.1)
|
|
59
|
-
net-http
|
|
60
|
-
protobug_sigstore_protos (~> 0.1.0)
|
|
61
|
-
uri
|
|
62
46
|
unicode-display_width (2.4.2)
|
|
63
|
-
uri (1.0.2)
|
|
64
47
|
|
|
65
48
|
PLATFORMS
|
|
66
49
|
ruby
|
|
@@ -71,7 +54,6 @@ DEPENDENCIES
|
|
|
71
54
|
rake (~> 13.0)
|
|
72
55
|
rspec (~> 3.0)
|
|
73
56
|
rubocop (~> 1.21)
|
|
74
|
-
sigstore (~> 0.1.1)
|
|
75
57
|
|
|
76
58
|
BUNDLED WITH
|
|
77
59
|
2.5.10
|
data/Rakefile
CHANGED
|
@@ -1,66 +1,5 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
-
require "bundler/gem_helper"
|
|
4
|
-
|
|
5
|
-
module Bundler
|
|
6
|
-
class GemHelper
|
|
7
|
-
prepend(Module.new do
|
|
8
|
-
def install
|
|
9
|
-
super
|
|
10
|
-
|
|
11
|
-
task "release:attest" => "build" do
|
|
12
|
-
Bundler.ui.confirm "Attesting? #{attest?}"
|
|
13
|
-
attest if attest?
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
task "release:rubygem_push" => "release:attest"
|
|
17
|
-
end
|
|
18
|
-
|
|
19
|
-
def build_gem
|
|
20
|
-
@build_gem_path = super
|
|
21
|
-
end
|
|
22
|
-
|
|
23
|
-
def rubygem_push(path)
|
|
24
|
-
return super unless attest?
|
|
25
|
-
|
|
26
|
-
cmd = [{ "RUBYOPT" => "-r#{File.expand_path("tasks/rubygems_patch.rb", __dir__)} #{ENV["RUBYOPT"]}",
|
|
27
|
-
"gem_attestation_path" => "#{path}.sigstore.json" }, *gem_command, "push", path]
|
|
28
|
-
cmd << "--key" << gem_key if gem_key
|
|
29
|
-
cmd << "--host" << allowed_push_host if allowed_push_host
|
|
30
|
-
sh_with_input(cmd)
|
|
31
|
-
Bundler.ui.confirm "Pushed #{name} #{version} to #{gem_push_host}"
|
|
32
|
-
end
|
|
33
|
-
end)
|
|
34
|
-
|
|
35
|
-
def attest?
|
|
36
|
-
return true if %w[y yes true on 1].include?(ENV["gem_attest"])
|
|
37
|
-
return false if %w[n no nil false off 0].include?(ENV["gem_attest"])
|
|
38
|
-
|
|
39
|
-
ENV["ACTIONS_ID_TOKEN_REQUEST_URL"] && ENV["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
|
|
40
|
-
end
|
|
41
|
-
|
|
42
|
-
def attest
|
|
43
|
-
Bundler.ui.confirm "Signing #{@build_gem_path}..."
|
|
44
|
-
sh [Gem.ruby, "-S", "gem", "install", "sigstore"]
|
|
45
|
-
sh [Gem.ruby, "-rnet/http", "-rsigstore", "-rsigstore/signer", "-e", <<~RUBY, @build_gem_path]
|
|
46
|
-
file = ARGV.first
|
|
47
|
-
jwt = Net::HTTP.get_response(
|
|
48
|
-
URI(ENV.fetch("ACTIONS_ID_TOKEN_REQUEST_URL") + "&audience=sigstore"),
|
|
49
|
-
{ "Authorization" => "bearer \#{ENV.fetch("ACTIONS_ID_TOKEN_REQUEST_TOKEN")}" },
|
|
50
|
-
&:value
|
|
51
|
-
).body.then { JSON.parse(_1).fetch("value") }
|
|
52
|
-
|
|
53
|
-
contents = File.binread(file)
|
|
54
|
-
bundle = Sigstore::Signer.new(jwt:, trusted_root: Sigstore::TrustedRoot.production).sign(contents)
|
|
55
|
-
|
|
56
|
-
json = "\#{file}.sigstore.json"
|
|
57
|
-
File.binwrite(json, bundle.to_json)
|
|
58
|
-
puts "Signed \#{file}, wrote \#{json}"
|
|
59
|
-
RUBY
|
|
60
|
-
end
|
|
61
|
-
end
|
|
62
|
-
end
|
|
63
|
-
|
|
64
3
|
require "bundler/gem_tasks"
|
|
65
4
|
|
|
66
5
|
Bundler::GemHelper.tag_prefix = ENV["TAG_PREFIX"] if ENV["TAG_PREFIX"]
|
data/lib/oidc/test/version.rb
CHANGED
data/tasks/rubygems_patch.rb
CHANGED
|
@@ -1,18 +1,46 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
return unless defined?(Gem)
|
|
4
|
+
|
|
3
5
|
require "rubygems/commands/push_command"
|
|
4
6
|
|
|
5
7
|
Gem::Commands::PushCommand.prepend(Module.new do
|
|
6
8
|
def send_push_request(name, args)
|
|
7
|
-
return super
|
|
9
|
+
return super if options[:attestations]&.any? || @host != "https://rubygems.org"
|
|
10
|
+
|
|
11
|
+
begin
|
|
12
|
+
send_push_request_with_attestation(name, args)
|
|
13
|
+
rescue StandardError => e
|
|
14
|
+
alert_warning "Failed to push with attestation, retrying without attestation.\n#{e.full_message}"
|
|
15
|
+
super
|
|
16
|
+
end
|
|
17
|
+
end
|
|
8
18
|
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
19
|
+
def send_push_request_with_attestation(name, args)
|
|
20
|
+
attestation = attest!(name)
|
|
21
|
+
if options[:attestations]
|
|
22
|
+
options[:attestations] << attestation
|
|
23
|
+
send_push_request(name, args)
|
|
24
|
+
else
|
|
25
|
+
rubygems_api_request(*args, scope: get_push_scope) do |request|
|
|
26
|
+
request.set_form([
|
|
27
|
+
["gem", Gem.read_binary(name), { filename: name, content_type: "application/octet-stream" }],
|
|
28
|
+
["attestations", "[#{Gem.read_binary(attestation)}]", { content_type: "application/json" }]
|
|
29
|
+
], "multipart/form-data")
|
|
30
|
+
request.add_field "Authorization", api_key
|
|
31
|
+
end
|
|
16
32
|
end
|
|
17
33
|
end
|
|
34
|
+
|
|
35
|
+
def attest!(name)
|
|
36
|
+
require "open3"
|
|
37
|
+
bundle = "#{name}.sigstore.json"
|
|
38
|
+
out, st = Open3.capture2e(
|
|
39
|
+
Gem.ruby, "-S", "gem", "exec",
|
|
40
|
+
"sigstore-cli:0.2.1", "sign", name, "--bundle", bundle
|
|
41
|
+
)
|
|
42
|
+
raise Gem::Exception, "Failed to sign gem:\n\n#{out}" unless st.success?
|
|
43
|
+
|
|
44
|
+
bundle
|
|
45
|
+
end
|
|
18
46
|
end)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: oidc-test-trusted_publisher
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.8.
|
|
4
|
+
version: 0.8.13
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Samuel Giddins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-11-
|
|
11
|
+
date: 2024-11-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description:
|
|
14
14
|
email:
|