@actions/attest 1.0.0 → 1.1.0

package/README.md

@@ -112,6 +112,10 @@ export type AttestProvenanceOptions = {
   sigstore?: 'public-good' | 'github'
   // Whether to skip writing the attestation to the GH attestations API.
   skipWrite?: boolean
+  // Issuer URL responsible for minting the OIDC token from which the
+  // provenance data is read. Defaults to
+  // 'https://token.actions.githubusercontent.com".
+  issuer?: string
 }
 ```
 

package/lib/oidc.d.ts

@@ -0,0 +1,6 @@
+declare const REQUIRED_CLAIMS: readonly ["iss", "ref", "sha", "repository", "event_name", "workflow_ref", "repository_id", "repository_owner_id", "runner_environment", "run_id", "run_attempt"];
+export type ClaimSet = {
+    [K in (typeof REQUIRED_CLAIMS)[number]]: string;
+};
+export declare const getIDTokenClaims: (issuer: string) => Promise<ClaimSet>;
+export {};

package/lib/oidc.js

@@ -0,0 +1,119 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIDTokenClaims = void 0;
+const core_1 = require("@actions/core");
+const http_client_1 = require("@actions/http-client");
+const jwt = __importStar(require("jsonwebtoken"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const OIDC_AUDIENCE = 'nobody';
+const REQUIRED_CLAIMS = [
+    'iss',
+    'ref',
+    'sha',
+    'repository',
+    'event_name',
+    'workflow_ref',
+    'repository_id',
+    'repository_owner_id',
+    'runner_environment',
+    'run_id',
+    'run_attempt'
+];
+const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const token = yield (0, core_1.getIDToken)(OIDC_AUDIENCE);
+        const claims = yield decodeOIDCToken(token, issuer);
+        assertClaimSet(claims);
+        return claims;
+    }
+    catch (error) {
+        throw new Error(`Failed to get ID token: ${error.message}`);
+    }
+});
+exports.getIDTokenClaims = getIDTokenClaims;
+const decodeOIDCToken = (token, issuer) => __awaiter(void 0, void 0, void 0, function* () {
+    // Verify and decode token
+    return new Promise((resolve, reject) => {
+        jwt.verify(token, getPublicKey(issuer), { audience: OIDC_AUDIENCE, issuer }, (err, decoded) => {
+            if (err) {
+                reject(err);
+            }
+            else if (!decoded || typeof decoded === 'string') {
+                reject(new Error('No decoded token'));
+            }
+            else {
+                resolve(decoded);
+            }
+        });
+    });
+});
+// Returns a callback to locate the public key for the given JWT header. This
+// involves two calls:
+// 1. Fetch the OpenID configuration to get the JWKS URI.
+// 2. Fetch the public key from the JWKS URI.
+const getPublicKey = (issuer) => (header, callback) => {
+    // Look up the JWKS URI from the issuer's OpenID configuration
+    new http_client_1.HttpClient('actions/attest')
+        .getJson(`${issuer}/.well-known/openid-configuration`)
+        .then(data => {
+        if (!data.result) {
+            callback(new Error('No OpenID configuration found'));
+        }
+        else {
+            // Fetch the public key from the JWKS URI
+            (0, jwks_rsa_1.default)({ jwksUri: data.result.jwks_uri }).getSigningKey(header.kid, (err, key) => {
+                callback(err, key === null || key === void 0 ? void 0 : key.getPublicKey());
+            });
+        }
+    })
+        .catch(err => {
+        callback(err);
+    });
+};
+function assertClaimSet(claims) {
+    const missingClaims = [];
+    for (const claim of REQUIRED_CLAIMS) {
+        if (!(claim in claims)) {
+            missingClaims.push(claim);
+        }
+    }
+    if (missingClaims.length > 0) {
+        throw new Error(`Missing claims: ${missingClaims.join(', ')}`);
+    }
+}
+//# sourceMappingURL=oidc.js.map

package/lib/oidc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAwC;AACxC,sDAA+C;AAC/C,kDAAmC;AACnC,wDAA2B;AAE3B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQH,MAAM,gBAAgB,GAAG,CAAO,MAAc,EAAqB,EAAE;IAC1E,IAAI;QACF,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAU,EAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;KACd;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;KAC5D;AACH,CAAC,CAAA,CAAA;AATY,QAAA,gBAAgB,oBAS5B;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACW,EAAE;IAC3B,0BAA0B;IAC1B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,GAAG,CAAC,MAAM,CACR,KAAK,EACL,YAAY,CAAC,MAAM,CAAC,EACpB,EAAC,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAC,EACjC,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;YACf,IAAI,GAAG,EAAE;gBACP,MAAM,CAAC,GAAG,CAAC,CAAA;aACZ;iBAAM,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;gBAClD,MAAM,CAAC,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAA;aACtC;iBAAM;gBACL,OAAO,CAAC,OAAO,CAAC,CAAA;aACjB;QACH,CAAC,CACF,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA,CAAA;AAED,6EAA6E;AAC7E,sBAAsB;AACtB,yDAAyD;AACzD,6CAA6C;AAC7C,MAAM,YAAY,GAChB,CAAC,MAAc,EAA4B,EAAE,CAC7C,CAAC,MAAqB,EAAE,QAAgC,EAAE,EAAE;IAC1D,8DAA8D;IAC9D,IAAI,wBAAU,CAAC,gBAAgB,CAAC;SAC7B,OAAO,CAAa,GAAG,MAAM,mCAAmC,CAAC;SACjE,IAAI,CAAC,IAAI,CAAC,EAAE;QACX,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAChB,QAAQ,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAA;SACrD;aAAM;YACL,yCAAyC;YACzC,IAAA,kBAAI,EAAC,EAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAC,CAAC,CAAC,aAAa,CACjD,MAAM,CAAC,GAAG,EACV,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBACX,QAAQ,CAAC,GAAG,EAAE,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,YAAY,EAAE,CAAC,CAAA;YACpC,CAAC,CACF,CAAA;SACF;IACH,CAAC,CAAC;SACD,KAAK,CAAC,GAAG,CAAC,EAAE;QACX,QAAQ,CAAC,GAAG,CAAC,CAAA;IACf,CAAC,CAAC,CAAA;AACN,CAAC,CAAA;AAEH,SAAS,cAAc,CAAC,MAAsB;IAC5C,MAAM,aAAa,GAAa,EAAE,CAAA;IAElC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE;QACnC,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE;YACtB,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;SAC1B;KACF;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE;QAC5B,MAAM,IAAI,KAAK,CAAC,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;KAC/D;AACH,CAAC"}

package/lib/provenance.d.ts

@@ -1,21 +1,18 @@
-/// <reference types="node" />
-/// <reference types="node" />
-/// <reference types="node" />
-/// <reference types="node" />
-/// <reference types="node" />
 import { AttestOptions } from './attest';
 import type { Attestation, Predicate } from './shared.types';
-export type AttestProvenanceOptions = Omit<AttestOptions, 'predicate' | 'predicateType'>;
+export type AttestProvenanceOptions = Omit<AttestOptions, 'predicate' | 'predicateType'> & {
+    issuer?: string;
+};
 /**
  * Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
  * predicate using the GitHub Actions Workflow build type.
  * https://slsa.dev/spec/v1.0/provenance
  * https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1
- * @param env - The Node.js process environment variables. Defaults to
- * `process.env`.
+ * @param issuer - URL for the OIDC issuer. Defaults to the GitHub Actions token
+ * issuer.
  * @returns The SLSA provenance predicate.
  */
-export declare const buildSLSAProvenancePredicate: (env?: NodeJS.ProcessEnv) => Predicate;
+export declare const buildSLSAProvenancePredicate: (issuer?: string) => Promise<Predicate>;
 /**
  * Attests the build provenance of the provided subject. Generates the SLSA
  * build provenance predicate, assembles it into an in-toto statement, and

package/lib/provenance.js

@@ -11,25 +11,28 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.attestProvenance = exports.buildSLSAProvenancePredicate = void 0;
 const attest_1 = require("./attest");
+const oidc_1 = require("./oidc");
 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
 const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner';
 const GITHUB_BUILD_TYPE = 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1';
+const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
 /**
  * Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
  * predicate using the GitHub Actions Workflow build type.
  * https://slsa.dev/spec/v1.0/provenance
  * https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1
- * @param env - The Node.js process environment variables. Defaults to
- * `process.env`.
+ * @param issuer - URL for the OIDC issuer. Defaults to the GitHub Actions token
+ * issuer.
  * @returns The SLSA provenance predicate.
  */
-const buildSLSAProvenancePredicate = (env = process.env) => {
-    const workflow = env.GITHUB_WORKFLOW_REF || '';
+const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void 0, void 0, void 0, function* () {
+    const serverURL = process.env.GITHUB_SERVER_URL;
+    const claims = yield (0, oidc_1.getIDTokenClaims)(issuer);
     // Split just the path and ref from the workflow string.
     // owner/repo/.github/workflows/main.yml@main =>
     //   .github/workflows/main.yml, main
-    const [workflowPath, workflowRef] = workflow
-        .replace(`${env.GITHUB_REPOSITORY}/`, '')
+    const [workflowPath, workflowRef] = claims.workflow_ref
+        .replace(`${claims.repository}/`, '')
         .split('@');
     return {
         type: SLSA_PREDICATE_V1_TYPE,
@@ -39,37 +42,37 @@ const buildSLSAProvenancePredicate = (env = process.env) => {
                 externalParameters: {
                     workflow: {
                         ref: workflowRef,
-                        repository: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`,
+                        repository: `${serverURL}/${claims.repository}`,
                         path: workflowPath
                     }
                 },
                 internalParameters: {
                     github: {
-                        event_name: env.GITHUB_EVENT_NAME,
-                        repository_id: env.GITHUB_REPOSITORY_ID,
-                        repository_owner_id: env.GITHUB_REPOSITORY_OWNER_ID
+                        event_name: claims.event_name,
+                        repository_id: claims.repository_id,
+                        repository_owner_id: claims.repository_owner_id
                     }
                 },
                 resolvedDependencies: [
                     {
-                        uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
+                        uri: `git+${serverURL}/${claims.repository}@${claims.ref}`,
                         digest: {
-                            gitCommit: env.GITHUB_SHA
+                            gitCommit: claims.sha
                         }
                     }
                 ]
             },
             runDetails: {
                 builder: {
-                    id: `${GITHUB_BUILDER_ID_PREFIX}/${env.RUNNER_ENVIRONMENT}`
+                    id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
                 },
                 metadata: {
-                    invocationId: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}/actions/runs/${env.GITHUB_RUN_ID}/attempts/${env.GITHUB_RUN_ATTEMPT}`
+                    invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`
                 }
             }
         }
     };
-};
+});
 exports.buildSLSAProvenancePredicate = buildSLSAProvenancePredicate;
 /**
  * Attests the build provenance of the provided subject. Generates the SLSA
@@ -81,7 +84,7 @@ exports.buildSLSAProvenancePredicate = buildSLSAProvenancePredicate;
  */
 function attestProvenance(options) {
     return __awaiter(this, void 0, void 0, function* () {
-        const predicate = (0, exports.buildSLSAProvenancePredicate)(process.env);
+        const predicate = yield (0, exports.buildSLSAProvenancePredicate)(options.issuer);
         return (0, attest_1.attest)(Object.assign(Object.assign({}, options), { predicateType: predicate.type, predicate: predicate.params }));
     });
 }

package/lib/provenance.js.map

@@ -1 +1 @@
-{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAA8C;AAG9C,MAAM,sBAAsB,GAAG,gCAAgC,CAAA;AAE/D,MAAM,wBAAwB,GAAG,mCAAmC,CAAA;AACpE,MAAM,iBAAiB,GACrB,wEAAwE,CAAA;AAO1E;;;;;;;;GAQG;AACI,MAAM,4BAA4B,GAAG,CAC1C,MAAyB,OAAO,CAAC,GAAG,EACzB,EAAE;IACb,MAAM,QAAQ,GAAG,GAAG,CAAC,mBAAmB,IAAI,EAAE,CAAA;IAE9C,wDAAwD;IACxD,gDAAgD;IAChD,qCAAqC;IACrC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,QAAQ;SACzC,OAAO,CAAC,GAAG,GAAG,CAAC,iBAAiB,GAAG,EAAE,EAAE,CAAC;SACxC,KAAK,CAAC,GAAG,CAAC,CAAA;IAEb,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE;YACN,eAAe,EAAE;gBACf,SAAS,EAAE,iBAAiB;gBAC5B,kBAAkB,EAAE;oBAClB,QAAQ,EAAE;wBACR,GAAG,EAAE,WAAW;wBAChB,UAAU,EAAE,GAAG,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,iBAAiB,EAAE;wBAC/D,IAAI,EAAE,YAAY;qBACnB;iBACF;gBACD,kBAAkB,EAAE;oBAClB,MAAM,EAAE;wBACN,UAAU,EAAE,GAAG,CAAC,iBAAiB;wBACjC,aAAa,EAAE,GAAG,CAAC,oBAAoB;wBACvC,mBAAmB,EAAE,GAAG,CAAC,0BAA0B;qBACpD;iBACF;gBACD,oBAAoB,EAAE;oBACpB;wBACE,GAAG,EAAE,OAAO,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,UAAU,EAAE;wBAC9E,MAAM,EAAE;4BACN,SAAS,EAAE,GAAG,CAAC,UAAU;yBAC1B;qBACF;iBACF;aACF;YACD,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,EAAE,EAAE,GAAG,wBAAwB,IAAI,GAAG,CAAC,kBAAkB,EAAE;iBAC5D;gBACD,QAAQ,EAAE;oBACR,YAAY,EAAE,GAAG,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,iBAAiB,iBAAiB,GAAG,CAAC,aAAa,aAAa,GAAG,CAAC,kBAAkB,EAAE;iBACvI;aACF;SACF;KACF,CAAA;AACH,CAAC,CAAA;AAlDY,QAAA,4BAA4B,gCAkDxC;AAED;;;;;;;GAOG;AACH,SAAsB,gBAAgB,CACpC,OAAgC;;QAEhC,MAAM,SAAS,GAAG,IAAA,oCAA4B,EAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC3D,OAAO,IAAA,eAAM,kCACR,OAAO,KACV,aAAa,EAAE,SAAS,CAAC,IAAI,EAC7B,SAAS,EAAE,SAAS,CAAC,MAAM,IAC3B,CAAA;IACJ,CAAC;CAAA;AATD,4CASC"}
+{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAA8C;AAC9C,iCAAuC;AAGvC,MAAM,sBAAsB,GAAG,gCAAgC,CAAA;AAE/D,MAAM,wBAAwB,GAAG,mCAAmC,CAAA;AACpE,MAAM,iBAAiB,GACrB,wEAAwE,CAAA;AAE1E,MAAM,cAAc,GAAG,6CAA6C,CAAA;AASpE;;;;;;;;GAQG;AACI,MAAM,4BAA4B,GAAG,CAC1C,SAAiB,cAAc,EACX,EAAE;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC/C,MAAM,MAAM,GAAG,MAAM,IAAA,uBAAgB,EAAC,MAAM,CAAC,CAAA;IAE7C,wDAAwD;IACxD,gDAAgD;IAChD,qCAAqC;IACrC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,MAAM,CAAC,YAAY;SACpD,OAAO,CAAC,GAAG,MAAM,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;SACpC,KAAK,CAAC,GAAG,CAAC,CAAA;IAEb,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE;YACN,eAAe,EAAE;gBACf,SAAS,EAAE,iBAAiB;gBAC5B,kBAAkB,EAAE;oBAClB,QAAQ,EAAE;wBACR,GAAG,EAAE,WAAW;wBAChB,UAAU,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE;wBAC/C,IAAI,EAAE,YAAY;qBACnB;iBACF;gBACD,kBAAkB,EAAE;oBAClB,MAAM,EAAE;wBACN,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;wBACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;qBAChD;iBACF;gBACD,oBAAoB,EAAE;oBACpB;wBACE,GAAG,EAAE,OAAO,SAAS,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,EAAE;wBAC1D,MAAM,EAAE;4BACN,SAAS,EAAE,MAAM,CAAC,GAAG;yBACtB;qBACF;iBACF;aACF;YACD,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,EAAE,EAAE,GAAG,wBAAwB,IAAI,MAAM,CAAC,kBAAkB,EAAE;iBAC/D;gBACD,QAAQ,EAAE;oBACR,YAAY,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,iBAAiB,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,WAAW,EAAE;iBAC/G;aACF;SACF;KACF,CAAA;AACH,CAAC,CAAA,CAAA;AAnDY,QAAA,4BAA4B,gCAmDxC;AAED;;;;;;;GAOG;AACH,SAAsB,gBAAgB,CACpC,OAAgC;;QAEhC,MAAM,SAAS,GAAG,MAAM,IAAA,oCAA4B,EAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACpE,OAAO,IAAA,eAAM,kCACR,OAAO,KACV,aAAa,EAAE,SAAS,CAAC,IAAI,EAC7B,SAAS,EAAE,SAAS,CAAC,MAAM,IAC3B,CAAA;IACJ,CAAC;CAAA;AATD,4CASC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@actions/attest",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Actions attestation lib",
   "keywords": [
     "github",
@@ -37,13 +37,19 @@
   "devDependencies": {
     "@sigstore/mock": "^0.6.5",
     "@sigstore/rekor-types": "^2.0.0",
+    "@types/jsonwebtoken": "^9.0.6",
     "@types/make-fetch-happen": "^10.0.4",
+    "jose": "^5.2.3",
     "nock": "^13.5.1"
   },
   "dependencies": {
+    "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.0",
+    "@actions/http-client": "^2.2.1",
     "@sigstore/bundle": "^2.2.0",
     "@sigstore/sign": "^2.2.3",
+    "jsonwebtoken": "^9.0.2",
+    "jwks-rsa": "^3.1.0",
     "make-fetch-happen": "^13.0.0"
   }
 }