@actions/attest 1.2.1 → 1.3.1

package/README.md

@@ -12,6 +12,9 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
+See [Using artifact attestations to establish provenance for builds](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)
+for more information on artifact attestations.
+
 ## Usage
 
 ### `attest`

package/lib/endpoints.d.ts

@@ -7,6 +7,5 @@ export type Endpoints = {
     tsaServerURL?: string;
 };
 export declare const SIGSTORE_PUBLIC_GOOD: Endpoints;
-export declare const SIGSTORE_GITHUB: Endpoints;
 export declare const signingEndpoints: (sigstore?: SigstoreInstance) => Endpoints;
 export {};

package/lib/endpoints.js

@@ -23,22 +23,16 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.signingEndpoints = exports.SIGSTORE_GITHUB = exports.SIGSTORE_PUBLIC_GOOD = void 0;
+exports.signingEndpoints = exports.SIGSTORE_PUBLIC_GOOD = void 0;
 const github = __importStar(require("@actions/github"));
 const PUBLIC_GOOD_ID = 'public-good';
 const GITHUB_ID = 'github';
 const FULCIO_PUBLIC_GOOD_URL = 'https://fulcio.sigstore.dev';
 const REKOR_PUBLIC_GOOD_URL = 'https://rekor.sigstore.dev';
-const FULCIO_INTERNAL_URL = 'https://fulcio.githubapp.com';
-const TSA_INTERNAL_URL = 'https://timestamp.githubapp.com';
 exports.SIGSTORE_PUBLIC_GOOD = {
     fulcioURL: FULCIO_PUBLIC_GOOD_URL,
     rekorURL: REKOR_PUBLIC_GOOD_URL
 };
-exports.SIGSTORE_GITHUB = {
-    fulcioURL: FULCIO_INTERNAL_URL,
-    tsaServerURL: TSA_INTERNAL_URL
-};
 const signingEndpoints = (sigstore) => {
     var _a;
     let instance;
@@ -57,8 +51,19 @@ const signingEndpoints = (sigstore) => {
         case PUBLIC_GOOD_ID:
             return exports.SIGSTORE_PUBLIC_GOOD;
         case GITHUB_ID:
-            return exports.SIGSTORE_GITHUB;
+            return buildGitHubEndpoints();
     }
 };
 exports.signingEndpoints = signingEndpoints;
+function buildGitHubEndpoints() {
+    const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';
+    let host = new URL(serverURL).hostname;
+    if (host === 'github.com') {
+        host = 'githubapp.com';
+    }
+    return {
+        fulcioURL: `https://fulcio.${host}`,
+        tsaServerURL: `https://timestamp.${host}`
+    };
+}
 //# sourceMappingURL=endpoints.js.map

package/lib/endpoints.js.map

@@ -1 +1 @@
-{"version":3,"file":"endpoints.js","sourceRoot":"","sources":["../src/endpoints.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wDAAyC;AAEzC,MAAM,cAAc,GAAG,aAAa,CAAA;AACpC,MAAM,SAAS,GAAG,QAAQ,CAAA;AAE1B,MAAM,sBAAsB,GAAG,6BAA6B,CAAA;AAC5D,MAAM,qBAAqB,GAAG,4BAA4B,CAAA;AAE1D,MAAM,mBAAmB,GAAG,8BAA8B,CAAA;AAC1D,MAAM,gBAAgB,GAAG,iCAAiC,CAAA;AAU7C,QAAA,oBAAoB,GAAc;IAC7C,SAAS,EAAE,sBAAsB;IACjC,QAAQ,EAAE,qBAAqB;CAChC,CAAA;AAEY,QAAA,eAAe,GAAc;IACxC,SAAS,EAAE,mBAAmB;IAC9B,YAAY,EAAE,gBAAgB;CAC/B,CAAA;AAEM,MAAM,gBAAgB,GAAG,CAAC,QAA2B,EAAa,EAAE;;IACzE,IAAI,QAA0B,CAAA;IAE9B,4EAA4E;IAC5E,0DAA0D;IAC1D,IAAI,QAAQ,IAAI,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;QAC9D,QAAQ,GAAG,QAAQ,CAAA;KACpB;SAAM;QACL,QAAQ;YACN,CAAA,MAAA,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,0CAAE,UAAU,MAAK,QAAQ;gBACxD,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,SAAS,CAAA;KAChB;IAED,QAAQ,QAAQ,EAAE;QAChB,KAAK,cAAc;YACjB,OAAO,4BAAoB,CAAA;QAC7B,KAAK,SAAS;YACZ,OAAO,uBAAe,CAAA;KACzB;AACH,CAAC,CAAA;AApBY,QAAA,gBAAgB,oBAoB5B"}
+{"version":3,"file":"endpoints.js","sourceRoot":"","sources":["../src/endpoints.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wDAAyC;AAEzC,MAAM,cAAc,GAAG,aAAa,CAAA;AACpC,MAAM,SAAS,GAAG,QAAQ,CAAA;AAE1B,MAAM,sBAAsB,GAAG,6BAA6B,CAAA;AAC5D,MAAM,qBAAqB,GAAG,4BAA4B,CAAA;AAU7C,QAAA,oBAAoB,GAAc;IAC7C,SAAS,EAAE,sBAAsB;IACjC,QAAQ,EAAE,qBAAqB;CAChC,CAAA;AAEM,MAAM,gBAAgB,GAAG,CAAC,QAA2B,EAAa,EAAE;;IACzE,IAAI,QAA0B,CAAA;IAE9B,4EAA4E;IAC5E,0DAA0D;IAC1D,IAAI,QAAQ,IAAI,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;QAC9D,QAAQ,GAAG,QAAQ,CAAA;KACpB;SAAM;QACL,QAAQ;YACN,CAAA,MAAA,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,0CAAE,UAAU,MAAK,QAAQ;gBACxD,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,SAAS,CAAA;KAChB;IAED,QAAQ,QAAQ,EAAE;QAChB,KAAK,cAAc;YACjB,OAAO,4BAAoB,CAAA;QAC7B,KAAK,SAAS;YACZ,OAAO,oBAAoB,EAAE,CAAA;KAChC;AACH,CAAC,CAAA;AApBY,QAAA,gBAAgB,oBAoB5B;AAED,SAAS,oBAAoB;IAC3B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,oBAAoB,CAAA;IACvE,IAAI,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAA;IAEtC,IAAI,IAAI,KAAK,YAAY,EAAE;QACzB,IAAI,GAAG,eAAe,CAAA;KACvB;IACD,OAAO;QACL,SAAS,EAAE,kBAAkB,IAAI,EAAE;QACnC,YAAY,EAAE,qBAAqB,IAAI,EAAE;KAC1C,CAAA;AACH,CAAC"}

package/lib/oidc.d.ts

@@ -1,4 +1,4 @@
-declare const REQUIRED_CLAIMS: readonly ["iss", "ref", "sha", "repository", "event_name", "workflow_ref", "repository_id", "repository_owner_id", "runner_environment", "run_id", "run_attempt"];
+declare const REQUIRED_CLAIMS: readonly ["iss", "ref", "sha", "repository", "event_name", "job_workflow_ref", "workflow_ref", "repository_id", "repository_owner_id", "runner_environment", "run_id", "run_attempt"];
 export type ClaimSet = {
     [K in (typeof REQUIRED_CLAIMS)[number]]: string;
 };

package/lib/oidc.js

@@ -31,15 +31,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getIDTokenClaims = void 0;
 const core_1 = require("@actions/core");
 const http_client_1 = require("@actions/http-client");
-const jwt = __importStar(require("jsonwebtoken"));
-const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const jose = __importStar(require("jose"));
 const OIDC_AUDIENCE = 'nobody';
 const REQUIRED_CLAIMS = [
     'iss',
@@ -47,6 +43,7 @@ const REQUIRED_CLAIMS = [
     'sha',
     'repository',
     'event_name',
+    'job_workflow_ref',
     'workflow_ref',
     'repository_id',
     'repository_owner_id',
@@ -68,43 +65,25 @@ const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function*
 exports.getIDTokenClaims = getIDTokenClaims;
 const decodeOIDCToken = (token, issuer) => __awaiter(void 0, void 0, void 0, function* () {
     // Verify and decode token
-    return new Promise((resolve, reject) => {
-        jwt.verify(token, getPublicKey(issuer), { audience: OIDC_AUDIENCE, issuer }, (err, decoded) => {
-            if (err) {
-                reject(err);
-            }
-            else if (!decoded || typeof decoded === 'string') {
-                reject(new Error('No decoded token'));
-            }
-            else {
-                resolve(decoded);
-            }
-        });
+    const jwks = jose.createLocalJWKSet(yield getJWKS(issuer));
+    const { payload } = yield jose.jwtVerify(token, jwks, {
+        audience: OIDC_AUDIENCE,
+        issuer
     });
+    return payload;
+});
+const getJWKS = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
+    const client = new http_client_1.HttpClient('@actions/attest');
+    const config = yield client.getJson(`${issuer}/.well-known/openid-configuration`);
+    if (!config.result) {
+        throw new Error('No OpenID configuration found');
+    }
+    const jwks = yield client.getJson(config.result.jwks_uri);
+    if (!jwks.result) {
+        throw new Error('No JWKS found for issuer');
+    }
+    return jwks.result;
 });
-// Returns a callback to locate the public key for the given JWT header. This
-// involves two calls:
-// 1. Fetch the OpenID configuration to get the JWKS URI.
-// 2. Fetch the public key from the JWKS URI.
-const getPublicKey = (issuer) => (header, callback) => {
-    // Look up the JWKS URI from the issuer's OpenID configuration
-    new http_client_1.HttpClient('actions/attest')
-        .getJson(`${issuer}/.well-known/openid-configuration`)
-        .then(data => {
-        if (!data.result) {
-            callback(new Error('No OpenID configuration found'));
-        }
-        else {
-            // Fetch the public key from the JWKS URI
-            (0, jwks_rsa_1.default)({ jwksUri: data.result.jwks_uri }).getSigningKey(header.kid, (err, key) => {
-                callback(err, key === null || key === void 0 ? void 0 : key.getPublicKey());
-            });
-        }
-    })
-        .catch(err => {
-        callback(err);
-    });
-};
 function assertClaimSet(claims) {
     const missingClaims = [];
     for (const claim of REQUIRED_CLAIMS) {

package/lib/oidc.js.map

@@ -1 +1 @@
-{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAwC;AACxC,sDAA+C;AAC/C,kDAAmC;AACnC,wDAA2B;AAE3B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQH,MAAM,gBAAgB,GAAG,CAAO,MAAc,EAAqB,EAAE;IAC1E,IAAI;QACF,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAU,EAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;KACd;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;KAC5D;AACH,CAAC,CAAA,CAAA;AATY,QAAA,gBAAgB,oBAS5B;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACW,EAAE;IAC3B,0BAA0B;IAC1B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,GAAG,CAAC,MAAM,CACR,KAAK,EACL,YAAY,CAAC,MAAM,CAAC,EACpB,EAAC,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAC,EACjC,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;YACf,IAAI,GAAG,EAAE;gBACP,MAAM,CAAC,GAAG,CAAC,CAAA;aACZ;iBAAM,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;gBAClD,MAAM,CAAC,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAA;aACtC;iBAAM;gBACL,OAAO,CAAC,OAAO,CAAC,CAAA;aACjB;QACH,CAAC,CACF,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA,CAAA;AAED,6EAA6E;AAC7E,sBAAsB;AACtB,yDAAyD;AACzD,6CAA6C;AAC7C,MAAM,YAAY,GAChB,CAAC,MAAc,EAA4B,EAAE,CAC7C,CAAC,MAAqB,EAAE,QAAgC,EAAE,EAAE;IAC1D,8DAA8D;IAC9D,IAAI,wBAAU,CAAC,gBAAgB,CAAC;SAC7B,OAAO,CAAa,GAAG,MAAM,mCAAmC,CAAC;SACjE,IAAI,CAAC,IAAI,CAAC,EAAE;QACX,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAChB,QAAQ,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAA;SACrD;aAAM;YACL,yCAAyC;YACzC,IAAA,kBAAI,EAAC,EAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAC,CAAC,CAAC,aAAa,CACjD,MAAM,CAAC,GAAG,EACV,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBACX,QAAQ,CAAC,GAAG,EAAE,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,YAAY,EAAE,CAAC,CAAA;YACpC,CAAC,CACF,CAAA;SACF;IACH,CAAC,CAAC;SACD,KAAK,CAAC,GAAG,CAAC,EAAE;QACX,QAAQ,CAAC,GAAG,CAAC,CAAA;IACf,CAAC,CAAC,CAAA;AACN,CAAC,CAAA;AAEH,SAAS,cAAc,CAAC,MAAsB;IAC5C,MAAM,aAAa,GAAa,EAAE,CAAA;IAElC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE;QACnC,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE;YACtB,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;SAC1B;KACF;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE;QAC5B,MAAM,IAAI,KAAK,CAAC,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;KAC/D;AACH,CAAC"}
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAwC;AACxC,sDAA+C;AAC/C,2CAA4B;AAE5B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQH,MAAM,gBAAgB,GAAG,CAAO,MAAc,EAAqB,EAAE;IAC1E,IAAI;QACF,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAU,EAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;KACd;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;KAC5D;AACH,CAAC,CAAA,CAAA;AATY,QAAA,gBAAgB,oBAS5B;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACY,EAAE;IAC5B,0BAA0B;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAA;IAC1D,MAAM,EAAC,OAAO,EAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAClD,QAAQ,EAAE,aAAa;QACvB,MAAM;KACP,CAAC,CAAA;IAEF,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA,CAAA;AAED,MAAM,OAAO,GAAG,CAAO,MAAc,EAA+B,EAAE;IACpE,MAAM,MAAM,GAAG,IAAI,wBAAU,CAAC,iBAAiB,CAAC,CAAA;IAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CACjC,GAAG,MAAM,mCAAmC,CAC7C,CAAA;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;KACjD;IAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,CAAqB,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAE7E,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;KAC5C;IAED,OAAO,IAAI,CAAC,MAAM,CAAA;AACpB,CAAC,CAAA,CAAA;AAED,SAAS,cAAc,CAAC,MAAuB;IAC7C,MAAM,aAAa,GAAa,EAAE,CAAA;IAElC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE;QACnC,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE;YACtB,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;SAC1B;KACF;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE;QAC5B,MAAM,IAAI,KAAK,CAAC,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;KAC/D;AACH,CAAC"}

package/lib/provenance.js

@@ -13,8 +13,7 @@ exports.attestProvenance = exports.buildSLSAProvenancePredicate = void 0;
 const attest_1 = require("./attest");
 const oidc_1 = require("./oidc");
 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
-const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner';
-const GITHUB_BUILD_TYPE = 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1';
+const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1';
 const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
 /**
  * Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
@@ -50,7 +49,8 @@ const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void
                     github: {
                         event_name: claims.event_name,
                         repository_id: claims.repository_id,
-                        repository_owner_id: claims.repository_owner_id
+                        repository_owner_id: claims.repository_owner_id,
+                        runner_environment: claims.runner_environment
                     }
                 },
                 resolvedDependencies: [
@@ -64,7 +64,7 @@ const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void
             },
             runDetails: {
                 builder: {
-                    id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
+                    id: `${serverURL}/${claims.job_workflow_ref}`
                 },
                 metadata: {
                     invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`

package/lib/provenance.js.map

@@ -1 +1 @@
-{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAA8C;AAC9C,iCAAuC;AAGvC,MAAM,sBAAsB,GAAG,gCAAgC,CAAA;AAE/D,MAAM,wBAAwB,GAAG,mCAAmC,CAAA;AACpE,MAAM,iBAAiB,GACrB,wEAAwE,CAAA;AAE1E,MAAM,cAAc,GAAG,6CAA6C,CAAA;AASpE;;;;;;;;GAQG;AACI,MAAM,4BAA4B,GAAG,CAC1C,SAAiB,cAAc,EACX,EAAE;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC/C,MAAM,MAAM,GAAG,MAAM,IAAA,uBAAgB,EAAC,MAAM,CAAC,CAAA;IAE7C,wDAAwD;IACxD,gDAAgD;IAChD,qCAAqC;IACrC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,MAAM,CAAC,YAAY;SACpD,OAAO,CAAC,GAAG,MAAM,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;SACpC,KAAK,CAAC,GAAG,CAAC,CAAA;IAEb,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE;YACN,eAAe,EAAE;gBACf,SAAS,EAAE,iBAAiB;gBAC5B,kBAAkB,EAAE;oBAClB,QAAQ,EAAE;wBACR,GAAG,EAAE,WAAW;wBAChB,UAAU,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE;wBAC/C,IAAI,EAAE,YAAY;qBACnB;iBACF;gBACD,kBAAkB,EAAE;oBAClB,MAAM,EAAE;wBACN,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;wBACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;qBAChD;iBACF;gBACD,oBAAoB,EAAE;oBACpB;wBACE,GAAG,EAAE,OAAO,SAAS,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,EAAE;wBAC1D,MAAM,EAAE;4BACN,SAAS,EAAE,MAAM,CAAC,GAAG;yBACtB;qBACF;iBACF;aACF;YACD,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,EAAE,EAAE,GAAG,wBAAwB,IAAI,MAAM,CAAC,kBAAkB,EAAE;iBAC/D;gBACD,QAAQ,EAAE;oBACR,YAAY,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,iBAAiB,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,WAAW,EAAE;iBAC/G;aACF;SACF;KACF,CAAA;AACH,CAAC,CAAA,CAAA;AAnDY,QAAA,4BAA4B,gCAmDxC;AAED;;;;;;;GAOG;AACH,SAAsB,gBAAgB,CACpC,OAAgC;;QAEhC,MAAM,SAAS,GAAG,MAAM,IAAA,oCAA4B,EAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACpE,OAAO,IAAA,eAAM,kCACR,OAAO,KACV,aAAa,EAAE,SAAS,CAAC,IAAI,EAC7B,SAAS,EAAE,SAAS,CAAC,MAAM,IAC3B,CAAA;IACJ,CAAC;CAAA;AATD,4CASC"}
+{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAA8C;AAC9C,iCAAuC;AAGvC,MAAM,sBAAsB,GAAG,gCAAgC,CAAA;AAC/D,MAAM,iBAAiB,GAAG,kDAAkD,CAAA;AAE5E,MAAM,cAAc,GAAG,6CAA6C,CAAA;AASpE;;;;;;;;GAQG;AACI,MAAM,4BAA4B,GAAG,CAC1C,SAAiB,cAAc,EACX,EAAE;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC/C,MAAM,MAAM,GAAG,MAAM,IAAA,uBAAgB,EAAC,MAAM,CAAC,CAAA;IAE7C,wDAAwD;IACxD,gDAAgD;IAChD,qCAAqC;IACrC,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,MAAM,CAAC,YAAY;SACpD,OAAO,CAAC,GAAG,MAAM,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;SACpC,KAAK,CAAC,GAAG,CAAC,CAAA;IAEb,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE;YACN,eAAe,EAAE;gBACf,SAAS,EAAE,iBAAiB;gBAC5B,kBAAkB,EAAE;oBAClB,QAAQ,EAAE;wBACR,GAAG,EAAE,WAAW;wBAChB,UAAU,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE;wBAC/C,IAAI,EAAE,YAAY;qBACnB;iBACF;gBACD,kBAAkB,EAAE;oBAClB,MAAM,EAAE;wBACN,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;wBACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;wBAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;qBAC9C;iBACF;gBACD,oBAAoB,EAAE;oBACpB;wBACE,GAAG,EAAE,OAAO,SAAS,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,EAAE;wBAC1D,MAAM,EAAE;4BACN,SAAS,EAAE,MAAM,CAAC,GAAG;yBACtB;qBACF;iBACF;aACF;YACD,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,EAAE,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,gBAAgB,EAAE;iBAC9C;gBACD,QAAQ,EAAE;oBACR,YAAY,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,iBAAiB,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,WAAW,EAAE;iBAC/G;aACF;SACF;KACF,CAAA;AACH,CAAC,CAAA,CAAA;AApDY,QAAA,4BAA4B,gCAoDxC;AAED;;;;;;;GAOG;AACH,SAAsB,gBAAgB,CACpC,OAAgC;;QAEhC,MAAM,SAAS,GAAG,MAAM,IAAA,oCAA4B,EAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACpE,OAAO,IAAA,eAAM,kCACR,OAAO,KACV,aAAa,EAAE,SAAS,CAAC,IAAI,EAC7B,SAAS,EAAE,SAAS,CAAC,MAAM,IAC3B,CAAA;IACJ,CAAC;CAAA;AATD,4CASC"}

package/lib/sign.js

@@ -46,6 +46,7 @@ const initBundleBuilder = (opts) => {
         witnesses.push(new sign_1.RekorWitness({
             rekorBaseURL: opts.rekorURL,
             entryType: 'dsse',
+            fetchOnConflict: true,
             timeout,
             retry
         }));

package/lib/sign.js.map

@@ -1 +1 @@
-{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,yCASuB;AAEvB,MAAM,aAAa,GAAG,UAAU,CAAA;AAChC,MAAM,eAAe,GAAG,KAAK,CAAA;AAC7B,MAAM,eAAe,GAAG,CAAC,CAAA;AAqCzB;;;;;;GAMG;AACI,MAAM,WAAW,GAAG,CACzB,OAAgB,EAChB,OAAoB,EACH,EAAE;IACnB,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAA;IAED,yCAAyC;IACzC,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;AACpD,CAAC,CAAA,CAAA;AAXY,QAAA,WAAW,eAWvB;AAED,qEAAqE;AACrE,MAAM,iBAAiB,GAAG,CAAC,IAAiB,EAAiB,EAAE;IAC7D,MAAM,gBAAgB,GAAG,IAAI,wBAAiB,CAAC,aAAa,CAAC,CAAA;IAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAA;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,eAAe,CAAA;IAC3C,MAAM,SAAS,GAAc,EAAE,CAAA;IAE/B,MAAM,MAAM,GAAG,IAAI,mBAAY,CAAC;QAC9B,gBAAgB;QAChB,aAAa,EAAE,IAAI,CAAC,SAAS;QAC7B,OAAO;QACP,KAAK;KACN,CAAC,CAAA;IAEF,IAAI,IAAI,CAAC,QAAQ,EAAE;QACjB,SAAS,CAAC,IAAI,CACZ,IAAI,mBAAY,CAAC;YACf,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,SAAS,EAAE,MAAM;YACjB,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;KACF;IAED,IAAI,IAAI,CAAC,YAAY,EAAE;QACrB,SAAS,CAAC,IAAI,CACZ,IAAI,iBAAU,CAAC;YACb,UAAU,EAAE,IAAI,CAAC,YAAY;YAC7B,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;KACF;IAED,gEAAgE;IAChE,4CAA4C;IAC5C,OAAO,IAAI,wBAAiB,CAAC,EAAC,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,IAAI,EAAC,CAAC,CAAA;AAC5E,CAAC,CAAA"}
+{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,yCASuB;AAEvB,MAAM,aAAa,GAAG,UAAU,CAAA;AAChC,MAAM,eAAe,GAAG,KAAK,CAAA;AAC7B,MAAM,eAAe,GAAG,CAAC,CAAA;AAqCzB;;;;;;GAMG;AACI,MAAM,WAAW,GAAG,CACzB,OAAgB,EAChB,OAAoB,EACH,EAAE;IACnB,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAA;IAED,yCAAyC;IACzC,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;AACpD,CAAC,CAAA,CAAA;AAXY,QAAA,WAAW,eAWvB;AAED,qEAAqE;AACrE,MAAM,iBAAiB,GAAG,CAAC,IAAiB,EAAiB,EAAE;IAC7D,MAAM,gBAAgB,GAAG,IAAI,wBAAiB,CAAC,aAAa,CAAC,CAAA;IAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAA;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,eAAe,CAAA;IAC3C,MAAM,SAAS,GAAc,EAAE,CAAA;IAE/B,MAAM,MAAM,GAAG,IAAI,mBAAY,CAAC;QAC9B,gBAAgB;QAChB,aAAa,EAAE,IAAI,CAAC,SAAS;QAC7B,OAAO;QACP,KAAK;KACN,CAAC,CAAA;IAEF,IAAI,IAAI,CAAC,QAAQ,EAAE;QACjB,SAAS,CAAC,IAAI,CACZ,IAAI,mBAAY,CAAC;YACf,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,SAAS,EAAE,MAAM;YACjB,eAAe,EAAE,IAAI;YACrB,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;KACF;IAED,IAAI,IAAI,CAAC,YAAY,EAAE;QACrB,SAAS,CAAC,IAAI,CACZ,IAAI,iBAAU,CAAC;YACb,UAAU,EAAE,IAAI,CAAC,YAAY;YAC7B,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;KACF;IAED,gEAAgE;IAChE,4CAA4C;IAC5C,OAAO,IAAI,wBAAiB,CAAC,EAAC,MAAM,EAAE,SAAS,EAAE,iBAAiB,EAAE,IAAI,EAAC,CAAC,CAAA;AAC5E,CAAC,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@actions/attest",
-  "version": "1.2.1",
+  "version": "1.3.1",
   "description": "Actions attestation lib",
   "keywords": [
     "github",
@@ -35,10 +35,9 @@
     "url": "https://github.com/actions/toolkit/issues"
   },
   "devDependencies": {
-    "@sigstore/mock": "^0.6.5",
+    "@sigstore/mock": "^0.7.4",
     "@sigstore/rekor-types": "^2.0.0",
     "@types/jsonwebtoken": "^9.0.6",
-    "jose": "^5.2.3",
     "nock": "^13.5.1",
     "undici": "^5.28.4"
   },
@@ -47,10 +46,9 @@
     "@actions/github": "^6.0.0",
     "@actions/http-client": "^2.2.1",
     "@octokit/plugin-retry": "^6.0.1",
-    "@sigstore/bundle": "^2.3.0",
-    "@sigstore/sign": "^2.3.0",
-    "jsonwebtoken": "^9.0.2",
-    "jwks-rsa": "^3.1.0"
+    "@sigstore/bundle": "^2.3.2",
+    "@sigstore/sign": "^2.3.2",
+    "jose": "^5.2.3"
   },
   "overrides": {
     "@octokit/plugin-retry": {