@actions/attest 1.3.0 → 1.3.1

package/lib/oidc.js

@@ -31,15 +31,11 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
         step((generator = generator.apply(thisArg, _arguments || [])).next());
     });
 };
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getIDTokenClaims = void 0;
 const core_1 = require("@actions/core");
 const http_client_1 = require("@actions/http-client");
-const jwt = __importStar(require("jsonwebtoken"));
-const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const jose = __importStar(require("jose"));
 const OIDC_AUDIENCE = 'nobody';
 const REQUIRED_CLAIMS = [
     'iss',
@@ -69,43 +65,25 @@ const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function*
 exports.getIDTokenClaims = getIDTokenClaims;
 const decodeOIDCToken = (token, issuer) => __awaiter(void 0, void 0, void 0, function* () {
     // Verify and decode token
-    return new Promise((resolve, reject) => {
-        jwt.verify(token, getPublicKey(issuer), { audience: OIDC_AUDIENCE, issuer }, (err, decoded) => {
-            if (err) {
-                reject(err);
-            }
-            else if (!decoded || typeof decoded === 'string') {
-                reject(new Error('No decoded token'));
-            }
-            else {
-                resolve(decoded);
-            }
-        });
+    const jwks = jose.createLocalJWKSet(yield getJWKS(issuer));
+    const { payload } = yield jose.jwtVerify(token, jwks, {
+        audience: OIDC_AUDIENCE,
+        issuer
     });
+    return payload;
+});
+const getJWKS = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
+    const client = new http_client_1.HttpClient('@actions/attest');
+    const config = yield client.getJson(`${issuer}/.well-known/openid-configuration`);
+    if (!config.result) {
+        throw new Error('No OpenID configuration found');
+    }
+    const jwks = yield client.getJson(config.result.jwks_uri);
+    if (!jwks.result) {
+        throw new Error('No JWKS found for issuer');
+    }
+    return jwks.result;
 });
-// Returns a callback to locate the public key for the given JWT header. This
-// involves two calls:
-// 1. Fetch the OpenID configuration to get the JWKS URI.
-// 2. Fetch the public key from the JWKS URI.
-const getPublicKey = (issuer) => (header, callback) => {
-    // Look up the JWKS URI from the issuer's OpenID configuration
-    new http_client_1.HttpClient('actions/attest')
-        .getJson(`${issuer}/.well-known/openid-configuration`)
-        .then(data => {
-        if (!data.result) {
-            callback(new Error('No OpenID configuration found'));
-        }
-        else {
-            // Fetch the public key from the JWKS URI
-            (0, jwks_rsa_1.default)({ jwksUri: data.result.jwks_uri }).getSigningKey(header.kid, (err, key) => {
-                callback(err, key === null || key === void 0 ? void 0 : key.getPublicKey());
-            });
-        }
-    })
-        .catch(err => {
-        callback(err);
-    });
-};
 function assertClaimSet(claims) {
     const missingClaims = [];
     for (const claim of REQUIRED_CLAIMS) {

package/lib/oidc.js.map

@@ -1 +1 @@
-{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAwC;AACxC,sDAA+C;AAC/C,kDAAmC;AACnC,wDAA2B;AAE3B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQH,MAAM,gBAAgB,GAAG,CAAO,MAAc,EAAqB,EAAE;IAC1E,IAAI;QACF,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAU,EAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;KACd;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;KAC5D;AACH,CAAC,CAAA,CAAA;AATY,QAAA,gBAAgB,oBAS5B;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACW,EAAE;IAC3B,0BAA0B;IAC1B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,GAAG,CAAC,MAAM,CACR,KAAK,EACL,YAAY,CAAC,MAAM,CAAC,EACpB,EAAC,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAC,EACjC,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;YACf,IAAI,GAAG,EAAE;gBACP,MAAM,CAAC,GAAG,CAAC,CAAA;aACZ;iBAAM,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;gBAClD,MAAM,CAAC,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC,CAAA;aACtC;iBAAM;gBACL,OAAO,CAAC,OAAO,CAAC,CAAA;aACjB;QACH,CAAC,CACF,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA,CAAA;AAED,6EAA6E;AAC7E,sBAAsB;AACtB,yDAAyD;AACzD,6CAA6C;AAC7C,MAAM,YAAY,GAChB,CAAC,MAAc,EAA4B,EAAE,CAC7C,CAAC,MAAqB,EAAE,QAAgC,EAAE,EAAE;IAC1D,8DAA8D;IAC9D,IAAI,wBAAU,CAAC,gBAAgB,CAAC;SAC7B,OAAO,CAAa,GAAG,MAAM,mCAAmC,CAAC;SACjE,IAAI,CAAC,IAAI,CAAC,EAAE;QACX,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAChB,QAAQ,CAAC,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC,CAAA;SACrD;aAAM;YACL,yCAAyC;YACzC,IAAA,kBAAI,EAAC,EAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAC,CAAC,CAAC,aAAa,CACjD,MAAM,CAAC,GAAG,EACV,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBACX,QAAQ,CAAC,GAAG,EAAE,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,YAAY,EAAE,CAAC,CAAA;YACpC,CAAC,CACF,CAAA;SACF;IACH,CAAC,CAAC;SACD,KAAK,CAAC,GAAG,CAAC,EAAE;QACX,QAAQ,CAAC,GAAG,CAAC,CAAA;IACf,CAAC,CAAC,CAAA;AACN,CAAC,CAAA;AAEH,SAAS,cAAc,CAAC,MAAsB;IAC5C,MAAM,aAAa,GAAa,EAAE,CAAA;IAElC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE;QACnC,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE;YACtB,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;SAC1B;KACF;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE;QAC5B,MAAM,IAAI,KAAK,CAAC,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;KAC/D;AACH,CAAC"}
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAwC;AACxC,sDAA+C;AAC/C,2CAA4B;AAE5B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQH,MAAM,gBAAgB,GAAG,CAAO,MAAc,EAAqB,EAAE;IAC1E,IAAI;QACF,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAU,EAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;KACd;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;KAC5D;AACH,CAAC,CAAA,CAAA;AATY,QAAA,gBAAgB,oBAS5B;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACY,EAAE;IAC5B,0BAA0B;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAA;IAC1D,MAAM,EAAC,OAAO,EAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAClD,QAAQ,EAAE,aAAa;QACvB,MAAM;KACP,CAAC,CAAA;IAEF,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA,CAAA;AAED,MAAM,OAAO,GAAG,CAAO,MAAc,EAA+B,EAAE;IACpE,MAAM,MAAM,GAAG,IAAI,wBAAU,CAAC,iBAAiB,CAAC,CAAA;IAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CACjC,GAAG,MAAM,mCAAmC,CAC7C,CAAA;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;KACjD;IAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,CAAqB,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAE7E,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;KAC5C;IAED,OAAO,IAAI,CAAC,MAAM,CAAA;AACpB,CAAC,CAAA,CAAA;AAED,SAAS,cAAc,CAAC,MAAuB;IAC7C,MAAM,aAAa,GAAa,EAAE,CAAA;IAElC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE;QACnC,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE;YACtB,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;SAC1B;KACF;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE;QAC5B,MAAM,IAAI,KAAK,CAAC,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;KAC/D;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@actions/attest",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "Actions attestation lib",
   "keywords": [
     "github",
@@ -38,7 +38,6 @@
     "@sigstore/mock": "^0.7.4",
     "@sigstore/rekor-types": "^2.0.0",
     "@types/jsonwebtoken": "^9.0.6",
-    "jose": "^5.2.3",
     "nock": "^13.5.1",
     "undici": "^5.28.4"
   },
@@ -49,8 +48,7 @@
     "@octokit/plugin-retry": "^6.0.1",
     "@sigstore/bundle": "^2.3.2",
     "@sigstore/sign": "^2.3.2",
-    "jsonwebtoken": "^9.0.2",
-    "jwks-rsa": "^3.1.0"
+    "jose": "^5.2.3"
   },
   "overrides": {
     "@octokit/plugin-retry": {