@actions/attest 1.4.1 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +21 -13
- package/lib/attest.d.ts +10 -3
- package/lib/attest.js +11 -5
- package/lib/attest.js.map +1 -1
- package/lib/intoto.d.ts +1 -1
- package/lib/intoto.js +2 -2
- package/lib/intoto.js.map +1 -1
- package/lib/oidc.js +9 -2
- package/lib/oidc.js.map +1 -1
- package/lib/provenance.js +3 -1
- package/lib/provenance.js.map +1 -1
- package/lib/sign.js +1 -2
- package/lib/sign.js.map +1 -1
- package/package.json +6 -6
package/README.md
CHANGED
|
@@ -32,8 +32,7 @@ async function run() {
|
|
|
32
32
|
const ghToken = core.getInput('gh-token');
|
|
33
33
|
|
|
34
34
|
const attestation = await attest({
|
|
35
|
-
|
|
36
|
-
subjectDigest: { 'sha256': '36ab4667...'},
|
|
35
|
+
subjects: [{name: 'my-artifact-name', digest: { 'sha256': '36ab4667...'}}],
|
|
37
36
|
predicateType: 'https://in-toto.io/attestation/release',
|
|
38
37
|
predicate: { . . . },
|
|
39
38
|
token: ghToken
|
|
@@ -49,11 +48,12 @@ The `attest` function supports the following options:
|
|
|
49
48
|
|
|
50
49
|
```typescript
|
|
51
50
|
export type AttestOptions = {
|
|
52
|
-
//
|
|
53
|
-
subjectName
|
|
54
|
-
//
|
|
55
|
-
|
|
56
|
-
|
|
51
|
+
// Deprecated. Use 'subjects' instead.
|
|
52
|
+
subjectName?: string
|
|
53
|
+
// Deprecated. Use 'subjects' instead.
|
|
54
|
+
subjectDigest?: Record<string, string>
|
|
55
|
+
// Collection of subjects to be attested
|
|
56
|
+
subjects?: Subject[]
|
|
57
57
|
// URI identifying the content type of the predicate being attested.
|
|
58
58
|
predicateType: string
|
|
59
59
|
// Predicate to be attested.
|
|
@@ -68,6 +68,13 @@ export type AttestOptions = {
|
|
|
68
68
|
// Whether to skip writing the attestation to the GH attestations API.
|
|
69
69
|
skipWrite?: boolean
|
|
70
70
|
}
|
|
71
|
+
|
|
72
|
+
export type Subject = {
|
|
73
|
+
// Name of the subject.
|
|
74
|
+
name: string
|
|
75
|
+
// Digests of the subject. Should be a map of digest algorithms to their hex-encoded values.
|
|
76
|
+
digest: Record<string, string>
|
|
77
|
+
}
|
|
71
78
|
```
|
|
72
79
|
|
|
73
80
|
### `attestProvenance`
|
|
@@ -105,12 +112,13 @@ The `attestProvenance` function supports the following options:
|
|
|
105
112
|
|
|
106
113
|
```typescript
|
|
107
114
|
export type AttestProvenanceOptions = {
|
|
108
|
-
//
|
|
109
|
-
subjectName
|
|
110
|
-
//
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
115
|
+
// Deprecated. Use 'subjects' instead.
|
|
116
|
+
subjectName?: string
|
|
117
|
+
// Deprecated. Use 'subjects' instead.
|
|
118
|
+
subjectDigest?: Record<string, string>
|
|
119
|
+
// Collection of subjects to be attested
|
|
120
|
+
subjects?: Subject[]
|
|
121
|
+
// URI identifying the content type of the predicate being attested.
|
|
114
122
|
token: string
|
|
115
123
|
// Sigstore instance to use for signing. Must be one of "public-good" or
|
|
116
124
|
// "github".
|
package/lib/attest.d.ts
CHANGED
|
@@ -1,11 +1,18 @@
|
|
|
1
1
|
import { SigstoreInstance } from './endpoints';
|
|
2
|
-
import type { Attestation } from './shared.types';
|
|
2
|
+
import type { Attestation, Subject } from './shared.types';
|
|
3
3
|
/**
|
|
4
4
|
* Options for attesting a subject / predicate.
|
|
5
5
|
*/
|
|
6
6
|
export type AttestOptions = {
|
|
7
|
-
|
|
8
|
-
|
|
7
|
+
/**
|
|
8
|
+
* @deprecated Use `subjects` instead.
|
|
9
|
+
**/
|
|
10
|
+
subjectName?: string;
|
|
11
|
+
/**
|
|
12
|
+
* @deprecated Use `subjects` instead.
|
|
13
|
+
**/
|
|
14
|
+
subjectDigest?: Record<string, string>;
|
|
15
|
+
subjects?: Subject[];
|
|
9
16
|
predicateType: string;
|
|
10
17
|
predicate: object;
|
|
11
18
|
token: string;
|
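Review bot: `subjects?: Subject[];` on new line 15 is the only one of the three subject fields without a doc comment, and nothing in `AttestOptions` expresses that a caller must supply either `subjects` or the deprecated `subjectName`/`subjectDigest` pair — every combination, including none of them, type-checks, and the runtime check in `attest.js` is the only thing that rejects it. At minimum add `/** Subjects to be attested. Required unless the deprecated subjectName/subjectDigest pair is given. */` above the field; a union of two object types, one carrying `subjects` and one carrying the deprecated pair, would let the compiler enforce the constraint at the cost of a less convenient shape. The two deprecation comments also close with `**/` where `*/` is conventional.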
package/lib/attest.js
CHANGED
|
@@ -26,15 +26,21 @@ const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json';
|
|
|
26
26
|
*/
|
|
27
27
|
function attest(options) {
|
|
28
28
|
return __awaiter(this, void 0, void 0, function* () {
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
}
|
|
29
|
+
let subjects;
|
|
30
|
+
if (options.subjects) {
|
|
31
|
+
subjects = options.subjects;
|
|
32
|
+
}
|
|
33
|
+
else if (options.subjectName && options.subjectDigest) {
|
|
34
|
+
subjects = [{ name: options.subjectName, digest: options.subjectDigest }];
|
|
35
|
+
}
|
|
36
|
+
else {
|
|
37
|
+
throw new Error('Must provide either subjectName and subjectDigest or subjects');
|
|
38
|
+
}
|
|
33
39
|
const predicate = {
|
|
34
40
|
type: options.predicateType,
|
|
35
41
|
params: options.predicate
|
|
36
42
|
};
|
|
37
|
-
const statement = (0, intoto_1.buildIntotoStatement)(
|
|
43
|
+
const statement = (0, intoto_1.buildIntotoStatement)(subjects, predicate);
|
|
38
44
|
// Sign the provenance statement
|
|
39
45
|
const payload = {
|
|
40
46
|
body: Buffer.from(JSON.stringify(statement)),
|
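Review bot: `if (options.subjects)` on new line 30 accepts an empty array, so `subjects: []` skips the error on line 37 and produces an in-toto statement whose `subject` list is empty, which is then signed; a subject-less attestation is almost certainly a caller bug and should be rejected before signing. The same branch also silently ignores `subjectName`/`subjectDigest` when `subjects` is present, which is worth stating in a comment so the precedence is deliberate rather than accidental. Inside the first branch I would add `if (options.subjects.length === 0) { throw new Error('subjects must not be empty'); }`. The `attest` function continues past the end of the hunk.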
package/lib/attest.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"attest.js","sourceRoot":"","sources":["../src/attest.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,6CAA6C;AAC7C,mCAAsC;AACtC,2CAA8D;AAC9D,qCAA6C;AAC7C,iCAA2C;AAC3C,mCAAwC;AAKxC,MAAM,mBAAmB,GAAG,8BAA8B,CAAA;
|
|
1
|
+
{"version":3,"file":"attest.js","sourceRoot":"","sources":["../src/attest.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,6CAA6C;AAC7C,mCAAsC;AACtC,2CAA8D;AAC9D,qCAA6C;AAC7C,iCAA2C;AAC3C,mCAAwC;AAKxC,MAAM,mBAAmB,GAAG,8BAA8B,CAAA;AA+B1D;;;;;;GAMG;AACH,SAAsB,MAAM,CAAC,OAAsB;;QACjD,IAAI,QAAmB,CAAA;QAEvB,IAAI,OAAO,CAAC,QAAQ,EAAE;YACpB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;SAC5B;aAAM,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,aAAa,EAAE;YACvD,QAAQ,GAAG,CAAC,EAAC,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,aAAa,EAAC,CAAC,CAAA;SACxE;aAAM;YACL,MAAM,IAAI,KAAK,CACb,+DAA+D,CAChE,CAAA;SACF;QAED,MAAM,SAAS,GAAc;YAC3B,IAAI,EAAE,OAAO,CAAC,aAAa;YAC3B,MAAM,EAAE,OAAO,CAAC,SAAS;SAC1B,CAAA;QAED,MAAM,SAAS,GAAG,IAAA,6BAAoB,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;QAE3D,gCAAgC;QAChC,MAAM,OAAO,GAAY;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAC5C,IAAI,EAAE,mBAAmB;SAC1B,CAAA;QACD,MAAM,SAAS,GAAG,IAAA,4BAAgB,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QACpD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAW,EAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QAEpD,wBAAwB;QACxB,IAAI,aAAiC,CAAA;QACrC,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,EAAE;YAC9B,aAAa,GAAG,MAAM,IAAA,wBAAgB,EACpC,IAAA,qBAAY,EAAC,MAAM,CAAC,EACpB,OAAO,CAAC,KAAK,EACb,EAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAC,CAC3B,CAAA;SACF;QAED,OAAO,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,CAAA;IAC7C,CAAC;CAAA;AAvCD,wBAuCC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,aAAsB;IAC3D,IAAI,SAAiB,CAAA;IACrB,QAAQ,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,KAAK,EAAE;QACjD,KAAK,sBAAsB;YACzB,SAAS;gBACP,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,oBAAoB,CAAC,YAAY,CAAC,CAAC,CAAC;qBACrE,QAAQ,CAAA;YACb,MAAK;QACP,KAAK,aAAa;YAChB,SAAS,GAAG,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAA;YACpE,MAAK;QACP;YACE,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;KAC7D;IAED,MAAM,WAAW,GAAG,IAAI,wBAAe,CAAC,SAAS,CAAC,CAAA;IAElD,2CAA2C;IAC3C,MAAM,WAAW,GAAG,MAAM,CAAC,oBAAoB,CAAC,WAAW,CAAA;IAC3D,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAA;IAE3E,OAAO;QACL,MAAM,EAAE,IAAA,qBAAY,EAAC,MAAM,CAAC;QAC5B,WAAW,EAAE,WAAW,CAAC,QAAQ,EAAE;QACnC,MAA
M;QACN,aAAa;KACd,CAAA;AACH,CAAC"}
|
package/lib/intoto.d.ts
CHANGED
|
@@ -15,4 +15,4 @@ export type InTotoStatement = {
|
|
|
15
15
|
* @param predicate - The predicate of the statement.
|
|
16
16
|
* @returns The constructed in-toto statement.
|
|
17
17
|
*/
|
|
18
|
-
export declare const buildIntotoStatement: (
|
|
18
|
+
export declare const buildIntotoStatement: (subjects: Subject[], predicate: Predicate) => InTotoStatement;
|
package/lib/intoto.js
CHANGED
|
@@ -8,10 +8,10 @@ const INTOTO_STATEMENT_V1_TYPE = 'https://in-toto.io/Statement/v1';
|
|
|
8
8
|
* @param predicate - The predicate of the statement.
|
|
9
9
|
* @returns The constructed in-toto statement.
|
|
10
10
|
*/
|
|
11
|
-
const buildIntotoStatement = (
|
|
11
|
+
const buildIntotoStatement = (subjects, predicate) => {
|
|
12
12
|
return {
|
|
13
13
|
_type: INTOTO_STATEMENT_V1_TYPE,
|
|
14
|
-
subject:
|
|
14
|
+
subject: subjects,
|
|
15
15
|
predicateType: predicate.type,
|
|
16
16
|
predicate: predicate.params
|
|
17
17
|
};
|
package/lib/intoto.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"intoto.js","sourceRoot":"","sources":["../src/intoto.ts"],"names":[],"mappings":";;;AAEA,MAAM,wBAAwB,GAAG,iCAAiC,CAAA;AAalE;;;;;GAKG;AACI,MAAM,oBAAoB,GAAG,CAClC,
|
|
1
|
+
{"version":3,"file":"intoto.js","sourceRoot":"","sources":["../src/intoto.ts"],"names":[],"mappings":";;;AAEA,MAAM,wBAAwB,GAAG,iCAAiC,CAAA;AAalE;;;;;GAKG;AACI,MAAM,oBAAoB,GAAG,CAClC,QAAmB,EACnB,SAAoB,EACH,EAAE;IACnB,OAAO;QACL,KAAK,EAAE,wBAAwB;QAC/B,OAAO,EAAE,QAAQ;QACjB,aAAa,EAAE,SAAS,CAAC,IAAI;QAC7B,SAAS,EAAE,SAAS,CAAC,MAAM;KAC5B,CAAA;AACH,CAAC,CAAA;AAVY,QAAA,oBAAoB,wBAUhC"}
|
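--- a/package/lib/oidc.js
+++ b/package/lib/oidc.js
@@ -72,9 +72,16 @@ const decodeOIDCToken = (token, issuer) => __awaiter(void 0, void 0, void 0, fun
 // Verify and decode token
 const jwks = jose.createLocalJWKSet(yield getJWKS(issuer));
 const { payload } = yield jose.jwtVerify(token, jwks, {
-audience: OIDC_AUDIENCE
-issuer
+audience: OIDC_AUDIENCE
 });
+if (!payload.iss) {
+throw new Error('Missing "iss" claim');
+}
+// Check that the issuer STARTS WITH the expected issuer URL to account for
+// the fact that the value may include an enterprise-specific slug
+if (!payload.iss.startsWith(issuer)) {
+throw new Error(`Unexpected "iss" claim: ${payload.iss}`);
+}
 return payload;
 });
 const getJWKS = (issuer) => __awaiter(void 0, void 0, void 0, function* () {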
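Review bot: The `startsWith(issuer)` test on new line 82 is a bare prefix match, so any `iss` that merely begins with the expected URL (extra characters appended to the host, a different path) passes it; the token signature is still checked against the JWKS fetched from `issuer` on line 73, so this is a defense-in-depth check rather than an exploitable gap, but swapping the previous exact `issuer` match passed to `jwtVerify` for a loose prefix is a regression in strictness. If the enterprise-specific slug is appended as a path segment, as the comment on lines 80-81 suggests, the boundary can be enforced with `if (payload.iss !== issuer && !payload.iss.startsWith(issuer + '/')) {`. The enclosing `decodeOIDCToken` arrow function starts before the hunk.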
package/lib/oidc.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAwC;AACxC,sDAA+C;AAC/C,2CAA4B;AAE5B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,iBAAiB,GAAG;IACxB,oBAAoB;IACpB,IAAI,MAAM,CAAC,kCAAkC,CAAC;CACtC,CAAA;AAEV,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQH,MAAM,gBAAgB,GAAG,CAAO,MAAe,EAAqB,EAAE;IAC3E,MAAM,GAAG,MAAM,IAAI,SAAS,EAAE,CAAA;IAC9B,IAAI;QACF,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAU,EAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;KACd;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;KAC5D;AACH,CAAC,CAAA,CAAA;AAVY,QAAA,gBAAgB,oBAU5B;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACY,EAAE;IAC5B,0BAA0B;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAA;IAC1D,MAAM,EAAC,OAAO,EAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAClD,QAAQ,EAAE,aAAa;
|
|
1
|
+
{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wCAAwC;AACxC,sDAA+C;AAC/C,2CAA4B;AAE5B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,iBAAiB,GAAG;IACxB,oBAAoB;IACpB,IAAI,MAAM,CAAC,kCAAkC,CAAC;CACtC,CAAA;AAEV,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQH,MAAM,gBAAgB,GAAG,CAAO,MAAe,EAAqB,EAAE;IAC3E,MAAM,GAAG,MAAM,IAAI,SAAS,EAAE,CAAA;IAC9B,IAAI;QACF,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAU,EAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;KACd;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;KAC5D;AACH,CAAC,CAAA,CAAA;AAVY,QAAA,gBAAgB,oBAU5B;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACY,EAAE;IAC5B,0BAA0B;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAA;IAC1D,MAAM,EAAC,OAAO,EAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAClD,QAAQ,EAAE,aAAa;KACxB,CAAC,CAAA;IAEF,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;KACvC;IAED,2EAA2E;IAC3E,kEAAkE;IAClE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE;QACnC,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;KAC1D;IAED,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA,CAAA;AAED,MAAM,OAAO,GAAG,CAAO,MAAc,EAA+B,EAAE;IACpE,MAAM,MAAM,GAAG,IAAI,wBAAU,CAAC,iBAAiB,CAAC,CAAA;IAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CACjC,GAAG,MAAM,mCAAmC,CAC7C,CAAA;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE;QAClB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;KACjD;IAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,CAAqB,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAE7E,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;KAC5C;IAED,OAAO,IAAI,CAAC,MAAM,CAAA;AACpB,CAAC,CAAA,CAAA;AAED,SAAS,cAAc,CAAC,MAAuB;IAC7C,MAAM,aAAa,GAAa,EAAE,CAAA;IAElC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE;QACnC,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE;YACtB,aAAa,C
AAC,IAAI,CAAC,KAAK,CAAC,CAAA;SAC1B;KACF;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE;QAC5B,MAAM,IAAI,KAAK,CAAC,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;KAC/D;AACH,CAAC;AAED,yDAAyD;AACzD,SAAS,SAAS;IAChB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,oBAAoB,CAAA;IAEvE,qDAAqD;IACrD,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE;QACpE,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,EAAE,CAAC,CAAA;KACpD;IAED,IAAI,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAA;IAEtC,IAAI,IAAI,KAAK,YAAY,EAAE;QACzB,IAAI,GAAG,uBAAuB,CAAA;KAC/B;IAED,OAAO,yBAAyB,IAAI,EAAE,CAAA;AACxC,CAAC"}
|
package/lib/provenance.js
CHANGED
|
@@ -29,9 +29,11 @@ const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void
|
|
|
29
29
|
// Split just the path and ref from the workflow string.
|
|
30
30
|
// owner/repo/.github/workflows/main.yml@main =>
|
|
31
31
|
// .github/workflows/main.yml, main
|
|
32
|
-
const [workflowPath,
|
|
32
|
+
const [workflowPath, ...workflowRefChunks] = claims.workflow_ref
|
|
33
33
|
.replace(`${claims.repository}/`, '')
|
|
34
34
|
.split('@');
|
|
35
|
+
// Handle case where tag contains `@` (e.g: when using changesets in a monorepo context),
|
|
36
|
+
const workflowRef = workflowRefChunks.join('@');
|
|
35
37
|
return {
|
|
36
38
|
type: SLSA_PREDICATE_V1_TYPE,
|
|
37
39
|
params: {
|
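Review bot: `workflowRefChunks.join('@')` on new line 36 yields an empty string when `workflow_ref` contains no `@` at all, so a malformed claim now produces a provenance predicate with an empty ref instead of the `undefined` the old destructuring presumably gave, and nothing in the hunk rejects it. A guard such as `if (workflowRefChunks.length === 0) { throw new Error('workflow_ref has no ref component'); }` before the `return` would surface the problem at its source. The `.replace` on line 33 also strips the first occurrence of the repository prefix wherever it appears rather than only at the start of the string; that is fine for the documented `owner/repo/.github/workflows/main.yml@main` shape but deserves a comment. `buildSLSAProvenancePredicate` starts before and ends after the hunk.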
package/lib/provenance.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAA8C;AAC9C,iCAAuC;AAGvC,MAAM,sBAAsB,GAAG,gCAAgC,CAAA;AAC/D,MAAM,iBAAiB,GAAG,kDAAkD,CAAA;AAS5E;;;;;;;;GAQG;AACI,MAAM,4BAA4B,GAAG,CAC1C,MAAe,EACK,EAAE;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC/C,MAAM,MAAM,GAAG,MAAM,IAAA,uBAAgB,EAAC,MAAM,CAAC,CAAA;IAE7C,wDAAwD;IACxD,gDAAgD;IAChD,qCAAqC;IACrC,MAAM,CAAC,YAAY,EAAE,
|
|
1
|
+
{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qCAA8C;AAC9C,iCAAuC;AAGvC,MAAM,sBAAsB,GAAG,gCAAgC,CAAA;AAC/D,MAAM,iBAAiB,GAAG,kDAAkD,CAAA;AAS5E;;;;;;;;GAQG;AACI,MAAM,4BAA4B,GAAG,CAC1C,MAAe,EACK,EAAE;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC/C,MAAM,MAAM,GAAG,MAAM,IAAA,uBAAgB,EAAC,MAAM,CAAC,CAAA;IAE7C,wDAAwD;IACxD,gDAAgD;IAChD,qCAAqC;IACrC,MAAM,CAAC,YAAY,EAAE,GAAG,iBAAiB,CAAC,GAAG,MAAM,CAAC,YAAY;SAC7D,OAAO,CAAC,GAAG,MAAM,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;SACpC,KAAK,CAAC,GAAG,CAAC,CAAA;IACb,yFAAyF;IACzF,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IAE/C,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE;YACN,eAAe,EAAE;gBACf,SAAS,EAAE,iBAAiB;gBAC5B,kBAAkB,EAAE;oBAClB,QAAQ,EAAE;wBACR,GAAG,EAAE,WAAW;wBAChB,UAAU,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE;wBAC/C,IAAI,EAAE,YAAY;qBACnB;iBACF;gBACD,kBAAkB,EAAE;oBAClB,MAAM,EAAE;wBACN,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;wBACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;wBAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;qBAC9C;iBACF;gBACD,oBAAoB,EAAE;oBACpB;wBACE,GAAG,EAAE,OAAO,SAAS,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,EAAE;wBAC1D,MAAM,EAAE;4BACN,SAAS,EAAE,MAAM,CAAC,GAAG;yBACtB;qBACF;iBACF;aACF;YACD,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,EAAE,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,gBAAgB,EAAE;iBAC9C;gBACD,QAAQ,EAAE;oBACR,YAAY,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,iBAAiB,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,WAAW,EAAE;iBAC/G;aACF;SACF;KACF,CAAA;AACH,CAAC,CAAA,CAAA;AAtDY,QAAA,4BAA4B,gCAsDxC;AAED;;;;;;;GAOG;AACH,SAAsB,gBAAgB,CACpC,OAAgC;;QAEhC,MAAM,SAAS,GAAG,MAAM,IAAA,oCAA4B,EAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACpE,OAAO,IAAA,eAAM,kCACR,OAAO,KACV,aAAa,EAAE,SAAS,CAAC,IAAI,EAC7B,SAAS,EAAE,SAAS,CAAC,MAAM,IAC3B,CAAA;IACJ,CAAC;CAAA;AATD,4CASC"}
|
package/lib/sign.js
CHANGED
|
@@ -45,7 +45,6 @@ const initBundleBuilder = (opts) => {
|
|
|
45
45
|
if (opts.rekorURL) {
|
|
46
46
|
witnesses.push(new sign_1.RekorWitness({
|
|
47
47
|
rekorBaseURL: opts.rekorURL,
|
|
48
|
-
entryType: 'dsse',
|
|
49
48
|
fetchOnConflict: true,
|
|
50
49
|
timeout,
|
|
51
50
|
retry
|
|
@@ -60,6 +59,6 @@ const initBundleBuilder = (opts) => {
|
|
|
60
59
|
}
|
|
61
60
|
// Build the bundle with the singleCertificate option which will
|
|
62
61
|
// trigger the creation of v0.3 DSSE bundles
|
|
63
|
-
return new sign_1.DSSEBundleBuilder({ signer, witnesses
|
|
62
|
+
return new sign_1.DSSEBundleBuilder({ signer, witnesses });
|
|
64
63
|
};
|
|
65
64
|
//# sourceMappingURL=sign.js.map
|
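Review bot: The comment on context lines 60-61 still says the bundle is built "with the singleCertificate option", but the new line 62 passes only `{ signer, witnesses }` to `DSSEBundleBuilder`, so the comment now describes an option that is no longer there and will mislead the next reader about where the DSSE bundle version comes from. This change and the dropped `entryType: 'dsse'` on old line 48 presumably go with the `@sigstore/sign` bump to ^3.0.0 in package.json; the comment should be replaced by one that states only what the line does, e.g. `// Build the DSSE bundle from the signer and configured witnesses`, with the library-version dependency noted if it matters. `initBundleBuilder` starts before the first hunk.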
package/lib/sign.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,yCASuB;AAEvB,MAAM,aAAa,GAAG,UAAU,CAAA;AAChC,MAAM,eAAe,GAAG,KAAK,CAAA;AAC7B,MAAM,eAAe,GAAG,CAAC,CAAA;AAqCzB;;;;;;GAMG;AACI,MAAM,WAAW,GAAG,CACzB,OAAgB,EAChB,OAAoB,EACH,EAAE;IACnB,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAA;IAED,yCAAyC;IACzC,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;AACpD,CAAC,CAAA,CAAA;AAXY,QAAA,WAAW,eAWvB;AAED,qEAAqE;AACrE,MAAM,iBAAiB,GAAG,CAAC,IAAiB,EAAiB,EAAE;IAC7D,MAAM,gBAAgB,GAAG,IAAI,wBAAiB,CAAC,aAAa,CAAC,CAAA;IAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAA;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,eAAe,CAAA;IAC3C,MAAM,SAAS,GAAc,EAAE,CAAA;IAE/B,MAAM,MAAM,GAAG,IAAI,mBAAY,CAAC;QAC9B,gBAAgB;QAChB,aAAa,EAAE,IAAI,CAAC,SAAS;QAC7B,OAAO;QACP,KAAK;KACN,CAAC,CAAA;IAEF,IAAI,IAAI,CAAC,QAAQ,EAAE;QACjB,SAAS,CAAC,IAAI,CACZ,IAAI,mBAAY,CAAC;YACf,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,
|
|
1
|
+
{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,yCASuB;AAEvB,MAAM,aAAa,GAAG,UAAU,CAAA;AAChC,MAAM,eAAe,GAAG,KAAK,CAAA;AAC7B,MAAM,eAAe,GAAG,CAAC,CAAA;AAqCzB;;;;;;GAMG;AACI,MAAM,WAAW,GAAG,CACzB,OAAgB,EAChB,OAAoB,EACH,EAAE;IACnB,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAA;IAED,yCAAyC;IACzC,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;AACpD,CAAC,CAAA,CAAA;AAXY,QAAA,WAAW,eAWvB;AAED,qEAAqE;AACrE,MAAM,iBAAiB,GAAG,CAAC,IAAiB,EAAiB,EAAE;IAC7D,MAAM,gBAAgB,GAAG,IAAI,wBAAiB,CAAC,aAAa,CAAC,CAAA;IAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAA;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,eAAe,CAAA;IAC3C,MAAM,SAAS,GAAc,EAAE,CAAA;IAE/B,MAAM,MAAM,GAAG,IAAI,mBAAY,CAAC;QAC9B,gBAAgB;QAChB,aAAa,EAAE,IAAI,CAAC,SAAS;QAC7B,OAAO;QACP,KAAK;KACN,CAAC,CAAA;IAEF,IAAI,IAAI,CAAC,QAAQ,EAAE;QACjB,SAAS,CAAC,IAAI,CACZ,IAAI,mBAAY,CAAC;YACf,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,eAAe,EAAE,IAAI;YACrB,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;KACF;IAED,IAAI,IAAI,CAAC,YAAY,EAAE;QACrB,SAAS,CAAC,IAAI,CACZ,IAAI,iBAAU,CAAC;YACb,UAAU,EAAE,IAAI,CAAC,YAAY;YAC7B,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;KACF;IAED,gEAAgE;IAChE,4CAA4C;IAC5C,OAAO,IAAI,wBAAiB,CAAC,EAAC,MAAM,EAAE,SAAS,EAAC,CAAC,CAAA;AACnD,CAAC,CAAA"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@actions/attest",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.5.0",
|
|
4
4
|
"description": "Actions attestation lib",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"github",
|
|
@@ -35,19 +35,19 @@
|
|
|
35
35
|
"url": "https://github.com/actions/toolkit/issues"
|
|
36
36
|
},
|
|
37
37
|
"devDependencies": {
|
|
38
|
-
"@sigstore/mock": "^0.
|
|
39
|
-
"@sigstore/rekor-types": "^
|
|
38
|
+
"@sigstore/mock": "^0.8.0",
|
|
39
|
+
"@sigstore/rekor-types": "^3.0.0",
|
|
40
40
|
"@types/jsonwebtoken": "^9.0.6",
|
|
41
41
|
"nock": "^13.5.1",
|
|
42
42
|
"undici": "^5.28.4"
|
|
43
43
|
},
|
|
44
44
|
"dependencies": {
|
|
45
|
-
"@actions/core": "^1.
|
|
45
|
+
"@actions/core": "^1.11.1",
|
|
46
46
|
"@actions/github": "^6.0.0",
|
|
47
47
|
"@actions/http-client": "^2.2.3",
|
|
48
48
|
"@octokit/plugin-retry": "^6.0.1",
|
|
49
|
-
"@sigstore/bundle": "^
|
|
50
|
-
"@sigstore/sign": "^
|
|
49
|
+
"@sigstore/bundle": "^3.0.0",
|
|
50
|
+
"@sigstore/sign": "^3.0.0",
|
|
51
51
|
"jose": "^5.2.3"
|
|
52
52
|
},
|
|
53
53
|
"overrides": {
|