@actions/attest 2.2.1 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/artifactMetadata.js +4 -40
- package/lib/artifactMetadata.js.map +1 -1
- package/lib/attest.d.ts +2 -2
- package/lib/attest.js +13 -16
- package/lib/attest.js.map +1 -1
- package/lib/endpoints.js +4 -41
- package/lib/endpoints.js.map +1 -1
- package/lib/index.d.ts +5 -4
- package/lib/index.js +3 -10
- package/lib/index.js.map +1 -1
- package/lib/intoto.d.ts +1 -1
- package/lib/intoto.js +1 -5
- package/lib/intoto.js.map +1 -1
- package/lib/oidc.js +6 -43
- package/lib/oidc.js.map +1 -1
- package/lib/provenance.d.ts +2 -2
- package/lib/provenance.js +7 -12
- package/lib/provenance.js.map +1 -1
- package/lib/shared.types.js +1 -2
- package/lib/sign.js +7 -11
- package/lib/sign.js.map +1 -1
- package/lib/store.js +4 -41
- package/lib/store.js.map +1 -1
- package/package.json +12 -10
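--- a/package/lib/artifactMetadata.js
+++ b/package/lib/artifactMetadata.js
@@ -1,37 +1,3 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-var desc = Object.getOwnPropertyDescriptor(m, k);
-if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-desc = { enumerable: true, get: function() { return m[k]; } };
-}
-Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-var ownKeys = function(o) {
-ownKeys = Object.getOwnPropertyNames || function (o) {
-var ar = [];
-for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-return ar;
-};
-return ownKeys(o);
-};
-return function (mod) {
-if (mod && mod.__esModule) return mod;
-var result = {};
-if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-__setModuleDefault(result, mod);
-return result;
-};
-})();
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
 function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
 return new (P || (P = Promise))(function (resolve, reject) {
@@ -52,10 +18,8 @@ var __rest = (this && this.__rest) || function (s, e) {
 }
 return t;
 };
-
-
-const github = __importStar(require("@actions/github"));
-const plugin_retry_1 = require("@octokit/plugin-retry");
+import * as github from '@actions/github';
+import { retry } from '@octokit/plugin-retry';
 const CREATE_STORAGE_RECORD_REQUEST = 'POST /orgs/{owner}/artifacts/metadata/storage-record';
 const DEFAULT_RETRY_COUNT = 5;
 /**
@@ -69,10 +33,10 @@ const DEFAULT_RETRY_COUNT = 5;
 * @returns The ID of the storage record.
 * @throws Error if the storage record fails to persist.
 */
-function createStorageRecord(artifactOptions, packageRegistryOptions, token, retryAttempts, headers) {
+export function createStorageRecord(artifactOptions, packageRegistryOptions, token, retryAttempts, headers) {
 return __awaiter(this, void 0, void 0, function* () {
 const retries = retryAttempts !== null && retryAttempts !== void 0 ? retryAttempts : DEFAULT_RETRY_COUNT;
-const octokit = github.getOctokit(token, { retry: { retries } },
+const octokit = github.getOctokit(token, { retry: { retries } }, retry);
 try {
 const response = yield octokit.request(CREATE_STORAGE_RECORD_REQUEST, Object.assign({ owner: github.context.repo.owner, headers }, buildRequestParams(artifactOptions, packageRegistryOptions)));
 const data = typeof response.data == 'string'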
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"artifactMetadata.js","sourceRoot":"","sources":["../src/artifactMetadata.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"artifactMetadata.js","sourceRoot":"","sources":["../src/artifactMetadata.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA,OAAO,KAAK,MAAM,MAAM,iBAAiB,CAAA;AACzC,OAAO,EAAC,KAAK,EAAC,MAAM,uBAAuB,CAAA;AAG3C,MAAM,6BAA6B,GACjC,sDAAsD,CAAA;AACxD,MAAM,mBAAmB,GAAG,CAAC,CAAA;AA4B7B;;;;;;;;;;GAUG;AACH,MAAM,UAAgB,mBAAmB,CACvC,eAAgC,EAChC,sBAA8C,EAC9C,KAAa,EACb,aAAsB,EACtB,OAAwB;;QAExB,MAAM,OAAO,GAAG,aAAa,aAAb,aAAa,cAAb,aAAa,GAAI,mBAAmB,CAAA;QACpD,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,EAAC,KAAK,EAAE,EAAC,OAAO,EAAC,EAAC,EAAE,KAAK,CAAC,CAAA;QACnE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,6BAA6B,kBAClE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,EAChC,OAAO,IACJ,kBAAkB,CAAC,eAAe,EAAE,sBAAsB,CAAC,EAC9D,CAAA;YAEF,MAAM,IAAI,GACR,OAAO,QAAQ,CAAC,IAAI,IAAI,QAAQ;gBAC9B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;gBAC3B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAA;YAEnB,OAAO,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,eAAe,CAAC,GAAG,CAAC,CAAC,CAAe,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;QAC7D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAA;YACxD,MAAM,IAAI,KAAK,CAAC,qCAAqC,OAAO,EAAE,CAAC,CAAA;QACjE,CAAC;IACH,CAAC;CAAA;AAED,SAAS,kBAAkB,CACzB,eAAgC,EAChC,sBAA8C;IAE9C,MAAM,EAAC,WAAW,EAAE,WAAW,KAAa,sBAAsB,EAA9B,IAAI,UAAI,sBAAsB,EAA5D,8BAAmC,CAAyB,CAAA;IAClE,qDACK,eAAe,KAClB,YAAY,EAAE,WAAW,EACzB,YAAY,EAAE,WAAW,KACtB,IAAI,EACR;AACH,CAAC"}
|
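--- a/package/lib/attest.d.ts
+++ b/package/lib/attest.d.ts
@@ -1,5 +1,5 @@
-import { SigstoreInstance } from './endpoints';
-import type { Attestation, Subject } from './shared.types';
+import { SigstoreInstance } from './endpoints.js';
+import type { Attestation, Subject } from './shared.types.js';
 /**
 * Options for attesting a subject / predicate.
 */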
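--- a/package/lib/attest.js
+++ b/package/lib/attest.js
@@ -1,4 +1,3 @@
-"use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
 function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
 return new (P || (P = Promise))(function (resolve, reject) {
@@ -8,14 +7,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 step((generator = generator.apply(thisArg, _arguments || [])).next());
 });
 };
-
-
-
-
-
-
-const sign_1 = require("./sign");
-const store_1 = require("./store");
+import { bundleToJSON } from '@sigstore/bundle';
+import { X509Certificate } from 'crypto';
+import { signingEndpoints } from './endpoints.js';
+import { buildIntotoStatement } from './intoto.js';
+import { signPayload } from './sign.js';
+import { writeAttestation } from './store.js';
 const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json';
 /**
 * Generates an attestation for the given subject and predicate. The subject and
@@ -24,7 +21,7 @@ const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json';
 * @param options - The options for attestation.
 * @returns A promise that resolves to the attestation.
 */
-function attest(options) {
+export function attest(options) {
 return __awaiter(this, void 0, void 0, function* () {
 let subjects;
 if (options.subjects) {
@@ -40,18 +37,18 @@ function attest(options) {
 type: options.predicateType,
 params: options.predicate
 };
-const statement =
+const statement = buildIntotoStatement(subjects, predicate);
 // Sign the provenance statement
 const payload = {
 body: Buffer.from(JSON.stringify(statement)),
 type: INTOTO_PAYLOAD_TYPE
 };
-const endpoints =
-const bundle = yield
+const endpoints = signingEndpoints(options.sigstore);
+const bundle = yield signPayload(payload, endpoints);
 // Store the attestation
 let attestationID;
 if (options.skipWrite !== true) {
-attestationID = yield
+attestationID = yield writeAttestation(bundleToJSON(bundle), options.token, { headers: options.headers });
 }
 return toAttestation(bundle, attestationID);
 });
@@ -70,12 +67,12 @@ function toAttestation(bundle, attestationID) {
 default:
 throw new Error('Bundle must contain an x509 certificate');
 }
-const signingCert = new
+const signingCert = new X509Certificate(certBytes);
 // Collect transparency log ID if available
 const tlogEntries = bundle.verificationMaterial.tlogEntries;
 const tlogID = tlogEntries.length > 0 ? tlogEntries[0].logIndex : undefined;
 return {
-bundle:
+bundle: bundleToJSON(bundle),
 certificate: signingCert.toString(),
 tlogID,
 attestationID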
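Review bot: The new `import { X509Certificate } from 'crypto';` at new line 11 uses the bare builtin specifier while the rest of this commit converts the file to ESM; the `node:` scheme, `import { X509Certificate } from 'node:crypto';`, states explicitly that the Node builtin is meant rather than a same-named userland package or bundler polyfill, which is worth being unambiguous about in the module that parses the signing certificate. This is a point of style, since Node itself resolves the bare name to the builtin. The enclosing `toAttestation` function in the last hunk starts outside the hunk.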
package/lib/attest.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"attest.js","sourceRoot":"","sources":["../src/attest.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"attest.js","sourceRoot":"","sources":["../src/attest.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAC,YAAY,EAAC,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAC,eAAe,EAAC,MAAM,QAAQ,CAAA;AACtC,OAAO,EAAmB,gBAAgB,EAAC,MAAM,gBAAgB,CAAA;AACjE,OAAO,EAAC,oBAAoB,EAAC,MAAM,aAAa,CAAA;AAChD,OAAO,EAAU,WAAW,EAAC,MAAM,WAAW,CAAA;AAC9C,OAAO,EAAC,gBAAgB,EAAC,MAAM,YAAY,CAAA;AAK3C,MAAM,mBAAmB,GAAG,8BAA8B,CAAA;AA+B1D;;;;;;GAMG;AACH,MAAM,UAAgB,MAAM,CAAC,OAAsB;;QACjD,IAAI,QAAmB,CAAA;QAEvB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QAC7B,CAAC;aAAM,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YACxD,QAAQ,GAAG,CAAC,EAAC,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,aAAa,EAAC,CAAC,CAAA;QACzE,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,+DAA+D,CAChE,CAAA;QACH,CAAC;QAED,MAAM,SAAS,GAAc;YAC3B,IAAI,EAAE,OAAO,CAAC,aAAa;YAC3B,MAAM,EAAE,OAAO,CAAC,SAAS;SAC1B,CAAA;QAED,MAAM,SAAS,GAAG,oBAAoB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;QAE3D,gCAAgC;QAChC,MAAM,OAAO,GAAY;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YAC5C,IAAI,EAAE,mBAAmB;SAC1B,CAAA;QACD,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;QACpD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,CAAA;QAEpD,wBAAwB;QACxB,IAAI,aAAiC,CAAA;QACrC,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YAC/B,aAAa,GAAG,MAAM,gBAAgB,CACpC,YAAY,CAAC,MAAM,CAAC,EACpB,OAAO,CAAC,KAAK,EACb,EAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAC,CAC3B,CAAA;QACH,CAAC;QAED,OAAO,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,CAAA;IAC7C,CAAC;CAAA;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,aAAsB;IAC3D,IAAI,SAAiB,CAAA;IACrB,QAAQ,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QAClD,KAAK,sBAAsB;YACzB,SAAS;gBACP,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,oBAAoB,CAAC,YAAY,CAAC,CAAC,CAAC;qBACrE,QAAQ,CAAA;YACb,MAAK;QACP,KAAK,aAAa;YAChB,SAAS,GAAG,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAA;YACpE,MAAK;QACP;YACE,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAA;IAC9D,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,eAAe,CAAC,SAAS,CAAC,CAAA;IAElD,2CAA2C;IAC3C,MAAM,WAAW,GAAG,MAAM,CAAC,oBAAoB,CAAC,WAAW,CAAA;IAC3D,MAAM,MAAM,GAAG,WA
AW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAA;IAE3E,OAAO;QACL,MAAM,EAAE,YAAY,CAAC,MAAM,CAAC;QAC5B,WAAW,EAAE,WAAW,CAAC,QAAQ,EAAE;QACnC,MAAM;QACN,aAAa;KACd,CAAA;AACH,CAAC"}
|
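--- a/package/lib/endpoints.js
+++ b/package/lib/endpoints.js
@@ -1,49 +1,13 @@
-
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-var desc = Object.getOwnPropertyDescriptor(m, k);
-if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-desc = { enumerable: true, get: function() { return m[k]; } };
-}
-Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-var ownKeys = function(o) {
-ownKeys = Object.getOwnPropertyNames || function (o) {
-var ar = [];
-for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-return ar;
-};
-return ownKeys(o);
-};
-return function (mod) {
-if (mod && mod.__esModule) return mod;
-var result = {};
-if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-__setModuleDefault(result, mod);
-return result;
-};
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.signingEndpoints = exports.SIGSTORE_PUBLIC_GOOD = void 0;
-const github = __importStar(require("@actions/github"));
+import * as github from '@actions/github';
 const PUBLIC_GOOD_ID = 'public-good';
 const GITHUB_ID = 'github';
 const FULCIO_PUBLIC_GOOD_URL = 'https://fulcio.sigstore.dev';
 const REKOR_PUBLIC_GOOD_URL = 'https://rekor.sigstore.dev';
-
+export const SIGSTORE_PUBLIC_GOOD = {
 fulcioURL: FULCIO_PUBLIC_GOOD_URL,
 rekorURL: REKOR_PUBLIC_GOOD_URL
 };
-const signingEndpoints = (sigstore) => {
+export const signingEndpoints = (sigstore) => {
 var _a;
 let instance;
 // An explicitly set instance type takes precedence, but if not set, use the
@@ -59,12 +23,11 @@ const signingEndpoints = (sigstore) => {
 }
 switch (instance) {
 case PUBLIC_GOOD_ID:
-return
+return SIGSTORE_PUBLIC_GOOD;
 case GITHUB_ID:
 return buildGitHubEndpoints();
 }
 };
-exports.signingEndpoints = signingEndpoints;
 function buildGitHubEndpoints() {
 const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';
 let host = new URL(serverURL).hostname;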
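Review bot: `SIGSTORE_PUBLIC_GOOD` (new line 6) is an exported, unfrozen object and `signingEndpoints` returns that very object by reference at new line 26, so any caller that mutates the endpoints it was handed (for example reassigning `fulcioURL`) silently changes the module-wide default for every later signing request in the process. Because these two URLs decide which Fulcio and Rekor instances the signer trusts, the default should not be alterable from outside: `export const SIGSTORE_PUBLIC_GOOD = Object.freeze({ ... });` or `return { ...SIGSTORE_PUBLIC_GOOD };` at the switch would close this. The instance-normalization part of `signingEndpoints` between the two hunks is not shown, so I cannot tell whether the missing `default:` branch of the switch is reachable.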
package/lib/endpoints.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"endpoints.js","sourceRoot":"","sources":["../src/endpoints.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"endpoints.js","sourceRoot":"","sources":["../src/endpoints.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,iBAAiB,CAAA;AAEzC,MAAM,cAAc,GAAG,aAAa,CAAA;AACpC,MAAM,SAAS,GAAG,QAAQ,CAAA;AAE1B,MAAM,sBAAsB,GAAG,6BAA6B,CAAA;AAC5D,MAAM,qBAAqB,GAAG,4BAA4B,CAAA;AAU1D,MAAM,CAAC,MAAM,oBAAoB,GAAc;IAC7C,SAAS,EAAE,sBAAsB;IACjC,QAAQ,EAAE,qBAAqB;CAChC,CAAA;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,QAA2B,EAAa,EAAE;;IACzE,IAAI,QAA0B,CAAA;IAE9B,4EAA4E;IAC5E,0DAA0D;IAC1D,IAAI,QAAQ,IAAI,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/D,QAAQ,GAAG,QAAQ,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,QAAQ;YACN,CAAA,MAAA,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,0CAAE,UAAU,MAAK,QAAQ;gBACxD,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,SAAS,CAAA;IACjB,CAAC;IAED,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,cAAc;YACjB,OAAO,oBAAoB,CAAA;QAC7B,KAAK,SAAS;YACZ,OAAO,oBAAoB,EAAE,CAAA;IACjC,CAAC;AACH,CAAC,CAAA;AAED,SAAS,oBAAoB;IAC3B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,oBAAoB,CAAA;IACvE,IAAI,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAA;IAEtC,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,IAAI,GAAG,eAAe,CAAA;IACxB,CAAC;IACD,OAAO;QACL,SAAS,EAAE,kBAAkB,IAAI,EAAE;QACnC,YAAY,EAAE,qBAAqB,IAAI,EAAE;KAC1C,CAAA;AACH,CAAC"}
|
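--- a/package/lib/index.d.ts
+++ b/package/lib/index.d.ts
@@ -1,5 +1,6 @@
-export { createStorageRecord } from './artifactMetadata';
-export { AttestOptions, attest } from './attest';
-export { AttestProvenanceOptions, attestProvenance, buildSLSAProvenancePredicate } from './provenance';
+export { createStorageRecord, ArtifactOptions, PackageRegistryOptions } from './artifactMetadata.js';
+export { AttestOptions, attest } from './attest.js';
+export { AttestProvenanceOptions, attestProvenance, buildSLSAProvenancePredicate } from './provenance.js';
 export type { SerializedBundle } from '@sigstore/bundle';
-export type { Attestation, Predicate, Subject } from './shared.types';
+export type { Attestation, Predicate, Subject } from './shared.types.js';
+export type { SigstoreInstance } from './endpoints.js';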
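--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -1,11 +1,4 @@
-
-
-
-var artifactMetadata_1 = require("./artifactMetadata");
-Object.defineProperty(exports, "createStorageRecord", { enumerable: true, get: function () { return artifactMetadata_1.createStorageRecord; } });
-var attest_1 = require("./attest");
-Object.defineProperty(exports, "attest", { enumerable: true, get: function () { return attest_1.attest; } });
-var provenance_1 = require("./provenance");
-Object.defineProperty(exports, "attestProvenance", { enumerable: true, get: function () { return provenance_1.attestProvenance; } });
-Object.defineProperty(exports, "buildSLSAProvenancePredicate", { enumerable: true, get: function () { return provenance_1.buildSLSAProvenancePredicate; } });
+export { createStorageRecord } from './artifactMetadata.js';
+export { attest } from './attest.js';
+export { attestProvenance, buildSLSAProvenancePredicate } from './provenance.js';
 //# sourceMappingURL=index.js.map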
package/lib/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EAGpB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EAAgB,MAAM,EAAC,MAAM,aAAa,CAAA;AACjD,OAAO,EAEL,gBAAgB,EAChB,4BAA4B,EAC7B,MAAM,iBAAiB,CAAA"}
|
package/lib/intoto.d.ts
CHANGED
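--- a/package/lib/intoto.js
+++ b/package/lib/intoto.js
@@ -1,6 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.buildIntotoStatement = void 0;
 const INTOTO_STATEMENT_V1_TYPE = 'https://in-toto.io/Statement/v1';
 /**
 * Assembles the given subject and predicate into an in-toto statement.
@@ -8,7 +5,7 @@ const INTOTO_STATEMENT_V1_TYPE = 'https://in-toto.io/Statement/v1';
 * @param predicate - The predicate of the statement.
 * @returns The constructed in-toto statement.
 */
-const buildIntotoStatement = (subjects, predicate) => {
+export const buildIntotoStatement = (subjects, predicate) => {
 return {
 _type: INTOTO_STATEMENT_V1_TYPE,
 subject: subjects,
@@ -16,5 +13,4 @@ const buildIntotoStatement = (subjects, predicate) => {
 predicate: predicate.params
 };
 };
-exports.buildIntotoStatement = buildIntotoStatement;
 //# sourceMappingURL=intoto.js.map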
package/lib/intoto.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"intoto.js","sourceRoot":"","sources":["../src/intoto.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"intoto.js","sourceRoot":"","sources":["../src/intoto.ts"],"names":[],"mappings":"AAEA,MAAM,wBAAwB,GAAG,iCAAiC,CAAA;AAalE;;;;;GAKG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAClC,QAAmB,EACnB,SAAoB,EACH,EAAE;IACnB,OAAO;QACL,KAAK,EAAE,wBAAwB;QAC/B,OAAO,EAAE,QAAQ;QACjB,aAAa,EAAE,SAAS,CAAC,IAAI;QAC7B,SAAS,EAAE,SAAS,CAAC,MAAM;KAC5B,CAAA;AACH,CAAC,CAAA"}
|
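--- a/package/lib/oidc.js
+++ b/package/lib/oidc.js
@@ -1,37 +1,3 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-var desc = Object.getOwnPropertyDescriptor(m, k);
-if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-desc = { enumerable: true, get: function() { return m[k]; } };
-}
-Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-var ownKeys = function(o) {
-ownKeys = Object.getOwnPropertyNames || function (o) {
-var ar = [];
-for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-return ar;
-};
-return ownKeys(o);
-};
-return function (mod) {
-if (mod && mod.__esModule) return mod;
-var result = {};
-if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-__setModuleDefault(result, mod);
-return result;
-};
-})();
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
 function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
 return new (P || (P = Promise))(function (resolve, reject) {
@@ -41,11 +7,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 step((generator = generator.apply(thisArg, _arguments || [])).next());
 });
 };
-
-
-
-const http_client_1 = require("@actions/http-client");
-const jose = __importStar(require("jose"));
+import { getIDToken } from '@actions/core';
+import { HttpClient } from '@actions/http-client';
+import * as jose from 'jose';
 const OIDC_AUDIENCE = 'nobody';
 const VALID_SERVER_URLS = [
 'https://github.com',
@@ -65,10 +29,10 @@ const REQUIRED_CLAIMS = [
 'run_id',
 'run_attempt'
 ];
-const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
+export const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
 issuer = issuer || getIssuer();
 try {
-const token = yield
+const token = yield getIDToken(OIDC_AUDIENCE);
 const claims = yield decodeOIDCToken(token, issuer);
 assertClaimSet(claims);
 return claims;
@@ -77,7 +41,6 @@ const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function*
 throw new Error(`Failed to get ID token: ${error.message}`);
 }
 });
-exports.getIDTokenClaims = getIDTokenClaims;
 const decodeOIDCToken = (token, issuer) => __awaiter(void 0, void 0, void 0, function* () {
 // Verify and decode token
 const jwks = jose.createLocalJWKSet(yield getJWKS(issuer));
@@ -95,7 +58,7 @@ const decodeOIDCToken = (token, issuer) => __awaiter(void 0, void 0, void 0, fun
 return payload;
 });
 const getJWKS = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
-const client = new
+const client = new HttpClient('@actions/attest');
 const config = yield client.getJson(`${issuer}/.well-known/openid-configuration`);
 if (!config.result) {
 throw new Error('No OpenID configuration found');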
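Review bot: `getIDTokenClaims` becomes a public export at new line 32 without a JSDoc block, and its `issuer` argument is taken as given at `issuer = issuer || getIssuer();` and later used by `getJWKS` as the base of `${issuer}/.well-known/openid-configuration`, so the `VALID_SERVER_URLS` allow-list declared above appears to be consulted only on the default path inside `getIssuer()` (whose body is outside the hunk). An explicitly passed issuer therefore selects the JWKS that the ID token is verified against, which is a trust decision the caller may not realise it is making. If that is intended, say so in the doc comment, e.g. `/** Fetches and verifies the GitHub Actions OIDC token. @param issuer - Optional issuer URL; when supplied it is used as-is for discovery and verification, without the VALID_SERVER_URLS check applied to the default. */`; otherwise apply the same allow-list check to the explicit value before the `try`.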
package/lib/oidc.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAC,UAAU,EAAC,MAAM,eAAe,CAAA;AACxC,OAAO,EAAC,UAAU,EAAC,MAAM,sBAAsB,CAAA;AAC/C,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,MAAM,aAAa,GAAG,QAAQ,CAAA;AAE9B,MAAM,iBAAiB,GAAG;IACxB,oBAAoB;IACpB,IAAI,MAAM,CAAC,kCAAkC,CAAC;CACtC,CAAA;AAEV,MAAM,eAAe,GAAG;IACtB,KAAK;IACL,KAAK;IACL,KAAK;IACL,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,cAAc;IACd,eAAe;IACf,qBAAqB;IACrB,oBAAoB;IACpB,QAAQ;IACR,aAAa;CACL,CAAA;AAQV,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAO,MAAe,EAAqB,EAAE;IAC3E,MAAM,GAAG,MAAM,IAAI,SAAS,EAAE,CAAA;IAC9B,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,aAAa,CAAC,CAAA;QAC7C,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QACnD,cAAc,CAAC,MAAM,CAAC,CAAA;QACtB,OAAO,MAAM,CAAA;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;IAC7D,CAAC;AACH,CAAC,CAAA,CAAA;AAED,MAAM,eAAe,GAAG,CACtB,KAAa,EACb,MAAc,EACY,EAAE;IAC5B,0BAA0B;IAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,CAAA;IAC1D,MAAM,EAAC,OAAO,EAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAClD,QAAQ,EAAE,aAAa;KACxB,CAAC,CAAA;IAEF,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IAED,2EAA2E;IAC3E,kEAAkE;IAClE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAC3D,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA,CAAA;AAED,MAAM,OAAO,GAAG,CAAO,MAAc,EAA+B,EAAE;IACpE,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAA;IAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,OAAO,CACjC,GAAG,MAAM,mCAAmC,CAC7C,CAAA;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;IAClD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,OAAO,CAAqB,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAE7E,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;IAC7C,CAAC;IAED,OAAO,IAAI,CAAC,MAAM,CAAA;AACpB,CAAC,CAAA,CAAA;AAED,SAAS,cAAc,CAAC,MAAuB;IAC7C,MAAM,aAAa,GAAa,EAAE,CAAA;
IAElC,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,CAAC,CAAC,KAAK,IAAI,MAAM,CAAC,EAAE,CAAC;YACvB,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAC3B,CAAC;IACH,CAAC;IAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,mBAAmB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAChE,CAAC;AACH,CAAC;AAED,yDAAyD;AACzD,SAAS,SAAS;IAChB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,oBAAoB,CAAA;IAEvE,qDAAqD;IACrD,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,EAAE,CAAC,CAAA;IACrD,CAAC;IAED,IAAI,IAAI,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAA;IAEtC,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,IAAI,GAAG,uBAAuB,CAAA;IAChC,CAAC;IAED,OAAO,yBAAyB,IAAI,EAAE,CAAA;AACxC,CAAC"}
|
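--- a/package/lib/provenance.d.ts
+++ b/package/lib/provenance.d.ts
@@ -1,5 +1,5 @@
-import { AttestOptions } from './attest';
-import type { Attestation, Predicate } from './shared.types';
+import { AttestOptions } from './attest.js';
+import type { Attestation, Predicate } from './shared.types.js';
 export type AttestProvenanceOptions = Omit<AttestOptions, 'predicate' | 'predicateType'> & {
 issuer?: string;
 };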
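--- a/package/lib/provenance.js
+++ b/package/lib/provenance.js
@@ -1,4 +1,3 @@
-"use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
 function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
 return new (P || (P = Promise))(function (resolve, reject) {
@@ -8,11 +7,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 step((generator = generator.apply(thisArg, _arguments || [])).next());
 });
 };
-
-
-exports.attestProvenance = attestProvenance;
-const attest_1 = require("./attest");
-const oidc_1 = require("./oidc");
+import { attest } from './attest.js';
+import { getIDTokenClaims } from './oidc.js';
 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
 const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1';
 /**
@@ -24,9 +20,9 @@ const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1';
 * issuer.
 * @returns The SLSA provenance predicate.
 */
-const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
+export const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
 const serverURL = process.env.GITHUB_SERVER_URL;
-const claims = yield
+const claims = yield getIDTokenClaims(issuer);
 // Split just the path and ref from the workflow string.
 // owner/repo/.github/workflows/main.yml@main =>
 // .github/workflows/main.yml, main
@@ -73,7 +69,6 @@ const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void
 }
 };
 });
-exports.buildSLSAProvenancePredicate = buildSLSAProvenancePredicate;
 /**
 * Attests the build provenance of the provided subject. Generates the SLSA
 * build provenance predicate, assembles it into an in-toto statement, and
@@ -82,10 +77,10 @@ exports.buildSLSAProvenancePredicate = buildSLSAProvenancePredicate;
 * @param options - The options for attesting the provenance.
 * @returns A promise that resolves to the attestation.
 */
-function attestProvenance(options) {
+export function attestProvenance(options) {
 return __awaiter(this, void 0, void 0, function* () {
-const predicate = yield
-return
+const predicate = yield buildSLSAProvenancePredicate(options.issuer);
+return attest(Object.assign(Object.assign({}, options), { predicateType: predicate.type, predicate: predicate.params }));
 });
 }
 //# sourceMappingURL=provenance.js.map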
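Review bot: `buildSLSAProvenancePredicate` (exported at new line 23) reads `const serverURL = process.env.GITHUB_SERVER_URL;` with no fallback, whereas `buildGitHubEndpoints` in endpoints.js defaults the same variable to `'https://github.com'`; the predicate body that consumes `serverURL` lies between the hunks, but if it interpolates the value into builder and invocation URIs, an unset variable would produce the literal string "undefined" inside the provenance instead of failing. For consistency with endpoints.js I would use `const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';`, or throw explicitly when the variable is absent, so a provenance statement is never emitted with a malformed builder identity. `getIDTokenClaims(issuer)` at new line 25 passes the caller's `options.issuer` straight through, so the issuer-selection caveat that applies to oidc.js applies to this entry point as well.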
package/lib/provenance.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"provenance.js","sourceRoot":"","sources":["../src/provenance.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAC,MAAM,EAAgB,MAAM,aAAa,CAAA;AACjD,OAAO,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAA;AAG1C,MAAM,sBAAsB,GAAG,gCAAgC,CAAA;AAC/D,MAAM,iBAAiB,GAAG,kDAAkD,CAAA;AAS5E;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAC1C,MAAe,EACK,EAAE;IACtB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAA;IAC/C,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAE7C,wDAAwD;IACxD,gDAAgD;IAChD,qCAAqC;IACrC,MAAM,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,YAAY;SACvC,OAAO,CAAC,GAAG,MAAM,CAAC,UAAU,GAAG,EAAE,EAAE,CAAC;SACpC,KAAK,CAAC,GAAG,CAAC,CAAA;IAEb,OAAO;QACL,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE;YACN,eAAe,EAAE;gBACf,SAAS,EAAE,iBAAiB;gBAC5B,kBAAkB,EAAE;oBAClB,QAAQ,EAAE;wBACR,GAAG,EAAE,MAAM,CAAC,GAAG;wBACf,UAAU,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE;wBAC/C,IAAI,EAAE,YAAY;qBACnB;iBACF;gBACD,kBAAkB,EAAE;oBAClB,MAAM,EAAE;wBACN,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,aAAa,EAAE,MAAM,CAAC,aAAa;wBACnC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;wBAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;qBAC9C;iBACF;gBACD,oBAAoB,EAAE;oBACpB;wBACE,GAAG,EAAE,OAAO,SAAS,IAAI,MAAM,CAAC,UAAU,IAAI,MAAM,CAAC,GAAG,EAAE;wBAC1D,MAAM,EAAE;4BACN,SAAS,EAAE,MAAM,CAAC,GAAG;yBACtB;qBACF;iBACF;aACF;YACD,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,EAAE,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,gBAAgB,EAAE;iBAC9C;gBACD,QAAQ,EAAE;oBACR,YAAY,EAAE,GAAG,SAAS,IAAI,MAAM,CAAC,UAAU,iBAAiB,MAAM,CAAC,MAAM,aAAa,MAAM,CAAC,WAAW,EAAE;iBAC/G;aACF;SACF;KACF,CAAA;AACH,CAAC,CAAA,CAAA;AAED;;;;;;;GAOG;AACH,MAAM,UAAgB,gBAAgB,CACpC,OAAgC;;QAEhC,MAAM,SAAS,GAAG,MAAM,4BAA4B,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACpE,OAAO,MAAM,iCACR,OAAO,KACV,aAAa,EAAE,SAAS,CAAC,IAAI,EAC7B,SAAS,EAAE,SAAS,CAAC,MAAM,IAC3B,CAAA;IACJ,CAAC;CAAA"}
|
package/lib/shared.types.js
CHANGED
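--- a/package/lib/sign.js
+++ b/package/lib/sign.js
@@ -1,4 +1,3 @@
-"use strict";
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
 function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
 return new (P || (P = Promise))(function (resolve, reject) {
@@ -8,9 +7,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 step((generator = generator.apply(thisArg, _arguments || [])).next());
 });
 };
-
-exports.signPayload = void 0;
-const sign_1 = require("@sigstore/sign");
+import { CIContextProvider, DSSEBundleBuilder, FulcioSigner, RekorWitness, TSAWitness } from '@sigstore/sign';
 const OIDC_AUDIENCE = 'sigstore';
 const DEFAULT_TIMEOUT = 10000;
 const DEFAULT_RETRIES = 3;
@@ -21,7 +18,7 @@ const DEFAULT_RETRIES = 3;
 * @param options Signing options.
 * @returns A promise that resolves to the Sigstore signature bundle.
 */
-const signPayload = (payload, options) => __awaiter(void 0, void 0, void 0, function* () {
+export const signPayload = (payload, options) => __awaiter(void 0, void 0, void 0, function* () {
 const artifact = {
 data: payload.body,
 type: payload.type
@@ -29,21 +26,20 @@ const signPayload = (payload, options) => __awaiter(void 0, void 0, void 0, func
 // Sign the artifact and build the bundle
 return initBundleBuilder(options).create(artifact);
 });
-exports.signPayload = signPayload;
 // Assembles the Sigstore bundle builder with the appropriate options
 const initBundleBuilder = (opts) => {
-const identityProvider = new
+const identityProvider = new CIContextProvider(OIDC_AUDIENCE);
 const timeout = opts.timeout || DEFAULT_TIMEOUT;
 const retry = opts.retry || DEFAULT_RETRIES;
 const witnesses = [];
-const signer = new
+const signer = new FulcioSigner({
 identityProvider,
 fulcioBaseURL: opts.fulcioURL,
 timeout,
 retry
 });
 if (opts.rekorURL) {
-witnesses.push(new
+witnesses.push(new RekorWitness({
 rekorBaseURL: opts.rekorURL,
 fetchOnConflict: true,
 timeout,
@@ -51,7 +47,7 @@ const initBundleBuilder = (opts) => {
 }));
 }
 if (opts.tsaServerURL) {
-witnesses.push(new
+witnesses.push(new TSAWitness({
 tsaBaseURL: opts.tsaServerURL,
 timeout,
 retry
@@ -59,6 +55,6 @@ const initBundleBuilder = (opts) => {
 }
 // Build the bundle with the singleCertificate option which will
 // trigger the creation of v0.3 DSSE bundles
-return new
+return new DSSEBundleBuilder({ signer, witnesses });
 };
 //# sourceMappingURL=sign.js.map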
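Review bot: The `timeout` and `retry` defaults in initBundleBuilder still fall back with `||` (`opts.timeout || DEFAULT_TIMEOUT`, `opts.retry || DEFAULT_RETRIES`), so a caller passing `retry: 0` to disable retries silently gets 3, whereas store.js in this same release reads its retry count with `??`; the ESM conversion is a good moment to align them with `const timeout = opts.timeout ?? DEFAULT_TIMEOUT;` and `const retry = opts.retry ?? DEFAULT_RETRIES;`. The CI OIDC token obtained by `CIContextProvider` is sent to whatever `opts.fulcioURL` holds, and `rekorURL`/`tsaServerURL` are likewise passed through unchecked; a one-line `new URL(...)` protocol check rejecting non-https endpoints would keep a misconfigured option from leaking the token over plaintext. As a point of style, the module now emits `import`/`export` syntax but still routes every async function through the downlevelled `__awaiter` generator helper (store.js has the same helper); if the compile target can be raised to one with native async/await, the helper disappears and stack traces become readable. initBundleBuilder is cut across three hunks here, so parts of the Rekor and TSA witness construction are not visible in this section.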
package/lib/sign.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"sign.js","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAGL,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,EACZ,YAAY,EACZ,UAAU,EAEX,MAAM,gBAAgB,CAAA;AAEvB,MAAM,aAAa,GAAG,UAAU,CAAA;AAChC,MAAM,eAAe,GAAG,KAAK,CAAA;AAC7B,MAAM,eAAe,GAAG,CAAC,CAAA;AAqCzB;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,CACzB,OAAgB,EAChB,OAAoB,EACH,EAAE;IACnB,MAAM,QAAQ,GAAG;QACf,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAA;IAED,yCAAyC;IACzC,OAAO,iBAAiB,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;AACpD,CAAC,CAAA,CAAA;AAED,qEAAqE;AACrE,MAAM,iBAAiB,GAAG,CAAC,IAAiB,EAAiB,EAAE;IAC7D,MAAM,gBAAgB,GAAG,IAAI,iBAAiB,CAAC,aAAa,CAAC,CAAA;IAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,eAAe,CAAA;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,eAAe,CAAA;IAC3C,MAAM,SAAS,GAAc,EAAE,CAAA;IAE/B,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC;QAC9B,gBAAgB;QAChB,aAAa,EAAE,IAAI,CAAC,SAAS;QAC7B,OAAO;QACP,KAAK;KACN,CAAC,CAAA;IAEF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,SAAS,CAAC,IAAI,CACZ,IAAI,YAAY,CAAC;YACf,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,eAAe,EAAE,IAAI;YACrB,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;IACH,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,SAAS,CAAC,IAAI,CACZ,IAAI,UAAU,CAAC;YACb,UAAU,EAAE,IAAI,CAAC,YAAY;YAC7B,OAAO;YACP,KAAK;SACN,CAAC,CACH,CAAA;IACH,CAAC;IAED,gEAAgE;IAChE,4CAA4C;IAC5C,OAAO,IAAI,iBAAiB,CAAC,EAAC,MAAM,EAAE,SAAS,EAAC,CAAC,CAAA;AACnD,CAAC,CAAA"}
|
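--- a/package/lib/store.js
+++ b/package/lib/store.js
@@ -1,37 +1,3 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-var desc = Object.getOwnPropertyDescriptor(m, k);
-if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-desc = { enumerable: true, get: function() { return m[k]; } };
-}
-Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-if (k2 === undefined) k2 = k;
-o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-var ownKeys = function(o) {
-ownKeys = Object.getOwnPropertyNames || function (o) {
-var ar = [];
-for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-return ar;
-};
-return ownKeys(o);
-};
-return function (mod) {
-if (mod && mod.__esModule) return mod;
-var result = {};
-if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-__setModuleDefault(result, mod);
-return result;
-};
-})();
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
 function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
 return new (P || (P = Promise))(function (resolve, reject) {
@@ -41,10 +7,8 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 step((generator = generator.apply(thisArg, _arguments || [])).next());
 });
 };
-
-
-const github = __importStar(require("@actions/github"));
-const plugin_retry_1 = require("@octokit/plugin-retry");
+import * as github from '@actions/github';
+import { retry } from '@octokit/plugin-retry';
 const CREATE_ATTESTATION_REQUEST = 'POST /repos/{owner}/{repo}/attestations';
 const DEFAULT_RETRY_COUNT = 5;
 /**
@@ -54,10 +18,10 @@ const DEFAULT_RETRY_COUNT = 5;
 * @returns The ID of the attestation.
 * @throws Error if the attestation fails to persist.
 */
-const writeAttestation = (attestation_1, token_1, ...args_1) => __awaiter(void 0, [attestation_1, token_1, ...args_1], void 0, function* (attestation, token, options = {}) {
+export const writeAttestation = (attestation_1, token_1, ...args_1) => __awaiter(void 0, [attestation_1, token_1, ...args_1], void 0, function* (attestation, token, options = {}) {
 var _a;
 const retries = (_a = options.retry) !== null && _a !== void 0 ? _a : DEFAULT_RETRY_COUNT;
-const octokit = github.getOctokit(token, { retry: { retries } },
+const octokit = github.getOctokit(token, { retry: { retries } }, retry);
 try {
 const response = yield octokit.request(CREATE_ATTESTATION_REQUEST, {
 owner: github.context.repo.owner,
@@ -75,5 +39,4 @@ const writeAttestation = (attestation_1, token_1, ...args_1) => __awaiter(void 0
 throw new Error(`Failed to persist attestation: ${message}`);
 }
 });
-exports.writeAttestation = writeAttestation;
 //# sourceMappingURL=store.js.map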
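Review bot: The new `github.getOctokit(token, { retry: { retries } }, retry)` line builds the client without checking `token`; unless the caller already validates it, an empty or undefined token produces an unauthenticated client whose 401 only surfaces as the generic `Failed to persist attestation: …` message below, so a guard such as `if (!token) throw new Error('A GitHub token is required to persist the attestation');` placed before the client is built would make the failure obvious. The `@octokit/core` override that previously pinned the version used by `@octokit/plugin-retry` is dropped in package.json at the same time the plugin moves to `^8.0.3`, so the plugin now binds to whatever core `@actions/github@^9` resolves; a mismatch could leave the retry wiring ineffective without any error, and a test asserting that a 5xx response is actually retried `retries` times would confirm it. writeAttestation's request body and the catch block that formats `message` lie between the hunks and are not visible in this section.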
package/lib/store.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"store.js","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"store.js","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,KAAK,MAAM,MAAM,iBAAiB,CAAA;AACzC,OAAO,EAAC,KAAK,EAAC,MAAM,uBAAuB,CAAA;AAG3C,MAAM,0BAA0B,GAAG,yCAAyC,CAAA;AAC5E,MAAM,mBAAmB,GAAG,CAAC,CAAA;AAM7B;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,oCAIb,EAAE,2EAHnB,WAAoB,EACpB,KAAa,EACb,UAAwB,EAAE;;IAE1B,MAAM,OAAO,GAAG,MAAA,OAAO,CAAC,KAAK,mCAAI,mBAAmB,CAAA;IACpD,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,EAAC,KAAK,EAAE,EAAC,OAAO,EAAC,EAAC,EAAE,KAAK,CAAC,CAAA;IAEnE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,0BAA0B,EAAE;YACjE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK;YAChC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI;YAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,MAAM,EAAE,WAIP;SACF,CAAC,CAAA;QAEF,MAAM,IAAI,GACR,OAAO,QAAQ,CAAC,IAAI,IAAI,QAAQ;YAC9B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;YAC3B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAA;QACnB,OAAO,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,EAAE,CAAA;IACjB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAA;QACxD,MAAM,IAAI,KAAK,CAAC,kCAAkC,OAAO,EAAE,CAAC,CAAA;IAC9D,CAAC;AACH,CAAC,CAAA,CAAA"}
|
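--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@actions/attest",
-"version": "
+"version": "3.0.0",
 "description": "Actions attestation lib",
 "keywords": [
 "github",
@@ -9,8 +9,15 @@
 ],
 "homepage": "https://github.com/actions/toolkit/tree/main/packages/attest",
 "license": "MIT",
+"type": "module",
 "main": "lib/index.js",
 "types": "lib/index.d.ts",
+"exports": {
+".": {
+"types": "./lib/index.d.ts",
+"import": "./lib/index.js"
+}
+},
 "directories": {
 "lib": "lib",
 "test": "__tests__"
@@ -42,17 +49,12 @@
 "undici": "^6.23.0"
 },
 "dependencies": {
-"@actions/core": "^
-"@actions/github": "^
-"@actions/http-client": "^
-"@octokit/plugin-retry": "^
+"@actions/core": "^3.0.0",
+"@actions/github": "^9.0.0",
+"@actions/http-client": "^4.0.0",
+"@octokit/plugin-retry": "^8.0.3",
 "@sigstore/bundle": "^3.1.0",
 "@sigstore/sign": "^3.1.0",
 "jose": "^5.10.0"
-},
-"overrides": {
-"@octokit/plugin-retry": {
-"@octokit/core": "^5.2.0"
-}
 }
 }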
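Review bot: The new `exports` map declares only `types` and `import` conditions for `.`, so `main` is no longer consulted and a `require('@actions/attest')` call, including Node's require(esm) path, is rejected with ERR_PACKAGE_PATH_NOT_EXPORTED. If dropping CommonJS consumers is the intent behind the 3.0.0 major, a sentence in the release notes saying so would save users a confusing resolution error; otherwise add a `"default": "./lib/index.js"` condition. Removing the `overrides` block for `@octokit/plugin-retry` while bumping it to `^8.0.3` and `@actions/github` to `^9.0.0` means the two now negotiate `@octokit/core` freely, so the lockfile should be checked to confirm a single resolved copy.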