From b24527d9cbfd6c27196c10f8dccbacaa2a1c53f2 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Wed, 12 Jun 2024 13:17:25 -0700
Subject: [PATCH] Bump @actions/attest from 1.2.1 to 1.3.0 (#89)
Signed-off-by: Brian DeHamer
---
 dist/index.js | 33 +++++++++++++++----------
 package-lock.json | 62 +++++++++++++++++++++++------------------
 package.json | 4 +--
 3 files changed, 53 insertions(+), 46 deletions(-)
diff --git a/dist/index.js b/dist/index.js
index bd865ee7..b2f867e8 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -116,22 +116,16 @@ var __importStar = (this && this.__importStar) || function (mod) {
 return result;
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.signingEndpoints = exports.SIGSTORE_GITHUB = exports.SIGSTORE_PUBLIC_GOOD = void 0;
+exports.signingEndpoints = exports.SIGSTORE_PUBLIC_GOOD = void 0;
 const github = __importStar(__nccwpck_require__(95438));
 const PUBLIC_GOOD_ID = 'public-good';
 const GITHUB_ID = 'github';
 const FULCIO_PUBLIC_GOOD_URL = 'https://fulcio.sigstore.dev';
 const REKOR_PUBLIC_GOOD_URL = 'https://rekor.sigstore.dev';
-const FULCIO_INTERNAL_URL = 'https://fulcio.githubapp.com';
-const TSA_INTERNAL_URL = 'https://timestamp.githubapp.com';
 exports.SIGSTORE_PUBLIC_GOOD = {
 fulcioURL: FULCIO_PUBLIC_GOOD_URL,
 rekorURL: REKOR_PUBLIC_GOOD_URL
 };
-exports.SIGSTORE_GITHUB = {
- fulcioURL: FULCIO_INTERNAL_URL,
- tsaServerURL: TSA_INTERNAL_URL
-};
 const signingEndpoints = (sigstore) => {
 var _a;
 let instance;
@@ -150,10 +144,21 @@ const signingEndpoints = (sigstore) => {
 case PUBLIC_GOOD_ID:
 return exports.SIGSTORE_PUBLIC_GOOD;
 case GITHUB_ID:
- return exports.SIGSTORE_GITHUB;
+ return buildGitHubEndpoints();
 }
 };
 exports.signingEndpoints = signingEndpoints;
+function buildGitHubEndpoints() {
+ const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';
+ let host = new URL(serverURL).hostname;
+ if (host === 'github.com') {
+ host = 'githubapp.com';
+ }
+ return {
+ fulcioURL: `https://fulcio.${host}`,
+ tsaServerURL: `https://timestamp.${host}`
+ };
+}
 //# sourceMappingURL=endpoints.js.map
 /***/ }),
@@ -254,6 +259,7 @@ const REQUIRED_CLAIMS = [
 'sha',
 'repository',
 'event_name',
+ 'job_workflow_ref',
 'workflow_ref',
 'repository_id',
 'repository_owner_id',
@@ -346,8 +352,7 @@ exports.attestProvenance = exports.buildSLSAProvenancePredicate = void 0;
 const attest_1 = __nccwpck_require__(46373);
 const oidc_1 = __nccwpck_require__(95847);
 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
-const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner';
-const GITHUB_BUILD_TYPE = 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1';
+const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1';
 const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
 /**
 * Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
@@ -383,7 +388,8 @@ const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void
 github: {
 event_name: claims.event_name,
 repository_id: claims.repository_id,
- repository_owner_id: claims.repository_owner_id
+ repository_owner_id: claims.repository_owner_id,
+ runner_environment: claims.runner_environment
 }
 },
 resolvedDependencies: [
@@ -397,7 +403,7 @@ const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void
 },
 runDetails: {
 builder: {
- id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
+ id: `${serverURL}/${claims.job_workflow_ref}`
 },
 metadata: {
 invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`
@@ -478,6 +484,7 @@ const initBundleBuilder = (opts) => {
 witnesses.push(new sign_1.RekorWitness({
 rekorBaseURL: opts.rekorURL,
 entryType: 'dsse',
+ fetchOnConflict: true,
 timeout,
 retry
 }));
@@ -94351,7 +94358,7 @@ exports.parse = parse;
 /***/ ((module) => {
 "use strict";
-module.exports = {"i8":"2.3.1"};
+module.exports = {"i8":"2.3.2"};
 /***/ }),
diff --git a/package-lock.json b/package-lock.json
index 55c8ec85..4bdbc2af 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,15 +1,15 @@
 {
 "name": "actions/attest",
- "version": "1.2.1",
+ "version": "1.3.0",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "actions/attest",
- "version": "1.2.1",
+ "version": "1.3.0",
 "license": "MIT",
 "dependencies": {
- "@actions/attest": "^1.2.1",
+ "@actions/attest": "^1.3.0",
 "@actions/core": "^1.10.1",
 "@actions/glob": "^0.4.0",
 "@sigstore/oci": "^0.3.6",
@@ -51,16 +51,16 @@
 }
 },
 "node_modules/@actions/attest": {
- "version": "1.2.1",
- "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.2.1.tgz",
- "integrity": "sha512-ZLfmO6o2x3UL2BG++oIHMPx5kApWr8Uy1cgiiafXpHgamsqFUPjUtcp0/gpOaXkxUZftdVno7NwBTisw8qr9UA==",
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.0.tgz",
+ "integrity": "sha512-Xmv+HIefU8PMx3q+BwGmL28MLyQ2FF05ROZjH+iuoQ9q43qzmbJmmzou3NBOSspUa1N2nVtirPq7jPj9g8AMEg==",
 "dependencies": {
 "@actions/core": "^1.10.1",
 "@actions/github": "^6.0.0",
 "@actions/http-client": "^2.2.1",
 "@octokit/plugin-retry": "^6.0.1",
- "@sigstore/bundle": "^2.3.0",
- "@sigstore/sign": "^2.3.0",
+ "@sigstore/bundle": "^2.3.2",
+ "@sigstore/sign": "^2.3.2",
 "jsonwebtoken": "^9.0.2",
 "jwks-rsa": "^3.1.0"
 }
@@ -1689,11 +1689,11 @@
 }
 },
 "node_modules/@sigstore/bundle": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.1.tgz",
- "integrity": "sha512-eqV17lO3EIFqCWK3969Rz+J8MYrRZKw9IBHpSo6DEcEX2c+uzDFOgHE9f2MnyDpfs48LFO4hXmk9KhQ74JzU1g==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.2.tgz",
+ "integrity": "sha512-wueKWDk70QixNLB363yHc2D2ItTgYiMTdPwK8D9dKQMR3ZQ0c35IxP5xnwQ8cNLoCgCRcHf14kE+CLIvNX1zmA==",
 "dependencies": {
- "@sigstore/protobuf-specs": "^0.3.1"
+ "@sigstore/protobuf-specs": "^0.3.2"
 },
 "engines": {
 "node": "^16.14.0 || >=18.0.0"
@@ -1749,13 +1749,13 @@
 }
 },
 "node_modules/@sigstore/sign": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.1.tgz",
- "integrity": "sha512-YZ71wKIOweC8ViUeZXboz0iPLqMkskxuoeN/D1CEpAyZvEepbX9oRMIoO6a/DxUqO1VEaqmcmmqzSiqtOsvSmw==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.2.tgz",
+ "integrity": "sha512-5Vz5dPVuunIIvC5vBb0APwo7qKA4G9yM48kPWJT+OEERs40md5GoUR1yedwpekWZ4m0Hhw44m6zU+ObsON+iDA==",
 "dependencies": {
- "@sigstore/bundle": "^2.3.0",
+ "@sigstore/bundle": "^2.3.2",
 "@sigstore/core": "^1.0.0",
- "@sigstore/protobuf-specs": "^0.3.1",
+ "@sigstore/protobuf-specs": "^0.3.2",
 "make-fetch-happen": "^13.0.1",
 "proc-log": "^4.2.0",
 "promise-retry": "^2.0.1"
@@ -8666,16 +8666,16 @@
 "dev": true
 },
 "@actions/attest": {
- "version": "1.2.1",
- "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.2.1.tgz",
- "integrity": "sha512-ZLfmO6o2x3UL2BG++oIHMPx5kApWr8Uy1cgiiafXpHgamsqFUPjUtcp0/gpOaXkxUZftdVno7NwBTisw8qr9UA==",
+ "version": "1.3.0",
+ "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.0.tgz",
+ "integrity": "sha512-Xmv+HIefU8PMx3q+BwGmL28MLyQ2FF05ROZjH+iuoQ9q43qzmbJmmzou3NBOSspUa1N2nVtirPq7jPj9g8AMEg==",
 "requires": {
 "@actions/core": "^1.10.1",
 "@actions/github": "^6.0.0",
 "@actions/http-client": "^2.2.1",
 "@octokit/plugin-retry": "^6.0.1",
- "@sigstore/bundle": "^2.3.0",
- "@sigstore/sign": "^2.3.0",
+ "@sigstore/bundle": "^2.3.2",
+ "@sigstore/sign": "^2.3.2",
 "jsonwebtoken": "^9.0.2",
 "jwks-rsa": "^3.1.0"
 }
@@ -9807,11 +9807,11 @@
 "dev": true
 },
 "@sigstore/bundle": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.1.tgz",
- "integrity": "sha512-eqV17lO3EIFqCWK3969Rz+J8MYrRZKw9IBHpSo6DEcEX2c+uzDFOgHE9f2MnyDpfs48LFO4hXmk9KhQ74JzU1g==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.2.tgz",
+ "integrity": "sha512-wueKWDk70QixNLB363yHc2D2ItTgYiMTdPwK8D9dKQMR3ZQ0c35IxP5xnwQ8cNLoCgCRcHf14kE+CLIvNX1zmA==",
 "requires": {
- "@sigstore/protobuf-specs": "^0.3.1"
+ "@sigstore/protobuf-specs": "^0.3.2"
 }
 },
 "@sigstore/core": {
@@ -9852,13 +9852,13 @@
 "integrity": "sha512-c6B0ehIWxMI8wiS/bj6rHMPqeFvngFV7cDU/MY+B16P9Z3Mp9k8L93eYZ7BYzSickzuqAQqAq0V956b3Ju6mLw=="
 },
 "@sigstore/sign": {
- "version": "2.3.1",
- "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.1.tgz",
- "integrity": "sha512-YZ71wKIOweC8ViUeZXboz0iPLqMkskxuoeN/D1CEpAyZvEepbX9oRMIoO6a/DxUqO1VEaqmcmmqzSiqtOsvSmw==",
+ "version": "2.3.2",
+ "resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.2.tgz",
+ "integrity": "sha512-5Vz5dPVuunIIvC5vBb0APwo7qKA4G9yM48kPWJT+OEERs40md5GoUR1yedwpekWZ4m0Hhw44m6zU+ObsON+iDA==",
 "requires": {
- "@sigstore/bundle": "^2.3.0",
+ "@sigstore/bundle": "^2.3.2",
 "@sigstore/core": "^1.0.0",
- "@sigstore/protobuf-specs": "^0.3.1",
+ "@sigstore/protobuf-specs": "^0.3.2",
 "make-fetch-happen": "^13.0.1",
 "proc-log": "^4.2.0",
 "promise-retry": "^2.0.1"
diff --git a/package.json b/package.json
index 4fe14eb2..0896afba 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "actions/attest",
 "description": "Generate signed attestations for workflow artifacts",
- "version": "1.2.1",
+ "version": "1.3.0",
 "author": "",
 "private": true,
 "homepage": "https://github.com/actions/attest",
@@ -69,7 +69,7 @@
 ]
 },
 "dependencies": {
- "@actions/attest": "^1.2.1",
+ "@actions/attest": "^1.3.0",
 "@actions/core": "^1.10.1",
 "@actions/glob": "^0.4.0",
 "@sigstore/oci": "^0.3.6",