
6 Commits

Author SHA1 Message Date
Brian DeHamer 740d40239e wip
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-09-18 15:26:14 -07:00
dependabot[bot] 4c42c37b1b Bump the npm-development group across 1 directory with 4 updates (#240)
Bumps the npm-development group with 4 updates in the / directory: [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint-plugin-github](https://github.com/github/eslint-plugin-github) and [typescript](https://github.com/microsoft/TypeScript).


Updates `@types/jest` from 29.5.12 to 29.5.13
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

Updates `@types/node` from 22.5.4 to 22.5.5
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-github` from 5.0.1 to 5.0.2
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v5.0.1...v5.0.2)

Updates `typescript` from 5.5.4 to 5.6.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.5.4...v5.6.2)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-16 12:04:17 -07:00
Brian DeHamer 2de3600266 bump jose from 5.8.0 to 5.9.2 (#239)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-09-16 11:58:51 -07:00
dependabot[bot] dc98cd55e1 Bump the npm-development group with 2 updates (#229)
Bumps the npm-development group with 2 updates: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest).


Updates `@types/node` from 22.5.2 to 22.5.4
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-jest` from 28.8.1 to 28.8.3
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v28.8.1...v28.8.3)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-09 19:31:43 -07:00
Brian DeHamer 43c221e61f add stamp tag to prober (#227)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-09-05 16:25:38 -07:00
Brian DeHamer 1c608d11d6 bump predicate from 1.1.2 to 1.1.3 (#226)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-09-05 10:18:01 -07:00
5 changed files with 439 additions and 85 deletions
+29 -13
@@ -5,6 +5,20 @@ on:
inputs:
sigstore:
description: 'Which Sigstore instance to use for signing'
default: 'public-good'
required: false
type: string
secrets:
trust-domain:
description: 'Trust domain in which the test is executed'
required: true
type: string
service:
description: 'Service against which status should be reported'
required: true
type: string
team:
description: 'Team associated with status report'
required: true
type: string
@@ -16,6 +30,8 @@ jobs:
id-token: write
steps:
- uses: hmarr/debug-action@v2
- name: Request OIDC Token
run: |
curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
@@ -28,6 +44,11 @@ jobs:
run: |
date > artifact
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
path: "artifact"
- name: Attest build provenance
uses: actions/attest-build-provenance@v1
env:
@@ -41,11 +62,6 @@ jobs:
run: |
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
path: "artifact"
- name: Report attestation prober success
if: ${{ success() }}
uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
@@ -56,12 +72,12 @@ jobs:
status: 0
host_name: github.com
tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
- "service:${{ secrets.CATALOG_SERVICE }}"
- "deployed_to:production"
- "catalog_service:${{ secrets.service }}"
- "service:${{ secrets.service }}"
- "stamp:${{ secrets.trust-domain }}"
- "env:production"
- "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}"
- "team:${{ secrets.team }}"
- "sigstore:${{ inputs.sigstore }}"
- name: Report attestation prober failure
@@ -75,10 +91,10 @@ jobs:
status: 2
host_name: github.com
tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
- "service:${{ secrets.CATALOG_SERVICE }}"
- "deployed_to:production"
- "catalog_service:${{ secrets.service }}"
- "service:${{ secrets.service }}"
- "stamp:${{ secrets.trust-domain }}"
- "env:production"
- "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}"
- "team:${{ secrets.team }}"
- "sigstore:${{ inputs.sigstore }}"
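Review bot: The `- uses: hmarr/debug-action@v2` step at the top of `steps:` references a third-party action by a movable tag in a job that holds `id-token: write`, while the `masci/datadog` step later in the same file is pinned to a full commit SHA. A tag can be re-pointed upstream, so whatever it resolves to at run time executes in the same job that requests the OIDC token and creates the attestation. The hunk counts suggest this step is new in this change, although the +/- markers are lost on this page. Pin it the way the other actions are pinned, `- uses: hmarr/debug-action@<full-commit-sha> # v2` (placeholder; resolve the real SHA for the tag), or drop the step before this leaves wip. The job's step list starts and ends outside the hunk.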
+1 -1
@@ -50,7 +50,7 @@ outputs:
runs:
using: 'composite'
steps:
- uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # predicate@1.1.2
- uses: actions/attest-build-provenance/predicate@f1185f1959cdaeda41a7f5a7b43cbe6b58a7a793 # predicate@1.1.3
id: generate-build-provenance-predicate
- uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1
id: attest
Generated Vendored
+168 -38
@@ -26010,7 +26010,7 @@ function isCloudflareWorkers() {
let USER_AGENT;
if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
const NAME = 'jose';
const VERSION = 'v5.8.0';
const VERSION = 'v5.9.2';
USER_AGENT = `${NAME}/${VERSION}`;
}
exports.jwksCache = Symbol();
@@ -26275,7 +26275,7 @@ class FlattenedSign {
if (typeof alg !== 'string' || !alg) {
throw new errors_js_1.JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
}
(0, check_key_type_js_1.default)(alg, key, 'sign');
(0, check_key_type_js_1.checkKeyTypeWithJwk)(alg, key, 'sign');
let payload = this._payload;
if (b64) {
payload = buffer_utils_js_1.encoder.encode((0, base64url_js_1.encode)(payload));
@@ -26326,6 +26326,8 @@ const is_object_js_1 = __nccwpck_require__(39127);
const check_key_type_js_1 = __nccwpck_require__(56241);
const validate_crit_js_1 = __nccwpck_require__(50863);
const validate_algorithms_js_1 = __nccwpck_require__(55148);
const is_jwk_js_1 = __nccwpck_require__(8377);
const import_js_1 = __nccwpck_require__(74230);
async function flattenedVerify(jws, key, options) {
if (!(0, is_object_js_1.default)(jws)) {
throw new errors_js_1.JWSInvalid('Flattened JWS must be an object');
@@ -26390,8 +26392,14 @@ async function flattenedVerify(jws, key, options) {
if (typeof key === 'function') {
key = await key(parsedProt, jws);
resolvedKey = true;
(0, check_key_type_js_1.checkKeyTypeWithJwk)(alg, key, 'verify');
if ((0, is_jwk_js_1.isJWK)(key)) {
key = await (0, import_js_1.importJWK)(key, alg);
}
}
else {
(0, check_key_type_js_1.checkKeyTypeWithJwk)(alg, key, 'verify');
}
(0, check_key_type_js_1.default)(alg, key, 'verify');
const data = (0, buffer_utils_js_1.concat)(buffer_utils_js_1.encoder.encode(jws.protected ?? ''), buffer_utils_js_1.encoder.encode('.'), typeof jws.payload === 'string' ? buffer_utils_js_1.encoder.encode(jws.payload) : jws.payload);
let signature;
try {
@@ -27142,22 +27150,53 @@ exports["default"] = checkIvLength;
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.checkKeyTypeWithJwk = void 0;
const invalid_key_input_js_1 = __nccwpck_require__(1146);
const is_key_like_js_1 = __nccwpck_require__(17947);
const jwk = __nccwpck_require__(8377);
const tag = (key) => key?.[Symbol.toStringTag];
const symmetricTypeCheck = (alg, key) => {
const jwkMatchesOp = (alg, key, usage) => {
if (key.use !== undefined && key.use !== 'sig') {
throw new TypeError('Invalid key for this operation, when present its use must be sig');
}
if (key.key_ops !== undefined && key.key_ops.includes?.(usage) !== true) {
throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${usage}`);
}
if (key.alg !== undefined && key.alg !== alg) {
throw new TypeError(`Invalid key for this operation, when present its alg must be ${alg}`);
}
return true;
};
const symmetricTypeCheck = (alg, key, usage, allowJwk) => {
if (key instanceof Uint8Array)
return;
if (allowJwk && jwk.isJWK(key)) {
if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))
return;
throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
}
if (!(0, is_key_like_js_1.default)(key)) {
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types, 'Uint8Array'));
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types, 'Uint8Array', allowJwk ? 'JSON Web Key' : null));
}
if (key.type !== 'secret') {
throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
}
};
const asymmetricTypeCheck = (alg, key, usage) => {
const asymmetricTypeCheck = (alg, key, usage, allowJwk) => {
if (allowJwk && jwk.isJWK(key)) {
switch (usage) {
case 'sign':
if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))
return;
throw new TypeError(`JSON Web Key for this operation be a private JWK`);
case 'verify':
if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))
return;
throw new TypeError(`JSON Web Key for this operation be a public JWK`);
}
}
if (!(0, is_key_like_js_1.default)(key)) {
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types));
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types, allowJwk ? 'JSON Web Key' : null));
}
if (key.type === 'secret') {
throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
@@ -27175,19 +27214,20 @@ const asymmetricTypeCheck = (alg, key, usage) => {
throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
}
};
const checkKeyType = (alg, key, usage) => {
function checkKeyType(allowJwk, alg, key, usage) {
const symmetric = alg.startsWith('HS') ||
alg === 'dir' ||
alg.startsWith('PBES2') ||
/^A\d{3}(?:GCM)?KW$/.test(alg);
if (symmetric) {
symmetricTypeCheck(alg, key);
symmetricTypeCheck(alg, key, usage, allowJwk);
}
else {
asymmetricTypeCheck(alg, key, usage);
asymmetricTypeCheck(alg, key, usage, allowJwk);
}
};
exports["default"] = checkKeyType;
}
exports["default"] = checkKeyType.bind(undefined, false);
exports.checkKeyTypeWithJwk = checkKeyType.bind(undefined, true);
/***/ }),
@@ -27631,6 +27671,7 @@ exports["default"] = (date) => Math.floor(date.getTime() / 1000);
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.withAlg = void 0;
function message(msg, actual, ...types) {
types = types.filter(Boolean);
if (types.length > 2) {
const last = types.pop();
msg += `one of type ${types.join(', ')}, or ${last}.`;
@@ -27695,6 +27736,34 @@ const isDisjoint = (...headers) => {
exports["default"] = isDisjoint;
/***/ }),
/***/ 8377:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.isSecretJWK = exports.isPublicJWK = exports.isPrivateJWK = exports.isJWK = void 0;
const is_object_js_1 = __nccwpck_require__(39127);
function isJWK(key) {
return (0, is_object_js_1.default)(key) && typeof key.kty === 'string';
}
exports.isJWK = isJWK;
function isPrivateJWK(key) {
return key.kty !== 'oct' && typeof key.d === 'string';
}
exports.isPrivateJWK = isPrivateJWK;
function isPublicJWK(key) {
return key.kty !== 'oct' && typeof key.d === 'undefined';
}
exports.isPublicJWK = isPublicJWK;
function isSecretJWK(key) {
return isJWK(key) && key.kty === 'oct' && typeof key.k === 'string';
}
exports.isSecretJWK = isSecretJWK;
/***/ }),
/***/ 39127:
@@ -28158,7 +28227,7 @@ const decodeBase64 = (input) => new Uint8Array(node_buffer_1.Buffer.from(input,
exports.decodeBase64 = decodeBase64;
const encodeBase64 = (input) => node_buffer_1.Buffer.from(input).toString('base64');
exports.encodeBase64 = encodeBase64;
const decode = (input) => new Uint8Array(node_buffer_1.Buffer.from(normalize(input), 'base64'));
const decode = (input) => new Uint8Array(node_buffer_1.Buffer.from(normalize(input), 'base64url'));
exports.decode = decode;
@@ -28229,13 +28298,23 @@ exports["default"] = checkCekLength;
/***/ }),
/***/ 94647:
/***/ ((__unused_webpack_module, exports) => {
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
Object.defineProperty(exports, "__esModule", ({ value: true }));
const node_crypto_1 = __nccwpck_require__(6005);
exports["default"] = (key, alg) => {
const { modulusLength } = key.asymmetricKeyDetails;
let modulusLength;
try {
if (key instanceof node_crypto_1.KeyObject) {
modulusLength = key.asymmetricKeyDetails?.modulusLength;
}
else {
modulusLength = Buffer.from(key.n, 'base64url').byteLength << 3;
}
}
catch { }
if (typeof modulusLength !== 'number' || modulusLength < 2048) {
throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
}
@@ -28759,6 +28838,7 @@ const webcrypto_js_1 = __nccwpck_require__(86852);
const is_key_object_js_1 = __nccwpck_require__(62768);
const invalid_key_input_js_1 = __nccwpck_require__(1146);
const is_key_like_js_1 = __nccwpck_require__(17947);
const is_jwk_js_1 = __nccwpck_require__(8377);
exports.weakMap = new WeakMap();
const namedCurveToJOSE = (namedCurve) => {
switch (namedCurve) {
@@ -28782,6 +28862,9 @@ const getNamedCurve = (kee, raw) => {
else if ((0, is_key_object_js_1.default)(kee)) {
key = kee;
}
else if ((0, is_jwk_js_1.isJWK)(kee)) {
return kee.crv;
}
else {
throw new TypeError((0, invalid_key_input_js_1.default)(kee, ...is_key_like_js_1.types));
}
@@ -28822,6 +28905,7 @@ const webcrypto_js_1 = __nccwpck_require__(86852);
const crypto_key_js_1 = __nccwpck_require__(73386);
const invalid_key_input_js_1 = __nccwpck_require__(1146);
const is_key_like_js_1 = __nccwpck_require__(17947);
const jwk = __nccwpck_require__(8377);
function getSignVerifyKey(alg, key, usage) {
if (key instanceof Uint8Array) {
if (!alg.startsWith('HS')) {
@@ -28836,7 +28920,13 @@ function getSignVerifyKey(alg, key, usage) {
(0, crypto_key_js_1.checkSigCryptoKey)(key, alg, usage);
return node_crypto_1.KeyObject.from(key);
}
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, 'Uint8Array'));
if (jwk.isJWK(key)) {
if (alg.startsWith('HS')) {
return (0, node_crypto_1.createSecretKey)(Buffer.from(key.k, 'base64url'));
}
return key;
}
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, 'Uint8Array', 'JSON Web Key'));
}
exports["default"] = getSignVerifyKey;
@@ -28905,8 +28995,11 @@ exports["default"] = (obj) => util.types.isKeyObject(obj);
Object.defineProperty(exports, "__esModule", ({ value: true }));
const node_crypto_1 = __nccwpck_require__(6005);
const parse = (jwk) => {
return (jwk.d ? node_crypto_1.createPrivateKey : node_crypto_1.createPublicKey)({ format: 'jwk', key: jwk });
const parse = (key) => {
if (key.d) {
return (0, node_crypto_1.createPrivateKey)({ format: 'jwk', key });
}
return (0, node_crypto_1.createPublicKey)({ format: 'jwk', key });
};
exports["default"] = parse;
@@ -28967,10 +29060,6 @@ const node_crypto_1 = __nccwpck_require__(6005);
const get_named_curve_js_1 = __nccwpck_require__(99302);
const errors_js_1 = __nccwpck_require__(94419);
const check_key_length_js_1 = __nccwpck_require__(94647);
const PSS = {
padding: node_crypto_1.constants.RSA_PKCS1_PSS_PADDING,
saltLength: node_crypto_1.constants.RSA_PSS_SALTLEN_DIGEST,
};
const ecCurveAlgMap = new Map([
['ES256', 'P-256'],
['ES256K', 'secp256k1'],
@@ -28978,25 +29067,57 @@ const ecCurveAlgMap = new Map([
['ES512', 'P-521'],
]);
function keyForCrypto(alg, key) {
let asymmetricKeyType;
let asymmetricKeyDetails;
let isJWK;
if (key instanceof node_crypto_1.KeyObject) {
asymmetricKeyType = key.asymmetricKeyType;
asymmetricKeyDetails = key.asymmetricKeyDetails;
}
else {
isJWK = true;
switch (key.kty) {
case 'RSA':
asymmetricKeyType = 'rsa';
break;
case 'EC':
asymmetricKeyType = 'ec';
break;
case 'OKP': {
if (key.crv === 'Ed25519') {
asymmetricKeyType = 'ed25519';
break;
}
if (key.crv === 'Ed448') {
asymmetricKeyType = 'ed448';
break;
}
throw new TypeError('Invalid key for this operation, its crv must be Ed25519 or Ed448');
}
default:
throw new TypeError('Invalid key for this operation, its kty must be RSA, OKP, or EC');
}
}
let options;
switch (alg) {
case 'EdDSA':
if (!['ed25519', 'ed448'].includes(key.asymmetricKeyType)) {
if (!['ed25519', 'ed448'].includes(asymmetricKeyType)) {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448');
}
return key;
break;
case 'RS256':
case 'RS384':
case 'RS512':
if (key.asymmetricKeyType !== 'rsa') {
if (asymmetricKeyType !== 'rsa') {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be rsa');
}
(0, check_key_length_js_1.default)(key, alg);
return key;
break;
case 'PS256':
case 'PS384':
case 'PS512':
if (key.asymmetricKeyType === 'rsa-pss') {
const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = key.asymmetricKeyDetails;
if (asymmetricKeyType === 'rsa-pss') {
const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = asymmetricKeyDetails;
const length = parseInt(alg.slice(-3), 10);
if (hashAlgorithm !== undefined &&
(hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm)) {
@@ -29006,16 +29127,20 @@ function keyForCrypto(alg, key) {
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${alg}`);
}
}
else if (key.asymmetricKeyType !== 'rsa') {
else if (asymmetricKeyType !== 'rsa') {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss');
}
(0, check_key_length_js_1.default)(key, alg);
return { key, ...PSS };
options = {
padding: node_crypto_1.constants.RSA_PKCS1_PSS_PADDING,
saltLength: node_crypto_1.constants.RSA_PSS_SALTLEN_DIGEST,
};
break;
case 'ES256':
case 'ES256K':
case 'ES384':
case 'ES512': {
if (key.asymmetricKeyType !== 'ec') {
if (asymmetricKeyType !== 'ec') {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be ec');
}
const actual = (0, get_named_curve_js_1.default)(key);
@@ -29023,11 +29148,16 @@ function keyForCrypto(alg, key) {
if (actual !== expected) {
throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${expected}, got ${actual}`);
}
return { dsaEncoding: 'ieee-p1363', key };
options = { dsaEncoding: 'ieee-p1363' };
break;
}
default:
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
if (isJWK) {
return { format: 'jwk', key, ...options };
}
return options ? { ...options, key } : key;
}
exports["default"] = keyForCrypto;
@@ -29218,13 +29348,13 @@ const node_key_js_1 = __nccwpck_require__(52413);
const get_sign_verify_key_js_1 = __nccwpck_require__(53170);
const oneShotSign = (0, node_util_1.promisify)(crypto.sign);
const sign = async (alg, key, data) => {
const keyObject = (0, get_sign_verify_key_js_1.default)(alg, key, 'sign');
const k = (0, get_sign_verify_key_js_1.default)(alg, key, 'sign');
if (alg.startsWith('HS')) {
const hmac = crypto.createHmac((0, hmac_digest_js_1.default)(alg), keyObject);
const hmac = crypto.createHmac((0, hmac_digest_js_1.default)(alg), k);
hmac.update(data);
return hmac.digest();
}
return oneShotSign((0, dsa_digest_js_1.default)(alg), data, (0, node_key_js_1.default)(alg, keyObject));
return oneShotSign((0, dsa_digest_js_1.default)(alg), data, (0, node_key_js_1.default)(alg, k));
};
exports["default"] = sign;
@@ -29258,9 +29388,9 @@ const sign_js_1 = __nccwpck_require__(69935);
const get_sign_verify_key_js_1 = __nccwpck_require__(53170);
const oneShotVerify = (0, node_util_1.promisify)(crypto.verify);
const verify = async (alg, key, signature, data) => {
const keyObject = (0, get_sign_verify_key_js_1.default)(alg, key, 'verify');
const k = (0, get_sign_verify_key_js_1.default)(alg, key, 'verify');
if (alg.startsWith('HS')) {
const expected = await (0, sign_js_1.default)(alg, keyObject, data);
const expected = await (0, sign_js_1.default)(alg, k, data);
const actual = signature;
try {
return crypto.timingSafeEqual(actual, expected);
@@ -29270,7 +29400,7 @@ const verify = async (alg, key, signature, data) => {
}
}
const algorithm = (0, dsa_digest_js_1.default)(alg);
const keyInput = (0, node_key_js_1.default)(alg, keyObject);
const keyInput = (0, node_key_js_1.default)(alg, k);
try {
return await oneShotVerify(algorithm, data, keyInput, signature);
}
+235 -27
@@ -13,24 +13,24 @@
"@actions/core": "^1.10.1"
},
"devDependencies": {
"@types/jest": "^29.5.12",
"@types/node": "^22.5.2",
"@types/jest": "^29.5.13",
"@types/node": "^22.5.5",
"@typescript-eslint/eslint-plugin": "^7.17.0",
"@typescript-eslint/parser": "^7.18.0",
"@vercel/ncc": "^0.38.1",
"eslint": "^8.57.0",
"eslint-plugin-github": "^5.0.1",
"eslint-plugin-jest": "^28.8.1",
"eslint-plugin-github": "^5.0.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-jsonc": "^2.16.0",
"eslint-plugin-prettier": "^5.2.1",
"jest": "^29.7.0",
"jose": "^5.8.0",
"jose": "^5.9.2",
"markdownlint-cli": "^0.41.0",
"nock": "^13.5.5",
"prettier": "^3.3.3",
"prettier-eslint": "^16.3.0",
"ts-jest": "^29.2.5",
"typescript": "^5.5.4"
"typescript": "^5.6.2"
},
"engines": {
"node": ">=20"
@@ -1648,9 +1648,10 @@
}
},
"node_modules/@types/jest": {
"version": "29.5.12",
"version": "29.5.13",
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.13.tgz",
"integrity": "sha512-wd+MVEZCHt23V0/L642O5APvspWply/rGY5BcW4SUETo2UzPU3Z26qr8jC2qxpimI2jjx9h7+2cj2FwIr01bXg==",
"dev": true,
"license": "MIT",
"dependencies": {
"expect": "^29.0.0",
"pretty-format": "^29.0.0"
@@ -1671,9 +1672,9 @@
"dev": true
},
"node_modules/@types/node": {
"version": "22.5.2",
"resolved": "https://registry.npmjs.org/@types/node/-/node-22.5.2.tgz",
"integrity": "sha512-acJsPTEqYqulZS/Yp/S3GgeE6GZ0qYODUR8aVr/DkhHQ8l9nd4j5x1/ZJy9/gHrRlFMqkO6i0I3E27Alu4jjPg==",
"version": "22.5.5",
"resolved": "https://registry.npmjs.org/@types/node/-/node-22.5.5.tgz",
"integrity": "sha512-Xjs4y5UPO/CLdzpgR6GirZJx36yScjh73+2NlLlkFRSoQN8B0DpfXPdZGnvVmLRLOsqDpOfTNv7D9trgGhmOIA==",
"dev": true,
"dependencies": {
"undici-types": "~6.19.2"
@@ -3390,14 +3391,14 @@
}
},
"node_modules/eslint-plugin-github": {
"version": "5.0.1",
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-5.0.1.tgz",
"integrity": "sha512-qbXG3wL5Uh2JB92EKeX2hPtO9c/t75qVxQjVLYuTFfhHifLZzv9CBvLCvoaBhLrAC/xTMVht7DK/NofYK8X4Dg==",
"version": "5.0.2",
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-5.0.2.tgz",
"integrity": "sha512-nMdzWJQ5CimjQDY6SFeJ0KIXuNFf0dgDWEd4eP3UWfuTuP/dXcZJDg7MQRvAFt743T1zUi4+/HdOihfu8xJkLA==",
"dev": true,
"dependencies": {
"@github/browserslist-config": "^1.0.0",
"@typescript-eslint/eslint-plugin": "^7.0.1",
"@typescript-eslint/parser": "^7.0.1",
"@typescript-eslint/eslint-plugin": "^8.0.0",
"@typescript-eslint/parser": "^8.0.0",
"aria-query": "^5.3.0",
"eslint-config-prettier": ">=8.0.0",
"eslint-plugin-escompat": "^3.3.3",
@@ -3420,6 +3421,212 @@
"eslint": "^8.0.1"
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/eslint-plugin": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.6.0.tgz",
"integrity": "sha512-UOaz/wFowmoh2G6Mr9gw60B1mm0MzUtm6Ic8G2yM1Le6gyj5Loi/N+O5mocugRGY+8OeeKmkMmbxNqUCq3B4Sg==",
"dev": true,
"dependencies": {
"@eslint-community/regexpp": "^4.10.0",
"@typescript-eslint/scope-manager": "8.6.0",
"@typescript-eslint/type-utils": "8.6.0",
"@typescript-eslint/utils": "8.6.0",
"@typescript-eslint/visitor-keys": "8.6.0",
"graphemer": "^1.4.0",
"ignore": "^5.3.1",
"natural-compare": "^1.4.0",
"ts-api-utils": "^1.3.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"@typescript-eslint/parser": "^8.0.0 || ^8.0.0-alpha.0",
"eslint": "^8.57.0 || ^9.0.0"
},
"peerDependenciesMeta": {
"typescript": {
"optional": true
}
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/parser": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.6.0.tgz",
"integrity": "sha512-eQcbCuA2Vmw45iGfcyG4y6rS7BhWfz9MQuk409WD47qMM+bKCGQWXxvoOs1DUp+T7UBMTtRTVT+kXr7Sh4O9Ow==",
"dev": true,
"dependencies": {
"@typescript-eslint/scope-manager": "8.6.0",
"@typescript-eslint/types": "8.6.0",
"@typescript-eslint/typescript-estree": "8.6.0",
"@typescript-eslint/visitor-keys": "8.6.0",
"debug": "^4.3.4"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"eslint": "^8.57.0 || ^9.0.0"
},
"peerDependenciesMeta": {
"typescript": {
"optional": true
}
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/scope-manager": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.6.0.tgz",
"integrity": "sha512-ZuoutoS5y9UOxKvpc/GkvF4cuEmpokda4wRg64JEia27wX+PysIE9q+lzDtlHHgblwUWwo5/Qn+/WyTUvDwBHw==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "8.6.0",
"@typescript-eslint/visitor-keys": "8.6.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/type-utils": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.6.0.tgz",
"integrity": "sha512-dtePl4gsuenXVwC7dVNlb4mGDcKjDT/Ropsk4za/ouMBPplCLyznIaR+W65mvCvsyS97dymoBRrioEXI7k0XIg==",
"dev": true,
"dependencies": {
"@typescript-eslint/typescript-estree": "8.6.0",
"@typescript-eslint/utils": "8.6.0",
"debug": "^4.3.4",
"ts-api-utils": "^1.3.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependenciesMeta": {
"typescript": {
"optional": true
}
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/types": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.6.0.tgz",
"integrity": "sha512-rojqFZGd4MQxw33SrOy09qIDS8WEldM8JWtKQLAjf/X5mGSeEFh5ixQlxssMNyPslVIk9yzWqXCsV2eFhYrYUw==",
"dev": true,
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/typescript-estree": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.6.0.tgz",
"integrity": "sha512-MOVAzsKJIPIlLK239l5s06YXjNqpKTVhBVDnqUumQJja5+Y94V3+4VUFRA0G60y2jNnTVwRCkhyGQpavfsbq/g==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "8.6.0",
"@typescript-eslint/visitor-keys": "8.6.0",
"debug": "^4.3.4",
"fast-glob": "^3.3.2",
"is-glob": "^4.0.3",
"minimatch": "^9.0.4",
"semver": "^7.6.0",
"ts-api-utils": "^1.3.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependenciesMeta": {
"typescript": {
"optional": true
}
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/utils": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.6.0.tgz",
"integrity": "sha512-eNp9cWnYf36NaOVjkEUznf6fEgVy1TWpE0o52e4wtojjBx7D1UV2WAWGzR+8Y5lVFtpMLPwNbC67T83DWSph4A==",
"dev": true,
"dependencies": {
"@eslint-community/eslint-utils": "^4.4.0",
"@typescript-eslint/scope-manager": "8.6.0",
"@typescript-eslint/types": "8.6.0",
"@typescript-eslint/typescript-estree": "8.6.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"eslint": "^8.57.0 || ^9.0.0"
}
},
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/visitor-keys": {
"version": "8.6.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.6.0.tgz",
"integrity": "sha512-wapVFfZg9H0qOYh4grNVQiMklJGluQrOUiOhYRrQWhx7BY/+I1IYb8BczWNbbUpO+pqy0rDciv3lQH5E1bCLrg==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "8.6.0",
"eslint-visitor-keys": "^3.4.3"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/eslint-plugin-github/node_modules/brace-expansion": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
"dev": true,
"dependencies": {
"balanced-match": "^1.0.0"
}
},
"node_modules/eslint-plugin-github/node_modules/minimatch": {
"version": "9.0.5",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
"integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
"dev": true,
"dependencies": {
"brace-expansion": "^2.0.1"
},
"engines": {
"node": ">=16 || 14 >=14.17"
},
"funding": {
"url": "https://github.com/sponsors/isaacs"
}
},
"node_modules/eslint-plugin-i18n-text": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/eslint-plugin-i18n-text/-/eslint-plugin-i18n-text-1.0.1.tgz",
@@ -3491,9 +3698,9 @@
}
},
"node_modules/eslint-plugin-jest": {
"version": "28.8.1",
"resolved": "https://registry.npmjs.org/eslint-plugin-jest/-/eslint-plugin-jest-28.8.1.tgz",
"integrity": "sha512-G46XMyYu6PtSNJUkQ0hsPjzXYpzq/O4vpCciMizTKRJG8kNsRreGoMRDG6H9FIB/xVgfFuclVnuX4XRvFUzrZQ==",
"version": "28.8.3",
"resolved": "https://registry.npmjs.org/eslint-plugin-jest/-/eslint-plugin-jest-28.8.3.tgz",
"integrity": "sha512-HIQ3t9hASLKm2IhIOqnu+ifw7uLZkIlR7RYNv7fMcEi/p0CIiJmfriStQS2LDkgtY4nyLbIZAD+JL347Yc2ETQ==",
"dev": true,
"dependencies": {
"@typescript-eslint/utils": "^6.0.0 || ^7.0.0 || ^8.0.0"
@@ -3775,9 +3982,10 @@
"license": "Apache-2.0"
},
"node_modules/fast-glob": {
"version": "3.3.1",
"version": "3.3.2",
"resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.2.tgz",
"integrity": "sha512-oX2ruAFQwf/Orj8m737Y5adxDQO0LAB7/S5MnxCdTNDd4p6BsyIVsv9JQsATbTSq8KHRpLwIHbVlUNatxd+1Ow==",
"dev": true,
"license": "MIT",
"dependencies": {
"@nodelib/fs.stat": "^2.0.2",
"@nodelib/fs.walk": "^1.2.3",
@@ -5466,9 +5674,9 @@
}
},
"node_modules/jose": {
"version": "5.8.0",
"resolved": "https://registry.npmjs.org/jose/-/jose-5.8.0.tgz",
"integrity": "sha512-E7CqYpL/t7MMnfGnK/eg416OsFCVUrU/Y3Vwe7QjKhu/BkS1Ms455+2xsqZQVN57/U2MHMBvEb5SrmAZWAIntA==",
"version": "5.9.2",
"resolved": "https://registry.npmjs.org/jose/-/jose-5.9.2.tgz",
"integrity": "sha512-ILI2xx/I57b20sd7rHZvgiiQrmp2mcotwsAH+5ajbpFQbrYVQdNHYlQhoA5cFb78CgtBOxtC05TeA+mcgkuCqQ==",
"funding": {
"url": "https://github.com/sponsors/panva"
}
@@ -7813,9 +8021,9 @@
}
},
"node_modules/typescript": {
"version": "5.5.4",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.5.4.tgz",
"integrity": "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==",
"version": "5.6.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.6.2.tgz",
"integrity": "sha512-NW8ByodCSNCwZeghjN3o+JX5OFH0Ojg6sadjEKY4huZ52TqbJTJnDo5+Tw98lSy63NZvi4n+ez5m2u5d4PkZyw==",
"dev": true,
"bin": {
"tsc": "bin/tsc",
+6 -6
@@ -74,23 +74,23 @@
"@actions/core": "^1.10.1"
},
"devDependencies": {
"@types/jest": "^29.5.12",
"@types/node": "^22.5.2",
"@types/jest": "^29.5.13",
"@types/node": "^22.5.5",
"@typescript-eslint/eslint-plugin": "^7.17.0",
"@typescript-eslint/parser": "^7.18.0",
"@vercel/ncc": "^0.38.1",
"eslint": "^8.57.0",
"eslint-plugin-github": "^5.0.1",
"eslint-plugin-jest": "^28.8.1",
"eslint-plugin-github": "^5.0.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-jsonc": "^2.16.0",
"eslint-plugin-prettier": "^5.2.1",
"jest": "^29.7.0",
"jose": "^5.8.0",
"jose": "^5.9.2",
"markdownlint-cli": "^0.41.0",
"nock": "^13.5.5",
"prettier": "^3.3.3",
"prettier-eslint": "^16.3.0",
"ts-jest": "^29.2.5",
"typescript": "^5.5.4"
"typescript": "^5.6.2"
}
}