test suite re-write (#356)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
This commit is contained in:
Brian DeHamer
2026-02-19 10:14:47 -08:00
committed by GitHub
parent 7d7ff4475a
commit 19ad753d23
23 changed files with 1871 additions and 1866 deletions
-195
View File
@@ -1,195 +0,0 @@
import { jest } from '@jest/globals'
import type { Descriptor } from '@sigstore/oci'
// Mock functions
const mockGetOctokit = jest.fn()
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const mockAttest = jest.fn<() => Promise<any>>()
const mockCreateStorageRecord = jest.fn<() => Promise<number[]>>()
const mockGetRegistryCredentials = jest.fn()
const mockAttachArtifactToImage = jest.fn<() => Promise<Descriptor>>()
// Mock @actions/github
jest.unstable_mockModule('@actions/github', () => ({
getOctokit: mockGetOctokit,
context: {
repo: { owner: 'foo', repo: 'bar' },
payload: { repository: { visibility: 'private' } }
}
}))
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
attest: mockAttest,
createStorageRecord: mockCreateStorageRecord
}))
// Mock @sigstore/oci
jest.unstable_mockModule('@sigstore/oci', () => ({
getRegistryCredentials: mockGetRegistryCredentials,
attachArtifactToImage: mockAttachArtifactToImage
}))
// Dynamic imports after mocking
const { createAttestation, repoOwnerIsOrg } = await import('../src/attest')
const subjectName = 'ghcr.io/foo/bar'
const subjectDigest =
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
const predicate = {
type: 'https://in-toto.io/attestation/release/v0.1',
params: {}
}
describe('repoOwnerIsOrg', () => {
beforeEach(() => {
jest.clearAllMocks()
})
it('returns true when repo owner is an organization', async () => {
mockGetOctokit.mockReturnValue({
rest: {
repos: {
get: jest
.fn<() => Promise<{ data: { owner: { type: string } } }>>()
.mockResolvedValue({
data: { owner: { type: 'Organization' } }
})
}
}
})
const result = await repoOwnerIsOrg('gh-token')
expect(result).toBe(true)
})
it('returns false when repo owner is a user', async () => {
mockGetOctokit.mockReturnValue({
rest: {
repos: {
// eslint-disable-next-line @typescript-eslint/no-explicit-any
get: jest.fn<() => Promise<any>>().mockResolvedValue({
data: { owner: { type: 'User' } }
})
}
}
})
const result = await repoOwnerIsOrg('gh-token')
expect(result).toBe(false)
})
})
describe('createAttestation', () => {
beforeEach(() => {
jest.clearAllMocks()
// Default mock implementations
mockAttest.mockResolvedValue({
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
certificate: 'cert',
tlogID: 'tlog-123',
attestationID: 'att-123'
})
mockGetRegistryCredentials.mockReturnValue({
username: 'user',
password: 'pass'
})
mockAttachArtifactToImage.mockResolvedValue({
digest: 'sha256:abc123',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 100
})
})
describe('when createStorageRecord is false', () => {
it('skips storage record creation', async () => {
const subjects = [
{
name: subjectName,
digest: { sha256: subjectDigest.replace('sha256:', '') }
}
]
const result = await createAttestation(subjects, predicate, {
sigstoreInstance: 'github',
pushToRegistry: true,
createStorageRecord: false,
githubToken: 'gh-token'
})
expect(result.attestationDigest).toBe('sha256:abc123')
expect(mockCreateStorageRecord).not.toHaveBeenCalled()
})
})
describe('when storage records are empty', () => {
beforeEach(() => {
mockGetOctokit.mockReturnValue({
rest: {
repos: {
// eslint-disable-next-line @typescript-eslint/no-explicit-any
get: jest.fn<() => Promise<any>>().mockResolvedValue({
data: { owner: { type: 'Organization' } }
})
}
}
})
mockCreateStorageRecord.mockResolvedValue([])
})
it('handles empty storage records gracefully', async () => {
const subjects = [
{
name: subjectName,
digest: { sha256: subjectDigest.replace('sha256:', '') }
}
]
const result = await createAttestation(subjects, predicate, {
sigstoreInstance: 'github',
pushToRegistry: true,
createStorageRecord: true,
githubToken: 'gh-token'
})
expect(result.attestationDigest).toBe('sha256:abc123')
})
})
describe('when subject has unsupported protocol', () => {
beforeEach(() => {
mockGetOctokit.mockReturnValue({
rest: {
repos: {
// eslint-disable-next-line @typescript-eslint/no-explicit-any
get: jest.fn<() => Promise<any>>().mockResolvedValue({
data: { owner: { type: 'Organization' } }
})
}
}
})
mockCreateStorageRecord.mockResolvedValue([123])
})
it('handles unsupported protocol gracefully', async () => {
const subjects = [
{
name: 'http://registry.example.com/foo/bar',
digest: { sha256: subjectDigest.replace('sha256:', '') }
}
]
const result = await createAttestation(subjects, predicate, {
sigstoreInstance: 'github',
pushToRegistry: true,
createStorageRecord: true,
githubToken: 'gh-token'
})
expect(result.attestationDigest).toBe('sha256:abc123')
})
})
})
+253
View File
@@ -0,0 +1,253 @@
import type { Attestation, Predicate, Subject } from '@actions/attest'
import { jest } from '@jest/globals'
import type { RestEndpointMethodTypes } from '@octokit/plugin-rest-endpoint-methods'
import type { Descriptor } from '@sigstore/oci'
// =============================================================================
// @actions/core mock factory
// =============================================================================
export type CoreMock = {
info: jest.Mock
warning: jest.Mock
debug: jest.Mock
startGroup: jest.Mock
endGroup: jest.Mock
setOutput: jest.Mock
setFailed: jest.Mock
summary: SummaryMock
}
export type SummaryMock = {
write: jest.Mock
addRaw: jest.Mock
addHeading: jest.Mock
addLink: jest.Mock
addTable: jest.Mock
addBreak: jest.Mock
addSeparator: jest.Mock
addQuote: jest.Mock
addCodeBlock: jest.Mock
addList: jest.Mock
addImage: jest.Mock
addDetails: jest.Mock
addEOL: jest.Mock
emptyBuffer: jest.Mock
stringify: jest.Mock
isEmptyBuffer: jest.Mock
clear: jest.Mock
}
export const createSummaryMock = (): SummaryMock => {
const mock: SummaryMock = {
write: jest.fn(),
addRaw: jest.fn(),
addHeading: jest.fn(),
addLink: jest.fn(),
addTable: jest.fn(),
addBreak: jest.fn(),
addSeparator: jest.fn(),
addQuote: jest.fn(),
addCodeBlock: jest.fn(),
addList: jest.fn(),
addImage: jest.fn(),
addDetails: jest.fn(),
addEOL: jest.fn(),
emptyBuffer: jest.fn(),
stringify: jest.fn().mockReturnValue(''),
isEmptyBuffer: jest.fn().mockReturnValue(true),
clear: jest.fn()
}
// Make chainable
for (const key of Object.keys(mock) as (keyof SummaryMock)[]) {
if (key !== 'stringify' && key !== 'isEmptyBuffer') {
mock[key].mockReturnThis()
}
}
return mock
}
export const createCoreMock = (): CoreMock => ({
info: jest.fn(),
warning: jest.fn(),
debug: jest.fn(),
startGroup: jest.fn(),
endGroup: jest.fn(),
setOutput: jest.fn(),
setFailed: jest.fn(),
summary: createSummaryMock()
})
// =============================================================================
// @actions/github mock factory
// =============================================================================
export type GitHubContextMock = {
repo: { owner: string; repo: string }
payload: { repository?: { visibility: string } }
serverUrl: string
}
export const createGitHubContextMock = (
overrides: Partial<GitHubContextMock> = {}
): GitHubContextMock => ({
repo: { owner: 'test-owner', repo: 'test-repo' },
payload: { repository: { visibility: 'public' } },
serverUrl: 'https://github.com',
...overrides
})
export type OctokitMock = {
rest: {
repos: {
get: jest.Mock
}
}
}
export const createOctokitMock = (
ownerType: 'Organization' | 'User' = 'Organization'
): OctokitMock => ({
rest: {
repos: {
get: jest
.fn<RestEndpointMethodTypes['repos']['get']['response']>()
.mockResolvedValue({
data: { owner: { type: ownerType } }
})
}
}
})
// =============================================================================
// @actions/attest mock factory
// =============================================================================
export type AttestMock = {
attest: jest.Mock
buildSLSAProvenancePredicate: jest.Mock
createStorageRecord: jest.Mock
}
export const createAttestMock = (): AttestMock => ({
attest: jest.fn(),
buildSLSAProvenancePredicate: jest.fn(),
createStorageRecord: jest.fn()
})
export const createAttestationResult = (
overrides: Partial<Attestation> = {}
): Attestation => ({
bundle: {
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' as const,
verificationMaterial: {
certificate: { rawBytes: '' },
publicKey: undefined,
x509CertificateChain: undefined,
tlogEntries: [],
timestampVerificationData: undefined
},
dsseEnvelope: {
payload: '',
payloadType: '',
signatures: []
},
messageSignature: undefined
},
certificate: '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: 'tlog-123',
attestationID: 'att-123',
...overrides
})
// =============================================================================
// @sigstore/oci mock factory
// =============================================================================
export type OciMock = {
getRegistryCredentials: jest.Mock
attachArtifactToImage: jest.Mock
}
export const createOciMock = (): OciMock => ({
getRegistryCredentials: jest.fn().mockReturnValue({
username: 'test-user',
password: 'test-pass'
}),
attachArtifactToImage: jest
.fn<() => Promise<Descriptor>>()
.mockResolvedValue({
digest: 'sha256:abc123def456',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 1234
})
})
// =============================================================================
// Common test data
// =============================================================================
export const TEST_SUBJECT: Subject = {
name: 'test-artifact',
digest: {
sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
}
export const TEST_SUBJECT_WITH_REGISTRY: Subject = {
name: 'ghcr.io/test-owner/test-repo',
digest: {
sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
}
export const TEST_PREDICATE: Predicate = {
type: 'https://example.com/predicate/v1',
params: { foo: 'bar' }
}
export const TEST_PROVENANCE_PREDICATE: Predicate = {
type: 'https://slsa.dev/provenance/v1',
params: {
buildDefinition: {
buildType: 'https://actions.github.io/buildtypes/workflow/v1'
},
runDetails: {
builder: { id: 'https://github.com/actions/runner' }
}
}
}
// =============================================================================
// Environment helpers
// =============================================================================
export const setupTestEnvironment = (
env: Record<string, string> = {}
): (() => void) => {
const originalEnv = { ...process.env }
process.env = {
...process.env,
ACTIONS_ID_TOKEN_REQUEST_URL: 'https://token.url',
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'test-token',
RUNNER_TEMP: '/tmp',
...env
}
return () => {
process.env = originalEnv
}
}
// =============================================================================
// OIDC token helpers
// =============================================================================
export const createOidcToken = (subject = 'test@example.com'): string => {
const payload = {
sub: subject,
iss: 'https://token.actions.githubusercontent.com'
}
return `.${Buffer.from(JSON.stringify(payload)).toString('base64')}.`
}
@@ -0,0 +1,13 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:12345678-1234-1234-1234-123456789012",
"version": 1,
"components": [
{
"type": "library",
"name": "test-component",
"version": "1.0.0"
}
]
}
@@ -0,0 +1,9 @@
{
"buildType": "https://example.com/build/v1",
"builder": {
"id": "https://github.com/actions/runner"
},
"metadata": {
"buildStartedOn": "2024-01-01T00:00:00Z"
}
}
+15
View File
@@ -0,0 +1,15 @@
{
"spdxVersion": "SPDX-2.3",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "test-package",
"dataLicense": "CC0-1.0",
"documentNamespace": "https://example.com/test-package",
"packages": [
{
"SPDXID": "SPDXRef-Package",
"name": "test-package",
"versionInfo": "1.0.0",
"downloadLocation": "https://example.com/test-package-1.0.0.tar.gz"
}
]
}
+43 -7
View File
@@ -1,6 +1,3 @@
/**
* Unit tests for the action's entrypoint, src/index.ts
*/
import { jest } from '@jest/globals' import { jest } from '@jest/globals'
// Mock functions // Mock functions
@@ -22,14 +19,53 @@ jest.unstable_mockModule('../src/main', () => ({
describe('index', () => { describe('index', () => {
beforeEach(() => { beforeEach(() => {
jest.clearAllMocks() jest.clearAllMocks()
mockGetBooleanInput.mockReturnValue(false)
mockGetInput.mockReturnValue('') mockGetInput.mockReturnValue('')
mockGetBooleanInput.mockReturnValue(false)
}) })
it('calls run when imported', async () => { it('should call run with inputs from core.getInput', async () => {
// Dynamic import after mocking mockGetInput.mockImplementation((name: string) => {
const inputs: Record<string, string> = {
'subject-path': '/path/to/subject',
'subject-name': 'my-artifact',
'subject-digest': '',
'subject-checksums': '',
'predicate-type': 'https://example.com/predicate',
predicate: '{}',
'predicate-path': '',
'sbom-path': '',
'github-token': 'test-token'
}
return inputs[name] || ''
})
mockGetBooleanInput.mockImplementation((name: string) => {
const inputs: Record<string, boolean> = {
'push-to-registry': false,
'create-storage-record': true,
'show-summary': true,
'private-signing': false
}
return inputs[name] || false
})
// Dynamic import triggers the module
await import('../src/index') await import('../src/index')
expect(mockRun).toHaveBeenCalled() expect(mockRun).toHaveBeenCalledWith({
subjectPath: '/path/to/subject',
subjectName: 'my-artifact',
subjectDigest: '',
subjectChecksums: '',
predicateType: 'https://example.com/predicate',
predicate: '{}',
predicatePath: '',
sbomPath: '',
githubToken: 'test-token',
pushToRegistry: false,
createStorageRecord: true,
showSummary: true,
privateSigning: false
})
}) })
}) })
+228
View File
@@ -0,0 +1,228 @@
import { jest } from '@jest/globals'
import {
createAttestationResult,
createGitHubContextMock,
createOctokitMock,
TEST_PREDICATE,
TEST_SUBJECT_WITH_REGISTRY
} from '../fixtures/mocks'
import type { Attestation } from '@actions/attest'
import type { Descriptor } from '@sigstore/oci'
// Mock functions
const mockGetOctokit = jest.fn()
const mockAttest = jest.fn<() => Promise<Attestation>>()
const mockCreateStorageRecord = jest.fn<() => Promise<number[]>>()
const mockGetRegistryCredentials = jest.fn()
const mockAttachArtifactToImage = jest.fn<() => Promise<Descriptor>>()
// Mutable context for tests
const mockContext = createGitHubContextMock()
// Mock @actions/github
jest.unstable_mockModule('@actions/github', () => ({
getOctokit: mockGetOctokit,
context: mockContext
}))
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
attest: mockAttest,
createStorageRecord: mockCreateStorageRecord
}))
// Mock @sigstore/oci
jest.unstable_mockModule('@sigstore/oci', () => ({
getRegistryCredentials: mockGetRegistryCredentials,
attachArtifactToImage: mockAttachArtifactToImage
}))
// Dynamic imports after mocking
const { createAttestation, repoOwnerIsOrg } = await import('../../src/attest')
describe('repoOwnerIsOrg', () => {
beforeEach(() => {
jest.clearAllMocks()
})
it('should return true when repo owner is an Organization', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('Organization'))
const result = await repoOwnerIsOrg('test-token')
expect(result).toBe(true)
expect(mockGetOctokit).toHaveBeenCalledWith('test-token')
})
it('should return false when repo owner is a User', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('User'))
const result = await repoOwnerIsOrg('test-token')
expect(result).toBe(false)
})
})
describe('createAttestation', () => {
const defaultOpts = {
sigstoreInstance: 'github' as const,
pushToRegistry: false,
createStorageRecord: false,
githubToken: 'test-token'
}
beforeEach(() => {
jest.clearAllMocks()
mockAttest.mockResolvedValue(createAttestationResult())
mockGetRegistryCredentials.mockReturnValue({
username: 'test-user',
password: 'test-pass'
})
mockAttachArtifactToImage.mockResolvedValue({
digest: 'sha256:attestation-digest',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 1234
})
mockCreateStorageRecord.mockResolvedValue([12345])
mockGetOctokit.mockReturnValue(createOctokitMock('Organization'))
})
describe('basic attestation', () => {
it('should call attest with correct parameters', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
await createAttestation(subjects, TEST_PREDICATE, defaultOpts)
expect(mockAttest).toHaveBeenCalledWith({
subjects,
predicateType: TEST_PREDICATE.type,
predicate: TEST_PREDICATE.params,
sigstore: 'github',
token: 'test-token'
})
})
it('should return attestation result', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
defaultOpts
)
expect(result.attestationID).toBe('att-123')
expect(result.certificate).toContain('BEGIN CERTIFICATE')
expect(result.tlogID).toBe('tlog-123')
})
})
describe('registry push', () => {
const pushOpts = { ...defaultOpts, pushToRegistry: true }
it('should push attestation to registry when enabled', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(subjects, TEST_PREDICATE, pushOpts)
expect(mockGetRegistryCredentials).toHaveBeenCalledWith(subjects[0].name)
expect(mockAttachArtifactToImage).toHaveBeenCalled()
expect(result.attestationDigest).toBe('sha256:attestation-digest')
})
it('should skip registry push for multiple subjects', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY, TEST_SUBJECT_WITH_REGISTRY]
await createAttestation(subjects, TEST_PREDICATE, pushOpts)
expect(mockAttachArtifactToImage).not.toHaveBeenCalled()
})
})
describe('storage record creation', () => {
const storageOpts = {
...defaultOpts,
pushToRegistry: true,
createStorageRecord: true
}
it('should create storage record when enabled and owner is org', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(mockCreateStorageRecord).toHaveBeenCalled()
expect(result.storageRecordIds).toEqual([12345])
})
it('should skip storage record when owner is User', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('User'))
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(mockCreateStorageRecord).not.toHaveBeenCalled()
expect(result.storageRecordIds).toBeUndefined()
})
it('should skip storage record when createStorageRecord is false', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const opts = { ...storageOpts, createStorageRecord: false }
await createAttestation(subjects, TEST_PREDICATE, opts)
expect(mockCreateStorageRecord).not.toHaveBeenCalled()
})
it('should handle empty storage records gracefully', async () => {
mockCreateStorageRecord.mockResolvedValue([])
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(result.storageRecordIds).toEqual([])
})
it('should continue when storage record creation fails', async () => {
mockCreateStorageRecord.mockRejectedValue(new Error('Permission denied'))
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
// Should not throw
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(result.attestationID).toBe('att-123')
expect(result.storageRecordIds).toBeUndefined()
})
})
describe('sigstore instance selection', () => {
it('should use public-good sigstore instance when specified', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const opts = { ...defaultOpts, sigstoreInstance: 'public-good' as const }
await createAttestation(subjects, TEST_PREDICATE, opts)
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'public-good' })
)
})
})
})
+454
View File
@@ -0,0 +1,454 @@
import { jest } from '@jest/globals'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import {
createAttestationResult,
createOctokitMock,
TEST_PROVENANCE_PREDICATE
} from '../fixtures/mocks'
import type { Attestation, Predicate } from '@actions/attest'
import type { Descriptor } from '@sigstore/oci'
import type { RunInputs } from '../../src/main'
// Create persistent mock functions
const infoMock = jest.fn()
const warningMock = jest.fn()
const debugMock = jest.fn()
const startGroupMock = jest.fn()
const endGroupMock = jest.fn()
const setOutputMock = jest.fn()
const setFailedMock = jest.fn()
// Create chainable summary mock
const summaryMock = {
write: jest.fn().mockReturnThis(),
addRaw: jest.fn().mockReturnThis(),
addHeading: jest.fn().mockReturnThis(),
addLink: jest.fn().mockReturnThis(),
addTable: jest.fn().mockReturnThis(),
addBreak: jest.fn().mockReturnThis(),
addSeparator: jest.fn().mockReturnThis(),
addQuote: jest.fn().mockReturnThis(),
addCodeBlock: jest.fn().mockReturnThis(),
addList: jest.fn().mockReturnThis(),
addImage: jest.fn().mockReturnThis(),
addDetails: jest.fn().mockReturnThis(),
addEOL: jest.fn().mockReturnThis(),
emptyBuffer: jest.fn().mockReturnThis(),
stringify: jest.fn().mockReturnValue(''),
isEmptyBuffer: jest.fn().mockReturnValue(true),
clear: jest.fn().mockReturnThis()
}
const mockGetOctokit = jest.fn()
const mockAttest = jest.fn<() => Promise<Attestation>>()
const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise<Predicate>>()
const mockCreateStorageRecord = jest.fn<() => Promise<number[]>>()
const mockGetRegistryCredentials = jest.fn()
const mockAttachArtifactToImage = jest.fn<() => Promise<Descriptor>>()
// Mutable context for tests
const mockContext = {
repo: { owner: 'test-owner', repo: 'test-repo' },
payload: { repository: { visibility: 'private' } },
serverUrl: 'https://github.com'
}
// Mock @actions/core
jest.unstable_mockModule('@actions/core', () => ({
info: infoMock,
warning: warningMock,
debug: debugMock,
startGroup: startGroupMock,
endGroup: endGroupMock,
setOutput: setOutputMock,
setFailed: setFailedMock,
summary: summaryMock
}))
// Mock @actions/github
jest.unstable_mockModule('@actions/github', () => ({
getOctokit: mockGetOctokit,
context: mockContext
}))
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
attest: mockAttest,
buildSLSAProvenancePredicate: mockBuildSLSAProvenancePredicate,
createStorageRecord: mockCreateStorageRecord
}))
// Mock @sigstore/oci
jest.unstable_mockModule('@sigstore/oci', () => ({
getRegistryCredentials: mockGetRegistryCredentials,
attachArtifactToImage: mockAttachArtifactToImage
}))
// Dynamic import after mocking
const { run } = await import('../../src/main')
const defaultInputs: RunInputs = {
predicate: '',
predicateType: '',
predicatePath: '',
sbomPath: '',
subjectName: '',
subjectDigest: '',
subjectPath: '',
subjectChecksums: '',
pushToRegistry: false,
createStorageRecord: false,
showSummary: false,
githubToken: 'test-token',
privateSigning: false
}
describe('run', () => {
let tempDir: string
const originalEnv = { ...process.env }
beforeEach(async () => {
jest.clearAllMocks()
// Reset chainable summary mocks
for (const key of Object.keys(summaryMock)) {
if (key !== 'stringify' && key !== 'isEmptyBuffer') {
;(
summaryMock[key as keyof typeof summaryMock] as jest.Mock
).mockReturnThis()
}
}
mockAttest.mockResolvedValue(createAttestationResult())
mockBuildSLSAProvenancePredicate.mockResolvedValue(
TEST_PROVENANCE_PREDICATE
)
mockCreateStorageRecord.mockResolvedValue([12345])
mockGetOctokit.mockReturnValue(createOctokitMock('Organization'))
mockGetRegistryCredentials.mockReturnValue({ username: 'u', password: 'p' })
mockAttachArtifactToImage.mockResolvedValue({
digest: 'sha256:abc',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 100
})
// Reset context
mockContext.repo = { owner: 'test-owner', repo: 'test-repo' }
mockContext.payload = { repository: { visibility: 'private' } }
// Create temp directory
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'main-test-'))
// Set required environment
process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://token.url'
process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token'
process.env.RUNNER_TEMP = tempDir
})
afterEach(async () => {
process.env = { ...originalEnv }
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('environment validation', () => {
it('should fail when ACTIONS_ID_TOKEN_REQUEST_URL is not set', async () => {
delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining('id-token')
})
)
})
})
describe('subject validation', () => {
it('should fail when no subject inputs are provided', async () => {
await run(defaultInputs)
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining('subject-path')
})
)
})
})
describe('attestation type detection', () => {
it('should detect provenance attestation when no predicate inputs provided', async () => {
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
})
expect(infoMock).toHaveBeenCalledWith(
'Attestation type: Build Provenance'
)
expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalled()
})
it('should detect custom attestation when predicate inputs provided', async () => {
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
expect(mockBuildSLSAProvenancePredicate).not.toHaveBeenCalled()
})
it('should detect SBOM attestation when sbom-path provided', async () => {
const sbomPath = path.join(tempDir, 'sbom.json')
await fs.writeFile(
sbomPath,
JSON.stringify({
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test'
})
)
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
sbomPath
})
expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM')
})
it('should fail when sbom-path is combined with predicate inputs', async () => {
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
sbomPath: '/path/to/sbom.json',
predicateType: 'https://example.com/predicate'
})
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining(
'Cannot specify sbom-path together with'
)
})
)
})
})
describe('successful attestation', () => {
const validInputs: RunInputs = {
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
}
it('should create attestation successfully', async () => {
await run(validInputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(mockAttest).toHaveBeenCalled()
})
it('should set output for attestation-id', async () => {
await run(validInputs)
expect(setOutputMock).toHaveBeenCalledWith('attestation-id', 'att-123')
})
it('should set output for attestation-url', async () => {
await run(validInputs)
expect(setOutputMock).toHaveBeenCalledWith(
'attestation-url',
'https://github.com/test-owner/test-repo/attestations/att-123'
)
})
it('should set output for bundle-path', async () => {
await run(validInputs)
expect(setOutputMock).toHaveBeenCalledWith(
'bundle-path',
expect.stringContaining('attestation.json')
)
})
it('should write attestation bundle to file', async () => {
await run(validInputs)
const bundlePath = setOutputMock.mock.calls.find(
(call: unknown[]) => call[0] === 'bundle-path'
)?.[1] as string
const content = await fs.readFile(bundlePath, 'utf-8')
expect(content).toContain('mediaType')
})
})
describe('sigstore instance selection', () => {
const validInputs: RunInputs = {
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
}
it('should use github sigstore for private repos', async () => {
mockContext.payload = { repository: { visibility: 'private' } }
await run(validInputs)
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'github' })
)
})
it('should use public-good sigstore for public repos', async () => {
mockContext.payload = { repository: { visibility: 'public' } }
await run(validInputs)
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'public-good' })
)
})
it('should use github sigstore when privateSigning is true', async () => {
mockContext.payload = { repository: { visibility: 'public' } }
await run({ ...validInputs, privateSigning: true })
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'github' })
)
})
})
describe('multiple subjects', () => {
it('should handle multiple subjects from glob pattern', async () => {
// Create test files
for (let i = 0; i < 3; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`)
}
await run({
...defaultInputs,
subjectPath: path.join(tempDir, 'file-*.txt'),
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith(
expect.stringContaining('3 subjects')
)
})
it('should fail when subject count exceeds maximum', async () => {
// Create too many files
for (let i = 0; i < 1025; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`)
}
await run({
...defaultInputs,
subjectPath: path.join(tempDir, 'file-*.txt'),
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining('Too many subjects')
})
)
})
})
describe('summary output', () => {
const validInputs: RunInputs = {
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}',
showSummary: true
}
it('should write summary when showSummary is true', async () => {
await run(validInputs)
expect(summaryMock.addHeading).toHaveBeenCalled()
expect(summaryMock.write).toHaveBeenCalled()
})
it('should not write summary when showSummary is false', async () => {
await run({ ...validInputs, showSummary: false })
expect(summaryMock.write).not.toHaveBeenCalled()
})
})
describe('registry push', () => {
const registryInputs: RunInputs = {
...defaultInputs,
subjectName: 'ghcr.io/test-owner/test-repo',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}',
pushToRegistry: true
}
it('should push attestation to registry when enabled', async () => {
await run(registryInputs)
expect(mockAttachArtifactToImage).toHaveBeenCalled()
})
it('should lowercase subject name for registry push', async () => {
await run({
...registryInputs,
subjectName: 'ghcr.io/TEST-OWNER/Test-Repo'
})
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({
subjects: [
expect.objectContaining({
name: 'ghcr.io/test-owner/test-repo'
})
]
})
)
})
})
})
@@ -1,5 +1,6 @@
import type { Predicate } from '@actions/attest' import type { Predicate } from '@actions/attest'
import { jest } from '@jest/globals' import { jest } from '@jest/globals'
import { TEST_PROVENANCE_PREDICATE } from '../fixtures/mocks'
// Mock function // Mock function
const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise<Predicate>>() const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise<Predicate>>()
@@ -10,39 +11,27 @@ jest.unstable_mockModule('@actions/attest', () => ({
})) }))
// Dynamic import after mocking // Dynamic import after mocking
const { generateProvenancePredicate } = await import('../src/provenance') const { generateProvenancePredicate } = await import('../../src/provenance')
describe('generateProvenancePredicate', () => { describe('generateProvenancePredicate', () => {
const mockPredicate = {
type: 'https://slsa.dev/provenance/v1',
params: {
buildDefinition: {
buildType: 'https://actions.github.io/buildtypes/workflow/v1'
},
runDetails: {
builder: { id: 'https://github.com/actions/runner' }
}
}
}
beforeEach(() => { beforeEach(() => {
jest.clearAllMocks() jest.clearAllMocks()
mockBuildSLSAProvenancePredicate.mockResolvedValue(mockPredicate) mockBuildSLSAProvenancePredicate.mockResolvedValue(TEST_PROVENANCE_PREDICATE)
}) })
it('returns the SLSA provenance predicate', async () => { it('should delegate to buildSLSAProvenancePredicate', async () => {
const result = await generateProvenancePredicate() const result = await generateProvenancePredicate()
expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalledTimes(1) expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalledTimes(1)
expect(result).toEqual(mockPredicate) expect(result).toEqual(TEST_PROVENANCE_PREDICATE)
}) })
it('propagates errors from buildSLSAProvenancePredicate', async () => { it('should propagate errors from the underlying function', async () => {
const error = new Error('Failed to build provenance') const error = new Error('Failed to build provenance predicate')
mockBuildSLSAProvenancePredicate.mockRejectedValue(error) mockBuildSLSAProvenancePredicate.mockRejectedValue(error)
await expect(generateProvenancePredicate()).rejects.toThrow( await expect(generateProvenancePredicate()).rejects.toThrow(
'Failed to build provenance' 'Failed to build provenance predicate'
) )
}) })
}) })
-676
View File
@@ -1,676 +0,0 @@
/**
* Unit tests for the action's main functionality, src/main.ts
*
* These should be run as if the action was called from a workflow.
* Specifically, the inputs listed in `action.yml` should be set as environment
* variables following the pattern `INPUT_<INPUT_NAME>`.
*/
import type { Predicate } from '@actions/attest'
import { jest } from '@jest/globals'
import type { RunInputs } from '../src/main'
// Create mock functions before mocking modules
const infoMock = jest.fn()
const warningMock = jest.fn()
const startGroupMock = jest.fn()
const endGroupMock = jest.fn()
const setOutputMock = jest.fn()
const setFailedMock = jest.fn()
const debugMock = jest.fn()
// OCI mocks
const getRegCredsMock = jest.fn()
const attachArtifactMock = jest.fn()
// Attest mocks
const attestMock = jest.fn()
const createStorageRecordMock = jest.fn()
// Local attest mocks
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const createAttestationMock = jest.fn<() => Promise<any>>()
const repoOwnerIsOrgMock = jest.fn()
// Provenance mock
const generateProvenancePredicateMock = jest.fn<() => Promise<Predicate>>()
// GitHub context mock
const mockContext = {
repo: { owner: 'foo', repo: 'bar' },
payload: { repository: { visibility: 'private' } }
}
const mockGetOctokit = jest.fn()
// Summary mock with chainable methods
const summaryMock = {
write: jest.fn().mockReturnThis(),
addRaw: jest.fn().mockReturnThis(),
addHeading: jest.fn().mockReturnThis(),
addLink: jest.fn().mockReturnThis(),
addTable: jest.fn().mockReturnThis(),
addBreak: jest.fn().mockReturnThis(),
addSeparator: jest.fn().mockReturnThis(),
addQuote: jest.fn().mockReturnThis(),
addCodeBlock: jest.fn().mockReturnThis(),
addList: jest.fn().mockReturnThis(),
addImage: jest.fn().mockReturnThis(),
addDetails: jest.fn().mockReturnThis(),
addEOL: jest.fn().mockReturnThis(),
emptyBuffer: jest.fn().mockReturnThis(),
stringify: jest.fn().mockReturnValue(''),
isEmptyBuffer: jest.fn().mockReturnValue(true),
clear: jest.fn().mockReturnThis()
}
// Mock @actions/core
jest.unstable_mockModule('@actions/core', () => ({
info: infoMock,
warning: warningMock,
startGroup: startGroupMock,
endGroup: endGroupMock,
setOutput: setOutputMock,
setFailed: setFailedMock,
debug: debugMock,
summary: summaryMock
}))
// Mock @actions/github
jest.unstable_mockModule('@actions/github', () => ({
context: mockContext,
getOctokit: mockGetOctokit
}))
// Mock @sigstore/oci
jest.unstable_mockModule('@sigstore/oci', () => ({
getRegistryCredentials: getRegCredsMock,
attachArtifactToImage: attachArtifactMock
}))
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
attest: attestMock,
createStorageRecord: createStorageRecordMock
}))
// Mock ../src/attest
jest.unstable_mockModule('../src/attest', () => ({
createAttestation: createAttestationMock,
repoOwnerIsOrg: repoOwnerIsOrgMock
}))
// Mock ../src/provenance
jest.unstable_mockModule('../src/provenance', () => ({
generateProvenancePredicate: generateProvenancePredicateMock
}))
// Dynamic imports after mocking
const { mockFulcio, mockRekor, mockTSA } = await import('@sigstore/mock')
const fs = (await import('fs/promises')).default
const nock = (await import('nock')).default
const os = (await import('os')).default
const path = (await import('path')).default
const { MockAgent, setGlobalDispatcher } = await import('undici')
const { run } = await import('../src/main')
// MockAgent for mocking @actions/github
const mockAgent = new MockAgent()
setGlobalDispatcher(mockAgent)
const defaultInputs: RunInputs = {
predicate: '',
predicateType: '',
predicatePath: '',
sbomPath: '',
subjectName: '',
subjectDigest: '',
subjectPath: '',
subjectChecksums: '',
pushToRegistry: false,
createStorageRecord: true,
showSummary: true,
githubToken: '',
privateSigning: false
}
describe('action', () => {
// Capture original environment variables so we can restore after each test
const originalEnv = process.env
const originalContext = {
repo: { owner: 'foo', repo: 'bar' },
payload: { repository: { visibility: 'private' } }
}
// Mock OIDC token endpoint
const tokenURL = 'https://token.url'
// Fake an OIDC token
const oidcSubject = 'foo@bar.com'
const oidcPayload = { sub: oidcSubject, iss: '' }
const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
'base64'
)}.}`
const subjectName = 'ghcr.io/registry/foo/bar'
const subjectDigest =
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
const predicate = '{}'
const predicateType = 'https://in-toto.io/attestation/release/v0.1'
const attestationID = '1234567890'
const storageRecordID = 987654321
beforeEach(() => {
jest.clearAllMocks()
nock(tokenURL)
.get('/')
.query({ audience: 'sigstore' })
.reply(200, { value: oidcToken })
const pool = mockAgent.get('https://api.github.com')
pool
.intercept({
path: /^\/repos\/.*\/.*\/attestations$/,
method: 'post'
})
.reply(201, { id: attestationID })
pool
.intercept({
path: /^\/orgs\/.*\/artifacts\/metadata\/storage-record$/,
method: 'post'
})
.reply(200, { storage_records: [{ id: storageRecordID }] })
process.env = {
...originalEnv,
ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
RUNNER_TEMP: process.env.RUNNER_TEMP || '/tmp'
}
})
afterEach(() => {
// Restore the original environment
process.env = originalEnv
// Restore the original github.context
setGHContext(originalContext)
})
describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token'
}
beforeEach(() => {
// Nullify the OIDC token URL
process.env.ACTIONS_ID_TOKEN_REQUEST_URL = ''
})
it('sets a failed status', async () => {
await run(inputs)
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
)
)
})
})
describe('when no inputs are provided', () => {
it('sets a failed status', async () => {
await run(defaultInputs)
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'One of subject-path, subject-digest, or subject-checksums must be provided'
)
)
})
})
describe('when the repository is private', () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token'
}
beforeEach(async () => {
// Set the GH context with private repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
// Mock createAttestation to return expected values
createAttestationMock.mockResolvedValue({
attestationID,
certificate:
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: 'tlog-123',
attestationDigest: 'sha256:123456',
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
it('invokes the action w/o error', async () => {
await run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
expect(infoMock).toHaveBeenCalledWith(
expect.stringMatching(
`Attestation created for ${subjectName}@${subjectDigest}`
)
)
expect(createAttestationMock).toHaveBeenCalled()
})
})
describe('when the repository is public', () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token',
pushToRegistry: true
}
beforeEach(async () => {
// Set the GH context with public repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'public' } },
repo: { owner: 'foo', repo: 'bar' }
})
// Setup createAttestation mock
createAttestationMock.mockResolvedValue({
attestationID,
certificate:
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: 'tlog-123',
attestationDigest: 'sha256:123456',
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
storageRecordIds: [storageRecordID]
})
await mockFulcio({
baseURL: 'https://fulcio.sigstore.dev',
strict: false
})
await mockRekor({ baseURL: 'https://rekor.sigstore.dev' })
mockGetOctokit.mockReturnValue({
rest: {
repos: {
get: jest
.fn<() => Promise<{ data: { owner: { type: string } } }>>()
.mockResolvedValue({
data: { owner: { type: 'Organization' } }
})
}
}
})
})
it('invokes the action w/o error', async () => {
await run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(createAttestationMock).toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
expect(infoMock).toHaveBeenCalledWith(
expect.stringMatching(
`Attestation created for ${subjectName}@${subjectDigest}`
)
)
})
it('catches error when storage record creation fails and continues', async () => {
// Mock createAttestation to simulate storage record failure (but still succeed overall)
createAttestationMock.mockResolvedValue({
attestationID,
certificate:
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: 'tlog-123',
attestationDigest: 'sha256:123456',
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
// No storageRecordIDs - simulates empty/failed storage record
})
await run(inputs)
expect(createAttestationMock).toHaveBeenCalled()
expect(setFailedMock).not.toHaveBeenCalled()
})
it('does not create a storage record when the repo is owned by a user', async () => {
// Mock createAttestation to not return storage record IDs
createAttestationMock.mockResolvedValue({
attestationID,
certificate:
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: 'tlog-123',
attestationDigest: 'sha256:123456',
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
})
await run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(createAttestationMock).toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith(
expect.stringMatching(
`Attestation created for ${subjectName}@${subjectDigest}`
)
)
})
})
describe('when the subject count is greater than 1', () => {
let dir = ''
const filename = 'subject'
beforeEach(async () => {
const subjectCount = 5
const content = 'file content'
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Add files for glob testing
for (let i = 0; i < subjectCount; i++) {
await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
}
// Set the GH context with private repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
// Set-up a Fulcio mock for each subject
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
// Set-up a TSA mock for each subject
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
it('invokes the action w/o error', async () => {
const inputs: RunInputs = {
...defaultInputs,
subjectPath: path.join(dir, `${filename}-*`),
predicateType,
predicate,
githubToken: 'gh-token'
}
await run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
expect(infoMock).toHaveBeenNthCalledWith(
2,
expect.stringMatching('Attestation created for 5 subjects')
)
})
})
describe('when the subject count exceeds the max', () => {
let dir = ''
const filename = 'subject'
beforeEach(async () => {
const subjectCount = 1025
const content = 'file content'
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Add files for glob testing
for (let i = 0; i < subjectCount; i++) {
await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
}
// Set the GH context with private repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
it('sets a failed status', async () => {
const inputs: RunInputs = {
...defaultInputs,
subjectPath: path.join(dir, `${filename}-*`),
predicateType,
predicate,
githubToken: 'gh-token'
}
await run(inputs)
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'Too many subjects specified (>1024). The maximum number of subjects is 1024.'
)
)
})
})
describe('attestation type detection', () => {
describe('when sbom-path is provided with predicate inputs', () => {
it('sets a failed status for conflicting inputs', async () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
sbomPath: '/path/to/sbom.json',
predicateType: 'https://example.com/predicate',
githubToken: 'gh-token'
}
await run(inputs)
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'Cannot specify sbom-path together with predicate-type, predicate, or predicate-path'
)
)
})
})
describe('when predicate is provided without predicate-type', () => {
it('sets a failed status for missing predicate-type', async () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicate: '{}',
githubToken: 'gh-token'
}
await run(inputs)
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'predicate-type is required when using predicate or predicate-path'
)
)
})
})
describe('when custom attestation inputs are provided', () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token'
}
beforeEach(async () => {
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
it('logs the attestation type as Custom', async () => {
await run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
})
})
describe('when provenance attestation is detected', () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
githubToken: 'gh-token'
}
const mockProvPredicate = {
type: 'https://slsa.dev/provenance/v1',
params: { buildDefinition: {}, runDetails: {} }
}
beforeEach(async () => {
// Configure mock for provenance predicate
generateProvenancePredicateMock.mockResolvedValue(mockProvPredicate)
// Configure mock for createAttestation
createAttestationMock.mockResolvedValue({
attestationID: '1234567890',
certificate:
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: 'tlog-123',
attestationDigest: 'sha256:123456',
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
})
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
it('logs the attestation type as Build Provenance and generates predicate', async () => {
await run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith(
'Attestation type: Build Provenance'
)
})
})
describe('when sbom attestation is detected', () => {
let tmpDir: string
let sbomFilePath: string
const spdxSBOM = {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package',
packages: []
}
beforeEach(async () => {
tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'main-test-'))
sbomFilePath = path.join(tmpDir, 'sbom.spdx.json')
await fs.writeFile(sbomFilePath, JSON.stringify(spdxSBOM))
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
afterEach(async () => {
await fs.rm(tmpDir, { recursive: true })
})
it('logs the attestation type as SBOM and generates predicate', async () => {
const inputs: RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
sbomPath: sbomFilePath,
githubToken: 'gh-token'
}
await run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM')
})
})
})
})
// Helper to update the mock context
function setGHContext(context: {
repo?: { owner: string; repo: string }
payload?: { repository?: { visibility: string } }
}): void {
if (context.repo) {
mockContext.repo = context.repo
}
if (context.payload) {
mockContext.payload = context.payload as typeof mockContext.payload
}
}
-133
View File
@@ -1,133 +0,0 @@
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { predicateFromInputs, PredicateInputs } from '../src/predicate'
describe('subjectFromInputs', () => {
const blankInputs: PredicateInputs = {
predicateType: '',
predicate: '',
predicatePath: ''
}
describe('when no inputs are provided', () => {
it('throws an error', async () => {
await expect(predicateFromInputs(blankInputs)).rejects.toThrow(
/predicate-type/i
)
})
})
describe('when neither predicate path nor predicate are provided', () => {
it('throws an error', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/one of predicate-path or predicate must be provided/i
)
})
})
describe('when both predicate path and predicate are provided', () => {
it('throws an error', async () => {
const inputs: PredicateInputs = {
predicateType: 'https://example.com/predicate',
predicate: '{}',
predicatePath: 'path/to/predicate'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/only one of predicate-path or predicate may be provided/i
)
})
})
describe('when specifying a predicate path', () => {
const predicateType = 'https://example.com/predicate'
const content = '{}'
let predicatePath = ''
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
const dir = await fs.mkdtemp(tmpDir + path.sep)
const filename = 'subject'
predicatePath = path.join(dir, filename)
// Write file to temp directory
await fs.writeFile(predicatePath, content)
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(path.parse(predicatePath).dir, { recursive: true })
})
it('returns the predicate', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicatePath
}
await expect(predicateFromInputs(inputs)).resolves.toEqual({
type: predicateType,
params: JSON.parse(content)
})
})
})
describe('when specifying a predicate path that does not exist', () => {
const predicateType = 'https://example.com/predicate'
const predicatePath = 'foo'
it('returns the predicate', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicatePath
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/file not found/
)
})
})
describe('when specifying a predicate value', () => {
const predicateType = 'https://example.com/predicate'
const content = '{}'
it('returns the predicate', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: content
}
await expect(predicateFromInputs(inputs)).resolves.toEqual({
type: predicateType,
params: JSON.parse(content)
})
})
})
describe('when specifying a predicate value exceeding the max size', () => {
const predicateType = 'https://example.com/predicate'
const content = JSON.stringify({ a: 'a'.repeat(16 * 1024 * 1024) })
it('throws an error', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: content
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/predicate string exceeds maximum/
)
})
})
})
-161
View File
@@ -1,161 +0,0 @@
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { parseSBOMFromPath, generateSBOMPredicate, SBOM } from '../src/sbom'
describe('parseSBOMFromPath', () => {
let tmpDir: string
beforeEach(async () => {
tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'sbom-test-'))
})
afterEach(async () => {
await fs.rm(tmpDir, { recursive: true })
})
describe('when file does not exist', () => {
it('throws an error', async () => {
await expect(parseSBOMFromPath('/nonexistent/file.json')).rejects.toThrow(
/SBOM file not found/
)
})
})
describe('when file contains valid SPDX SBOM', () => {
const spdxSBOM = {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package',
packages: []
}
it('returns SBOM with type spdx', async () => {
const filePath = path.join(tmpDir, 'sbom.spdx.json')
await fs.writeFile(filePath, JSON.stringify(spdxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('spdx')
expect(result.object).toEqual(spdxSBOM)
})
})
describe('when file contains valid CycloneDX SBOM', () => {
const cyclonedxSBOM = {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345',
components: []
}
it('returns SBOM with type cyclonedx', async () => {
const filePath = path.join(tmpDir, 'sbom.cdx.json')
await fs.writeFile(filePath, JSON.stringify(cyclonedxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('cyclonedx')
expect(result.object).toEqual(cyclonedxSBOM)
})
})
describe('when file contains invalid SBOM format', () => {
it('throws an error', async () => {
const filePath = path.join(tmpDir, 'invalid.json')
await fs.writeFile(filePath, JSON.stringify({ random: 'data' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
})
describe('when file contains invalid JSON', () => {
it('throws an error', async () => {
const filePath = path.join(tmpDir, 'invalid.json')
await fs.writeFile(filePath, 'not valid json')
await expect(parseSBOMFromPath(filePath)).rejects.toThrow()
})
})
describe('when file exceeds maximum size', () => {
it('throws an error', async () => {
const filePath = path.join(tmpDir, 'large.json')
// Create a file larger than 16MB
const largeContent = 'x'.repeat(17 * 1024 * 1024)
await fs.writeFile(filePath, largeContent)
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/SBOM file exceeds maximum allowed size/
)
})
})
})
describe('generateSBOMPredicate', () => {
describe('for SPDX SBOM', () => {
const spdxSBOM: SBOM = {
type: 'spdx',
object: {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package'
}
}
it('returns predicate with correct SPDX type', () => {
const predicate = generateSBOMPredicate(spdxSBOM)
expect(predicate.type).toBe('https://spdx.dev/Document/v2.3')
expect(predicate.params).toEqual(spdxSBOM.object)
})
})
describe('for CycloneDX SBOM', () => {
const cyclonedxSBOM: SBOM = {
type: 'cyclonedx',
object: {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345'
}
}
it('returns predicate with correct CycloneDX type', () => {
const predicate = generateSBOMPredicate(cyclonedxSBOM)
expect(predicate.type).toBe('https://cyclonedx.org/bom')
expect(predicate.params).toEqual(cyclonedxSBOM.object)
})
})
describe('for SPDX without version', () => {
const invalidSBOM: SBOM = {
type: 'spdx',
object: {
SPDXID: 'SPDXRef-DOCUMENT'
}
}
it('throws an error', () => {
expect(() => generateSBOMPredicate(invalidSBOM)).toThrow(
/Cannot find spdxVersion/
)
})
})
describe('for unsupported SBOM type', () => {
const unsupportedSBOM = {
type: 'unknown' as SBOM['type'],
object: { foo: 'bar' }
}
it('throws an error', () => {
expect(() => generateSBOMPredicate(unsupportedSBOM)).toThrow(
/Unsupported SBOM format/
)
})
})
})
-15
View File
@@ -1,15 +0,0 @@
import { highlight, mute } from '../src/style'
describe('style', () => {
describe('highlight', () => {
it('adds cyan color to the string', () => {
expect(highlight('foo')).toBe('\x1B[36mfoo\x1B[39m')
})
})
describe('mute', () => {
it('adds gray color to the string', () => {
expect(mute('foo')).toBe('\x1B[38;5;244mfoo\x1B[39m')
})
})
})
-600
View File
@@ -1,600 +0,0 @@
import crypto from 'crypto'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import {
formatSubjectDigest,
subjectFromInputs,
SubjectInputs
} from '../src/subject'
describe('subjectFromInputs', () => {
const blankInputs: SubjectInputs = {
subjectPath: '',
subjectName: '',
subjectDigest: '',
subjectChecksums: ''
}
describe('when no inputs are provided', () => {
it('throws an error', async () => {
await expect(subjectFromInputs(blankInputs)).rejects.toThrow(
/one of subject-path, subject-digest, or subject-checksums must be provided/i
)
})
})
describe('when both subject path and subject digest are provided', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
subjectName: 'foo',
subjectPath: 'path/to/subject',
subjectDigest: 'digest',
subjectChecksums: ''
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
})
describe('when both subject path and subject checksums are provided', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
subjectName: '',
subjectPath: 'path/to/subject',
subjectDigest: '',
subjectChecksums: 'path/to/checksums'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
})
describe('when both subject digest and subject checksums are provided', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
subjectName: 'foo',
subjectPath: '',
subjectDigest: 'digest',
subjectChecksums: 'path/to/checksums'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
})
describe('when subject digest is provided but not the name', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'digest'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-name must be provided when using subject-digest/i
)
})
})
describe('when specifying a subject digest', () => {
const name = 'Subject'
describe('when the digest is malformed', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'digest',
subjectName: name
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format "sha256:<hex-digest>"/i
)
})
})
describe('when the algorithm is not supported', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'md5:deadbeef',
subjectName: name
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format "sha256:<hex-digest>"/i
)
})
})
describe('when the sha256 digest is malformed', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'sha256:deadbeef',
subjectName: name
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format "sha256:<hex-digest>"/i
)
})
})
describe('when the sha256 digest is valid', () => {
const alg = 'sha256'
const digest =
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
it('returns the subject', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: `${alg}:${digest}`,
subjectName: name
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(name)
expect(subject[0].digest).toEqual({ [alg]: digest })
})
})
describe('when the downcaseName is true', () => {
const imageName = 'ghcr.io/FOO/bar'
const alg = 'sha256'
const digest =
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
it('returns the subject (with name downcased)', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: `${alg}:${digest}`,
subjectName: imageName,
downcaseName: true
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(imageName.toLowerCase())
expect(subject[0].digest).toEqual({ [alg]: digest })
})
})
})
describe('when specifying a subject path', () => {
describe('when the file does NOT exist', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: '/f/a/k/e'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/could not find subject at path/i
)
})
})
})
describe('when the file exists', () => {
let dir = ''
const filename = 'subject'
const content = 'file content'
const expectedDigest = crypto
.createHash('sha256')
.update(content)
.digest('hex')
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Write file to temp directory
await fs.writeFile(path.join(dir, filename), content)
// Add files for glob testing
for (let i = 0; i < 3; i++) {
await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
await fs.writeFile(path.join(dir, `other-${i}`), content)
}
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
describe('when no name is provided', () => {
it('returns the subject', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(dir, filename)
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(filename)
expect(subject[0].digest).toEqual({ sha256: expectedDigest })
})
})
describe('when a name is provided', () => {
const name = 'mysubject'
it('returns the subject', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(dir, filename),
subjectName: name
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(name)
expect(subject[0].digest).toEqual({ sha256: expectedDigest })
})
})
describe('when a file glob is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(dir, 'subject-*')
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(3)
subjects.forEach((subject, i) => {
expect(subject.name).toEqual(`${filename}-${i}`)
expect(subject.digest).toEqual({ sha256: expectedDigest })
})
})
})
describe('when a file glob is supplied which also matches non-files', () => {
it('returns the subjects (excluding non-files)', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${dir}*`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(7)
})
})
describe('when a comma-separated list is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'subject-1',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when a multi-line list is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'subject-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when an excluding glob is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-*')},!${path.join(dir, 'subject-1')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'subject-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when a multi-line glob list is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-*')}\n ${path.join(dir, 'other-*')} `
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(6)
expect(subjects).toContainEqual({
name: 'subject-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-1',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'other-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'other-1',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'other-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when duplicate subjects are supplied', () => {
let otherDir = ''
// Add duplicate subject in alternate directory
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
otherDir = await fs.mkdtemp(tmpDir + path.sep)
// Write file to temp directory
await fs.writeFile(path.join(otherDir, filename), content)
})
it('returns de-duplicated subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject')}, ${path.join(otherDir, 'subject')} `
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(1)
})
})
})
describe('when specifying a subject checksums file', () => {
const checksums = `
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d demo_0.0.1_linux_amd64
badline
5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718 demo_0.0.1_darwin_arm64`
let dir = ''
const filename = 'checksums'
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Write file to temp directory
await fs.writeFile(path.join(dir, filename), checksums)
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
describe('when the specified path is NOT a file', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: dir
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject checksums file not found/i
)
})
})
describe('when the specific path is a file', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: path.join(dir, filename)
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_amd64',
digest: {
sha256:
'187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_darwin_arm64',
digest: {
sha512:
'5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718'
}
})
})
})
})
describe('when specifying a subject checksums string', () => {
const checksums = `
f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 demo_0.0.1_linux_arm64`
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(3)
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_386',
digest: {
sha256:
'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_amd64',
digest: {
sha256:
'187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_arm64',
digest: {
sha256:
'9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5'
}
})
})
})
describe('when specifying a subject checksums string with duplicates', () => {
const checksums = `
f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386
f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64`
it('returns de-duplicated subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_386',
digest: {
sha256:
'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_amd64',
digest: {
sha256:
'187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
}
})
})
})
describe('when specifying a subject checksums string with an unrecognized digest', () => {
const checksums = `f861e demo_0.0.1_linux_386`
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/unknown digest algorithm/i
)
})
})
describe('when specifying a subject checksums string with an invalid digest', () => {
const checksums =
'!!!!e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386'
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/invalid digest/i)
})
})
})
describe('subjectDigest', () => {
it('returns the digest', () => {
const subject = {
name: 'foo',
digest: { sha1: 'deadbeef' }
}
const digest = formatSubjectDigest(subject)
expect(digest).toEqual('sha1:deadbeef')
})
})
@@ -2,7 +2,7 @@ import {
detectAttestationType, detectAttestationType,
validateAttestationInputs, validateAttestationInputs,
DetectionInputs DetectionInputs
} from '../src/detect' } from '../../src/detect'
describe('detectAttestationType', () => { describe('detectAttestationType', () => {
const blankInputs: DetectionInputs = { const blankInputs: DetectionInputs = {
@@ -12,14 +12,12 @@ describe('detectAttestationType', () => {
predicatePath: '' predicatePath: ''
} }
describe('when no inputs are provided', () => { it('should return provenance when no inputs are provided', () => {
it('returns provenance', () => { expect(detectAttestationType(blankInputs)).toBe('provenance')
expect(detectAttestationType(blankInputs)).toBe('provenance')
})
}) })
describe('when sbom-path is provided', () => { describe('SBOM detection', () => {
it('returns sbom', () => { it('should return sbom when sbom-path is provided', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
sbomPath: '/path/to/sbom.json' sbomPath: '/path/to/sbom.json'
@@ -27,7 +25,7 @@ describe('detectAttestationType', () => {
expect(detectAttestationType(inputs)).toBe('sbom') expect(detectAttestationType(inputs)).toBe('sbom')
}) })
it('returns sbom even when predicate inputs are also provided', () => { it('should prioritize sbom over custom predicate inputs', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
sbomPath: '/path/to/sbom.json', sbomPath: '/path/to/sbom.json',
@@ -37,38 +35,32 @@ describe('detectAttestationType', () => {
}) })
}) })
describe('when predicate-type is provided', () => { describe('custom detection', () => {
it('returns custom', () => { it('should return custom when predicate-type is provided', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicateType: 'https://example.com/predicate' predicateType: 'https://example.com/predicate'
} }
expect(detectAttestationType(inputs)).toBe('custom') expect(detectAttestationType(inputs)).toBe('custom')
}) })
})
describe('when predicate is provided', () => { it('should return custom when predicate is provided', () => {
it('returns custom', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicate: '{}' predicate: '{}'
} }
expect(detectAttestationType(inputs)).toBe('custom') expect(detectAttestationType(inputs)).toBe('custom')
}) })
})
describe('when predicate-path is provided', () => { it('should return custom when predicate-path is provided', () => {
it('returns custom', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicatePath: '/path/to/predicate.json' predicatePath: '/path/to/predicate.json'
} }
expect(detectAttestationType(inputs)).toBe('custom') expect(detectAttestationType(inputs)).toBe('custom')
}) })
})
describe('when predicate-type and predicate are provided', () => { it('should return custom when predicate-type and predicate are both provided', () => {
it('returns custom', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicateType: 'https://example.com/predicate', predicateType: 'https://example.com/predicate',
@@ -87,24 +79,20 @@ describe('validateAttestationInputs', () => {
predicatePath: '' predicatePath: ''
} }
describe('when no inputs are provided', () => { it('should not throw when no inputs are provided', () => {
it('does not throw', () => { expect(() => validateAttestationInputs(blankInputs)).not.toThrow()
expect(() => validateAttestationInputs(blankInputs)).not.toThrow()
})
}) })
describe('when sbom-path is provided alone', () => { it('should not throw when sbom-path is provided alone', () => {
it('does not throw', () => { const inputs: DetectionInputs = {
const inputs: DetectionInputs = { ...blankInputs,
...blankInputs, sbomPath: '/path/to/sbom.json'
sbomPath: '/path/to/sbom.json' }
} expect(() => validateAttestationInputs(inputs)).not.toThrow()
expect(() => validateAttestationInputs(inputs)).not.toThrow()
})
}) })
describe('when sbom-path is combined with predicate-type', () => { describe('sbom-path conflicts', () => {
it('throws an error', () => { it('should throw when sbom-path is combined with predicate-type', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
sbomPath: '/path/to/sbom.json', sbomPath: '/path/to/sbom.json',
@@ -114,10 +102,8 @@ describe('validateAttestationInputs', () => {
/Cannot specify sbom-path together with/ /Cannot specify sbom-path together with/
) )
}) })
})
describe('when sbom-path is combined with predicate', () => { it('should throw when sbom-path is combined with predicate', () => {
it('throws an error', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
sbomPath: '/path/to/sbom.json', sbomPath: '/path/to/sbom.json',
@@ -127,10 +113,8 @@ describe('validateAttestationInputs', () => {
/Cannot specify sbom-path together with/ /Cannot specify sbom-path together with/
) )
}) })
})
describe('when sbom-path is combined with predicate-path', () => { it('should throw when sbom-path is combined with predicate-path', () => {
it('throws an error', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
sbomPath: '/path/to/sbom.json', sbomPath: '/path/to/sbom.json',
@@ -142,8 +126,8 @@ describe('validateAttestationInputs', () => {
}) })
}) })
describe('when predicate is provided without predicate-type', () => { describe('predicate-type requirements', () => {
it('throws an error', () => { it('should throw when predicate is provided without predicate-type', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicate: '{}' predicate: '{}'
@@ -152,10 +136,8 @@ describe('validateAttestationInputs', () => {
/predicate-type is required/ /predicate-type is required/
) )
}) })
})
describe('when predicate-path is provided without predicate-type', () => { it('should throw when predicate-path is provided without predicate-type', () => {
it('throws an error', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicatePath: '/path/to/predicate.json' predicatePath: '/path/to/predicate.json'
@@ -164,10 +146,8 @@ describe('validateAttestationInputs', () => {
/predicate-type is required/ /predicate-type is required/
) )
}) })
})
describe('when predicate-type and predicate are provided', () => { it('should not throw when predicate-type and predicate are provided', () => {
it('does not throw', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicateType: 'https://example.com/predicate', predicateType: 'https://example.com/predicate',
@@ -175,10 +155,8 @@ describe('validateAttestationInputs', () => {
} }
expect(() => validateAttestationInputs(inputs)).not.toThrow() expect(() => validateAttestationInputs(inputs)).not.toThrow()
}) })
})
describe('when predicate-type and predicate-path are provided', () => { it('should not throw when predicate-type and predicate-path are provided', () => {
it('does not throw', () => {
const inputs: DetectionInputs = { const inputs: DetectionInputs = {
...blankInputs, ...blankInputs,
predicateType: 'https://example.com/predicate', predicateType: 'https://example.com/predicate',
+142
View File
@@ -0,0 +1,142 @@
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { predicateFromInputs, PredicateInputs } from '../../src/predicate'
describe('predicateFromInputs', () => {
const blankInputs: PredicateInputs = {
predicateType: '',
predicate: '',
predicatePath: ''
}
let tempDir: string
beforeEach(async () => {
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'predicate-test-'))
})
afterEach(async () => {
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('input validation', () => {
it('should throw when predicate-type is not provided', async () => {
await expect(predicateFromInputs(blankInputs)).rejects.toThrow(
/predicate-type must be provided/
)
})
it('should throw when neither predicate nor predicate-path is provided', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/one of predicate-path or predicate must be provided/i
)
})
it('should throw when both predicate and predicate-path are provided', async () => {
const inputs: PredicateInputs = {
predicateType: 'https://example.com/predicate',
predicate: '{}',
predicatePath: '/path/to/predicate.json'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/only one of predicate-path or predicate may be provided/i
)
})
})
describe('with predicate string', () => {
it('should parse and return the predicate', async () => {
const predicateType = 'https://example.com/predicate'
const predicateContent = { foo: 'bar', nested: { value: 123 } }
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: JSON.stringify(predicateContent)
}
const result = await predicateFromInputs(inputs)
expect(result).toEqual({
type: predicateType,
params: predicateContent
})
})
it('should throw when predicate string exceeds max size', async () => {
const predicateType = 'https://example.com/predicate'
const largeContent = JSON.stringify({ data: 'x'.repeat(16 * 1024 * 1024) })
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: largeContent
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/predicate string exceeds maximum/
)
})
it('should throw when predicate is invalid JSON', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
predicate: 'not valid json'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(/JSON/)
})
})
describe('with predicate path', () => {
it('should read and parse predicate from file', async () => {
const predicateType = 'https://example.com/predicate'
const predicateContent = { buildType: 'test', metadata: { version: '1.0' } }
const filePath = path.join(tempDir, 'predicate.json')
await fs.writeFile(filePath, JSON.stringify(predicateContent))
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicatePath: filePath
}
const result = await predicateFromInputs(inputs)
expect(result).toEqual({
type: predicateType,
params: predicateContent
})
})
it('should throw when predicate file does not exist', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
predicatePath: '/nonexistent/file.json'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(/file not found/)
})
it('should throw when predicate file contains invalid JSON', async () => {
const filePath = path.join(tempDir, 'invalid.json')
await fs.writeFile(filePath, 'not valid json')
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
predicatePath: filePath
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(/JSON/)
})
})
})
+181
View File
@@ -0,0 +1,181 @@
import { jest } from '@jest/globals'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { parseSBOMFromPath, generateSBOMPredicate, SBOM } from '../../src/sbom'
describe('parseSBOMFromPath', () => {
let tempDir: string
beforeEach(async () => {
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'sbom-test-'))
})
afterEach(async () => {
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('file handling', () => {
it('should throw when file does not exist', async () => {
await expect(parseSBOMFromPath('/nonexistent/file.json')).rejects.toThrow(
/SBOM file not found/
)
})
it('should rethrow non-ENOENT errors', async () => {
const statSpy = jest.spyOn(fs, 'stat').mockRejectedValueOnce(
Object.assign(new Error('Permission denied'), { code: 'EACCES' })
)
await expect(parseSBOMFromPath('/some/file.json')).rejects.toThrow(
/Permission denied/
)
statSpy.mockRestore()
})
it('should throw when file contains invalid JSON', async () => {
const filePath = path.join(tempDir, 'invalid.json')
await fs.writeFile(filePath, 'not valid json')
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(/JSON/)
})
it('should throw when file exceeds maximum size', async () => {
const filePath = path.join(tempDir, 'large.json')
const largeContent = 'x'.repeat(17 * 1024 * 1024)
await fs.writeFile(filePath, largeContent)
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/SBOM file exceeds maximum allowed size/
)
})
})
describe('SPDX format', () => {
const spdxSBOM = {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package',
packages: []
}
it('should parse valid SPDX SBOM', async () => {
const filePath = path.join(tempDir, 'sbom.spdx.json')
await fs.writeFile(filePath, JSON.stringify(spdxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('spdx')
expect(result.object).toEqual(spdxSBOM)
})
})
describe('CycloneDX format', () => {
const cyclonedxSBOM = {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345',
components: []
}
it('should parse valid CycloneDX SBOM', async () => {
const filePath = path.join(tempDir, 'sbom.cdx.json')
await fs.writeFile(filePath, JSON.stringify(cyclonedxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('cyclonedx')
expect(result.object).toEqual(cyclonedxSBOM)
})
})
describe('unsupported formats', () => {
it('should throw for unrecognized SBOM format', async () => {
const filePath = path.join(tempDir, 'invalid-sbom.json')
await fs.writeFile(filePath, JSON.stringify({ random: 'data' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
it('should throw for SPDX missing SPDXID', async () => {
const filePath = path.join(tempDir, 'partial-spdx.json')
await fs.writeFile(filePath, JSON.stringify({ spdxVersion: 'SPDX-2.3' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
it('should throw for CycloneDX missing required fields', async () => {
const filePath = path.join(tempDir, 'partial-cdx.json')
await fs.writeFile(filePath, JSON.stringify({ bomFormat: 'CycloneDX' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
})
})
describe('generateSBOMPredicate', () => {
describe('SPDX predicates', () => {
it('should generate predicate with correct SPDX type URL', () => {
const sbom: SBOM = {
type: 'spdx',
object: {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package'
}
}
const predicate = generateSBOMPredicate(sbom)
expect(predicate.type).toBe('https://spdx.dev/Document/v2.3')
expect(predicate.params).toEqual(sbom.object)
})
it('should throw when spdxVersion is missing', () => {
const sbom: SBOM = {
type: 'spdx',
object: { SPDXID: 'SPDXRef-DOCUMENT' }
}
expect(() => generateSBOMPredicate(sbom)).toThrow(
/Cannot find spdxVersion/
)
})
})
describe('CycloneDX predicates', () => {
it('should generate predicate with correct CycloneDX type URL', () => {
const sbom: SBOM = {
type: 'cyclonedx',
object: {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345'
}
}
const predicate = generateSBOMPredicate(sbom)
expect(predicate.type).toBe('https://cyclonedx.org/bom')
expect(predicate.params).toEqual(sbom.object)
})
})
describe('unsupported types', () => {
it('should throw for unsupported SBOM type', () => {
const sbom = {
type: 'unknown' as SBOM['type'],
object: { foo: 'bar' }
}
expect(() => generateSBOMPredicate(sbom)).toThrow(/Unsupported SBOM format/)
})
})
})
+27
View File
@@ -0,0 +1,27 @@
import { highlight, mute } from '../../src/style'
describe('style', () => {
describe('highlight', () => {
it('should wrap text with cyan ANSI color codes', () => {
const result = highlight('test message')
expect(result).toBe('\x1B[36mtest message\x1B[39m')
})
it('should handle empty strings', () => {
const result = highlight('')
expect(result).toBe('\x1B[36m\x1B[39m')
})
})
describe('mute', () => {
it('should wrap text with gray ANSI color codes', () => {
const result = mute('test message')
expect(result).toBe('\x1B[38;5;244mtest message\x1B[39m')
})
it('should handle empty strings', () => {
const result = mute('')
expect(result).toBe('\x1B[38;5;244m\x1B[39m')
})
})
})
+462
View File
@@ -0,0 +1,462 @@
import crypto from 'crypto'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import {
subjectFromInputs,
formatSubjectDigest,
SubjectInputs
} from '../../src/subject'
describe('subjectFromInputs', () => {
const blankInputs: SubjectInputs = {
subjectPath: '',
subjectName: '',
subjectDigest: '',
subjectChecksums: ''
}
let tempDir: string
beforeEach(async () => {
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'subject-test-'))
})
afterEach(async () => {
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('input validation', () => {
it('should throw when no inputs are provided', async () => {
await expect(subjectFromInputs(blankInputs)).rejects.toThrow(
/one of subject-path, subject-digest, or subject-checksums must be provided/i
)
})
it('should throw when multiple subject inputs are provided', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: '/some/path',
subjectDigest: 'sha256:abc123'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
it('should throw when subject-digest is provided without subject-name', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-name must be provided when using subject-digest/i
)
})
})
describe('with subject-digest', () => {
const validDigest = 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
it('should return subject with provided name and digest', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'my-artifact',
subjectDigest: validDigest
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].name).toBe('my-artifact')
expect(subjects[0].digest).toEqual({
sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
})
})
it('should lowercase name when downcaseName is true', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'ghcr.io/FOO/Bar',
subjectDigest: validDigest,
downcaseName: true
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('ghcr.io/foo/bar')
})
it('should throw for malformed digest format', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'artifact',
subjectDigest: 'invalid-digest'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format/
)
})
it('should throw for unsupported hash algorithm', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'artifact',
subjectDigest: 'md5:d41d8cd98f00b204e9800998ecf8427e'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format/
)
})
it('should throw for incorrect sha256 digest length', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'artifact',
subjectDigest: 'sha256:deadbeef'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format/
)
})
})
describe('with subject-path', () => {
const fileContent = 'test file content'
const expectedDigest = crypto.createHash('sha256').update(fileContent).digest('hex')
it('should calculate digest from file', async () => {
const filePath = path.join(tempDir, 'artifact.bin')
await fs.writeFile(filePath, fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: filePath
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].name).toBe('artifact.bin')
expect(subjects[0].digest).toEqual({ sha256: expectedDigest })
})
it('should use provided name instead of filename', async () => {
const filePath = path.join(tempDir, 'artifact.bin')
await fs.writeFile(filePath, fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: filePath,
subjectName: 'custom-name'
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('custom-name')
})
it('should throw when file does not exist', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: '/nonexistent/file'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/could not find subject at path/i
)
})
describe('glob patterns', () => {
beforeEach(async () => {
for (let i = 0; i < 3; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), fileContent)
}
})
it('should expand glob pattern to multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(tempDir, 'file-*.txt')
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(3)
expect(subjects.map(s => s.name).sort()).toEqual([
'file-0.txt',
'file-1.txt',
'file-2.txt'
])
})
it('should handle comma-separated paths', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-0.txt')},${path.join(tempDir, 'file-1.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should handle newline-separated paths', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-0.txt')}\n${path.join(tempDir, 'file-2.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should support exclusion patterns', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-*.txt')},!${path.join(tempDir, 'file-1.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
expect(subjects.map(s => s.name)).not.toContain('file-1.txt')
})
it('should deduplicate subjects with same name and digest', async () => {
// Create another directory with same file
const otherDir = await fs.mkdtemp(path.join(os.tmpdir(), 'subject-dup-'))
await fs.writeFile(path.join(otherDir, 'file-0.txt'), fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-0.txt')},${path.join(otherDir, 'file-0.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
await fs.rm(otherDir, { recursive: true, force: true })
})
})
it('should exclude directories from glob results', async () => {
await fs.mkdir(path.join(tempDir, 'subdir'))
await fs.writeFile(path.join(tempDir, 'file.txt'), fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(tempDir, '*')
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].name).toBe('file.txt')
})
it('should throw when too many subjects are specified', async () => {
// Create 1025 files (exceeds MAX_SUBJECT_COUNT of 1024)
for (let i = 0; i < 1025; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`)
}
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(tempDir, 'file-*.txt')
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/too many subjects/i)
})
})
describe('with subject-checksums', () => {
describe('from string', () => {
it('should parse sha256 checksums', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-linux
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 artifact-darwin`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'artifact-linux',
digest: { sha256: '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d' }
})
expect(subjects).toContainEqual({
name: 'artifact-darwin',
digest: { sha256: '9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5' }
})
})
it('should parse sha512 checksums', async () => {
const sha512 = '5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718'
const checksums = `${sha512} artifact-amd64`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].digest).toEqual({ sha512 })
})
it('should handle binary mode flag (*)', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *artifact.bin`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('artifact.bin')
})
it('should handle text mode flag (space)', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact.txt`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('artifact.txt')
})
it('should handle checksums without mode flag', async () => {
// Single space between digest and name (no flag character)
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-no-flag`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('artifact-no-flag')
})
it('should skip malformed lines', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d valid-artifact
badline
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 another-artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should deduplicate identical entries', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
})
it('should throw for invalid digest characters', async () => {
const checksums = `!!!!e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/invalid digest/i)
})
it('should throw for unknown digest algorithm', async () => {
const checksums = `f861e artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/unknown digest algorithm/i)
})
})
describe('from file', () => {
it('should read checksums from file', async () => {
const checksumFile = path.join(tempDir, 'SHA256SUMS')
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-linux
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 artifact-darwin`
await fs.writeFile(checksumFile, checksums)
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksumFile
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should throw when checksums path is a directory', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: tempDir
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject checksums file not found/i
)
})
})
})
})
describe('formatSubjectDigest', () => {
it('should format digest as algorithm:hash', () => {
const subject = {
name: 'artifact',
digest: { sha256: 'abc123def456' }
}
expect(formatSubjectDigest(subject)).toBe('sha256:abc123def456')
})
it('should use first algorithm alphabetically when multiple exist', () => {
const subject = {
name: 'artifact',
digest: {
sha512: 'longer-hash',
sha256: 'shorter-hash'
}
}
expect(formatSubjectDigest(subject)).toBe('sha256:shorter-hash')
})
})
Generated Vendored
+4
View File
@@ -120896,6 +120896,7 @@ function getRegistryURL(subjectName) {
catch { catch {
url = new URL(`https://${subjectName}`); url = new URL(`https://${subjectName}`);
} }
/* istanbul ignore if */
if (url.protocol !== 'https:') { if (url.protocol !== 'https:') {
throw new Error(`Unsupported protocol ${url.protocol} in subject name ${subjectName}`); throw new Error(`Unsupported protocol ${url.protocol} in subject name ${subjectName}`);
} }
@@ -121141,6 +121142,7 @@ async function run(inputs) {
setOutput('attestation-id', att.attestationID); setOutput('attestation-id', att.attestationID);
setOutput('attestation-url', attestationURL(att.attestationID)); setOutput('attestation-url', attestationURL(att.attestationID));
} }
/* istanbul ignore if */
if (att.storageRecordIds) { if (att.storageRecordIds) {
setOutput('storage-record-ids', att.storageRecordIds.join(',')); setOutput('storage-record-ids', att.storageRecordIds.join(','));
} }
@@ -121175,6 +121177,7 @@ const logAttestation = (subjects, attestation, sigstoreInstance) => {
startGroup(highlight(`Attestation signed using certificate from ${instanceName} Sigstore instance`)); startGroup(highlight(`Attestation signed using certificate from ${instanceName} Sigstore instance`));
info(attestation.certificate); info(attestation.certificate);
endGroup(); endGroup();
/* istanbul ignore if */
if (attestation.tlogID) { if (attestation.tlogID) {
info(highlight('Attestation signature uploaded to Rekor transparency log')); info(highlight('Attestation signature uploaded to Rekor transparency log'));
info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`); info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`);
@@ -121188,6 +121191,7 @@ const logAttestation = (subjects, attestation, sigstoreInstance) => {
info(highlight('Attestation uploaded to registry')); info(highlight('Attestation uploaded to registry'));
info(`${subjects[0].name}@${attestation.attestationDigest}`); info(`${subjects[0].name}@${attestation.attestationDigest}`);
} }
/* istanbul ignore next */
if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) { if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) {
info(highlight('Storage record created')); info(highlight('Storage record created'));
info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`); info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`);
-10
View File
@@ -175,7 +175,6 @@
"integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==", "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"@babel/code-frame": "^7.29.0", "@babel/code-frame": "^7.29.0",
"@babel/generator": "^7.29.0", "@babel/generator": "^7.29.0",
@@ -1498,7 +1497,6 @@
"resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz", "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
"integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==", "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"@octokit/auth-token": "^6.0.0", "@octokit/auth-token": "^6.0.0",
"@octokit/graphql": "^9.0.3", "@octokit/graphql": "^9.0.3",
@@ -2367,7 +2365,6 @@
"integrity": "sha512-1y/MVSz0NglV1ijHC8OT49mPJ4qhPYjiK08YUQVbIOyu+5k862LKUHFkpKHWu//zmr7hDR2rhwUm6gnCGNmGBQ==", "integrity": "sha512-1y/MVSz0NglV1ijHC8OT49mPJ4qhPYjiK08YUQVbIOyu+5k862LKUHFkpKHWu//zmr7hDR2rhwUm6gnCGNmGBQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"@eslint-community/regexpp": "^4.12.2", "@eslint-community/regexpp": "^4.12.2",
"@typescript-eslint/scope-manager": "8.55.0", "@typescript-eslint/scope-manager": "8.55.0",
@@ -2407,7 +2404,6 @@
"integrity": "sha512-4z2nCSBfVIMnbuu8uinj+f0o4qOeggYJLbjpPHka3KH1om7e+H9yLKTYgksTaHcGco+NClhhY2vyO3HsMH1RGw==", "integrity": "sha512-4z2nCSBfVIMnbuu8uinj+f0o4qOeggYJLbjpPHka3KH1om7e+H9yLKTYgksTaHcGco+NClhhY2vyO3HsMH1RGw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"@typescript-eslint/scope-manager": "8.55.0", "@typescript-eslint/scope-manager": "8.55.0",
"@typescript-eslint/types": "8.55.0", "@typescript-eslint/types": "8.55.0",
@@ -2924,7 +2920,6 @@
"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"bin": { "bin": {
"acorn": "bin/acorn" "acorn": "bin/acorn"
}, },
@@ -3372,7 +3367,6 @@
} }
], ],
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"baseline-browser-mapping": "^2.9.0", "baseline-browser-mapping": "^2.9.0",
"caniuse-lite": "^1.0.30001759", "caniuse-lite": "^1.0.30001759",
@@ -4401,7 +4395,6 @@
"integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==", "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/eslint-utils": "^4.8.0",
"@eslint-community/regexpp": "^4.12.1", "@eslint-community/regexpp": "^4.12.1",
@@ -6097,7 +6090,6 @@
"integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==", "integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"@jest/core": "30.2.0", "@jest/core": "30.2.0",
"@jest/types": "30.2.0", "@jest/types": "30.2.0",
@@ -9496,7 +9488,6 @@
"integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"engines": { "engines": {
"node": ">=12" "node": ">=12"
}, },
@@ -9808,7 +9799,6 @@
"integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
"dev": true, "dev": true,
"license": "Apache-2.0", "license": "Apache-2.0",
"peer": true,
"bin": { "bin": {
"tsc": "bin/tsc", "tsc": "bin/tsc",
"tsserver": "bin/tsserver" "tsserver": "bin/tsserver"
+1
View File
@@ -126,6 +126,7 @@ function getRegistryURL(subjectName: string): string {
url = new URL(`https://${subjectName}`) url = new URL(`https://${subjectName}`)
} }
/* istanbul ignore if */
if (url.protocol !== 'https:') { if (url.protocol !== 'https:') {
throw new Error( throw new Error(
`Unsupported protocol ${url.protocol} in subject name ${subjectName}` `Unsupported protocol ${url.protocol} in subject name ${subjectName}`
+3
View File
@@ -129,6 +129,7 @@ export async function run(inputs: RunInputs): Promise<void> {
core.setOutput('attestation-url', attestationURL(att.attestationID)) core.setOutput('attestation-url', attestationURL(att.attestationID))
} }
/* istanbul ignore if */
if (att.storageRecordIds) { if (att.storageRecordIds) {
core.setOutput('storage-record-ids', att.storageRecordIds.join(',')) core.setOutput('storage-record-ids', att.storageRecordIds.join(','))
} }
@@ -182,6 +183,7 @@ const logAttestation = (
core.info(attestation.certificate) core.info(attestation.certificate)
core.endGroup() core.endGroup()
/* istanbul ignore if */
if (attestation.tlogID) { if (attestation.tlogID) {
core.info( core.info(
style.highlight( style.highlight(
@@ -202,6 +204,7 @@ const logAttestation = (
core.info(`${subjects[0].name}@${attestation.attestationDigest}`) core.info(`${subjects[0].name}@${attestation.attestationDigest}`)
} }
/* istanbul ignore next */
if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) { if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) {
core.info(style.highlight('Storage record created')) core.info(style.highlight('Storage record created'))
core.info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`) core.info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`)