new OCI compat mode flag
Signed-off-by: Brian DeHamer <bdehamer@github.com>
+15
-21
@@ -95448,9 +95448,8 @@ exports.HTTPError = HTTPError;
|
||||
const ensureStatus = (expectedStatus) => {
|
||||
return (response) => {
|
||||
if (response.status !== expectedStatus) {
|
||||
const e = response.text();
|
||||
throw new HTTPError({
|
||||
message: `Error fetching ${response.url} - expected ${expectedStatus}, received ${response.status}: ${e}`,
|
||||
message: `Error fetching ${response.url} - expected ${expectedStatus}, received ${response.status}`,
|
||||
status: response.status,
|
||||
});
|
||||
}
|
||||
@@ -95505,21 +95504,17 @@ const fetchWithRetry = async (url, options = {}) => {
|
||||
const logRetry = (reason) => {
|
||||
proc_log_1.log.http('fetch', `${options.method} ${url} attempt ${attemptNum} failed with ${reason}`);
|
||||
};
|
||||
proc_log_1.log.http('fetch', `${options.method} ${url}`);
|
||||
const response = await (0, make_fetch_happen_1.default)(url, {
|
||||
...options,
|
||||
retry: false, // We're handling retries ourselves
|
||||
}).catch((reason) => {
|
||||
proc_log_1.log.http('fetch-response', 'caught error', reason);
|
||||
// logRetry(reason);
|
||||
logRetry(reason);
|
||||
return retry(reason);
|
||||
});
|
||||
if (retryable(response.status)) {
|
||||
proc_log_1.log.http('fetch-response', 'retryable error', response.status, response.text());
|
||||
// logRetry(response.status);
|
||||
logRetry(response.status);
|
||||
return retry(response);
|
||||
}
|
||||
proc_log_1.log.http('fetch-response', response.status);
|
||||
return response;
|
||||
}, retryOpts(options.retry)).catch((err) => {
|
||||
// If we got an actual error, throw it
|
||||
@@ -95559,7 +95554,6 @@ const retryOpts = (retry) => {
|
||||
return { retries: 0, ...retry };
|
||||
}
|
||||
};
|
||||
const base64Encode = (str) => Buffer.from(str).toString('base64');
|
||||
exports["default"] = fetchWithRetry;
|
||||
|
||||
|
||||
@@ -95603,7 +95597,12 @@ const constants_1 = __nccwpck_require__(90204);
|
||||
const error_1 = __nccwpck_require__(34031);
|
||||
const registry_1 = __nccwpck_require__(26198);
|
||||
const DOCKER_DEFAULT_REGISTRY = 'registry-1.docker.io';
|
||||
// https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidance-for-an-empty-descriptor
|
||||
const EMPTY_BLOB = Buffer.from('{}');
|
||||
// Certain registries have been found to have issues with the OCI-standard
|
||||
// empty blob (i.e. `{}`) when uploading an OCI artifact manifest. To work
|
||||
// around this, we use a non-standard empty blob that (containing an extra
|
||||
// white space character) that seems to wortk with these registries.
|
||||
const ALT_EMPTY_BLOB = Buffer.from('{ }');
|
||||
class OCIImage {
|
||||
constructor(image, creds, opts) {
|
||||
@@ -95628,7 +95627,7 @@ class OCIImage {
|
||||
// Upload the artifact blob
|
||||
const artifactBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(opts.artifact);
|
||||
// Upload the empty blob (needed for the manifest config)
|
||||
const emptyBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(ALT_EMPTY_BLOB);
|
||||
const emptyBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(opts.compatibility ? ALT_EMPTY_BLOB : EMPTY_BLOB);
|
||||
// Construct artifact manifest
|
||||
const manifest = buildManifest({
|
||||
artifactDescriptor: { ...artifactBlob, mediaType: opts.mediaType },
|
||||
@@ -95874,7 +95873,6 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
const node_crypto_1 = __importDefault(__nccwpck_require__(77598));
|
||||
const proc_log_1 = __nccwpck_require__(6457);
|
||||
const constants_1 = __nccwpck_require__(90204);
|
||||
const credentials_1 = __nccwpck_require__(31855);
|
||||
const error_1 = __nccwpck_require__(34031);
|
||||
@@ -95915,7 +95913,6 @@ class RegistryClient {
|
||||
if (probeResponse.status === 200) {
|
||||
return;
|
||||
}
|
||||
proc_log_1.log.http('fetch', `${probeResponse.status} ${JSON.stringify(probeResponse.headers.raw())}`);
|
||||
// If we still need to authenticate, we must have credentials
|
||||
const { username, password } = creds;
|
||||
if (!username || !password) {
|
||||
@@ -96021,13 +96018,7 @@ class RegistryClient {
|
||||
if (options.etag) {
|
||||
headers[constants_1.HEADER_IF_MATCH] = options.etag;
|
||||
}
|
||||
const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { method: 'PUT', body: manifest, headers })
|
||||
.then(async (r) => {
|
||||
const e = await r.text();
|
||||
proc_log_1.log.http('message', e);
|
||||
return r;
|
||||
})
|
||||
.then((0, error_1.ensureStatus)(201));
|
||||
const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { method: 'PUT', body: manifest, headers }).then((0, error_1.ensureStatus)(201));
|
||||
const subjectDigest = response.headers.get(constants_1.HEADER_OCI_SUBJECT) || undefined;
|
||||
return {
|
||||
mediaType: contentType,
|
||||
@@ -96130,6 +96121,7 @@ const createAttestation = async (subjects, predicate, opts) => {
|
||||
'dev.sigstore.bundle.content': 'dsse-envelope',
|
||||
'dev.sigstore.bundle.predicateType': predicate.type
|
||||
},
|
||||
compatibility: opts.ociCompatMode,
|
||||
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
|
||||
});
|
||||
// Add the attestation's digest to the result
|
||||
@@ -96210,7 +96202,8 @@ const inputs = {
|
||||
showSummary: core.getBooleanInput('show-summary'),
|
||||
githubToken: core.getInput('github-token'),
|
||||
// undocumented -- not part of public interface
|
||||
privateSigning: ['true', 'True', 'TRUE', '1'].includes(core.getInput('private-signing'))
|
||||
privateSigning: ['true', 'True', 'TRUE', '1'].includes(core.getInput('private-signing')),
|
||||
ociCompatMode: ['true', 'True', 'TRUE', '1'].includes(core.getInput('oci-compatibility-mode'))
|
||||
};
|
||||
/* eslint-disable-next-line @typescript-eslint/no-floating-promises */
|
||||
(0, main_1.run)(inputs);
|
||||
@@ -96306,7 +96299,8 @@ async function run(inputs) {
|
||||
const att = await (0, attest_1.createAttestation)(subjects, predicate, {
|
||||
sigstoreInstance,
|
||||
pushToRegistry: inputs.pushToRegistry,
|
||||
githubToken: inputs.githubToken
|
||||
githubToken: inputs.githubToken,
|
||||
ociCompatMode: inputs.ociCompatMode
|
||||
});
|
||||
logAttestation(subjects, att, sigstoreInstance);
|
||||
// Write attestation bundle to output file
|
||||
|
||||
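Review bot: The new `ociCompatMode` entry in `inputs` sits directly under the `// undocumented -- not part of public interface` comment, so it is unclear whether `oci-compatibility-mode` is meant to be a supported input; a comment of its own, e.g. `// opt in to the non-standard '{ }' config blob for registries that reject the OCI empty descriptor`, would settle that. Any value outside `'true'`, `'True'`, `'TRUE'`, `'1'` silently leaves the mode off, so a misspelled value would presumably only surface as a failed manifest upload against the affected registries. The comment added above `ALT_EMPTY_BLOB` also needs a wording fix: `// around this, we use a non-standard empty blob (containing an extra` and `// white space character) that seems to work with these registries.` This file looks like bundled build output (`__nccwpck_require__`), so these changes presumably belong in the source modules rather than here.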