new OCI compat mode flag

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Brian DeHamer
2025-04-10 09:37:56 -07:00
parent 99cf707746
commit 8cb9193776
Generated Vendored
+15 -21
@@ -95448,9 +95448,8 @@ exports.HTTPError = HTTPError;
const ensureStatus = (expectedStatus) => {
return (response) => {
if (response.status !== expectedStatus) {
const e = response.text();
throw new HTTPError({
message: `Error fetching ${response.url} - expected ${expectedStatus}, received ${response.status}: ${e}`,
message: `Error fetching ${response.url} - expected ${expectedStatus}, received ${response.status}`,
status: response.status,
});
}
@@ -95505,21 +95504,17 @@ const fetchWithRetry = async (url, options = {}) => {
const logRetry = (reason) => {
proc_log_1.log.http('fetch', `${options.method} ${url} attempt ${attemptNum} failed with ${reason}`);
};
proc_log_1.log.http('fetch', `${options.method} ${url}`);
const response = await (0, make_fetch_happen_1.default)(url, {
...options,
retry: false, // We're handling retries ourselves
}).catch((reason) => {
proc_log_1.log.http('fetch-response', 'caught error', reason);
// logRetry(reason);
logRetry(reason);
return retry(reason);
});
if (retryable(response.status)) {
proc_log_1.log.http('fetch-response', 'retryable error', response.status, response.text());
// logRetry(response.status);
logRetry(response.status);
return retry(response);
}
proc_log_1.log.http('fetch-response', response.status);
return response;
}, retryOpts(options.retry)).catch((err) => {
// If we got an actual error, throw it
@@ -95559,7 +95554,6 @@ const retryOpts = (retry) => {
return { retries: 0, ...retry };
}
};
const base64Encode = (str) => Buffer.from(str).toString('base64');
exports["default"] = fetchWithRetry;
@@ -95603,7 +95597,12 @@ const constants_1 = __nccwpck_require__(90204);
const error_1 = __nccwpck_require__(34031);
const registry_1 = __nccwpck_require__(26198);
const DOCKER_DEFAULT_REGISTRY = 'registry-1.docker.io';
// https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidance-for-an-empty-descriptor
const EMPTY_BLOB = Buffer.from('{}');
// Certain registries have been found to have issues with the OCI-standard
// empty blob (i.e. `{}`) when uploading an OCI artifact manifest. To work
// around this, we use a non-standard empty blob that (containing an extra
// white space character) that seems to wortk with these registries.
const ALT_EMPTY_BLOB = Buffer.from('{ }');
class OCIImage {
constructor(image, creds, opts) {
@@ -95628,7 +95627,7 @@ class OCIImage {
// Upload the artifact blob
const artifactBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(opts.artifact);
// Upload the empty blob (needed for the manifest config)
const emptyBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(ALT_EMPTY_BLOB);
const emptyBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(opts.compatibility ? ALT_EMPTY_BLOB : EMPTY_BLOB);
// Construct artifact manifest
const manifest = buildManifest({
artifactDescriptor: { ...artifactBlob, mediaType: opts.mediaType },
@@ -95874,7 +95873,6 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
const node_crypto_1 = __importDefault(__nccwpck_require__(77598));
const proc_log_1 = __nccwpck_require__(6457);
const constants_1 = __nccwpck_require__(90204);
const credentials_1 = __nccwpck_require__(31855);
const error_1 = __nccwpck_require__(34031);
@@ -95915,7 +95913,6 @@ class RegistryClient {
if (probeResponse.status === 200) {
return;
}
proc_log_1.log.http('fetch', `${probeResponse.status} ${JSON.stringify(probeResponse.headers.raw())}`);
// If we still need to authenticate, we must have credentials
const { username, password } = creds;
if (!username || !password) {
@@ -96021,13 +96018,7 @@ class RegistryClient {
if (options.etag) {
headers[constants_1.HEADER_IF_MATCH] = options.etag;
}
const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { method: 'PUT', body: manifest, headers })
.then(async (r) => {
const e = await r.text();
proc_log_1.log.http('message', e);
return r;
})
.then((0, error_1.ensureStatus)(201));
const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { method: 'PUT', body: manifest, headers }).then((0, error_1.ensureStatus)(201));
const subjectDigest = response.headers.get(constants_1.HEADER_OCI_SUBJECT) || undefined;
return {
mediaType: contentType,
@@ -96130,6 +96121,7 @@ const createAttestation = async (subjects, predicate, opts) => {
'dev.sigstore.bundle.content': 'dsse-envelope',
'dev.sigstore.bundle.predicateType': predicate.type
},
compatibility: opts.ociCompatMode,
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
});
// Add the attestation's digest to the result
@@ -96210,7 +96202,8 @@ const inputs = {
showSummary: core.getBooleanInput('show-summary'),
githubToken: core.getInput('github-token'),
// undocumented -- not part of public interface
privateSigning: ['true', 'True', 'TRUE', '1'].includes(core.getInput('private-signing'))
privateSigning: ['true', 'True', 'TRUE', '1'].includes(core.getInput('private-signing')),
ociCompatMode: ['true', 'True', 'TRUE', '1'].includes(core.getInput('oci-compatibility-mode'))
};
/* eslint-disable-next-line @typescript-eslint/no-floating-promises */
(0, main_1.run)(inputs);
@@ -96306,7 +96299,8 @@ async function run(inputs) {
const att = await (0, attest_1.createAttestation)(subjects, predicate, {
sigstoreInstance,
pushToRegistry: inputs.pushToRegistry,
githubToken: inputs.githubToken
githubToken: inputs.githubToken,
ociCompatMode: inputs.ociCompatMode
});
logAttestation(subjects, att, sigstoreInstance);
// Write attestation bundle to output file