diff --git a/dist/index.js b/dist/index.js index 1f1fcdc..dce1d29 100644 --- a/dist/index.js +++ b/dist/index.js @@ -95448,9 +95448,8 @@ exports.HTTPError = HTTPError; const ensureStatus = (expectedStatus) => { return (response) => { if (response.status !== expectedStatus) { - const e = response.text(); throw new HTTPError({ - message: `Error fetching ${response.url} - expected ${expectedStatus}, received ${response.status}: ${e}`, + message: `Error fetching ${response.url} - expected ${expectedStatus}, received ${response.status}`, status: response.status, }); } @@ -95505,21 +95504,17 @@ const fetchWithRetry = async (url, options = {}) => { const logRetry = (reason) => { proc_log_1.log.http('fetch', `${options.method} ${url} attempt ${attemptNum} failed with ${reason}`); }; - proc_log_1.log.http('fetch', `${options.method} ${url}`); const response = await (0, make_fetch_happen_1.default)(url, { ...options, retry: false, // We're handling retries ourselves }).catch((reason) => { - proc_log_1.log.http('fetch-response', 'caught error', reason); - // logRetry(reason); + logRetry(reason); return retry(reason); }); if (retryable(response.status)) { - proc_log_1.log.http('fetch-response', 'retryable error', response.status, response.text()); - // logRetry(response.status); + logRetry(response.status); return retry(response); } - proc_log_1.log.http('fetch-response', response.status); return response; }, retryOpts(options.retry)).catch((err) => { // If we got an actual error, throw it @@ -95559,7 +95554,6 @@ const retryOpts = (retry) => { return { retries: 0, ...retry }; } }; -const base64Encode = (str) => Buffer.from(str).toString('base64'); exports["default"] = fetchWithRetry; @@ -95603,7 +95597,12 @@ const constants_1 = __nccwpck_require__(90204); const error_1 = __nccwpck_require__(34031); const registry_1 = __nccwpck_require__(26198); const DOCKER_DEFAULT_REGISTRY = 'registry-1.docker.io'; +// https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidance-for-an-empty-descriptor const EMPTY_BLOB = Buffer.from('{}'); +// Certain registries have been found to have issues with the OCI-standard +// empty blob (i.e. `{}`) when uploading an OCI artifact manifest. To work +// around this, we use a non-standard empty blob that (containing an extra +// white space character) that seems to wortk with these registries. const ALT_EMPTY_BLOB = Buffer.from('{ }'); class OCIImage { constructor(image, creds, opts) { @@ -95628,7 +95627,7 @@ class OCIImage { // Upload the artifact blob const artifactBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(opts.artifact); // Upload the empty blob (needed for the manifest config) - const emptyBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(ALT_EMPTY_BLOB); + const emptyBlob = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadBlob(opts.compatibility ? ALT_EMPTY_BLOB : EMPTY_BLOB); // Construct artifact manifest const manifest = buildManifest({ artifactDescriptor: { ...artifactBlob, mediaType: opts.mediaType }, @@ -95874,7 +95873,6 @@ See the License for the specific language governing permissions and limitations under the License. */ const node_crypto_1 = __importDefault(__nccwpck_require__(77598)); -const proc_log_1 = __nccwpck_require__(6457); const constants_1 = __nccwpck_require__(90204); const credentials_1 = __nccwpck_require__(31855); const error_1 = __nccwpck_require__(34031); @@ -95915,7 +95913,6 @@ class RegistryClient { if (probeResponse.status === 200) { return; } - proc_log_1.log.http('fetch', `${probeResponse.status} ${JSON.stringify(probeResponse.headers.raw())}`); // If we still need to authenticate, we must have credentials const { username, password } = creds; if (!username || !password) { @@ -96021,13 +96018,7 @@ class RegistryClient { if (options.etag) { headers[constants_1.HEADER_IF_MATCH] = options.etag; } - const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { method: 'PUT', body: manifest, headers }) - .then(async (r) => { - const e = await r.text(); - proc_log_1.log.http('message', e); - return r; - }) - .then((0, error_1.ensureStatus)(201)); + const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { method: 'PUT', body: manifest, headers }).then((0, error_1.ensureStatus)(201)); const subjectDigest = response.headers.get(constants_1.HEADER_OCI_SUBJECT) || undefined; return { mediaType: contentType, @@ -96130,6 +96121,7 @@ const createAttestation = async (subjects, predicate, opts) => { 'dev.sigstore.bundle.content': 'dsse-envelope', 'dev.sigstore.bundle.predicateType': predicate.type }, + compatibility: opts.ociCompatMode, fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY } }); // Add the attestation's digest to the result @@ -96210,7 +96202,8 @@ const inputs = { showSummary: core.getBooleanInput('show-summary'), githubToken: core.getInput('github-token'), // undocumented -- not part of public interface - privateSigning: ['true', 'True', 'TRUE', '1'].includes(core.getInput('private-signing')) + privateSigning: ['true', 'True', 'TRUE', '1'].includes(core.getInput('private-signing')), + ociCompatMode: ['true', 'True', 'TRUE', '1'].includes(core.getInput('oci-compatibility-mode')) }; /* eslint-disable-next-line @typescript-eslint/no-floating-promises */ (0, main_1.run)(inputs); @@ -96306,7 +96299,8 @@ async function run(inputs) { const att = await (0, attest_1.createAttestation)(subjects, predicate, { sigstoreInstance, pushToRegistry: inputs.pushToRegistry, - githubToken: inputs.githubToken + githubToken: inputs.githubToken, + ociCompatMode: inputs.ociCompatMode }); logAttestation(subjects, att, sigstoreInstance); // Write attestation bundle to output file