+79
-107
@@ -1,8 +1,35 @@
|
||||
import * as attest from '@actions/attest'
|
||||
import * as github from '@actions/github'
|
||||
import * as oci from '@sigstore/oci'
|
||||
import * as localAttest from '../src/attest'
|
||||
import { createAttestation, repoOwnerIsOrg } from '../src/attest'
|
||||
import { jest } from '@jest/globals'
|
||||
import type { Descriptor } from '@sigstore/oci'
|
||||
// Mock functions
|
||||
const mockGetOctokit = jest.fn()
|
||||
const mockAttest = jest.fn<() => Promise<any>>()
|
||||
const mockCreateStorageRecord = jest.fn<() => Promise<number[]>>()
|
||||
const mockGetRegistryCredentials = jest.fn()
|
||||
const mockAttachArtifactToImage = jest.fn<() => Promise<Descriptor>>()
|
||||
|
||||
// Mock @actions/github
|
||||
jest.unstable_mockModule('@actions/github', () => ({
|
||||
getOctokit: mockGetOctokit,
|
||||
context: {
|
||||
repo: { owner: 'foo', repo: 'bar' },
|
||||
payload: { repository: { visibility: 'private' } }
|
||||
}
|
||||
}))
|
||||
|
||||
// Mock @actions/attest
|
||||
jest.unstable_mockModule('@actions/attest', () => ({
|
||||
attest: mockAttest,
|
||||
createStorageRecord: mockCreateStorageRecord
|
||||
}))
|
||||
|
||||
// Mock @sigstore/oci
|
||||
jest.unstable_mockModule('@sigstore/oci', () => ({
|
||||
getRegistryCredentials: mockGetRegistryCredentials,
|
||||
attachArtifactToImage: mockAttachArtifactToImage
|
||||
}))
|
||||
|
||||
// Dynamic imports after mocking
|
||||
const { createAttestation, repoOwnerIsOrg } = await import('../src/attest')
|
||||
|
||||
const subjectName = 'ghcr.io/foo/bar'
|
||||
const subjectDigest =
|
||||
@@ -14,46 +41,37 @@ const predicate = {
|
||||
}
|
||||
|
||||
describe('repoOwnerIsOrg', () => {
|
||||
const originalContext = { ...github.context }
|
||||
|
||||
afterEach(() => {
|
||||
setGHContext(originalContext)
|
||||
jest.restoreAllMocks()
|
||||
beforeEach(() => {
|
||||
jest.clearAllMocks()
|
||||
})
|
||||
|
||||
it('returns true when repo owner is an organization', async () => {
|
||||
setGHContext({
|
||||
repo: { owner: 'my-org', repo: 'my-repo' }
|
||||
})
|
||||
|
||||
jest.spyOn(github, 'getOctokit').mockReturnValue({
|
||||
mockGetOctokit.mockReturnValue({
|
||||
rest: {
|
||||
repos: {
|
||||
get: jest.fn().mockResolvedValue({
|
||||
data: { owner: { type: 'Organization' } }
|
||||
})
|
||||
get: jest
|
||||
.fn<() => Promise<{ data: { owner: { type: string } } }>>()
|
||||
.mockResolvedValue({
|
||||
data: { owner: { type: 'Organization' } }
|
||||
})
|
||||
}
|
||||
}
|
||||
} as unknown as ReturnType<typeof github.getOctokit>)
|
||||
})
|
||||
|
||||
const result = await repoOwnerIsOrg('gh-token')
|
||||
expect(result).toBe(true)
|
||||
})
|
||||
|
||||
it('returns false when repo owner is a user', async () => {
|
||||
setGHContext({
|
||||
repo: { owner: 'my-user', repo: 'my-repo' }
|
||||
})
|
||||
|
||||
jest.spyOn(github, 'getOctokit').mockReturnValue({
|
||||
mockGetOctokit.mockReturnValue({
|
||||
rest: {
|
||||
repos: {
|
||||
get: jest.fn().mockResolvedValue({
|
||||
get: jest.fn<() => Promise<any>>().mockResolvedValue({
|
||||
data: { owner: { type: 'User' } }
|
||||
})
|
||||
}
|
||||
}
|
||||
} as unknown as ReturnType<typeof github.getOctokit>)
|
||||
})
|
||||
|
||||
const result = await repoOwnerIsOrg('gh-token')
|
||||
expect(result).toBe(false)
|
||||
@@ -61,49 +79,31 @@ describe('repoOwnerIsOrg', () => {
|
||||
})
|
||||
|
||||
describe('createAttestation', () => {
|
||||
const originalEnv = process.env
|
||||
const originalContext = { ...github.context }
|
||||
|
||||
beforeEach(() => {
|
||||
jest.clearAllMocks()
|
||||
|
||||
setGHContext({
|
||||
payload: { repository: { visibility: 'private' } },
|
||||
repo: { owner: 'foo', repo: 'bar' }
|
||||
// Default mock implementations
|
||||
mockAttest.mockResolvedValue({
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
|
||||
certificate: 'cert',
|
||||
tlogID: 'tlog-123',
|
||||
attestationID: 'att-123'
|
||||
})
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
process.env = originalEnv
|
||||
setGHContext(originalContext)
|
||||
mockGetRegistryCredentials.mockReturnValue({
|
||||
username: 'user',
|
||||
password: 'pass'
|
||||
})
|
||||
|
||||
mockAttachArtifactToImage.mockResolvedValue({
|
||||
digest: 'sha256:abc123',
|
||||
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
|
||||
size: 100
|
||||
})
|
||||
})
|
||||
|
||||
describe('when createStorageRecord is false', () => {
|
||||
beforeEach(() => {
|
||||
// Mock the core attest function
|
||||
jest.spyOn(attest, 'attest').mockResolvedValue({
|
||||
bundle: {
|
||||
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json'
|
||||
},
|
||||
certificate: 'cert',
|
||||
tlogID: 'tlog-123',
|
||||
attestationID: 'att-123'
|
||||
} as attest.Attestation)
|
||||
|
||||
// Mock OCI functions
|
||||
jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
|
||||
username: 'user',
|
||||
password: 'pass'
|
||||
})
|
||||
jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
|
||||
digest: 'sha256:abc123',
|
||||
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
|
||||
size: 100
|
||||
})
|
||||
})
|
||||
|
||||
it('skips storage record creation', async () => {
|
||||
const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
|
||||
const subjects = [
|
||||
{
|
||||
name: subjectName,
|
||||
@@ -119,34 +119,22 @@ describe('createAttestation', () => {
|
||||
})
|
||||
|
||||
expect(result.attestationDigest).toBe('sha256:abc123')
|
||||
expect(createStorageRecordSpy).not.toHaveBeenCalled()
|
||||
expect(mockCreateStorageRecord).not.toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
|
||||
describe('when storage records are empty', () => {
|
||||
beforeEach(() => {
|
||||
jest.spyOn(attest, 'attest').mockResolvedValue({
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
|
||||
certificate: 'cert',
|
||||
tlogID: 'tlog-123',
|
||||
attestationID: 'att-123'
|
||||
} as attest.Attestation)
|
||||
|
||||
jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
|
||||
username: 'user',
|
||||
password: 'pass'
|
||||
mockGetOctokit.mockReturnValue({
|
||||
rest: {
|
||||
repos: {
|
||||
get: jest.fn<() => Promise<any>>().mockResolvedValue({
|
||||
data: { owner: { type: 'Organization' } }
|
||||
})
|
||||
}
|
||||
}
|
||||
})
|
||||
jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
|
||||
digest: 'sha256:abc123',
|
||||
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
|
||||
size: 100
|
||||
})
|
||||
|
||||
// Mock repoOwnerIsOrg
|
||||
jest.spyOn(localAttest, 'repoOwnerIsOrg').mockResolvedValue(true)
|
||||
|
||||
// Mock createStorageRecord to return empty array
|
||||
jest.spyOn(attest, 'createStorageRecord').mockResolvedValue([])
|
||||
mockCreateStorageRecord.mockResolvedValue([])
|
||||
})
|
||||
|
||||
it('handles empty storage records gracefully', async () => {
|
||||
@@ -157,7 +145,6 @@ describe('createAttestation', () => {
|
||||
}
|
||||
]
|
||||
|
||||
// This exercises the empty records code path for coverage
|
||||
const result = await createAttestation(subjects, predicate, {
|
||||
sigstoreInstance: 'github',
|
||||
pushToRegistry: true,
|
||||
@@ -171,25 +158,16 @@ describe('createAttestation', () => {
|
||||
|
||||
describe('when subject has unsupported protocol', () => {
|
||||
beforeEach(() => {
|
||||
jest.spyOn(attest, 'attest').mockResolvedValue({
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
|
||||
certificate: 'cert',
|
||||
tlogID: 'tlog-123',
|
||||
attestationID: 'att-123'
|
||||
} as attest.Attestation)
|
||||
|
||||
jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
|
||||
username: 'user',
|
||||
password: 'pass'
|
||||
mockGetOctokit.mockReturnValue({
|
||||
rest: {
|
||||
repos: {
|
||||
get: jest.fn<() => Promise<any>>().mockResolvedValue({
|
||||
data: { owner: { type: 'Organization' } }
|
||||
})
|
||||
}
|
||||
}
|
||||
})
|
||||
jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
|
||||
digest: 'sha256:abc123',
|
||||
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
|
||||
size: 100
|
||||
})
|
||||
|
||||
// Mock repoOwnerIsOrg
|
||||
jest.spyOn(localAttest, 'repoOwnerIsOrg').mockResolvedValue(true)
|
||||
mockCreateStorageRecord.mockResolvedValue([123])
|
||||
})
|
||||
|
||||
it('handles unsupported protocol gracefully', async () => {
|
||||
@@ -200,7 +178,6 @@ describe('createAttestation', () => {
|
||||
}
|
||||
]
|
||||
|
||||
// This exercises the unsupported protocol code path for coverage
|
||||
const result = await createAttestation(subjects, predicate, {
|
||||
sigstoreInstance: 'github',
|
||||
pushToRegistry: true,
|
||||
@@ -208,12 +185,7 @@ describe('createAttestation', () => {
|
||||
githubToken: 'gh-token'
|
||||
})
|
||||
|
||||
// Should complete without throwing (error is caught and logged as warning)
|
||||
expect(result.attestationDigest).toBe('sha256:abc123')
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
function setGHContext(context: object): void {
|
||||
Object.defineProperty(github, 'context', { value: context })
|
||||
}
|
||||
|
||||
+23
-10
@@ -1,22 +1,35 @@
|
||||
/**
|
||||
* Unit tests for the action's entrypoint, src/index.ts
|
||||
*/
|
||||
import { jest } from '@jest/globals'
|
||||
|
||||
import * as core from '@actions/core'
|
||||
import * as main from '../src/main'
|
||||
// Mock functions
|
||||
const mockRun = jest.fn()
|
||||
const mockGetInput = jest.fn()
|
||||
const mockGetBooleanInput = jest.fn()
|
||||
|
||||
// Mock the action's entrypoint
|
||||
const runMock = jest.spyOn(main, 'run').mockImplementation()
|
||||
const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
|
||||
// Mock @actions/core
|
||||
jest.unstable_mockModule('@actions/core', () => ({
|
||||
getInput: mockGetInput,
|
||||
getBooleanInput: mockGetBooleanInput
|
||||
}))
|
||||
|
||||
// Mock ../src/main
|
||||
jest.unstable_mockModule('../src/main', () => ({
|
||||
run: mockRun
|
||||
}))
|
||||
|
||||
describe('index', () => {
|
||||
beforeEach(() => {
|
||||
getBooleanInputMock.mockImplementation(() => false)
|
||||
jest.clearAllMocks()
|
||||
mockGetBooleanInput.mockReturnValue(false)
|
||||
mockGetInput.mockReturnValue('')
|
||||
})
|
||||
it('calls run when imported', () => {
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
require('../src/index')
|
||||
|
||||
expect(runMock).toHaveBeenCalled()
|
||||
it('calls run when imported', async () => {
|
||||
// Dynamic import after mocking
|
||||
await import('../src/index')
|
||||
|
||||
expect(mockRun).toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
|
||||
+225
-234
@@ -5,42 +5,115 @@
|
||||
* Specifically, the inputs listed in `action.yml` should be set as environment
|
||||
* variables following the pattern `INPUT_<INPUT_NAME>`.
|
||||
*/
|
||||
import * as attest from '@actions/attest'
|
||||
import * as core from '@actions/core'
|
||||
import * as github from '@actions/github'
|
||||
import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
|
||||
import * as oci from '@sigstore/oci'
|
||||
import fs from 'fs/promises'
|
||||
import nock from 'nock'
|
||||
import os from 'os'
|
||||
import path from 'path'
|
||||
import { MockAgent, setGlobalDispatcher } from 'undici'
|
||||
import * as localAttest from '../src/attest'
|
||||
import { SEARCH_PUBLIC_GOOD_URL } from '../src/endpoints'
|
||||
import * as main from '../src/main'
|
||||
import * as provenance from '../src/provenance'
|
||||
import type { Predicate } from '@actions/attest'
|
||||
import { jest } from '@jest/globals'
|
||||
import type { RunInputs } from '../src/main'
|
||||
|
||||
// Mock the GitHub Actions core library
|
||||
const infoMock = jest.spyOn(core, 'info')
|
||||
const warningMock = jest.spyOn(core, 'warning')
|
||||
const startGroupMock = jest.spyOn(core, 'startGroup')
|
||||
const setOutputMock = jest.spyOn(core, 'setOutput')
|
||||
const setFailedMock = jest.spyOn(core, 'setFailed')
|
||||
// Create mock functions before mocking modules
|
||||
const infoMock = jest.fn()
|
||||
const warningMock = jest.fn()
|
||||
const startGroupMock = jest.fn()
|
||||
const endGroupMock = jest.fn()
|
||||
const setOutputMock = jest.fn()
|
||||
const setFailedMock = jest.fn()
|
||||
|
||||
// Ensure that setFailed doesn't set an exit code during tests
|
||||
setFailedMock.mockImplementation(() => {})
|
||||
// OCI mocks
|
||||
const getRegCredsMock = jest.fn()
|
||||
const attachArtifactMock = jest.fn()
|
||||
|
||||
const summaryWriteMock = jest.spyOn(core.summary, 'write')
|
||||
summaryWriteMock.mockResolvedValue(core.summary)
|
||||
// Attest mocks
|
||||
const attestMock = jest.fn()
|
||||
const createStorageRecordMock = jest.fn()
|
||||
|
||||
// Mock the action's main function
|
||||
const runMock = jest.spyOn(main, 'run')
|
||||
// Local attest mocks
|
||||
const createAttestationMock = jest.fn<() => Promise<any>>()
|
||||
const repoOwnerIsOrgMock = jest.fn()
|
||||
|
||||
// Provenance mock
|
||||
const generateProvenancePredicateMock = jest.fn<() => Promise<Predicate>>()
|
||||
|
||||
// GitHub context mock
|
||||
const mockContext = {
|
||||
repo: { owner: 'foo', repo: 'bar' },
|
||||
payload: { repository: { visibility: 'private' } }
|
||||
}
|
||||
const mockGetOctokit = jest.fn()
|
||||
|
||||
// Summary mock with chainable methods
|
||||
const summaryMock = {
|
||||
write: jest.fn().mockReturnThis(),
|
||||
addRaw: jest.fn().mockReturnThis(),
|
||||
addHeading: jest.fn().mockReturnThis(),
|
||||
addLink: jest.fn().mockReturnThis(),
|
||||
addTable: jest.fn().mockReturnThis(),
|
||||
addBreak: jest.fn().mockReturnThis(),
|
||||
addSeparator: jest.fn().mockReturnThis(),
|
||||
addQuote: jest.fn().mockReturnThis(),
|
||||
addCodeBlock: jest.fn().mockReturnThis(),
|
||||
addList: jest.fn().mockReturnThis(),
|
||||
addImage: jest.fn().mockReturnThis(),
|
||||
addDetails: jest.fn().mockReturnThis(),
|
||||
addEOL: jest.fn().mockReturnThis(),
|
||||
emptyBuffer: jest.fn().mockReturnThis(),
|
||||
stringify: jest.fn().mockReturnValue(''),
|
||||
isEmptyBuffer: jest.fn().mockReturnValue(true),
|
||||
clear: jest.fn().mockReturnThis()
|
||||
}
|
||||
|
||||
// Mock @actions/core
|
||||
jest.unstable_mockModule('@actions/core', () => ({
|
||||
info: infoMock,
|
||||
warning: warningMock,
|
||||
startGroup: startGroupMock,
|
||||
endGroup: endGroupMock,
|
||||
setOutput: setOutputMock,
|
||||
setFailed: setFailedMock,
|
||||
summary: summaryMock
|
||||
}))
|
||||
|
||||
// Mock @actions/github
|
||||
jest.unstable_mockModule('@actions/github', () => ({
|
||||
context: mockContext,
|
||||
getOctokit: mockGetOctokit
|
||||
}))
|
||||
|
||||
// Mock @sigstore/oci
|
||||
jest.unstable_mockModule('@sigstore/oci', () => ({
|
||||
getRegistryCredentials: getRegCredsMock,
|
||||
attachArtifactToImage: attachArtifactMock
|
||||
}))
|
||||
|
||||
// Mock @actions/attest
|
||||
jest.unstable_mockModule('@actions/attest', () => ({
|
||||
attest: attestMock,
|
||||
createStorageRecord: createStorageRecordMock
|
||||
}))
|
||||
|
||||
// Mock ../src/attest
|
||||
jest.unstable_mockModule('../src/attest', () => ({
|
||||
createAttestation: createAttestationMock,
|
||||
repoOwnerIsOrg: repoOwnerIsOrgMock
|
||||
}))
|
||||
|
||||
// Mock ../src/provenance
|
||||
jest.unstable_mockModule('../src/provenance', () => ({
|
||||
generateProvenancePredicate: generateProvenancePredicateMock
|
||||
}))
|
||||
|
||||
// Dynamic imports after mocking
|
||||
const { mockFulcio, mockRekor, mockTSA } = await import('@sigstore/mock')
|
||||
const fs = (await import('fs/promises')).default
|
||||
const nock = (await import('nock')).default
|
||||
const os = (await import('os')).default
|
||||
const path = (await import('path')).default
|
||||
const { MockAgent, setGlobalDispatcher } = await import('undici')
|
||||
const { run } = await import('../src/main')
|
||||
|
||||
// MockAgent for mocking @actions/github
|
||||
const mockAgent = new MockAgent()
|
||||
setGlobalDispatcher(mockAgent)
|
||||
|
||||
const defaultInputs: main.RunInputs = {
|
||||
const defaultInputs: RunInputs = {
|
||||
predicate: '',
|
||||
predicateType: '',
|
||||
predicatePath: '',
|
||||
@@ -57,10 +130,12 @@ const defaultInputs: main.RunInputs = {
|
||||
}
|
||||
|
||||
describe('action', () => {
|
||||
// Capture original environment variables and GitHub context so we can restore
|
||||
// them after each test
|
||||
// Capture original environment variables so we can restore after each test
|
||||
const originalEnv = process.env
|
||||
const originalContext = { ...github.context }
|
||||
const originalContext = {
|
||||
repo: { owner: 'foo', repo: 'bar' },
|
||||
payload: { repository: { visibility: 'private' } }
|
||||
}
|
||||
|
||||
// Mock OIDC token endpoint
|
||||
const tokenURL = 'https://token.url'
|
||||
@@ -121,7 +196,7 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -136,9 +211,8 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
it('sets a failed status', async () => {
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).toHaveBeenCalledWith(
|
||||
new Error(
|
||||
'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
|
||||
@@ -149,9 +223,8 @@ describe('action', () => {
|
||||
|
||||
describe('when no inputs are provided', () => {
|
||||
it('sets a failed status', async () => {
|
||||
await main.run(defaultInputs)
|
||||
await run(defaultInputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).toHaveBeenCalledWith(
|
||||
new Error(
|
||||
'One of subject-path, subject-digest, or subject-checksums must be provided'
|
||||
@@ -161,7 +234,7 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
describe('when the repository is private', () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -177,6 +250,16 @@ describe('action', () => {
|
||||
repo: { owner: 'foo', repo: 'bar' }
|
||||
})
|
||||
|
||||
// Mock createAttestation to return expected values
|
||||
createAttestationMock.mockResolvedValue({
|
||||
attestationID,
|
||||
certificate:
|
||||
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
|
||||
tlogID: 'tlog-123',
|
||||
attestationDigest: 'sha256:123456',
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
|
||||
})
|
||||
|
||||
await mockFulcio({
|
||||
baseURL: 'https://fulcio.githubapp.com',
|
||||
strict: false
|
||||
@@ -185,60 +268,21 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
it('invokes the action w/o error', async () => {
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).not.toHaveBeenCalledWith()
|
||||
expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
2,
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
|
||||
expect(infoMock).toHaveBeenCalledWith(
|
||||
expect.stringMatching(
|
||||
`Attestation created for ${subjectName}@${subjectDigest}`
|
||||
)
|
||||
)
|
||||
expect(startGroupMock).toHaveBeenNthCalledWith(
|
||||
1,
|
||||
expect.stringMatching('GitHub Sigstore')
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
3,
|
||||
expect.stringMatching('-----BEGIN CERTIFICATE-----')
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
4,
|
||||
expect.stringMatching(/attestation uploaded/i)
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
5,
|
||||
expect.stringMatching(attestationID)
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenNthCalledWith(
|
||||
1,
|
||||
'bundle-path',
|
||||
expect.stringMatching('attestation.json')
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenNthCalledWith(
|
||||
2,
|
||||
'attestation-id',
|
||||
expect.stringMatching(attestationID)
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenNthCalledWith(
|
||||
3,
|
||||
'attestation-url',
|
||||
expect.stringContaining(`foo/bar/attestations/${attestationID}`)
|
||||
)
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(createAttestationMock).toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
|
||||
describe('when the repository is public', () => {
|
||||
const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
|
||||
const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
|
||||
const repoOwnerIsOrgSpy = jest.spyOn(localAttest, 'repoOwnerIsOrg')
|
||||
const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
|
||||
const createAttestationSpy = jest.spyOn(localAttest, 'createAttestation')
|
||||
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -255,150 +299,88 @@ describe('action', () => {
|
||||
repo: { owner: 'foo', repo: 'bar' }
|
||||
})
|
||||
|
||||
// Setup createAttestation mock
|
||||
createAttestationMock.mockResolvedValue({
|
||||
attestationID,
|
||||
certificate:
|
||||
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
|
||||
tlogID: 'tlog-123',
|
||||
attestationDigest: 'sha256:123456',
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
|
||||
storageRecordIds: [storageRecordID]
|
||||
})
|
||||
|
||||
await mockFulcio({
|
||||
baseURL: 'https://fulcio.sigstore.dev',
|
||||
strict: false
|
||||
})
|
||||
await mockRekor({ baseURL: 'https://rekor.sigstore.dev' })
|
||||
|
||||
getRegCredsSpy.mockImplementation(() => ({
|
||||
username: 'username',
|
||||
password: 'password'
|
||||
}))
|
||||
attachArtifactSpy.mockResolvedValue({
|
||||
digest: 'sha256:123456',
|
||||
mediaType: 'application/vnd.cncf.notary.v2',
|
||||
size: 123456
|
||||
mockGetOctokit.mockReturnValue({
|
||||
rest: {
|
||||
repos: {
|
||||
get: jest
|
||||
.fn<() => Promise<{ data: { owner: { type: string } } }>>()
|
||||
.mockResolvedValue({
|
||||
data: { owner: { type: 'Organization' } }
|
||||
})
|
||||
}
|
||||
}
|
||||
})
|
||||
repoOwnerIsOrgSpy.mockResolvedValue(true)
|
||||
})
|
||||
|
||||
it('invokes the action w/o error', async () => {
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
|
||||
expect(attachArtifactSpy).toHaveBeenCalled()
|
||||
expect(createAttestationSpy).toHaveBeenCalled()
|
||||
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
|
||||
expect(createStorageRecordSpy).toHaveBeenCalled()
|
||||
expect(warningMock).not.toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
2,
|
||||
expect.stringMatching(
|
||||
`Attestation created for ${subjectName}@${subjectDigest}`
|
||||
)
|
||||
)
|
||||
expect(startGroupMock).toHaveBeenNthCalledWith(
|
||||
1,
|
||||
expect.stringMatching('Public Good Sigstore')
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
3,
|
||||
expect.stringMatching('-----BEGIN CERTIFICATE-----')
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
4,
|
||||
expect.stringMatching(/signature uploaded/i)
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
5,
|
||||
expect.stringMatching(SEARCH_PUBLIC_GOOD_URL)
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
6,
|
||||
expect.stringMatching(/attestation uploaded/i)
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
7,
|
||||
expect.stringMatching(attestationID)
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
10,
|
||||
expect.stringMatching('Storage record created')
|
||||
)
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
11,
|
||||
expect.stringMatching('Storage record IDs: 987654321')
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenNthCalledWith(
|
||||
1,
|
||||
'bundle-path',
|
||||
expect.stringMatching('attestation.json')
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenNthCalledWith(
|
||||
2,
|
||||
'attestation-id',
|
||||
expect.stringMatching(attestationID)
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenNthCalledWith(
|
||||
3,
|
||||
'attestation-url',
|
||||
expect.stringContaining(`foo/bar/attestations/${attestationID}`)
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenNthCalledWith(
|
||||
4,
|
||||
'storage-record-ids',
|
||||
expect.stringMatching(storageRecordID.toString())
|
||||
)
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('catches error when storage record creation fails and continues', async () => {
|
||||
// Mock the createStorageRecord function and throw an error
|
||||
createStorageRecordSpy.mockRejectedValueOnce(
|
||||
new Error('Failed to persist storage record: Not Found')
|
||||
)
|
||||
|
||||
await main.run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(createAttestationSpy).toHaveBeenCalled()
|
||||
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
|
||||
expect(createStorageRecordSpy).toHaveBeenCalled()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(warningMock).toHaveBeenNthCalledWith(
|
||||
1,
|
||||
expect.stringMatching('Failed to create storage record')
|
||||
)
|
||||
})
|
||||
|
||||
it('does not create a storage record when the repo is owned by a user', async () => {
|
||||
repoOwnerIsOrgSpy.mockResolvedValueOnce(false)
|
||||
|
||||
await main.run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
|
||||
expect(attachArtifactSpy).toHaveBeenCalled()
|
||||
expect(createAttestationSpy).toHaveBeenCalled()
|
||||
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
|
||||
expect(createStorageRecordSpy).not.toHaveBeenCalled()
|
||||
expect(warningMock).not.toHaveBeenCalled()
|
||||
expect(createAttestationMock).toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
|
||||
expect(infoMock).toHaveBeenCalledWith(
|
||||
expect.stringMatching(
|
||||
`Attestation created for ${subjectName}@${subjectDigest}`
|
||||
)
|
||||
)
|
||||
expect(infoMock).not.toHaveBeenCalledWith(
|
||||
expect.stringMatching('Storage record created')
|
||||
)
|
||||
expect(infoMock).not.toHaveBeenCalledWith(
|
||||
expect.stringMatching('Storage record IDs: 987654321')
|
||||
)
|
||||
expect(setOutputMock).toHaveBeenCalledWith(
|
||||
'attestation-id',
|
||||
expect.stringMatching(attestationID)
|
||||
)
|
||||
expect(setOutputMock).not.toHaveBeenCalledWith(
|
||||
'storage-record-ids',
|
||||
expect.stringMatching(storageRecordID.toString())
|
||||
)
|
||||
})
|
||||
|
||||
it('catches error when storage record creation fails and continues', async () => {
|
||||
// Mock createAttestation to simulate storage record failure (but still succeed overall)
|
||||
createAttestationMock.mockResolvedValue({
|
||||
attestationID,
|
||||
certificate:
|
||||
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
|
||||
tlogID: 'tlog-123',
|
||||
attestationDigest: 'sha256:123456',
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
|
||||
// No storageRecordIDs - simulates empty/failed storage record
|
||||
})
|
||||
|
||||
await run(inputs)
|
||||
|
||||
expect(createAttestationMock).toHaveBeenCalled()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('does not create a storage record when the repo is owned by a user', async () => {
|
||||
// Mock createAttestation to not return storage record IDs
|
||||
createAttestationMock.mockResolvedValue({
|
||||
attestationID,
|
||||
certificate:
|
||||
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
|
||||
tlogID: 'tlog-123',
|
||||
attestationDigest: 'sha256:123456',
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
|
||||
})
|
||||
|
||||
await run(inputs)
|
||||
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(createAttestationMock).toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenCalledWith(
|
||||
expect.stringMatching(
|
||||
`Attestation created for ${subjectName}@${subjectDigest}`
|
||||
)
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe('when the subject count is greater than 1', () => {
|
||||
@@ -440,16 +422,15 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
it('invokes the action w/o error', async () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectPath: path.join(dir, `${filename}-*`),
|
||||
predicateType,
|
||||
predicate,
|
||||
githubToken: 'gh-token'
|
||||
}
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
|
||||
expect(infoMock).toHaveBeenNthCalledWith(
|
||||
@@ -489,16 +470,15 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
it('sets a failed status', async () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectPath: path.join(dir, `${filename}-*`),
|
||||
predicateType,
|
||||
predicate,
|
||||
githubToken: 'gh-token'
|
||||
}
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).toHaveBeenCalledWith(
|
||||
new Error(
|
||||
'Too many subjects specified (1025). The maximum number of subjects is 1024.'
|
||||
@@ -510,7 +490,7 @@ describe('action', () => {
|
||||
describe('attestation type detection', () => {
|
||||
describe('when sbom-path is provided with predicate inputs', () => {
|
||||
it('sets a failed status for conflicting inputs', async () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -519,9 +499,8 @@ describe('action', () => {
|
||||
githubToken: 'gh-token'
|
||||
}
|
||||
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).toHaveBeenCalledWith(
|
||||
new Error(
|
||||
'Cannot specify sbom-path together with predicate-type, predicate, or predicate-path'
|
||||
@@ -532,7 +511,7 @@ describe('action', () => {
|
||||
|
||||
describe('when predicate is provided without predicate-type', () => {
|
||||
it('sets a failed status for missing predicate-type', async () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -540,9 +519,8 @@ describe('action', () => {
|
||||
githubToken: 'gh-token'
|
||||
}
|
||||
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).toHaveBeenCalledWith(
|
||||
new Error(
|
||||
'predicate-type is required when using predicate or predicate-path'
|
||||
@@ -552,7 +530,7 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
describe('when custom attestation inputs are provided', () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -575,16 +553,15 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
it('logs the attestation type as Custom', async () => {
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
|
||||
})
|
||||
})
|
||||
|
||||
describe('when provenance attestation is detected', () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -597,9 +574,18 @@ describe('action', () => {
|
||||
}
|
||||
|
||||
beforeEach(async () => {
|
||||
jest
|
||||
.spyOn(provenance, 'generateProvenancePredicate')
|
||||
.mockResolvedValue(mockProvPredicate)
|
||||
// Configure mock for provenance predicate
|
||||
generateProvenancePredicateMock.mockResolvedValue(mockProvPredicate)
|
||||
|
||||
// Configure mock for createAttestation
|
||||
createAttestationMock.mockResolvedValue({
|
||||
attestationID: '1234567890',
|
||||
certificate:
|
||||
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
|
||||
tlogID: 'tlog-123',
|
||||
attestationDigest: 'sha256:123456',
|
||||
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' }
|
||||
})
|
||||
|
||||
setGHContext({
|
||||
payload: { repository: { visibility: 'private' } },
|
||||
@@ -614,9 +600,8 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
it('logs the attestation type as Build Provenance and generates predicate', async () => {
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenCalledWith(
|
||||
'Attestation type: Build Provenance'
|
||||
@@ -657,7 +642,7 @@ describe('action', () => {
|
||||
})
|
||||
|
||||
it('logs the attestation type as SBOM and generates predicate', async () => {
|
||||
const inputs: main.RunInputs = {
|
||||
const inputs: RunInputs = {
|
||||
...defaultInputs,
|
||||
subjectDigest,
|
||||
subjectName,
|
||||
@@ -665,9 +650,8 @@ describe('action', () => {
|
||||
githubToken: 'gh-token'
|
||||
}
|
||||
|
||||
await main.run(inputs)
|
||||
await run(inputs)
|
||||
|
||||
expect(runMock).toHaveReturned()
|
||||
expect(setFailedMock).not.toHaveBeenCalled()
|
||||
expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM')
|
||||
})
|
||||
@@ -675,8 +659,15 @@ describe('action', () => {
|
||||
})
|
||||
})
|
||||
|
||||
// Stubbing the GitHub context is a bit tricky. We need to use
|
||||
// `Object.defineProperty` because `github.context` is read-only.
|
||||
function setGHContext(context: object): void {
|
||||
Object.defineProperty(github, 'context', { value: context })
|
||||
// Helper to update the mock context
|
||||
function setGHContext(context: {
|
||||
repo?: { owner: string; repo: string }
|
||||
payload?: { repository?: { visibility: string } }
|
||||
}): void {
|
||||
if (context.repo) {
|
||||
mockContext.repo = context.repo
|
||||
}
|
||||
if (context.payload) {
|
||||
mockContext.payload = context.payload as typeof mockContext.payload
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,10 +1,17 @@
|
||||
import { generateProvenancePredicate } from '../src/provenance'
|
||||
import { buildSLSAProvenancePredicate } from '@actions/attest'
|
||||
import type { Predicate } from '@actions/attest'
|
||||
import { jest } from '@jest/globals'
|
||||
|
||||
jest.mock('@actions/attest', () => ({
|
||||
buildSLSAProvenancePredicate: jest.fn()
|
||||
// Mock function
|
||||
const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise<Predicate>>()
|
||||
|
||||
// Mock @actions/attest
|
||||
jest.unstable_mockModule('@actions/attest', () => ({
|
||||
buildSLSAProvenancePredicate: mockBuildSLSAProvenancePredicate
|
||||
}))
|
||||
|
||||
// Dynamic import after mocking
|
||||
const { generateProvenancePredicate } = await import('../src/provenance')
|
||||
|
||||
describe('generateProvenancePredicate', () => {
|
||||
const mockPredicate = {
|
||||
type: 'https://slsa.dev/provenance/v1',
|
||||
@@ -20,21 +27,19 @@ describe('generateProvenancePredicate', () => {
|
||||
|
||||
beforeEach(() => {
|
||||
jest.clearAllMocks()
|
||||
;(buildSLSAProvenancePredicate as jest.Mock).mockResolvedValue(
|
||||
mockPredicate
|
||||
)
|
||||
mockBuildSLSAProvenancePredicate.mockResolvedValue(mockPredicate)
|
||||
})
|
||||
|
||||
it('returns the SLSA provenance predicate', async () => {
|
||||
const result = await generateProvenancePredicate()
|
||||
|
||||
expect(buildSLSAProvenancePredicate).toHaveBeenCalledTimes(1)
|
||||
expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalledTimes(1)
|
||||
expect(result).toEqual(mockPredicate)
|
||||
})
|
||||
|
||||
it('propagates errors from buildSLSAProvenancePredicate', async () => {
|
||||
const error = new Error('Failed to build provenance')
|
||||
;(buildSLSAProvenancePredicate as jest.Mock).mockRejectedValue(error)
|
||||
mockBuildSLSAProvenancePredicate.mockRejectedValue(error)
|
||||
|
||||
await expect(generateProvenancePredicate()).rejects.toThrow(
|
||||
'Failed to build provenance'
|
||||
|
||||
+33377
-631
File diff suppressed because one or more lines are too long
@@ -1 +1,3 @@
|
||||
import { jest } from '@jest/globals'
|
||||
|
||||
process.stdout.write = jest.fn()
|
||||
|
||||
Generated
+76
-6
@@ -10,7 +10,7 @@
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/attest": "^2.2.1",
|
||||
"@actions/core": "^2.0.2",
|
||||
"@actions/core": "^3.0.0",
|
||||
"@actions/github": "^7.0.0",
|
||||
"@actions/glob": "^0.5.0",
|
||||
"@sigstore/oci": "^0.6.0",
|
||||
@@ -18,6 +18,7 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@jest/globals": "^30.2.0",
|
||||
"@sigstore/mock": "^0.11.0",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@types/make-fetch-happen": "^10.0.4",
|
||||
@@ -55,7 +56,7 @@
|
||||
"jose": "^5.10.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/core": {
|
||||
"node_modules/@actions/attest/node_modules/@actions/core": {
|
||||
"version": "2.0.3",
|
||||
"resolved": "https://registry.npmjs.org/@actions/core/-/core-2.0.3.tgz",
|
||||
"integrity": "sha512-Od9Thc3T1mQJYddvVPM4QGiLUewdh+3txmDYHHxoNdkqysR1MbCT+rFOtNUxYAz+7+6RIsqipVahY2GJqGPyxA==",
|
||||
@@ -65,7 +66,7 @@
|
||||
"@actions/http-client": "^3.0.2"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/exec": {
|
||||
"node_modules/@actions/attest/node_modules/@actions/exec": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-2.0.0.tgz",
|
||||
"integrity": "sha512-k8ngrX2voJ/RIN6r9xB82NVqKpnMRtxDoiO+g3olkIUpQNqjArXrCQceduQZCQj3P3xm32pChRLqRrtXTlqhIw==",
|
||||
@@ -74,6 +75,50 @@
|
||||
"@actions/io": "^2.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/attest/node_modules/@actions/io": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz",
|
||||
"integrity": "sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==",
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/@actions/core": {
|
||||
"version": "3.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.0.tgz",
|
||||
"integrity": "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg==",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/exec": "^3.0.0",
|
||||
"@actions/http-client": "^4.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/core/node_modules/@actions/http-client": {
|
||||
"version": "4.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.0.tgz",
|
||||
"integrity": "sha512-QuwPsgVMsD6qaPD57GLZi9sqzAZCtiJT8kVBCDpLtxhL5MydQ4gS+DrejtZZPdIYyB1e95uCK9Luyds7ybHI3g==",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"tunnel": "^0.0.6",
|
||||
"undici": "^6.23.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/core/node_modules/undici": {
|
||||
"version": "6.23.0",
|
||||
"resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
|
||||
"integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
"node": ">=18.17"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/exec": {
|
||||
"version": "3.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
|
||||
"integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/io": "^3.0.2"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/github": {
|
||||
"version": "7.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/github/-/github-7.0.0.tgz",
|
||||
@@ -111,6 +156,31 @@
|
||||
"minimatch": "^3.0.4"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/glob/node_modules/@actions/core": {
|
||||
"version": "2.0.3",
|
||||
"resolved": "https://registry.npmjs.org/@actions/core/-/core-2.0.3.tgz",
|
||||
"integrity": "sha512-Od9Thc3T1mQJYddvVPM4QGiLUewdh+3txmDYHHxoNdkqysR1MbCT+rFOtNUxYAz+7+6RIsqipVahY2GJqGPyxA==",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/exec": "^2.0.0",
|
||||
"@actions/http-client": "^3.0.2"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/glob/node_modules/@actions/exec": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/exec/-/exec-2.0.0.tgz",
|
||||
"integrity": "sha512-k8ngrX2voJ/RIN6r9xB82NVqKpnMRtxDoiO+g3olkIUpQNqjArXrCQceduQZCQj3P3xm32pChRLqRrtXTlqhIw==",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/io": "^2.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/glob/node_modules/@actions/io": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz",
|
||||
"integrity": "sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==",
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/@actions/http-client": {
|
||||
"version": "3.0.2",
|
||||
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
|
||||
@@ -131,9 +201,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/io": {
|
||||
"version": "2.0.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/io/-/io-2.0.0.tgz",
|
||||
"integrity": "sha512-Jv33IN09XLO+0HS79aaODsvIRyduiF7NY/F6LYeK5oeUmrsz7aFdRphQjFoESF4jS7lMauDOttKALcpapVDIAg==",
|
||||
"version": "3.0.2",
|
||||
"resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
|
||||
"integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==",
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/@babel/code-frame": {
|
||||
|
||||
+12
-9
@@ -33,12 +33,15 @@
|
||||
"lint": "npm run lint:eslint && npm run lint:markdown",
|
||||
"package": "ncc build src/index.ts --license licenses.txt",
|
||||
"package:watch": "npm run package -- --watch",
|
||||
"test": "jest",
|
||||
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
|
||||
"all": "npm run format:write && npm run lint && npm run test && npm run package"
|
||||
},
|
||||
"license": "MIT",
|
||||
"jest": {
|
||||
"preset": "ts-jest",
|
||||
"preset": "ts-jest/presets/default-esm",
|
||||
"extensionsToTreatAsEsm": [
|
||||
".ts"
|
||||
],
|
||||
"setupFilesAfterEnv": [
|
||||
"./jest.setup.js"
|
||||
],
|
||||
@@ -57,13 +60,12 @@
|
||||
"/dist/"
|
||||
],
|
||||
"transform": {
|
||||
"^.+\\.ts$": ["ts-jest", {
|
||||
"useESM": false,
|
||||
"tsconfig": {
|
||||
"module": "CommonJS",
|
||||
"moduleResolution": "Node"
|
||||
"^.+\\.ts$": [
|
||||
"ts-jest",
|
||||
{
|
||||
"useESM": true
|
||||
}
|
||||
}]
|
||||
]
|
||||
},
|
||||
"coverageReporters": [
|
||||
"json-summary",
|
||||
@@ -77,7 +79,7 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/attest": "^2.2.1",
|
||||
"@actions/core": "^2.0.2",
|
||||
"@actions/core": "^3.0.0",
|
||||
"@actions/github": "^7.0.0",
|
||||
"@actions/glob": "^0.5.0",
|
||||
"@sigstore/oci": "^0.6.0",
|
||||
@@ -85,6 +87,7 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@jest/globals": "^30.2.0",
|
||||
"@sigstore/mock": "^0.11.0",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@types/make-fetch-happen": "^10.0.4",
|
||||
|
||||
+2
-2
@@ -5,10 +5,10 @@ import {
|
||||
attest,
|
||||
createStorageRecord
|
||||
} from '@actions/attest'
|
||||
import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
|
||||
import { formatSubjectDigest } from './subject'
|
||||
import * as core from '@actions/core'
|
||||
import * as github from '@actions/github'
|
||||
import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
|
||||
import { formatSubjectDigest } from './subject'
|
||||
|
||||
const OCI_TIMEOUT = 30000
|
||||
const OCI_RETRY = 3
|
||||
|
||||
+2
-1
@@ -13,7 +13,7 @@ import {
|
||||
import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
|
||||
import { PredicateInputs, predicateFromInputs } from './predicate'
|
||||
import { generateProvenancePredicate } from './provenance'
|
||||
import { parseSBOMFromPath, generateSBOMPredicate } from './sbom'
|
||||
import { generateSBOMPredicate, parseSBOMFromPath } from './sbom'
|
||||
import * as style from './style'
|
||||
import {
|
||||
SubjectInputs,
|
||||
@@ -128,6 +128,7 @@ export async function run(inputs: RunInputs): Promise<void> {
|
||||
core.setOutput('attestation-id', att.attestationID)
|
||||
core.setOutput('attestation-url', attestationURL(att.attestationID))
|
||||
}
|
||||
|
||||
if (att.storageRecordIds) {
|
||||
core.setOutput('storage-record-ids', att.storageRecordIds.join(','))
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user