Compare commits

...

8 Commits

Author SHA1 Message Date
Brian DeHamer a0e3b9618f hacking
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-02-24 20:10:53 -08:00
Brian DeHamer 8459a46a44 wip
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-02-24 19:10:07 -08:00
Brian DeHamer c32b4b8b19 bump version in package.json to v4.0.0 (#360)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-02-24 15:48:06 -08:00
dependabot[bot] 1e73be196c Bump typescript-eslint in the npm-development group (#358)
Bumps the npm-development group with 1 update: [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `typescript-eslint` from 8.56.0 to 8.56.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.56.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-version: 8.56.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 15:45:28 -08:00
dependabot[bot] e1345cbec4 Bump the npm-development group across 1 directory with 3 updates (#357)
Bumps the npm-development group with 3 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `@types/node` from 25.2.3 to 25.3.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-jest` from 29.14.0 to 29.15.0
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v29.14.0...v29.15.0)

Updates `typescript-eslint` from 8.55.0 to 8.56.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.56.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: eslint-plugin-jest
  dependency-version: 29.15.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
- dependency-name: typescript-eslint
  dependency-version: 8.56.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-20 09:02:14 -08:00
dependabot[bot] 09cd5f66cb Bump tar from 7.5.7 to 7.5.9 (#354)
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.7 to 7.5.9.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](https://github.com/isaacs/node-tar/compare/v7.5.7...v7.5.9)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-19 10:20:40 -08:00
Brian DeHamer 19ad753d23 test suite re-write (#356)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-02-19 10:14:47 -08:00
Brian DeHamer 7d7ff4475a ESM Conversion (#347)
* initial esm conversion

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* esm'ify jest tests

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* lint issues

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* debug mock

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* glob updated

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* async all file functions

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* update @actions/github

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* update @actions/attest

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* rebuild package-lock.json

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* use experimental flag for jest in ci

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* remove stray istanbul ignore

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* Optimize getSubjectFromPath to avoid concurrent stat calls

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

* Fix boundary condition for MAX_SUBJECT_COUNT check

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

* Improve error message clarity for subject count limit

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

* Update test to match new error message format

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

* rebuild dist

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* Fix parseSBOMFromPath to check file size before reading

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

* Build package with updated changes

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>

---------

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
2026-02-18 08:52:30 -08:00
33 changed files with 118983 additions and 60159 deletions
-219
View File
@@ -1,219 +0,0 @@
import * as attest from '@actions/attest'
import * as github from '@actions/github'
import * as oci from '@sigstore/oci'
import * as localAttest from '../src/attest'
import { createAttestation, repoOwnerIsOrg } from '../src/attest'
const subjectName = 'ghcr.io/foo/bar'
const subjectDigest =
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
const predicate = {
type: 'https://in-toto.io/attestation/release/v0.1',
params: {}
}
describe('repoOwnerIsOrg', () => {
const originalContext = { ...github.context }
afterEach(() => {
setGHContext(originalContext)
jest.restoreAllMocks()
})
it('returns true when repo owner is an organization', async () => {
setGHContext({
repo: { owner: 'my-org', repo: 'my-repo' }
})
jest.spyOn(github, 'getOctokit').mockReturnValue({
rest: {
repos: {
get: jest.fn().mockResolvedValue({
data: { owner: { type: 'Organization' } }
})
}
}
} as unknown as ReturnType<typeof github.getOctokit>)
const result = await repoOwnerIsOrg('gh-token')
expect(result).toBe(true)
})
it('returns false when repo owner is a user', async () => {
setGHContext({
repo: { owner: 'my-user', repo: 'my-repo' }
})
jest.spyOn(github, 'getOctokit').mockReturnValue({
rest: {
repos: {
get: jest.fn().mockResolvedValue({
data: { owner: { type: 'User' } }
})
}
}
} as unknown as ReturnType<typeof github.getOctokit>)
const result = await repoOwnerIsOrg('gh-token')
expect(result).toBe(false)
})
})
describe('createAttestation', () => {
const originalEnv = process.env
const originalContext = { ...github.context }
beforeEach(() => {
jest.clearAllMocks()
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
})
afterEach(() => {
process.env = originalEnv
setGHContext(originalContext)
})
describe('when createStorageRecord is false', () => {
beforeEach(() => {
// Mock the core attest function
jest.spyOn(attest, 'attest').mockResolvedValue({
bundle: {
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json'
},
certificate: 'cert',
tlogID: 'tlog-123',
attestationID: 'att-123'
} as attest.Attestation)
// Mock OCI functions
jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
username: 'user',
password: 'pass'
})
jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
digest: 'sha256:abc123',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 100
})
})
it('skips storage record creation', async () => {
const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
const subjects = [
{
name: subjectName,
digest: { sha256: subjectDigest.replace('sha256:', '') }
}
]
const result = await createAttestation(subjects, predicate, {
sigstoreInstance: 'github',
pushToRegistry: true,
createStorageRecord: false,
githubToken: 'gh-token'
})
expect(result.attestationDigest).toBe('sha256:abc123')
expect(createStorageRecordSpy).not.toHaveBeenCalled()
})
})
describe('when storage records are empty', () => {
beforeEach(() => {
jest.spyOn(attest, 'attest').mockResolvedValue({
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
certificate: 'cert',
tlogID: 'tlog-123',
attestationID: 'att-123'
} as attest.Attestation)
jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
username: 'user',
password: 'pass'
})
jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
digest: 'sha256:abc123',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 100
})
// Mock repoOwnerIsOrg
jest.spyOn(localAttest, 'repoOwnerIsOrg').mockResolvedValue(true)
// Mock createStorageRecord to return empty array
jest.spyOn(attest, 'createStorageRecord').mockResolvedValue([])
})
it('handles empty storage records gracefully', async () => {
const subjects = [
{
name: subjectName,
digest: { sha256: subjectDigest.replace('sha256:', '') }
}
]
// This exercises the empty records code path for coverage
const result = await createAttestation(subjects, predicate, {
sigstoreInstance: 'github',
pushToRegistry: true,
createStorageRecord: true,
githubToken: 'gh-token'
})
expect(result.attestationDigest).toBe('sha256:abc123')
})
})
describe('when subject has unsupported protocol', () => {
beforeEach(() => {
jest.spyOn(attest, 'attest').mockResolvedValue({
bundle: { mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' },
certificate: 'cert',
tlogID: 'tlog-123',
attestationID: 'att-123'
} as attest.Attestation)
jest.spyOn(oci, 'getRegistryCredentials').mockReturnValue({
username: 'user',
password: 'pass'
})
jest.spyOn(oci, 'attachArtifactToImage').mockResolvedValue({
digest: 'sha256:abc123',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 100
})
// Mock repoOwnerIsOrg
jest.spyOn(localAttest, 'repoOwnerIsOrg').mockResolvedValue(true)
})
it('handles unsupported protocol gracefully', async () => {
const subjects = [
{
name: 'http://registry.example.com/foo/bar',
digest: { sha256: subjectDigest.replace('sha256:', '') }
}
]
// This exercises the unsupported protocol code path for coverage
const result = await createAttestation(subjects, predicate, {
sigstoreInstance: 'github',
pushToRegistry: true,
createStorageRecord: true,
githubToken: 'gh-token'
})
// Should complete without throwing (error is caught and logged as warning)
expect(result.attestationDigest).toBe('sha256:abc123')
})
})
})
function setGHContext(context: object): void {
Object.defineProperty(github, 'context', { value: context })
}
+253
View File
@@ -0,0 +1,253 @@
import type { Attestation, Predicate, Subject } from '@actions/attest'
import { jest } from '@jest/globals'
import type { RestEndpointMethodTypes } from '@octokit/plugin-rest-endpoint-methods'
import type { Descriptor } from '@sigstore/oci'
// =============================================================================
// @actions/core mock factory
// =============================================================================
export type CoreMock = {
info: jest.Mock
warning: jest.Mock
debug: jest.Mock
startGroup: jest.Mock
endGroup: jest.Mock
setOutput: jest.Mock
setFailed: jest.Mock
summary: SummaryMock
}
export type SummaryMock = {
write: jest.Mock
addRaw: jest.Mock
addHeading: jest.Mock
addLink: jest.Mock
addTable: jest.Mock
addBreak: jest.Mock
addSeparator: jest.Mock
addQuote: jest.Mock
addCodeBlock: jest.Mock
addList: jest.Mock
addImage: jest.Mock
addDetails: jest.Mock
addEOL: jest.Mock
emptyBuffer: jest.Mock
stringify: jest.Mock
isEmptyBuffer: jest.Mock
clear: jest.Mock
}
export const createSummaryMock = (): SummaryMock => {
const mock: SummaryMock = {
write: jest.fn(),
addRaw: jest.fn(),
addHeading: jest.fn(),
addLink: jest.fn(),
addTable: jest.fn(),
addBreak: jest.fn(),
addSeparator: jest.fn(),
addQuote: jest.fn(),
addCodeBlock: jest.fn(),
addList: jest.fn(),
addImage: jest.fn(),
addDetails: jest.fn(),
addEOL: jest.fn(),
emptyBuffer: jest.fn(),
stringify: jest.fn().mockReturnValue(''),
isEmptyBuffer: jest.fn().mockReturnValue(true),
clear: jest.fn()
}
// Make chainable
for (const key of Object.keys(mock) as (keyof SummaryMock)[]) {
if (key !== 'stringify' && key !== 'isEmptyBuffer') {
mock[key].mockReturnThis()
}
}
return mock
}
export const createCoreMock = (): CoreMock => ({
info: jest.fn(),
warning: jest.fn(),
debug: jest.fn(),
startGroup: jest.fn(),
endGroup: jest.fn(),
setOutput: jest.fn(),
setFailed: jest.fn(),
summary: createSummaryMock()
})
// =============================================================================
// @actions/github mock factory
// =============================================================================
export type GitHubContextMock = {
repo: { owner: string; repo: string }
payload: { repository?: { visibility: string } }
serverUrl: string
}
export const createGitHubContextMock = (
overrides: Partial<GitHubContextMock> = {}
): GitHubContextMock => ({
repo: { owner: 'test-owner', repo: 'test-repo' },
payload: { repository: { visibility: 'public' } },
serverUrl: 'https://github.com',
...overrides
})
export type OctokitMock = {
rest: {
repos: {
get: jest.Mock
}
}
}
export const createOctokitMock = (
ownerType: 'Organization' | 'User' = 'Organization'
): OctokitMock => ({
rest: {
repos: {
get: jest
.fn<RestEndpointMethodTypes['repos']['get']['response']>()
.mockResolvedValue({
data: { owner: { type: ownerType } }
})
}
}
})
// =============================================================================
// @actions/attest mock factory
// =============================================================================
export type AttestMock = {
attest: jest.Mock
buildSLSAProvenancePredicate: jest.Mock
createStorageRecord: jest.Mock
}
export const createAttestMock = (): AttestMock => ({
attest: jest.fn(),
buildSLSAProvenancePredicate: jest.fn(),
createStorageRecord: jest.fn()
})
export const createAttestationResult = (
overrides: Partial<Attestation> = {}
): Attestation => ({
bundle: {
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json' as const,
verificationMaterial: {
certificate: { rawBytes: '' },
publicKey: undefined,
x509CertificateChain: undefined,
tlogEntries: [],
timestampVerificationData: undefined
},
dsseEnvelope: {
payload: '',
payloadType: '',
signatures: []
},
messageSignature: undefined
},
certificate: '-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: 'tlog-123',
attestationID: 'att-123',
...overrides
})
// =============================================================================
// @sigstore/oci mock factory
// =============================================================================
export type OciMock = {
getRegistryCredentials: jest.Mock
attachArtifactToImage: jest.Mock
}
export const createOciMock = (): OciMock => ({
getRegistryCredentials: jest.fn().mockReturnValue({
username: 'test-user',
password: 'test-pass'
}),
attachArtifactToImage: jest
.fn<() => Promise<Descriptor>>()
.mockResolvedValue({
digest: 'sha256:abc123def456',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 1234
})
})
// =============================================================================
// Common test data
// =============================================================================
export const TEST_SUBJECT: Subject = {
name: 'test-artifact',
digest: {
sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
}
export const TEST_SUBJECT_WITH_REGISTRY: Subject = {
name: 'ghcr.io/test-owner/test-repo',
digest: {
sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
}
export const TEST_PREDICATE: Predicate = {
type: 'https://example.com/predicate/v1',
params: { foo: 'bar' }
}
export const TEST_PROVENANCE_PREDICATE: Predicate = {
type: 'https://slsa.dev/provenance/v1',
params: {
buildDefinition: {
buildType: 'https://actions.github.io/buildtypes/workflow/v1'
},
runDetails: {
builder: { id: 'https://github.com/actions/runner' }
}
}
}
// =============================================================================
// Environment helpers
// =============================================================================
export const setupTestEnvironment = (
env: Record<string, string> = {}
): (() => void) => {
const originalEnv = { ...process.env }
process.env = {
...process.env,
ACTIONS_ID_TOKEN_REQUEST_URL: 'https://token.url',
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'test-token',
RUNNER_TEMP: '/tmp',
...env
}
return () => {
process.env = originalEnv
}
}
// =============================================================================
// OIDC token helpers
// =============================================================================
export const createOidcToken = (subject = 'test@example.com'): string => {
const payload = {
sub: subject,
iss: 'https://token.actions.githubusercontent.com'
}
return `.${Buffer.from(JSON.stringify(payload)).toString('base64')}.`
}
@@ -0,0 +1,13 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:12345678-1234-1234-1234-123456789012",
"version": 1,
"components": [
{
"type": "library",
"name": "test-component",
"version": "1.0.0"
}
]
}
@@ -0,0 +1,9 @@
{
"buildType": "https://example.com/build/v1",
"builder": {
"id": "https://github.com/actions/runner"
},
"metadata": {
"buildStartedOn": "2024-01-01T00:00:00Z"
}
}
+15
View File
@@ -0,0 +1,15 @@
{
"spdxVersion": "SPDX-2.3",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "test-package",
"dataLicense": "CC0-1.0",
"documentNamespace": "https://example.com/test-package",
"packages": [
{
"SPDXID": "SPDXRef-Package",
"name": "test-package",
"versionInfo": "1.0.0",
"downloadLocation": "https://example.com/test-package-1.0.0.tar.gz"
}
]
}
+62 -13
View File
@@ -1,22 +1,71 @@
/**
* Unit tests for the action's entrypoint, src/index.ts
*/
import { jest } from '@jest/globals'
import * as core from '@actions/core'
import * as main from '../src/main'
// Mock functions
const mockRun = jest.fn()
const mockGetInput = jest.fn()
const mockGetBooleanInput = jest.fn()
// Mock the action's entrypoint
const runMock = jest.spyOn(main, 'run').mockImplementation()
const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
// Mock @actions/core
jest.unstable_mockModule('@actions/core', () => ({
getInput: mockGetInput,
getBooleanInput: mockGetBooleanInput
}))
// Mock ../src/main
jest.unstable_mockModule('../src/main', () => ({
run: mockRun
}))
describe('index', () => {
beforeEach(() => {
getBooleanInputMock.mockImplementation(() => false)
jest.clearAllMocks()
mockGetInput.mockReturnValue('')
mockGetBooleanInput.mockReturnValue(false)
})
it('calls run when imported', () => {
// eslint-disable-next-line @typescript-eslint/no-require-imports
require('../src/index')
expect(runMock).toHaveBeenCalled()
it('should call run with inputs from core.getInput', async () => {
mockGetInput.mockImplementation((name: string) => {
const inputs: Record<string, string> = {
'subject-path': '/path/to/subject',
'subject-name': 'my-artifact',
'subject-digest': '',
'subject-checksums': '',
'predicate-type': 'https://example.com/predicate',
predicate: '{}',
'predicate-path': '',
'sbom-path': '',
'github-token': 'test-token'
}
return inputs[name] || ''
})
mockGetBooleanInput.mockImplementation((name: string) => {
const inputs: Record<string, boolean> = {
'push-to-registry': false,
'create-storage-record': true,
'show-summary': true,
'private-signing': false
}
return inputs[name] || false
})
// Dynamic import triggers the module
await import('../src/index')
expect(mockRun).toHaveBeenCalledWith({
subjectPath: '/path/to/subject',
subjectName: 'my-artifact',
subjectDigest: '',
subjectChecksums: '',
predicateType: 'https://example.com/predicate',
predicate: '{}',
predicatePath: '',
sbomPath: '',
githubToken: 'test-token',
pushToRegistry: false,
createStorageRecord: true,
showSummary: true,
privateSigning: false
})
})
})
+228
View File
@@ -0,0 +1,228 @@
import { jest } from '@jest/globals'
import {
createAttestationResult,
createGitHubContextMock,
createOctokitMock,
TEST_PREDICATE,
TEST_SUBJECT_WITH_REGISTRY
} from '../fixtures/mocks'
import type { Attestation } from '@actions/attest'
import type { Descriptor } from '@sigstore/oci'
// Mock functions
const mockGetOctokit = jest.fn()
const mockAttest = jest.fn<() => Promise<Attestation>>()
const mockCreateStorageRecord = jest.fn<() => Promise<number[]>>()
const mockGetRegistryCredentials = jest.fn()
const mockAttachArtifactToImage = jest.fn<() => Promise<Descriptor>>()
// Mutable context for tests
const mockContext = createGitHubContextMock()
// Mock @actions/github
jest.unstable_mockModule('@actions/github', () => ({
getOctokit: mockGetOctokit,
context: mockContext
}))
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
attest: mockAttest,
createStorageRecord: mockCreateStorageRecord
}))
// Mock @sigstore/oci
jest.unstable_mockModule('@sigstore/oci', () => ({
getRegistryCredentials: mockGetRegistryCredentials,
attachArtifactToImage: mockAttachArtifactToImage
}))
// Dynamic imports after mocking
const { createAttestation, repoOwnerIsOrg } = await import('../../src/attest')
describe('repoOwnerIsOrg', () => {
beforeEach(() => {
jest.clearAllMocks()
})
it('should return true when repo owner is an Organization', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('Organization'))
const result = await repoOwnerIsOrg('test-token')
expect(result).toBe(true)
expect(mockGetOctokit).toHaveBeenCalledWith('test-token')
})
it('should return false when repo owner is a User', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('User'))
const result = await repoOwnerIsOrg('test-token')
expect(result).toBe(false)
})
})
describe('createAttestation', () => {
const defaultOpts = {
sigstoreInstance: 'github' as const,
pushToRegistry: false,
createStorageRecord: false,
githubToken: 'test-token'
}
beforeEach(() => {
jest.clearAllMocks()
mockAttest.mockResolvedValue(createAttestationResult())
mockGetRegistryCredentials.mockReturnValue({
username: 'test-user',
password: 'test-pass'
})
mockAttachArtifactToImage.mockResolvedValue({
digest: 'sha256:attestation-digest',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 1234
})
mockCreateStorageRecord.mockResolvedValue([12345])
mockGetOctokit.mockReturnValue(createOctokitMock('Organization'))
})
describe('basic attestation', () => {
it('should call attest with correct parameters', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
await createAttestation(subjects, TEST_PREDICATE, defaultOpts)
expect(mockAttest).toHaveBeenCalledWith({
subjects,
predicateType: TEST_PREDICATE.type,
predicate: TEST_PREDICATE.params,
sigstore: 'github',
token: 'test-token'
})
})
it('should return attestation result', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
defaultOpts
)
expect(result.attestationID).toBe('att-123')
expect(result.certificate).toContain('BEGIN CERTIFICATE')
expect(result.tlogID).toBe('tlog-123')
})
})
describe('registry push', () => {
const pushOpts = { ...defaultOpts, pushToRegistry: true }
it('should push attestation to registry when enabled', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(subjects, TEST_PREDICATE, pushOpts)
expect(mockGetRegistryCredentials).toHaveBeenCalledWith(subjects[0].name)
expect(mockAttachArtifactToImage).toHaveBeenCalled()
expect(result.attestationDigest).toBe('sha256:attestation-digest')
})
it('should skip registry push for multiple subjects', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY, TEST_SUBJECT_WITH_REGISTRY]
await createAttestation(subjects, TEST_PREDICATE, pushOpts)
expect(mockAttachArtifactToImage).not.toHaveBeenCalled()
})
})
describe('storage record creation', () => {
const storageOpts = {
...defaultOpts,
pushToRegistry: true,
createStorageRecord: true
}
it('should create storage record when enabled and owner is org', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(mockCreateStorageRecord).toHaveBeenCalled()
expect(result.storageRecordIds).toEqual([12345])
})
it('should skip storage record when owner is User', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('User'))
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(mockCreateStorageRecord).not.toHaveBeenCalled()
expect(result.storageRecordIds).toBeUndefined()
})
it('should skip storage record when createStorageRecord is false', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const opts = { ...storageOpts, createStorageRecord: false }
await createAttestation(subjects, TEST_PREDICATE, opts)
expect(mockCreateStorageRecord).not.toHaveBeenCalled()
})
it('should handle empty storage records gracefully', async () => {
mockCreateStorageRecord.mockResolvedValue([])
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(result.storageRecordIds).toEqual([])
})
it('should continue when storage record creation fails', async () => {
mockCreateStorageRecord.mockRejectedValue(new Error('Permission denied'))
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
// Should not throw
const result = await createAttestation(
subjects,
TEST_PREDICATE,
storageOpts
)
expect(result.attestationID).toBe('att-123')
expect(result.storageRecordIds).toBeUndefined()
})
})
describe('sigstore instance selection', () => {
it('should use public-good sigstore instance when specified', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const opts = { ...defaultOpts, sigstoreInstance: 'public-good' as const }
await createAttestation(subjects, TEST_PREDICATE, opts)
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'public-good' })
)
})
})
})
+454
View File
@@ -0,0 +1,454 @@
import { jest } from '@jest/globals'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import {
createAttestationResult,
createOctokitMock,
TEST_PROVENANCE_PREDICATE
} from '../fixtures/mocks'
import type { Attestation, Predicate } from '@actions/attest'
import type { Descriptor } from '@sigstore/oci'
import type { RunInputs } from '../../src/main'
// Create persistent mock functions
const infoMock = jest.fn()
const warningMock = jest.fn()
const debugMock = jest.fn()
const startGroupMock = jest.fn()
const endGroupMock = jest.fn()
const setOutputMock = jest.fn()
const setFailedMock = jest.fn()
// Create chainable summary mock
const summaryMock = {
write: jest.fn().mockReturnThis(),
addRaw: jest.fn().mockReturnThis(),
addHeading: jest.fn().mockReturnThis(),
addLink: jest.fn().mockReturnThis(),
addTable: jest.fn().mockReturnThis(),
addBreak: jest.fn().mockReturnThis(),
addSeparator: jest.fn().mockReturnThis(),
addQuote: jest.fn().mockReturnThis(),
addCodeBlock: jest.fn().mockReturnThis(),
addList: jest.fn().mockReturnThis(),
addImage: jest.fn().mockReturnThis(),
addDetails: jest.fn().mockReturnThis(),
addEOL: jest.fn().mockReturnThis(),
emptyBuffer: jest.fn().mockReturnThis(),
stringify: jest.fn().mockReturnValue(''),
isEmptyBuffer: jest.fn().mockReturnValue(true),
clear: jest.fn().mockReturnThis()
}
const mockGetOctokit = jest.fn()
const mockAttest = jest.fn<() => Promise<Attestation>>()
const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise<Predicate>>()
const mockCreateStorageRecord = jest.fn<() => Promise<number[]>>()
const mockGetRegistryCredentials = jest.fn()
const mockAttachArtifactToImage = jest.fn<() => Promise<Descriptor>>()
// Mutable context for tests
const mockContext = {
repo: { owner: 'test-owner', repo: 'test-repo' },
payload: { repository: { visibility: 'private' } },
serverUrl: 'https://github.com'
}
// Mock @actions/core
jest.unstable_mockModule('@actions/core', () => ({
info: infoMock,
warning: warningMock,
debug: debugMock,
startGroup: startGroupMock,
endGroup: endGroupMock,
setOutput: setOutputMock,
setFailed: setFailedMock,
summary: summaryMock
}))
// Mock @actions/github
jest.unstable_mockModule('@actions/github', () => ({
getOctokit: mockGetOctokit,
context: mockContext
}))
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
attest: mockAttest,
buildSLSAProvenancePredicate: mockBuildSLSAProvenancePredicate,
createStorageRecord: mockCreateStorageRecord
}))
// Mock @sigstore/oci
jest.unstable_mockModule('@sigstore/oci', () => ({
getRegistryCredentials: mockGetRegistryCredentials,
attachArtifactToImage: mockAttachArtifactToImage
}))
// Dynamic import after mocking
const { run } = await import('../../src/main')
const defaultInputs: RunInputs = {
predicate: '',
predicateType: '',
predicatePath: '',
sbomPath: '',
subjectName: '',
subjectDigest: '',
subjectPath: '',
subjectChecksums: '',
pushToRegistry: false,
createStorageRecord: false,
showSummary: false,
githubToken: 'test-token',
privateSigning: false
}
describe('run', () => {
let tempDir: string
const originalEnv = { ...process.env }
beforeEach(async () => {
jest.clearAllMocks()
// Reset chainable summary mocks
for (const key of Object.keys(summaryMock)) {
if (key !== 'stringify' && key !== 'isEmptyBuffer') {
;(
summaryMock[key as keyof typeof summaryMock] as jest.Mock
).mockReturnThis()
}
}
mockAttest.mockResolvedValue(createAttestationResult())
mockBuildSLSAProvenancePredicate.mockResolvedValue(
TEST_PROVENANCE_PREDICATE
)
mockCreateStorageRecord.mockResolvedValue([12345])
mockGetOctokit.mockReturnValue(createOctokitMock('Organization'))
mockGetRegistryCredentials.mockReturnValue({ username: 'u', password: 'p' })
mockAttachArtifactToImage.mockResolvedValue({
digest: 'sha256:abc',
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
size: 100
})
// Reset context
mockContext.repo = { owner: 'test-owner', repo: 'test-repo' }
mockContext.payload = { repository: { visibility: 'private' } }
// Create temp directory
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'main-test-'))
// Set required environment
process.env.ACTIONS_ID_TOKEN_REQUEST_URL = 'https://token.url'
process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'test-token'
process.env.RUNNER_TEMP = tempDir
})
afterEach(async () => {
process.env = { ...originalEnv }
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('environment validation', () => {
it('should fail when ACTIONS_ID_TOKEN_REQUEST_URL is not set', async () => {
delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining('id-token')
})
)
})
})
describe('subject validation', () => {
it('should fail when no subject inputs are provided', async () => {
await run(defaultInputs)
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining('subject-path')
})
)
})
})
describe('attestation type detection', () => {
it('should detect provenance attestation when no predicate inputs provided', async () => {
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
})
expect(infoMock).toHaveBeenCalledWith(
'Attestation type: Build Provenance'
)
expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalled()
})
it('should detect custom attestation when predicate inputs provided', async () => {
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
expect(mockBuildSLSAProvenancePredicate).not.toHaveBeenCalled()
})
it('should detect SBOM attestation when sbom-path provided', async () => {
const sbomPath = path.join(tempDir, 'sbom.json')
await fs.writeFile(
sbomPath,
JSON.stringify({
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test'
})
)
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
sbomPath
})
expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM')
})
it('should fail when sbom-path is combined with predicate inputs', async () => {
await run({
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
sbomPath: '/path/to/sbom.json',
predicateType: 'https://example.com/predicate'
})
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining(
'Cannot specify sbom-path together with'
)
})
)
})
})
describe('successful attestation', () => {
const validInputs: RunInputs = {
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
}
it('should create attestation successfully', async () => {
await run(validInputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(mockAttest).toHaveBeenCalled()
})
it('should set output for attestation-id', async () => {
await run(validInputs)
expect(setOutputMock).toHaveBeenCalledWith('attestation-id', 'att-123')
})
it('should set output for attestation-url', async () => {
await run(validInputs)
expect(setOutputMock).toHaveBeenCalledWith(
'attestation-url',
'https://github.com/test-owner/test-repo/attestations/att-123'
)
})
it('should set output for bundle-path', async () => {
await run(validInputs)
expect(setOutputMock).toHaveBeenCalledWith(
'bundle-path',
expect.stringContaining('attestation.json')
)
})
it('should write attestation bundle to file', async () => {
await run(validInputs)
const bundlePath = setOutputMock.mock.calls.find(
(call: unknown[]) => call[0] === 'bundle-path'
)?.[1] as string
const content = await fs.readFile(bundlePath, 'utf-8')
expect(content).toContain('mediaType')
})
})
describe('sigstore instance selection', () => {
const validInputs: RunInputs = {
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}'
}
it('should use github sigstore for private repos', async () => {
mockContext.payload = { repository: { visibility: 'private' } }
await run(validInputs)
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'github' })
)
})
it('should use public-good sigstore for public repos', async () => {
mockContext.payload = { repository: { visibility: 'public' } }
await run(validInputs)
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'public-good' })
)
})
it('should use github sigstore when privateSigning is true', async () => {
mockContext.payload = { repository: { visibility: 'public' } }
await run({ ...validInputs, privateSigning: true })
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({ sigstore: 'github' })
)
})
})
describe('multiple subjects', () => {
it('should handle multiple subjects from glob pattern', async () => {
// Create test files
for (let i = 0; i < 3; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`)
}
await run({
...defaultInputs,
subjectPath: path.join(tempDir, 'file-*.txt'),
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith(
expect.stringContaining('3 subjects')
)
})
it('should fail when subject count exceeds maximum', async () => {
// Create too many files
for (let i = 0; i < 1025; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`)
}
await run({
...defaultInputs,
subjectPath: path.join(tempDir, 'file-*.txt'),
predicateType: 'https://example.com/predicate',
predicate: '{}'
})
expect(setFailedMock).toHaveBeenCalledWith(
expect.objectContaining({
message: expect.stringContaining('Too many subjects')
})
)
})
})
describe('summary output', () => {
const validInputs: RunInputs = {
...defaultInputs,
subjectName: 'artifact',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}',
showSummary: true
}
it('should write summary when showSummary is true', async () => {
await run(validInputs)
expect(summaryMock.addHeading).toHaveBeenCalled()
expect(summaryMock.write).toHaveBeenCalled()
})
it('should not write summary when showSummary is false', async () => {
await run({ ...validInputs, showSummary: false })
expect(summaryMock.write).not.toHaveBeenCalled()
})
})
describe('registry push', () => {
const registryInputs: RunInputs = {
...defaultInputs,
subjectName: 'ghcr.io/test-owner/test-repo',
subjectDigest:
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32',
predicateType: 'https://example.com/predicate',
predicate: '{}',
pushToRegistry: true
}
it('should push attestation to registry when enabled', async () => {
await run(registryInputs)
expect(mockAttachArtifactToImage).toHaveBeenCalled()
})
it('should lowercase subject name for registry push', async () => {
await run({
...registryInputs,
subjectName: 'ghcr.io/TEST-OWNER/Test-Repo'
})
expect(mockAttest).toHaveBeenCalledWith(
expect.objectContaining({
subjects: [
expect.objectContaining({
name: 'ghcr.io/test-owner/test-repo'
})
]
})
)
})
})
})
+37
View File
@@ -0,0 +1,37 @@
import type { Predicate } from '@actions/attest'
import { jest } from '@jest/globals'
import { TEST_PROVENANCE_PREDICATE } from '../fixtures/mocks'
// Mock function
const mockBuildSLSAProvenancePredicate = jest.fn<() => Promise<Predicate>>()
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
buildSLSAProvenancePredicate: mockBuildSLSAProvenancePredicate
}))
// Dynamic import after mocking
const { generateProvenancePredicate } = await import('../../src/provenance')
describe('generateProvenancePredicate', () => {
beforeEach(() => {
jest.clearAllMocks()
mockBuildSLSAProvenancePredicate.mockResolvedValue(TEST_PROVENANCE_PREDICATE)
})
it('should delegate to buildSLSAProvenancePredicate', async () => {
const result = await generateProvenancePredicate()
expect(mockBuildSLSAProvenancePredicate).toHaveBeenCalledTimes(1)
expect(result).toEqual(TEST_PROVENANCE_PREDICATE)
})
it('should propagate errors from the underlying function', async () => {
const error = new Error('Failed to build provenance predicate')
mockBuildSLSAProvenancePredicate.mockRejectedValue(error)
await expect(generateProvenancePredicate()).rejects.toThrow(
'Failed to build provenance predicate'
)
})
})
-682
View File
@@ -1,682 +0,0 @@
/**
* Unit tests for the action's main functionality, src/main.ts
*
* These should be run as if the action was called from a workflow.
* Specifically, the inputs listed in `action.yml` should be set as environment
* variables following the pattern `INPUT_<INPUT_NAME>`.
*/
import * as attest from '@actions/attest'
import * as core from '@actions/core'
import * as github from '@actions/github'
import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
import * as oci from '@sigstore/oci'
import fs from 'fs/promises'
import nock from 'nock'
import os from 'os'
import path from 'path'
import { MockAgent, setGlobalDispatcher } from 'undici'
import * as localAttest from '../src/attest'
import { SEARCH_PUBLIC_GOOD_URL } from '../src/endpoints'
import * as main from '../src/main'
import * as provenance from '../src/provenance'
// Mock the GitHub Actions core library
const infoMock = jest.spyOn(core, 'info')
const warningMock = jest.spyOn(core, 'warning')
const startGroupMock = jest.spyOn(core, 'startGroup')
const setOutputMock = jest.spyOn(core, 'setOutput')
const setFailedMock = jest.spyOn(core, 'setFailed')
// Ensure that setFailed doesn't set an exit code during tests
setFailedMock.mockImplementation(() => {})
const summaryWriteMock = jest.spyOn(core.summary, 'write')
summaryWriteMock.mockResolvedValue(core.summary)
// Mock the action's main function
const runMock = jest.spyOn(main, 'run')
// MockAgent for mocking @actions/github
const mockAgent = new MockAgent()
setGlobalDispatcher(mockAgent)
const defaultInputs: main.RunInputs = {
predicate: '',
predicateType: '',
predicatePath: '',
sbomPath: '',
subjectName: '',
subjectDigest: '',
subjectPath: '',
subjectChecksums: '',
pushToRegistry: false,
createStorageRecord: true,
showSummary: true,
githubToken: '',
privateSigning: false
}
describe('action', () => {
// Capture original environment variables and GitHub context so we can restore
// them after each test
const originalEnv = process.env
const originalContext = { ...github.context }
// Mock OIDC token endpoint
const tokenURL = 'https://token.url'
// Fake an OIDC token
const oidcSubject = 'foo@bar.com'
const oidcPayload = { sub: oidcSubject, iss: '' }
const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
'base64'
)}.}`
const subjectName = 'ghcr.io/registry/foo/bar'
const subjectDigest =
'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
const predicate = '{}'
const predicateType = 'https://in-toto.io/attestation/release/v0.1'
const attestationID = '1234567890'
const storageRecordID = 987654321
beforeEach(() => {
jest.clearAllMocks()
nock(tokenURL)
.get('/')
.query({ audience: 'sigstore' })
.reply(200, { value: oidcToken })
const pool = mockAgent.get('https://api.github.com')
pool
.intercept({
path: /^\/repos\/.*\/.*\/attestations$/,
method: 'post'
})
.reply(201, { id: attestationID })
pool
.intercept({
path: /^\/orgs\/.*\/artifacts\/metadata\/storage-record$/,
method: 'post'
})
.reply(200, { storage_records: [{ id: storageRecordID }] })
process.env = {
...originalEnv,
ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
RUNNER_TEMP: process.env.RUNNER_TEMP || '/tmp'
}
})
afterEach(() => {
// Restore the original environment
process.env = originalEnv
// Restore the original github.context
setGHContext(originalContext)
})
describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token'
}
beforeEach(() => {
// Nullify the OIDC token URL
process.env.ACTIONS_ID_TOKEN_REQUEST_URL = ''
})
it('sets a failed status', async () => {
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
)
)
})
})
describe('when no inputs are provided', () => {
it('sets a failed status', async () => {
await main.run(defaultInputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'One of subject-path, subject-digest, or subject-checksums must be provided'
)
)
})
})
describe('when the repository is private', () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token'
}
beforeEach(async () => {
// Set the GH context with private repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
it('invokes the action w/o error', async () => {
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalledWith()
expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
expect(infoMock).toHaveBeenNthCalledWith(
2,
expect.stringMatching(
`Attestation created for ${subjectName}@${subjectDigest}`
)
)
expect(startGroupMock).toHaveBeenNthCalledWith(
1,
expect.stringMatching('GitHub Sigstore')
)
expect(infoMock).toHaveBeenNthCalledWith(
3,
expect.stringMatching('-----BEGIN CERTIFICATE-----')
)
expect(infoMock).toHaveBeenNthCalledWith(
4,
expect.stringMatching(/attestation uploaded/i)
)
expect(infoMock).toHaveBeenNthCalledWith(
5,
expect.stringMatching(attestationID)
)
expect(setOutputMock).toHaveBeenNthCalledWith(
1,
'bundle-path',
expect.stringMatching('attestation.json')
)
expect(setOutputMock).toHaveBeenNthCalledWith(
2,
'attestation-id',
expect.stringMatching(attestationID)
)
expect(setOutputMock).toHaveBeenNthCalledWith(
3,
'attestation-url',
expect.stringContaining(`foo/bar/attestations/${attestationID}`)
)
expect(setFailedMock).not.toHaveBeenCalled()
})
})
describe('when the repository is public', () => {
const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
const repoOwnerIsOrgSpy = jest.spyOn(localAttest, 'repoOwnerIsOrg')
const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
const createAttestationSpy = jest.spyOn(localAttest, 'createAttestation')
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token',
pushToRegistry: true
}
beforeEach(async () => {
// Set the GH context with public repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'public' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.sigstore.dev',
strict: false
})
await mockRekor({ baseURL: 'https://rekor.sigstore.dev' })
getRegCredsSpy.mockImplementation(() => ({
username: 'username',
password: 'password'
}))
attachArtifactSpy.mockResolvedValue({
digest: 'sha256:123456',
mediaType: 'application/vnd.cncf.notary.v2',
size: 123456
})
repoOwnerIsOrgSpy.mockResolvedValue(true)
})
it('invokes the action w/o error', async () => {
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
expect(attachArtifactSpy).toHaveBeenCalled()
expect(createAttestationSpy).toHaveBeenCalled()
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
expect(createStorageRecordSpy).toHaveBeenCalled()
expect(warningMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
expect(infoMock).toHaveBeenNthCalledWith(
2,
expect.stringMatching(
`Attestation created for ${subjectName}@${subjectDigest}`
)
)
expect(startGroupMock).toHaveBeenNthCalledWith(
1,
expect.stringMatching('Public Good Sigstore')
)
expect(infoMock).toHaveBeenNthCalledWith(
3,
expect.stringMatching('-----BEGIN CERTIFICATE-----')
)
expect(infoMock).toHaveBeenNthCalledWith(
4,
expect.stringMatching(/signature uploaded/i)
)
expect(infoMock).toHaveBeenNthCalledWith(
5,
expect.stringMatching(SEARCH_PUBLIC_GOOD_URL)
)
expect(infoMock).toHaveBeenNthCalledWith(
6,
expect.stringMatching(/attestation uploaded/i)
)
expect(infoMock).toHaveBeenNthCalledWith(
7,
expect.stringMatching(attestationID)
)
expect(infoMock).toHaveBeenNthCalledWith(
10,
expect.stringMatching('Storage record created')
)
expect(infoMock).toHaveBeenNthCalledWith(
11,
expect.stringMatching('Storage record IDs: 987654321')
)
expect(setOutputMock).toHaveBeenNthCalledWith(
1,
'bundle-path',
expect.stringMatching('attestation.json')
)
expect(setOutputMock).toHaveBeenNthCalledWith(
2,
'attestation-id',
expect.stringMatching(attestationID)
)
expect(setOutputMock).toHaveBeenNthCalledWith(
3,
'attestation-url',
expect.stringContaining(`foo/bar/attestations/${attestationID}`)
)
expect(setOutputMock).toHaveBeenNthCalledWith(
4,
'storage-record-ids',
expect.stringMatching(storageRecordID.toString())
)
expect(setFailedMock).not.toHaveBeenCalled()
})
it('catches error when storage record creation fails and continues', async () => {
// Mock the createStorageRecord function and throw an error
createStorageRecordSpy.mockRejectedValueOnce(
new Error('Failed to persist storage record: Not Found')
)
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(createAttestationSpy).toHaveBeenCalled()
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
expect(createStorageRecordSpy).toHaveBeenCalled()
expect(setFailedMock).not.toHaveBeenCalled()
expect(warningMock).toHaveBeenNthCalledWith(
1,
expect.stringMatching('Failed to create storage record')
)
})
it('does not create a storage record when the repo is owned by a user', async () => {
repoOwnerIsOrgSpy.mockResolvedValueOnce(false)
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
expect(attachArtifactSpy).toHaveBeenCalled()
expect(createAttestationSpy).toHaveBeenCalled()
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
expect(createStorageRecordSpy).not.toHaveBeenCalled()
expect(warningMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith(
expect.stringMatching(
`Attestation created for ${subjectName}@${subjectDigest}`
)
)
expect(infoMock).not.toHaveBeenCalledWith(
expect.stringMatching('Storage record created')
)
expect(infoMock).not.toHaveBeenCalledWith(
expect.stringMatching('Storage record IDs: 987654321')
)
expect(setOutputMock).toHaveBeenCalledWith(
'attestation-id',
expect.stringMatching(attestationID)
)
expect(setOutputMock).not.toHaveBeenCalledWith(
'storage-record-ids',
expect.stringMatching(storageRecordID.toString())
)
expect(setFailedMock).not.toHaveBeenCalled()
})
})
describe('when the subject count is greater than 1', () => {
let dir = ''
const filename = 'subject'
beforeEach(async () => {
const subjectCount = 5
const content = 'file content'
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Add files for glob testing
for (let i = 0; i < subjectCount; i++) {
await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
}
// Set the GH context with private repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
// Set-up a Fulcio mock for each subject
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
// Set-up a TSA mock for each subject
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
it('invokes the action w/o error', async () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectPath: path.join(dir, `${filename}-*`),
predicateType,
predicate,
githubToken: 'gh-token'
}
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenNthCalledWith(1, 'Attestation type: Custom')
expect(infoMock).toHaveBeenNthCalledWith(
2,
expect.stringMatching('Attestation created for 5 subjects')
)
})
})
describe('when the subject count exceeds the max', () => {
let dir = ''
const filename = 'subject'
beforeEach(async () => {
const subjectCount = 1025
const content = 'file content'
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Add files for glob testing
for (let i = 0; i < subjectCount; i++) {
await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
}
// Set the GH context with private repository visibility and a repo owner.
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
it('sets a failed status', async () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectPath: path.join(dir, `${filename}-*`),
predicateType,
predicate,
githubToken: 'gh-token'
}
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'Too many subjects specified (1025). The maximum number of subjects is 1024.'
)
)
})
})
describe('attestation type detection', () => {
describe('when sbom-path is provided with predicate inputs', () => {
it('sets a failed status for conflicting inputs', async () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
sbomPath: '/path/to/sbom.json',
predicateType: 'https://example.com/predicate',
githubToken: 'gh-token'
}
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'Cannot specify sbom-path together with predicate-type, predicate, or predicate-path'
)
)
})
})
describe('when predicate is provided without predicate-type', () => {
it('sets a failed status for missing predicate-type', async () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicate: '{}',
githubToken: 'gh-token'
}
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'predicate-type is required when using predicate or predicate-path'
)
)
})
})
describe('when custom attestation inputs are provided', () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
predicateType,
predicate,
githubToken: 'gh-token'
}
beforeEach(async () => {
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
it('logs the attestation type as Custom', async () => {
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith('Attestation type: Custom')
})
})
describe('when provenance attestation is detected', () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
githubToken: 'gh-token'
}
const mockProvPredicate = {
type: 'https://slsa.dev/provenance/v1',
params: { buildDefinition: {}, runDetails: {} }
}
beforeEach(async () => {
jest
.spyOn(provenance, 'generateProvenancePredicate')
.mockResolvedValue(mockProvPredicate)
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
it('logs the attestation type as Build Provenance and generates predicate', async () => {
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith(
'Attestation type: Build Provenance'
)
})
})
describe('when sbom attestation is detected', () => {
let tmpDir: string
let sbomFilePath: string
const spdxSBOM = {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package',
packages: []
}
beforeEach(async () => {
tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'main-test-'))
sbomFilePath = path.join(tmpDir, 'sbom.spdx.json')
await fs.writeFile(sbomFilePath, JSON.stringify(spdxSBOM))
setGHContext({
payload: { repository: { visibility: 'private' } },
repo: { owner: 'foo', repo: 'bar' }
})
await mockFulcio({
baseURL: 'https://fulcio.githubapp.com',
strict: false
})
await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
})
afterEach(async () => {
await fs.rm(tmpDir, { recursive: true })
})
it('logs the attestation type as SBOM and generates predicate', async () => {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
sbomPath: sbomFilePath,
githubToken: 'gh-token'
}
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith('Attestation type: SBOM')
})
})
})
})
// Stubbing the GitHub context is a bit tricky. We need to use
// `Object.defineProperty` because `github.context` is read-only.
function setGHContext(context: object): void {
Object.defineProperty(github, 'context', { value: context })
}
-129
View File
@@ -1,129 +0,0 @@
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { predicateFromInputs, PredicateInputs } from '../src/predicate'
describe('subjectFromInputs', () => {
const blankInputs: PredicateInputs = {
predicateType: '',
predicate: '',
predicatePath: ''
}
describe('when no inputs are provided', () => {
it('throws an error', () => {
expect(() => predicateFromInputs(blankInputs)).toThrow(/predicate-type/i)
})
})
describe('when neither predicate path nor predicate are provided', () => {
it('throws an error', () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate'
}
expect(() => predicateFromInputs(inputs)).toThrow(
/one of predicate-path or predicate must be provided/i
)
})
})
describe('when both predicate path and predicate are provided', () => {
it('throws an error', () => {
const inputs: PredicateInputs = {
predicateType: 'https://example.com/predicate',
predicate: '{}',
predicatePath: 'path/to/predicate'
}
expect(() => predicateFromInputs(inputs)).toThrow(
/only one of predicate-path or predicate may be provided/i
)
})
})
describe('when specifying a predicate path', () => {
const predicateType = 'https://example.com/predicate'
const content = '{}'
let predicatePath = ''
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
const dir = await fs.mkdtemp(tmpDir + path.sep)
const filename = 'subject'
predicatePath = path.join(dir, filename)
// Write file to temp directory
await fs.writeFile(predicatePath, content)
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(path.parse(predicatePath).dir, { recursive: true })
})
it('returns the predicate', () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicatePath
}
expect(predicateFromInputs(inputs)).toEqual({
type: predicateType,
params: JSON.parse(content)
})
})
})
describe('when specifying a predicate path that does not exist', () => {
const predicateType = 'https://example.com/predicate'
const predicatePath = 'foo'
it('returns the predicate', () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicatePath
}
expect(() => predicateFromInputs(inputs)).toThrow(/file not found/)
})
})
describe('when specifying a predicate value', () => {
const predicateType = 'https://example.com/predicate'
const content = '{}'
it('returns the predicate', () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: content
}
expect(predicateFromInputs(inputs)).toEqual({
type: predicateType,
params: JSON.parse(content)
})
})
})
describe('when specifying a predicate value exceeding the max size', () => {
const predicateType = 'https://example.com/predicate'
const content = JSON.stringify({ a: 'a'.repeat(16 * 1024 * 1024) })
it('throws an error', () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: content
}
expect(() => predicateFromInputs(inputs)).toThrow(
/predicate string exceeds maximum/
)
})
})
})
-43
View File
@@ -1,43 +0,0 @@
import { generateProvenancePredicate } from '../src/provenance'
import { buildSLSAProvenancePredicate } from '@actions/attest'
jest.mock('@actions/attest', () => ({
buildSLSAProvenancePredicate: jest.fn()
}))
describe('generateProvenancePredicate', () => {
const mockPredicate = {
type: 'https://slsa.dev/provenance/v1',
params: {
buildDefinition: {
buildType: 'https://actions.github.io/buildtypes/workflow/v1'
},
runDetails: {
builder: { id: 'https://github.com/actions/runner' }
}
}
}
beforeEach(() => {
jest.clearAllMocks()
;(buildSLSAProvenancePredicate as jest.Mock).mockResolvedValue(
mockPredicate
)
})
it('returns the SLSA provenance predicate', async () => {
const result = await generateProvenancePredicate()
expect(buildSLSAProvenancePredicate).toHaveBeenCalledTimes(1)
expect(result).toEqual(mockPredicate)
})
it('propagates errors from buildSLSAProvenancePredicate', async () => {
const error = new Error('Failed to build provenance')
;(buildSLSAProvenancePredicate as jest.Mock).mockRejectedValue(error)
await expect(generateProvenancePredicate()).rejects.toThrow(
'Failed to build provenance'
)
})
})
-161
View File
@@ -1,161 +0,0 @@
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { parseSBOMFromPath, generateSBOMPredicate, SBOM } from '../src/sbom'
describe('parseSBOMFromPath', () => {
let tmpDir: string
beforeEach(async () => {
tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'sbom-test-'))
})
afterEach(async () => {
await fs.rm(tmpDir, { recursive: true })
})
describe('when file does not exist', () => {
it('throws an error', async () => {
await expect(parseSBOMFromPath('/nonexistent/file.json')).rejects.toThrow(
/SBOM file not found/
)
})
})
describe('when file contains valid SPDX SBOM', () => {
const spdxSBOM = {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package',
packages: []
}
it('returns SBOM with type spdx', async () => {
const filePath = path.join(tmpDir, 'sbom.spdx.json')
await fs.writeFile(filePath, JSON.stringify(spdxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('spdx')
expect(result.object).toEqual(spdxSBOM)
})
})
describe('when file contains valid CycloneDX SBOM', () => {
const cyclonedxSBOM = {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345',
components: []
}
it('returns SBOM with type cyclonedx', async () => {
const filePath = path.join(tmpDir, 'sbom.cdx.json')
await fs.writeFile(filePath, JSON.stringify(cyclonedxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('cyclonedx')
expect(result.object).toEqual(cyclonedxSBOM)
})
})
describe('when file contains invalid SBOM format', () => {
it('throws an error', async () => {
const filePath = path.join(tmpDir, 'invalid.json')
await fs.writeFile(filePath, JSON.stringify({ random: 'data' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
})
describe('when file contains invalid JSON', () => {
it('throws an error', async () => {
const filePath = path.join(tmpDir, 'invalid.json')
await fs.writeFile(filePath, 'not valid json')
await expect(parseSBOMFromPath(filePath)).rejects.toThrow()
})
})
describe('when file exceeds maximum size', () => {
it('throws an error', async () => {
const filePath = path.join(tmpDir, 'large.json')
// Create a file larger than 16MB
const largeContent = 'x'.repeat(17 * 1024 * 1024)
await fs.writeFile(filePath, largeContent)
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/SBOM file exceeds maximum allowed size/
)
})
})
})
describe('generateSBOMPredicate', () => {
describe('for SPDX SBOM', () => {
const spdxSBOM: SBOM = {
type: 'spdx',
object: {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package'
}
}
it('returns predicate with correct SPDX type', () => {
const predicate = generateSBOMPredicate(spdxSBOM)
expect(predicate.type).toBe('https://spdx.dev/Document/v2.3')
expect(predicate.params).toEqual(spdxSBOM.object)
})
})
describe('for CycloneDX SBOM', () => {
const cyclonedxSBOM: SBOM = {
type: 'cyclonedx',
object: {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345'
}
}
it('returns predicate with correct CycloneDX type', () => {
const predicate = generateSBOMPredicate(cyclonedxSBOM)
expect(predicate.type).toBe('https://cyclonedx.org/bom')
expect(predicate.params).toEqual(cyclonedxSBOM.object)
})
})
describe('for SPDX without version', () => {
const invalidSBOM: SBOM = {
type: 'spdx',
object: {
SPDXID: 'SPDXRef-DOCUMENT'
}
}
it('throws an error', () => {
expect(() => generateSBOMPredicate(invalidSBOM)).toThrow(
/Cannot find spdxVersion/
)
})
})
describe('for unsupported SBOM type', () => {
const unsupportedSBOM = {
type: 'unknown' as SBOM['type'],
object: { foo: 'bar' }
}
it('throws an error', () => {
expect(() => generateSBOMPredicate(unsupportedSBOM)).toThrow(
/Unsupported SBOM format/
)
})
})
})
-15
View File
@@ -1,15 +0,0 @@
import { highlight, mute } from '../src/style'
describe('style', () => {
describe('highlight', () => {
it('adds cyan color to the string', () => {
expect(highlight('foo')).toBe('\x1B[36mfoo\x1B[39m')
})
})
describe('mute', () => {
it('adds gray color to the string', () => {
expect(mute('foo')).toBe('\x1B[38;5;244mfoo\x1B[39m')
})
})
})
-600
View File
@@ -1,600 +0,0 @@
import crypto from 'crypto'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import {
formatSubjectDigest,
subjectFromInputs,
SubjectInputs
} from '../src/subject'
describe('subjectFromInputs', () => {
const blankInputs: SubjectInputs = {
subjectPath: '',
subjectName: '',
subjectDigest: '',
subjectChecksums: ''
}
describe('when no inputs are provided', () => {
it('throws an error', async () => {
await expect(subjectFromInputs(blankInputs)).rejects.toThrow(
/one of subject-path, subject-digest, or subject-checksums must be provided/i
)
})
})
describe('when both subject path and subject digest are provided', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
subjectName: 'foo',
subjectPath: 'path/to/subject',
subjectDigest: 'digest',
subjectChecksums: ''
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
})
describe('when both subject path and subject checksums are provided', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
subjectName: '',
subjectPath: 'path/to/subject',
subjectDigest: '',
subjectChecksums: 'path/to/checksums'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
})
describe('when both subject digest and subject checksums are provided', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
subjectName: 'foo',
subjectPath: '',
subjectDigest: 'digest',
subjectChecksums: 'path/to/checksums'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
})
describe('when subject digest is provided but not the name', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'digest'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-name must be provided when using subject-digest/i
)
})
})
describe('when specifying a subject digest', () => {
const name = 'Subject'
describe('when the digest is malformed', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'digest',
subjectName: name
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format "sha256:<hex-digest>"/i
)
})
})
describe('when the algorithm is not supported', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'md5:deadbeef',
subjectName: name
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format "sha256:<hex-digest>"/i
)
})
})
describe('when the sha256 digest is malformed', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'sha256:deadbeef',
subjectName: name
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format "sha256:<hex-digest>"/i
)
})
})
describe('when the sha256 digest is valid', () => {
const alg = 'sha256'
const digest =
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
it('returns the subject', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: `${alg}:${digest}`,
subjectName: name
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(name)
expect(subject[0].digest).toEqual({ [alg]: digest })
})
})
describe('when the downcaseName is true', () => {
const imageName = 'ghcr.io/FOO/bar'
const alg = 'sha256'
const digest =
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
it('returns the subject (with name downcased)', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: `${alg}:${digest}`,
subjectName: imageName,
downcaseName: true
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(imageName.toLowerCase())
expect(subject[0].digest).toEqual({ [alg]: digest })
})
})
})
describe('when specifying a subject path', () => {
describe('when the file does NOT exist', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: '/f/a/k/e'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/could not find subject at path/i
)
})
})
})
describe('when the file exists', () => {
let dir = ''
const filename = 'subject'
const content = 'file content'
const expectedDigest = crypto
.createHash('sha256')
.update(content)
.digest('hex')
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Write file to temp directory
await fs.writeFile(path.join(dir, filename), content)
// Add files for glob testing
for (let i = 0; i < 3; i++) {
await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
await fs.writeFile(path.join(dir, `other-${i}`), content)
}
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
describe('when no name is provided', () => {
it('returns the subject', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(dir, filename)
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(filename)
expect(subject[0].digest).toEqual({ sha256: expectedDigest })
})
})
describe('when a name is provided', () => {
const name = 'mysubject'
it('returns the subject', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(dir, filename),
subjectName: name
}
const subject = await subjectFromInputs(inputs)
expect(subject).toBeDefined()
expect(subject).toHaveLength(1)
expect(subject[0].name).toEqual(name)
expect(subject[0].digest).toEqual({ sha256: expectedDigest })
})
})
describe('when a file glob is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(dir, 'subject-*')
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(3)
subjects.forEach((subject, i) => {
expect(subject.name).toEqual(`${filename}-${i}`)
expect(subject.digest).toEqual({ sha256: expectedDigest })
})
})
})
describe('when a file glob is supplied which also matches non-files', () => {
it('returns the subjects (excluding non-files)', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${dir}*`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(7)
})
})
describe('when a comma-separated list is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'subject-1',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when a multi-line list is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'subject-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when an excluding glob is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-*')},!${path.join(dir, 'subject-1')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'subject-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when a multi-line glob list is supplied', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject-*')}\n ${path.join(dir, 'other-*')} `
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(6)
expect(subjects).toContainEqual({
name: 'subject-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-1',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'subject-2',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'other-0',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'other-1',
digest: { sha256: expectedDigest }
})
expect(subjects).toContainEqual({
name: 'other-2',
digest: { sha256: expectedDigest }
})
})
})
describe('when duplicate subjects are supplied', () => {
let otherDir = ''
// Add duplicate subject in alternate directory
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
otherDir = await fs.mkdtemp(tmpDir + path.sep)
// Write file to temp directory
await fs.writeFile(path.join(otherDir, filename), content)
})
it('returns de-duplicated subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(dir, 'subject')}, ${path.join(otherDir, 'subject')} `
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(1)
})
})
})
describe('when specifying a subject checksums file', () => {
const checksums = `
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d demo_0.0.1_linux_amd64
badline
5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718 demo_0.0.1_darwin_arm64`
let dir = ''
const filename = 'checksums'
beforeEach(async () => {
// Set-up temp directory
const tmpDir = await fs.realpath(os.tmpdir())
dir = await fs.mkdtemp(tmpDir + path.sep)
// Write file to temp directory
await fs.writeFile(path.join(dir, filename), checksums)
})
afterEach(async () => {
// Clean-up temp directory
await fs.rm(dir, { recursive: true })
})
describe('when the specified path is NOT a file', () => {
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: dir
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject checksums file not found/i
)
})
})
describe('when the specific path is a file', () => {
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: path.join(dir, filename)
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_amd64',
digest: {
sha256:
'187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_darwin_arm64',
digest: {
sha512:
'5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718'
}
})
})
})
})
describe('when specifying a subject checksums string', () => {
const checksums = `
f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 demo_0.0.1_linux_arm64`
it('returns the multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(3)
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_386',
digest: {
sha256:
'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_amd64',
digest: {
sha256:
'187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_arm64',
digest: {
sha256:
'9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5'
}
})
})
})
describe('when specifying a subject checksums string with duplicates', () => {
const checksums = `
f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386
f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64`
it('returns de-duplicated subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_386',
digest: {
sha256:
'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
}
})
expect(subjects).toContainEqual({
name: 'demo_0.0.1_linux_amd64',
digest: {
sha256:
'187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
}
})
})
})
describe('when specifying a subject checksums string with an unrecognized digest', () => {
const checksums = `f861e demo_0.0.1_linux_386`
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/unknown digest algorithm/i
)
})
})
describe('when specifying a subject checksums string with an invalid digest', () => {
const checksums =
'!!!!e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e demo_0.0.1_linux_386'
it('throws an error', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/invalid digest/i)
})
})
})
describe('subjectDigest', () => {
it('returns the digest', () => {
const subject = {
name: 'foo',
digest: { sha1: 'deadbeef' }
}
const digest = formatSubjectDigest(subject)
expect(digest).toEqual('sha1:deadbeef')
})
})
@@ -2,7 +2,7 @@ import {
detectAttestationType,
validateAttestationInputs,
DetectionInputs
} from '../src/detect'
} from '../../src/detect'
describe('detectAttestationType', () => {
const blankInputs: DetectionInputs = {
@@ -12,14 +12,12 @@ describe('detectAttestationType', () => {
predicatePath: ''
}
describe('when no inputs are provided', () => {
it('returns provenance', () => {
expect(detectAttestationType(blankInputs)).toBe('provenance')
})
it('should return provenance when no inputs are provided', () => {
expect(detectAttestationType(blankInputs)).toBe('provenance')
})
describe('when sbom-path is provided', () => {
it('returns sbom', () => {
describe('SBOM detection', () => {
it('should return sbom when sbom-path is provided', () => {
const inputs: DetectionInputs = {
...blankInputs,
sbomPath: '/path/to/sbom.json'
@@ -27,7 +25,7 @@ describe('detectAttestationType', () => {
expect(detectAttestationType(inputs)).toBe('sbom')
})
it('returns sbom even when predicate inputs are also provided', () => {
it('should prioritize sbom over custom predicate inputs', () => {
const inputs: DetectionInputs = {
...blankInputs,
sbomPath: '/path/to/sbom.json',
@@ -37,38 +35,32 @@ describe('detectAttestationType', () => {
})
})
describe('when predicate-type is provided', () => {
it('returns custom', () => {
describe('custom detection', () => {
it('should return custom when predicate-type is provided', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate'
}
expect(detectAttestationType(inputs)).toBe('custom')
})
})
describe('when predicate is provided', () => {
it('returns custom', () => {
it('should return custom when predicate is provided', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicate: '{}'
}
expect(detectAttestationType(inputs)).toBe('custom')
})
})
describe('when predicate-path is provided', () => {
it('returns custom', () => {
it('should return custom when predicate-path is provided', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicatePath: '/path/to/predicate.json'
}
expect(detectAttestationType(inputs)).toBe('custom')
})
})
describe('when predicate-type and predicate are provided', () => {
it('returns custom', () => {
it('should return custom when predicate-type and predicate are both provided', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
@@ -87,24 +79,20 @@ describe('validateAttestationInputs', () => {
predicatePath: ''
}
describe('when no inputs are provided', () => {
it('does not throw', () => {
expect(() => validateAttestationInputs(blankInputs)).not.toThrow()
})
it('should not throw when no inputs are provided', () => {
expect(() => validateAttestationInputs(blankInputs)).not.toThrow()
})
describe('when sbom-path is provided alone', () => {
it('does not throw', () => {
const inputs: DetectionInputs = {
...blankInputs,
sbomPath: '/path/to/sbom.json'
}
expect(() => validateAttestationInputs(inputs)).not.toThrow()
})
it('should not throw when sbom-path is provided alone', () => {
const inputs: DetectionInputs = {
...blankInputs,
sbomPath: '/path/to/sbom.json'
}
expect(() => validateAttestationInputs(inputs)).not.toThrow()
})
describe('when sbom-path is combined with predicate-type', () => {
it('throws an error', () => {
describe('sbom-path conflicts', () => {
it('should throw when sbom-path is combined with predicate-type', () => {
const inputs: DetectionInputs = {
...blankInputs,
sbomPath: '/path/to/sbom.json',
@@ -114,10 +102,8 @@ describe('validateAttestationInputs', () => {
/Cannot specify sbom-path together with/
)
})
})
describe('when sbom-path is combined with predicate', () => {
it('throws an error', () => {
it('should throw when sbom-path is combined with predicate', () => {
const inputs: DetectionInputs = {
...blankInputs,
sbomPath: '/path/to/sbom.json',
@@ -127,10 +113,8 @@ describe('validateAttestationInputs', () => {
/Cannot specify sbom-path together with/
)
})
})
describe('when sbom-path is combined with predicate-path', () => {
it('throws an error', () => {
it('should throw when sbom-path is combined with predicate-path', () => {
const inputs: DetectionInputs = {
...blankInputs,
sbomPath: '/path/to/sbom.json',
@@ -142,8 +126,8 @@ describe('validateAttestationInputs', () => {
})
})
describe('when predicate is provided without predicate-type', () => {
it('throws an error', () => {
describe('predicate-type requirements', () => {
it('should throw when predicate is provided without predicate-type', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicate: '{}'
@@ -152,10 +136,8 @@ describe('validateAttestationInputs', () => {
/predicate-type is required/
)
})
})
describe('when predicate-path is provided without predicate-type', () => {
it('throws an error', () => {
it('should throw when predicate-path is provided without predicate-type', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicatePath: '/path/to/predicate.json'
@@ -164,10 +146,8 @@ describe('validateAttestationInputs', () => {
/predicate-type is required/
)
})
})
describe('when predicate-type and predicate are provided', () => {
it('does not throw', () => {
it('should not throw when predicate-type and predicate are provided', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
@@ -175,10 +155,8 @@ describe('validateAttestationInputs', () => {
}
expect(() => validateAttestationInputs(inputs)).not.toThrow()
})
})
describe('when predicate-type and predicate-path are provided', () => {
it('does not throw', () => {
it('should not throw when predicate-type and predicate-path are provided', () => {
const inputs: DetectionInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
+142
View File
@@ -0,0 +1,142 @@
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { predicateFromInputs, PredicateInputs } from '../../src/predicate'
describe('predicateFromInputs', () => {
const blankInputs: PredicateInputs = {
predicateType: '',
predicate: '',
predicatePath: ''
}
let tempDir: string
beforeEach(async () => {
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'predicate-test-'))
})
afterEach(async () => {
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('input validation', () => {
it('should throw when predicate-type is not provided', async () => {
await expect(predicateFromInputs(blankInputs)).rejects.toThrow(
/predicate-type must be provided/
)
})
it('should throw when neither predicate nor predicate-path is provided', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/one of predicate-path or predicate must be provided/i
)
})
it('should throw when both predicate and predicate-path are provided', async () => {
const inputs: PredicateInputs = {
predicateType: 'https://example.com/predicate',
predicate: '{}',
predicatePath: '/path/to/predicate.json'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/only one of predicate-path or predicate may be provided/i
)
})
})
describe('with predicate string', () => {
it('should parse and return the predicate', async () => {
const predicateType = 'https://example.com/predicate'
const predicateContent = { foo: 'bar', nested: { value: 123 } }
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: JSON.stringify(predicateContent)
}
const result = await predicateFromInputs(inputs)
expect(result).toEqual({
type: predicateType,
params: predicateContent
})
})
it('should throw when predicate string exceeds max size', async () => {
const predicateType = 'https://example.com/predicate'
const largeContent = JSON.stringify({ data: 'x'.repeat(16 * 1024 * 1024) })
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicate: largeContent
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(
/predicate string exceeds maximum/
)
})
it('should throw when predicate is invalid JSON', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
predicate: 'not valid json'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(/JSON/)
})
})
describe('with predicate path', () => {
it('should read and parse predicate from file', async () => {
const predicateType = 'https://example.com/predicate'
const predicateContent = { buildType: 'test', metadata: { version: '1.0' } }
const filePath = path.join(tempDir, 'predicate.json')
await fs.writeFile(filePath, JSON.stringify(predicateContent))
const inputs: PredicateInputs = {
...blankInputs,
predicateType,
predicatePath: filePath
}
const result = await predicateFromInputs(inputs)
expect(result).toEqual({
type: predicateType,
params: predicateContent
})
})
it('should throw when predicate file does not exist', async () => {
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
predicatePath: '/nonexistent/file.json'
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(/file not found/)
})
it('should throw when predicate file contains invalid JSON', async () => {
const filePath = path.join(tempDir, 'invalid.json')
await fs.writeFile(filePath, 'not valid json')
const inputs: PredicateInputs = {
...blankInputs,
predicateType: 'https://example.com/predicate',
predicatePath: filePath
}
await expect(predicateFromInputs(inputs)).rejects.toThrow(/JSON/)
})
})
})
+181
View File
@@ -0,0 +1,181 @@
import { jest } from '@jest/globals'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { parseSBOMFromPath, generateSBOMPredicate, SBOM } from '../../src/sbom'
describe('parseSBOMFromPath', () => {
let tempDir: string
beforeEach(async () => {
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'sbom-test-'))
})
afterEach(async () => {
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('file handling', () => {
it('should throw when file does not exist', async () => {
await expect(parseSBOMFromPath('/nonexistent/file.json')).rejects.toThrow(
/SBOM file not found/
)
})
it('should rethrow non-ENOENT errors', async () => {
const statSpy = jest.spyOn(fs, 'stat').mockRejectedValueOnce(
Object.assign(new Error('Permission denied'), { code: 'EACCES' })
)
await expect(parseSBOMFromPath('/some/file.json')).rejects.toThrow(
/Permission denied/
)
statSpy.mockRestore()
})
it('should throw when file contains invalid JSON', async () => {
const filePath = path.join(tempDir, 'invalid.json')
await fs.writeFile(filePath, 'not valid json')
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(/JSON/)
})
it('should throw when file exceeds maximum size', async () => {
const filePath = path.join(tempDir, 'large.json')
const largeContent = 'x'.repeat(17 * 1024 * 1024)
await fs.writeFile(filePath, largeContent)
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/SBOM file exceeds maximum allowed size/
)
})
})
describe('SPDX format', () => {
const spdxSBOM = {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package',
packages: []
}
it('should parse valid SPDX SBOM', async () => {
const filePath = path.join(tempDir, 'sbom.spdx.json')
await fs.writeFile(filePath, JSON.stringify(spdxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('spdx')
expect(result.object).toEqual(spdxSBOM)
})
})
describe('CycloneDX format', () => {
const cyclonedxSBOM = {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345',
components: []
}
it('should parse valid CycloneDX SBOM', async () => {
const filePath = path.join(tempDir, 'sbom.cdx.json')
await fs.writeFile(filePath, JSON.stringify(cyclonedxSBOM))
const result = await parseSBOMFromPath(filePath)
expect(result.type).toBe('cyclonedx')
expect(result.object).toEqual(cyclonedxSBOM)
})
})
describe('unsupported formats', () => {
it('should throw for unrecognized SBOM format', async () => {
const filePath = path.join(tempDir, 'invalid-sbom.json')
await fs.writeFile(filePath, JSON.stringify({ random: 'data' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
it('should throw for SPDX missing SPDXID', async () => {
const filePath = path.join(tempDir, 'partial-spdx.json')
await fs.writeFile(filePath, JSON.stringify({ spdxVersion: 'SPDX-2.3' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
it('should throw for CycloneDX missing required fields', async () => {
const filePath = path.join(tempDir, 'partial-cdx.json')
await fs.writeFile(filePath, JSON.stringify({ bomFormat: 'CycloneDX' }))
await expect(parseSBOMFromPath(filePath)).rejects.toThrow(
/Unsupported SBOM format/
)
})
})
})
describe('generateSBOMPredicate', () => {
describe('SPDX predicates', () => {
it('should generate predicate with correct SPDX type URL', () => {
const sbom: SBOM = {
type: 'spdx',
object: {
spdxVersion: 'SPDX-2.3',
SPDXID: 'SPDXRef-DOCUMENT',
name: 'test-package'
}
}
const predicate = generateSBOMPredicate(sbom)
expect(predicate.type).toBe('https://spdx.dev/Document/v2.3')
expect(predicate.params).toEqual(sbom.object)
})
it('should throw when spdxVersion is missing', () => {
const sbom: SBOM = {
type: 'spdx',
object: { SPDXID: 'SPDXRef-DOCUMENT' }
}
expect(() => generateSBOMPredicate(sbom)).toThrow(
/Cannot find spdxVersion/
)
})
})
describe('CycloneDX predicates', () => {
it('should generate predicate with correct CycloneDX type URL', () => {
const sbom: SBOM = {
type: 'cyclonedx',
object: {
bomFormat: 'CycloneDX',
specVersion: '1.4',
serialNumber: 'urn:uuid:12345'
}
}
const predicate = generateSBOMPredicate(sbom)
expect(predicate.type).toBe('https://cyclonedx.org/bom')
expect(predicate.params).toEqual(sbom.object)
})
})
describe('unsupported types', () => {
it('should throw for unsupported SBOM type', () => {
const sbom = {
type: 'unknown' as SBOM['type'],
object: { foo: 'bar' }
}
expect(() => generateSBOMPredicate(sbom)).toThrow(/Unsupported SBOM format/)
})
})
})
+27
View File
@@ -0,0 +1,27 @@
import { highlight, mute } from '../../src/style'
describe('style', () => {
describe('highlight', () => {
it('should wrap text with cyan ANSI color codes', () => {
const result = highlight('test message')
expect(result).toBe('\x1B[36mtest message\x1B[39m')
})
it('should handle empty strings', () => {
const result = highlight('')
expect(result).toBe('\x1B[36m\x1B[39m')
})
})
describe('mute', () => {
it('should wrap text with gray ANSI color codes', () => {
const result = mute('test message')
expect(result).toBe('\x1B[38;5;244mtest message\x1B[39m')
})
it('should handle empty strings', () => {
const result = mute('')
expect(result).toBe('\x1B[38;5;244m\x1B[39m')
})
})
})
+462
View File
@@ -0,0 +1,462 @@
import crypto from 'crypto'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import {
subjectFromInputs,
formatSubjectDigest,
SubjectInputs
} from '../../src/subject'
describe('subjectFromInputs', () => {
const blankInputs: SubjectInputs = {
subjectPath: '',
subjectName: '',
subjectDigest: '',
subjectChecksums: ''
}
let tempDir: string
beforeEach(async () => {
tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'subject-test-'))
})
afterEach(async () => {
await fs.rm(tempDir, { recursive: true, force: true })
})
describe('input validation', () => {
it('should throw when no inputs are provided', async () => {
await expect(subjectFromInputs(blankInputs)).rejects.toThrow(
/one of subject-path, subject-digest, or subject-checksums must be provided/i
)
})
it('should throw when multiple subject inputs are provided', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: '/some/path',
subjectDigest: 'sha256:abc123'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/only one of subject-path, subject-digest, or subject-checksums may be provided/i
)
})
it('should throw when subject-digest is provided without subject-name', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectDigest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-name must be provided when using subject-digest/i
)
})
})
describe('with subject-digest', () => {
const validDigest = 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
it('should return subject with provided name and digest', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'my-artifact',
subjectDigest: validDigest
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].name).toBe('my-artifact')
expect(subjects[0].digest).toEqual({
sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
})
})
it('should lowercase name when downcaseName is true', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'ghcr.io/FOO/Bar',
subjectDigest: validDigest,
downcaseName: true
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('ghcr.io/foo/bar')
})
it('should throw for malformed digest format', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'artifact',
subjectDigest: 'invalid-digest'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format/
)
})
it('should throw for unsupported hash algorithm', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'artifact',
subjectDigest: 'md5:d41d8cd98f00b204e9800998ecf8427e'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format/
)
})
it('should throw for incorrect sha256 digest length', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectName: 'artifact',
subjectDigest: 'sha256:deadbeef'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject-digest must be in the format/
)
})
})
describe('with subject-path', () => {
const fileContent = 'test file content'
const expectedDigest = crypto.createHash('sha256').update(fileContent).digest('hex')
it('should calculate digest from file', async () => {
const filePath = path.join(tempDir, 'artifact.bin')
await fs.writeFile(filePath, fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: filePath
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].name).toBe('artifact.bin')
expect(subjects[0].digest).toEqual({ sha256: expectedDigest })
})
it('should use provided name instead of filename', async () => {
const filePath = path.join(tempDir, 'artifact.bin')
await fs.writeFile(filePath, fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: filePath,
subjectName: 'custom-name'
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('custom-name')
})
it('should throw when file does not exist', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: '/nonexistent/file'
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/could not find subject at path/i
)
})
describe('glob patterns', () => {
beforeEach(async () => {
for (let i = 0; i < 3; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), fileContent)
}
})
it('should expand glob pattern to multiple subjects', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(tempDir, 'file-*.txt')
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(3)
expect(subjects.map(s => s.name).sort()).toEqual([
'file-0.txt',
'file-1.txt',
'file-2.txt'
])
})
it('should handle comma-separated paths', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-0.txt')},${path.join(tempDir, 'file-1.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should handle newline-separated paths', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-0.txt')}\n${path.join(tempDir, 'file-2.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should support exclusion patterns', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-*.txt')},!${path.join(tempDir, 'file-1.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
expect(subjects.map(s => s.name)).not.toContain('file-1.txt')
})
it('should deduplicate subjects with same name and digest', async () => {
// Create another directory with same file
const otherDir = await fs.mkdtemp(path.join(os.tmpdir(), 'subject-dup-'))
await fs.writeFile(path.join(otherDir, 'file-0.txt'), fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: `${path.join(tempDir, 'file-0.txt')},${path.join(otherDir, 'file-0.txt')}`
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
await fs.rm(otherDir, { recursive: true, force: true })
})
})
it('should exclude directories from glob results', async () => {
await fs.mkdir(path.join(tempDir, 'subdir'))
await fs.writeFile(path.join(tempDir, 'file.txt'), fileContent)
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(tempDir, '*')
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].name).toBe('file.txt')
})
it('should throw when too many subjects are specified', async () => {
// Create 1025 files (exceeds MAX_SUBJECT_COUNT of 1024)
for (let i = 0; i < 1025; i++) {
await fs.writeFile(path.join(tempDir, `file-${i}.txt`), `content-${i}`)
}
const inputs: SubjectInputs = {
...blankInputs,
subjectPath: path.join(tempDir, 'file-*.txt')
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/too many subjects/i)
})
})
describe('with subject-checksums', () => {
describe('from string', () => {
it('should parse sha256 checksums', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-linux
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 artifact-darwin`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
expect(subjects).toContainEqual({
name: 'artifact-linux',
digest: { sha256: '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d' }
})
expect(subjects).toContainEqual({
name: 'artifact-darwin',
digest: { sha256: '9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5' }
})
})
it('should parse sha512 checksums', async () => {
const sha512 = '5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718'
const checksums = `${sha512} artifact-amd64`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
expect(subjects[0].digest).toEqual({ sha512 })
})
it('should handle binary mode flag (*)', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *artifact.bin`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('artifact.bin')
})
it('should handle text mode flag (space)', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact.txt`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('artifact.txt')
})
it('should handle checksums without mode flag', async () => {
// Single space between digest and name (no flag character)
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-no-flag`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects[0].name).toBe('artifact-no-flag')
})
it('should skip malformed lines', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d valid-artifact
badline
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 another-artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should deduplicate identical entries', async () => {
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact
187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(1)
})
it('should throw for invalid digest characters', async () => {
const checksums = `!!!!e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/invalid digest/i)
})
it('should throw for unknown digest algorithm', async () => {
const checksums = `f861e artifact`
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksums
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(/unknown digest algorithm/i)
})
})
describe('from file', () => {
it('should read checksums from file', async () => {
const checksumFile = path.join(tempDir, 'SHA256SUMS')
const checksums = `187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d artifact-linux
9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 artifact-darwin`
await fs.writeFile(checksumFile, checksums)
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: checksumFile
}
const subjects = await subjectFromInputs(inputs)
expect(subjects).toHaveLength(2)
})
it('should throw when checksums path is a directory', async () => {
const inputs: SubjectInputs = {
...blankInputs,
subjectChecksums: tempDir
}
await expect(subjectFromInputs(inputs)).rejects.toThrow(
/subject checksums file not found/i
)
})
})
})
})
describe('formatSubjectDigest', () => {
it('should format digest as algorithm:hash', () => {
const subject = {
name: 'artifact',
digest: { sha256: 'abc123def456' }
}
expect(formatSubjectDigest(subject)).toBe('sha256:abc123def456')
})
it('should use first algorithm alphabetically when multiple exist', () => {
const subject = {
name: 'artifact',
digest: {
sha512: 'longer-hash',
sha256: 'shorter-hash'
}
}
expect(formatSubjectDigest(subject)).toBe('sha256:shorter-hash')
})
})
Generated Vendored
+3 -5
View File
@@ -1,7 +1,6 @@
"use strict";
exports.id = 606;
exports.ids = [606];
exports.modules = {
export const id = 606;
export const ids = [606];
export const modules = {
/***/ 606:
/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
@@ -298,4 +297,3 @@ const pMapSkip = Symbol('skip');
/***/ })
};
;
Generated Vendored
+297
View File
@@ -0,0 +1,297 @@
export const id = 717;
export const ids = [717];
export const modules = {
/***/ 4717:
/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
/* harmony export */ __webpack_require__.d(__webpack_exports__, {
/* harmony export */ "default": () => (/* binding */ pMap)
/* harmony export */ });
/* unused harmony exports pMapIterable, pMapSkip */
async function pMap(
iterable,
mapper,
{
concurrency = Number.POSITIVE_INFINITY,
stopOnError = true,
signal,
} = {},
) {
return new Promise((resolve_, reject_) => {
if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
}
if (typeof mapper !== 'function') {
throw new TypeError('Mapper function is required');
}
if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
}
const result = [];
const errors = [];
const skippedIndexesMap = new Map();
let isRejected = false;
let isResolved = false;
let isIterableDone = false;
let resolvingCount = 0;
let currentIndex = 0;
const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
const signalListener = () => {
reject(signal.reason);
};
const cleanup = () => {
signal?.removeEventListener('abort', signalListener);
};
const resolve = value => {
resolve_(value);
cleanup();
};
const reject = reason => {
isRejected = true;
isResolved = true;
reject_(reason);
cleanup();
};
if (signal) {
if (signal.aborted) {
reject(signal.reason);
}
signal.addEventListener('abort', signalListener, {once: true});
}
const next = async () => {
if (isResolved) {
return;
}
const nextItem = await iterator.next();
const index = currentIndex;
currentIndex++;
// Note: `iterator.next()` can be called many times in parallel.
// This can cause multiple calls to this `next()` function to
// receive a `nextItem` with `done === true`.
// The shutdown logic that rejects/resolves must be protected
// so it runs only one time as the `skippedIndex` logic is
// non-idempotent.
if (nextItem.done) {
isIterableDone = true;
if (resolvingCount === 0 && !isResolved) {
if (!stopOnError && errors.length > 0) {
reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
return;
}
isResolved = true;
if (skippedIndexesMap.size === 0) {
resolve(result);
return;
}
const pureResult = [];
// Support multiple `pMapSkip`'s.
for (const [index, value] of result.entries()) {
if (skippedIndexesMap.get(index) === pMapSkip) {
continue;
}
pureResult.push(value);
}
resolve(pureResult);
}
return;
}
resolvingCount++;
// Intentionally detached
(async () => {
try {
const element = await nextItem.value;
if (isResolved) {
return;
}
const value = await mapper(element, index);
// Use Map to stage the index of the element.
if (value === pMapSkip) {
skippedIndexesMap.set(index, value);
}
result[index] = value;
resolvingCount--;
await next();
} catch (error) {
if (stopOnError) {
reject(error);
} else {
errors.push(error);
resolvingCount--;
// In that case we can't really continue regardless of `stopOnError` state
// since an iterable is likely to continue throwing after it throws once.
// If we continue calling `next()` indefinitely we will likely end up
// in an infinite loop of failed iteration.
try {
await next();
} catch (error) {
reject(error);
}
}
}
})();
};
// Create the concurrent runners in a detached (non-awaited)
// promise. We need this so we can await the `next()` calls
// to stop creating runners before hitting the concurrency limit
// if the iterable has already been marked as done.
// NOTE: We *must* do this for async iterators otherwise we'll spin up
// infinite `next()` calls by default and never start the event loop.
(async () => {
for (let index = 0; index < concurrency; index++) {
try {
// eslint-disable-next-line no-await-in-loop
await next();
} catch (error) {
reject(error);
break;
}
if (isIterableDone || isRejected) {
break;
}
}
})();
});
}
function pMapIterable(
iterable,
mapper,
{
concurrency = Number.POSITIVE_INFINITY,
backpressure = concurrency,
} = {},
) {
if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
}
if (typeof mapper !== 'function') {
throw new TypeError('Mapper function is required');
}
if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
}
if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
}
return {
async * [Symbol.asyncIterator]() {
const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
const promises = [];
let runningMappersCount = 0;
let isDone = false;
let index = 0;
function trySpawn() {
if (isDone || !(runningMappersCount < concurrency && promises.length < backpressure)) {
return;
}
const promise = (async () => {
const {done, value} = await iterator.next();
if (done) {
return {done: true};
}
runningMappersCount++;
// Spawn if still below concurrency and backpressure limit
trySpawn();
try {
const returnValue = await mapper(await value, index++);
runningMappersCount--;
if (returnValue === pMapSkip) {
const index = promises.indexOf(promise);
if (index > 0) {
promises.splice(index, 1);
}
}
// Spawn if still below backpressure limit and just dropped below concurrency limit
trySpawn();
return {done: false, value: returnValue};
} catch (error) {
isDone = true;
return {error};
}
})();
promises.push(promise);
}
trySpawn();
while (promises.length > 0) {
const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
promises.shift();
if (error) {
throw error;
}
if (done) {
return;
}
// Spawn if just dropped below backpressure limit and below the concurrency limit
trySpawn();
if (value === pMapSkip) {
continue;
}
yield value;
}
},
};
}
const pMapSkip = Symbol('skip');
/***/ })
};
Generated Vendored
+116237 -57835
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+3
View File
@@ -0,0 +1,3 @@
{
"type": "module"
}
+2
View File
@@ -1 +1,3 @@
import { jest } from '@jest/globals'
process.stdout.write = jest.fn()
+443 -358
View File
File diff suppressed because it is too large Load Diff
+22 -12
View File
@@ -1,9 +1,10 @@
{
"name": "actions/attest",
"description": "Generate signed attestations for workflow artifacts",
"version": "3.2.0",
"version": "4.0.0",
"author": "",
"private": true,
"type": "module",
"homepage": "https://github.com/actions/attest",
"repository": {
"type": "git",
@@ -24,7 +25,7 @@
},
"scripts": {
"bundle": "npm run format:write && npm run package",
"ci-test": "jest",
"ci-test": "NODE_OPTIONS='--experimental-vm-modules' jest",
"format:write": "prettier --write **/*.ts",
"format:check": "prettier --check **/*.ts",
"lint:eslint": "npx eslint",
@@ -32,12 +33,15 @@
"lint": "npm run lint:eslint && npm run lint:markdown",
"package": "ncc build src/index.ts --license licenses.txt",
"package:watch": "npm run package -- --watch",
"test": "jest",
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
"all": "npm run format:write && npm run lint && npm run test && npm run package"
},
"license": "MIT",
"jest": {
"preset": "ts-jest",
"preset": "ts-jest/presets/default-esm",
"extensionsToTreatAsEsm": [
".ts"
],
"setupFilesAfterEnv": [
"./jest.setup.js"
],
@@ -56,7 +60,12 @@
"/dist/"
],
"transform": {
"^.+\\.ts$": "ts-jest"
"^.+\\.ts$": [
"ts-jest",
{
"useESM": true
}
]
},
"coverageReporters": [
"json-summary",
@@ -69,23 +78,24 @@
]
},
"dependencies": {
"@actions/attest": "^2.2.1",
"@actions/core": "^2.0.2",
"@actions/github": "^7.0.0",
"@actions/glob": "^0.5.0",
"@actions/attest": "^3.0.0",
"@actions/core": "^3.0.0",
"@actions/github": "^9.0.0",
"@actions/glob": "^0.6.1",
"@sigstore/oci": "^0.6.0",
"csv-parse": "^5.6.0"
},
"devDependencies": {
"@eslint/js": "^9.39.2",
"@jest/globals": "^30.2.0",
"@sigstore/mock": "^0.11.0",
"@types/jest": "^30.0.0",
"@types/make-fetch-happen": "^10.0.4",
"@types/node": "^25.2.0",
"@types/node": "^25.3.0",
"@vercel/ncc": "^0.38.4",
"eslint": "^9.39.2",
"eslint-plugin-import": "^2.32.0",
"eslint-plugin-jest": "^29.12.1",
"eslint-plugin-jest": "^29.15.0",
"jest": "^30.2.0",
"js-yaml": "^4.1.1",
"markdownlint-cli": "^0.47.0",
@@ -93,7 +103,7 @@
"prettier": "^3.8.1",
"ts-jest": "^29.4.6",
"typescript": "^5.9.3",
"typescript-eslint": "^8.54.0",
"typescript-eslint": "^8.56.1",
"undici": "^7.20.0"
}
}
+3 -2
View File
@@ -5,10 +5,10 @@ import {
attest,
createStorageRecord
} from '@actions/attest'
import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
import { formatSubjectDigest } from './subject'
import * as core from '@actions/core'
import * as github from '@actions/github'
import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
import { formatSubjectDigest } from './subject'
const OCI_TIMEOUT = 30000
const OCI_RETRY = 3
@@ -126,6 +126,7 @@ function getRegistryURL(subjectName: string): string {
url = new URL(`https://${subjectName}`)
}
/* istanbul ignore if */
if (url.protocol !== 'https:') {
throw new Error(
`Unsupported protocol ${url.protocol} in subject name ${subjectName}`
+11 -7
View File
@@ -1,6 +1,6 @@
import * as core from '@actions/core'
import * as github from '@actions/github'
import fs from 'fs'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { AttestResult, SigstoreInstance, createAttestation } from './attest'
@@ -13,7 +13,7 @@ import {
import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
import { PredicateInputs, predicateFromInputs } from './predicate'
import { generateProvenancePredicate } from './provenance'
import { parseSBOMFromPath, generateSBOMPredicate } from './sbom'
import { generateSBOMPredicate, parseSBOMFromPath } from './sbom'
import * as style from './style'
import {
SubjectInputs,
@@ -90,7 +90,7 @@ export async function run(inputs: RunInputs): Promise<void> {
// Generate predicate based on attestation type
const predicate = await getPredicateForType(attestationType, inputs)
const outputPath = path.join(tempDir(), ATTESTATION_FILE_NAME)
const outputPath = path.join(await tempDir(), ATTESTATION_FILE_NAME)
core.setOutput('bundle-path', outputPath)
const att = await createAttestation(subjects, predicate, {
@@ -103,7 +103,7 @@ export async function run(inputs: RunInputs): Promise<void> {
logAttestation(subjects, att, sigstoreInstance)
// Write attestation bundle to output file
fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
await fs.writeFile(outputPath, JSON.stringify(att.bundle) + os.EOL, {
encoding: 'utf-8',
flag: 'a'
})
@@ -113,7 +113,7 @@ export async function run(inputs: RunInputs): Promise<void> {
if (baseDir) {
const outputSummaryPath = path.join(baseDir, ATTESTATION_PATHS_FILE_NAME)
// Append the output path to the attestations paths file
fs.appendFileSync(outputSummaryPath, outputPath + os.EOL, {
await fs.appendFile(outputSummaryPath, outputPath + os.EOL, {
encoding: 'utf-8',
flag: 'a'
})
@@ -128,6 +128,8 @@ export async function run(inputs: RunInputs): Promise<void> {
core.setOutput('attestation-id', att.attestationID)
core.setOutput('attestation-url', attestationURL(att.attestationID))
}
/* istanbul ignore if */
if (att.storageRecordIds) {
core.setOutput('storage-record-ids', att.storageRecordIds.join(','))
}
@@ -181,6 +183,7 @@ const logAttestation = (
core.info(attestation.certificate)
core.endGroup()
/* istanbul ignore if */
if (attestation.tlogID) {
core.info(
style.highlight(
@@ -201,6 +204,7 @@ const logAttestation = (
core.info(`${subjects[0].name}@${attestation.attestationDigest}`)
}
/* istanbul ignore next */
if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) {
core.info(style.highlight('Storage record created'))
core.info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`)
@@ -220,7 +224,7 @@ const logSummary = async (attestation: AttestResult): Promise<void> => {
}
}
const tempDir = (): string => {
const tempDir = async (): Promise<string> => {
const basePath = process.env['RUNNER_TEMP']
/* istanbul ignore if */
@@ -228,7 +232,7 @@ const tempDir = (): string => {
throw new Error('Missing RUNNER_TEMP environment variable')
}
return fs.mkdtempSync(path.join(basePath, path.sep))
return fs.mkdtemp(path.join(basePath, path.sep))
}
const attestationURL = (id: string): string =>
+11 -5
View File
@@ -1,4 +1,4 @@
import fs from 'fs'
import fs from 'fs/promises'
import type { Predicate } from '@actions/attest'
@@ -12,7 +12,9 @@ const MAX_PREDICATE_SIZE_BYTES = 16 * 1024 * 1024
// Returns the predicate specified by the action's inputs. The predicate value
// may be specified as a path to a file or as a string.
export const predicateFromInputs = (inputs: PredicateInputs): Predicate => {
export const predicateFromInputs = async (
inputs: PredicateInputs
): Promise<Predicate> => {
const { predicateType, predicate, predicatePath } = inputs
if (!predicateType) {
@@ -30,18 +32,22 @@ export const predicateFromInputs = (inputs: PredicateInputs): Predicate => {
let params: string = predicate
if (predicatePath) {
if (!fs.existsSync(predicatePath)) {
try {
await fs.access(predicatePath)
} catch {
throw new Error(`predicate file not found: ${predicatePath}`)
}
const stat = await fs.stat(predicatePath)
/* istanbul ignore next */
if (fs.statSync(predicatePath).size > MAX_PREDICATE_SIZE_BYTES) {
if (stat.size > MAX_PREDICATE_SIZE_BYTES) {
throw new Error(
`predicate file exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
)
}
params = fs.readFileSync(predicatePath, 'utf-8')
params = await fs.readFile(predicatePath, 'utf-8')
} else {
if (predicate.length > MAX_PREDICATE_SIZE_BYTES) {
throw new Error(
+11 -5
View File
@@ -1,4 +1,4 @@
import fs from 'fs'
import fs from 'fs/promises'
import type { Predicate } from '@actions/attest'
@@ -11,18 +11,24 @@ export type SBOM = {
const MAX_SBOM_SIZE_BYTES = 16 * 1024 * 1024
export const parseSBOMFromPath = async (filePath: string): Promise<SBOM> => {
if (!fs.existsSync(filePath)) {
throw new Error(`SBOM file not found: ${filePath}`)
let stats
try {
stats = await fs.stat(filePath)
} catch (error) {
const err = error as NodeJS.ErrnoException
if (err.code === 'ENOENT') {
throw new Error('SBOM file not found')
}
throw error
}
const stats = fs.statSync(filePath)
if (stats.size > MAX_SBOM_SIZE_BYTES) {
throw new Error(
`SBOM file exceeds maximum allowed size: ${MAX_SBOM_SIZE_BYTES} bytes`
)
}
const fileContent = await fs.promises.readFile(filePath, 'utf8')
const fileContent = await fs.readFile(filePath, 'utf8')
const sbom = JSON.parse(fileContent) as object
if (checkIsSPDX(sbom)) {
+27 -16
View File
@@ -2,7 +2,8 @@ import * as glob from '@actions/glob'
import assert from 'assert'
import crypto from 'crypto'
import { parse } from 'csv-parse/sync'
import fs from 'fs'
import { createReadStream } from 'fs'
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
@@ -64,7 +65,7 @@ export const subjectFromInputs = async (
case !!subjectDigest:
return [getSubjectFromDigest(subjectDigest, name)]
case !!subjectChecksums:
return getSubjectFromChecksums(subjectChecksums)
return await getSubjectFromChecksums(subjectChecksums)
/* istanbul ignore next */
default:
// This should be unreachable, but TS requires a default case
@@ -93,13 +94,18 @@ const getSubjectFromPath = async (
// Expand the globbed paths to a list of actual paths
const paths = await glob.create(subjectPaths).then(async g => g.glob())
// Filter path list to just the files (not directories)
const files = paths.filter(p => fs.statSync(p).isFile())
if (files.length > MAX_SUBJECT_COUNT) {
throw new Error(
`Too many subjects specified (${files.length}). The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
)
// Filter path list to just the files (not directories), enforcing the maximum
const files: string[] = []
for (const p of paths) {
const stat = await fs.stat(p)
if (stat.isFile()) {
if (files.length >= MAX_SUBJECT_COUNT) {
throw new Error(
`Too many subjects specified (>${MAX_SUBJECT_COUNT}). The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
)
}
files.push(p)
}
}
for (const file of files) {
@@ -142,16 +148,21 @@ const getSubjectFromDigest = (
}
}
const getSubjectFromChecksums = (subjectChecksums: string): Subject[] => {
if (fs.existsSync(subjectChecksums)) {
const getSubjectFromChecksums = async (
subjectChecksums: string
): Promise<Subject[]> => {
try {
await fs.access(subjectChecksums)
return getSubjectFromChecksumsFile(subjectChecksums)
} else {
} catch {
return getSubjectFromChecksumsString(subjectChecksums)
}
}
const getSubjectFromChecksumsFile = (checksumsPath: string): Subject[] => {
const stats = fs.statSync(checksumsPath)
const getSubjectFromChecksumsFile = async (
checksumsPath: string
): Promise<Subject[]> => {
const stats = await fs.stat(checksumsPath)
if (!stats.isFile()) {
throw new Error(`subject checksums file not found: ${checksumsPath}`)
}
@@ -163,7 +174,7 @@ const getSubjectFromChecksumsFile = (checksumsPath: string): Subject[] => {
)
}
const checksums = fs.readFileSync(checksumsPath, 'utf-8')
const checksums = await fs.readFile(checksumsPath, 'utf-8')
return getSubjectFromChecksumsString(checksums)
}
@@ -218,7 +229,7 @@ const digestFile = async (
): Promise<string> => {
return new Promise((resolve, reject) => {
const hash = crypto.createHash(algorithm).setEncoding('hex')
fs.createReadStream(filePath)
createReadStream(filePath)
.once('error', reject)
.pipe(hash)
.once('finish', () => resolve(hash.read()))
+2 -2
View File
@@ -2,9 +2,9 @@
"$schema": "https://json.schemastore.org/tsconfig",
"compilerOptions": {
"target": "ES2022",
"module": "NodeNext",
"module": "ESNext",
"rootDir": "./src",
"moduleResolution": "NodeNext",
"moduleResolution": "Bundler",
"isolatedModules": true,
"baseUrl": "./",
"sourceMap": true,