| Author | SHA1 | Date | |
|---|---|---|---|
| 309649c98d | |||
| e36bd1a2fc |
+65
-55
@@ -40,66 +40,76 @@ export const createAttestation = async (
|
|||||||
|
|
||||||
const result: AttestResult = attestation
|
const result: AttestResult = attestation
|
||||||
|
|
||||||
if (subjects.length === 1 && opts.pushToRegistry) {
|
// If there are multiple subjects or if pushToRegistry is false,
|
||||||
const subject = subjects[0]
|
// return early without pushing the attestation to the registry
|
||||||
const credentials = getRegistryCredentials(subject.name)
|
if (!(subjects.length === 1 && opts.pushToRegistry)) {
|
||||||
const subjectDigest = formatSubjectDigest(subject)
|
return result
|
||||||
const artifact = await attachArtifactToImage({
|
}
|
||||||
credentials,
|
|
||||||
imageName: subject.name,
|
|
||||||
imageDigest: subjectDigest,
|
|
||||||
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
|
|
||||||
mediaType: attestation.bundle.mediaType,
|
|
||||||
annotations: {
|
|
||||||
'dev.sigstore.bundle.content': 'dsse-envelope',
|
|
||||||
'dev.sigstore.bundle.predicateType': predicate.type
|
|
||||||
},
|
|
||||||
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
|
|
||||||
})
|
|
||||||
|
|
||||||
// Add the attestation's digest to the result
|
// If we have a single subject and pushToRegistry is true,
|
||||||
result.attestationDigest = artifact.digest
|
// push the attestation to the OCI registry
|
||||||
|
// and create a storage record if requested
|
||||||
|
const subject = subjects[0]
|
||||||
|
const credentials = getRegistryCredentials(subject.name)
|
||||||
|
const subjectDigest = formatSubjectDigest(subject)
|
||||||
|
const artifact = await attachArtifactToImage({
|
||||||
|
credentials,
|
||||||
|
imageName: subject.name,
|
||||||
|
imageDigest: subjectDigest,
|
||||||
|
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
|
||||||
|
mediaType: attestation.bundle.mediaType,
|
||||||
|
annotations: {
|
||||||
|
'dev.sigstore.bundle.content': 'dsse-envelope',
|
||||||
|
'dev.sigstore.bundle.predicateType': predicate.type
|
||||||
|
},
|
||||||
|
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
|
||||||
|
})
|
||||||
|
|
||||||
// Because creating a storage record requires the 'artifact-metadata:write'
|
// Add the attestation's digest to the result
|
||||||
// permission, we wrap this in a try/catch to avoid failing the entire
|
result.attestationDigest = artifact.digest
|
||||||
// attestation process if the token does not have the correct permissions.
|
|
||||||
if (opts.createStorageRecord) {
|
|
||||||
try {
|
|
||||||
const token = opts.githubToken
|
|
||||||
const isOrg = await repoOwnerIsOrg(token)
|
|
||||||
if (!isOrg) {
|
|
||||||
// The Artifact Metadata Storage Record API is only available to
|
|
||||||
// organizations. So if the repo owner is not an organization,
|
|
||||||
// storage record creation should not be attempted.
|
|
||||||
return result
|
|
||||||
}
|
|
||||||
|
|
||||||
const registryUrl = getRegistryURL(subject.name)
|
// If createStorageRecord is false, return early
|
||||||
const artifactOpts = {
|
if (!opts.createStorageRecord) {
|
||||||
name: subject.name,
|
return result
|
||||||
digest: subjectDigest
|
}
|
||||||
}
|
|
||||||
const packageRegistryOpts = {
|
|
||||||
registryUrl
|
|
||||||
}
|
|
||||||
const records = await createStorageRecord(
|
|
||||||
artifactOpts,
|
|
||||||
packageRegistryOpts,
|
|
||||||
token
|
|
||||||
)
|
|
||||||
|
|
||||||
if (!records || records.length === 0) {
|
// Because creating a storage record requires the 'artifact-metadata:write'
|
||||||
core.warning('No storage records were created.')
|
// permission, we wrap this in a try/catch to avoid failing the entire
|
||||||
}
|
// attestation process if the token does not have the correct permissions.
|
||||||
|
try {
|
||||||
result.storageRecordIds = records
|
const token = opts.githubToken
|
||||||
} catch (error) {
|
const isOrg = await repoOwnerIsOrg(token)
|
||||||
core.warning(`Failed to create storage record: ${error}`)
|
if (!isOrg) {
|
||||||
core.warning(
|
// The Artifact Metadata Storage Record API is only available to
|
||||||
'Please check that the "artifact-metadata:write" permission has been included'
|
// organizations. So if the repo owner is not an organization,
|
||||||
)
|
// storage record creation should not be attempted.
|
||||||
}
|
return result
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const registryUrl = getRegistryURL(subject.name)
|
||||||
|
const artifactOpts = {
|
||||||
|
name: subject.name,
|
||||||
|
digest: subjectDigest
|
||||||
|
}
|
||||||
|
const packageRegistryOpts = {
|
||||||
|
registryUrl
|
||||||
|
}
|
||||||
|
const records = await createStorageRecord(
|
||||||
|
artifactOpts,
|
||||||
|
packageRegistryOpts,
|
||||||
|
token
|
||||||
|
)
|
||||||
|
|
||||||
|
if (!records || records.length === 0) {
|
||||||
|
core.warning('No storage records were created.')
|
||||||
|
}
|
||||||
|
|
||||||
|
result.storageRecordIds = records
|
||||||
|
} catch (error) {
|
||||||
|
core.warning(`Failed to create storage record: ${error}`)
|
||||||
|
core.warning(
|
||||||
|
'Please check that the "artifact-metadata:write" permission has been included'
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
return result
|
return result
|
||||||
|
|||||||
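Review bot: In the new `try {` block after the `createStorageRecord` early return, `repoOwnerIsOrg(token)` and `getRegistryURL(subject.name)` run under the same catch as `createStorageRecord`, so a transient API failure or a token that cannot read the owner type is reported with the same "check artifact-metadata:write" hint as a genuine permission error, and a thrown non-Error value prints as `[object Object]` through `${error}`. The `if (!isOrg) { return result }` path is also silent, so in the job log a storage record that was skipped is indistinguishable from one that failed. Consider `core.info('Repository owner is not an organization; skipping storage record creation')` before that return, and `const message = error instanceof Error ? error.message : String(error)` in the catch so the warning carries the real cause, with the permission hint limited to failures of the `createStorageRecord` call itself. The enclosing `createAttestation` starts before this hunk and its closing is not visible in it.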