Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 69989a9c31 |
@@ -28,11 +28,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
uses: actions/checkout@v6.0.2
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
||||
uses: actions/setup-node@v6.2.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -60,7 +60,7 @@ jobs:
|
||||
- if: ${{ failure() && steps.diff.outcome == 'failure' }}
|
||||
name: Upload Artifact
|
||||
id: upload
|
||||
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
||||
uses: actions/upload-artifact@v6
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
|
||||
@@ -25,7 +25,7 @@ jobs:
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
||||
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
|
||||
@@ -32,19 +32,19 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
uses: actions/checkout@v6.0.2
|
||||
|
||||
- name: Initialize CodeQL
|
||||
id: initialize
|
||||
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
||||
uses: github/codeql-action/init@v4
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
source-root: src
|
||||
|
||||
- name: Autobuild
|
||||
id: autobuild
|
||||
uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
||||
uses: github/codeql-action/autobuild@v4
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
id: analyze
|
||||
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
|
||||
uses: github/codeql-action/analyze@v4
|
||||
|
||||
@@ -1,18 +0,0 @@
|
||||
name: GitHub Sigstore Prober
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
# run every 5 minutes, as often as Github Actions allows
|
||||
- cron: '*/5 * * * *'
|
||||
|
||||
jobs:
|
||||
prober:
|
||||
if: github.repository_owner == 'actions'
|
||||
permissions:
|
||||
attestations: write
|
||||
id-token: write
|
||||
secrets: inherit
|
||||
uses: ./.github/workflows/prober.yml
|
||||
with:
|
||||
sigstore: github
|
||||
@@ -1,18 +0,0 @@
|
||||
name: Public-Good Sigstore Prober
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
# run every 5 minutes, as often as Github Actions allows
|
||||
- cron: '*/5 * * * *'
|
||||
|
||||
jobs:
|
||||
prober:
|
||||
if: github.repository_owner == 'actions'
|
||||
permissions:
|
||||
attestations: write
|
||||
id-token: write
|
||||
secrets: inherit
|
||||
uses: ./.github/workflows/prober.yml
|
||||
with:
|
||||
sigstore: public-good
|
||||
@@ -1,84 +0,0 @@
|
||||
name: Prober Workflow
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
sigstore:
|
||||
description: 'Which Sigstore instance to use for signing'
|
||||
required: true
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
probe:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
attestations: write
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: Request OIDC Token
|
||||
run: |
|
||||
curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
|
||||
-H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
|
||||
-H "Accept: application/json; api-version=2.0" \
|
||||
-H "Content-Type: application/json" \
|
||||
--silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'
|
||||
|
||||
- name: Create artifact
|
||||
run: |
|
||||
date > artifact
|
||||
|
||||
- name: Attest build provenance
|
||||
uses: actions/attest@main
|
||||
env:
|
||||
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
|
||||
with:
|
||||
subject-path: artifact
|
||||
|
||||
- name: Verify build artifact
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
run: |
|
||||
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
|
||||
|
||||
- name: Upload build artifact
|
||||
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
||||
with:
|
||||
path: "artifact"
|
||||
|
||||
- name: Report attestation prober success
|
||||
if: ${{ success() }}
|
||||
uses: masci/datadog@d7cb6cfc2ba13f7c2ae5227a26f2e2f42a7d179e # v2.0.2
|
||||
with:
|
||||
api-key: "${{ secrets.DATADOG_API_KEY }}"
|
||||
service-checks: |
|
||||
- check: "attestation-integration.actions.prober"
|
||||
status: 0
|
||||
host_name: github.com
|
||||
tags:
|
||||
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "stamp:${{ secrets.STAMP }}"
|
||||
- "env:production"
|
||||
- "repo:${{ github.repository }}"
|
||||
- "team:${{ secrets.TEAM }}"
|
||||
- "sigstore:${{ inputs.sigstore }}"
|
||||
|
||||
- name: Report attestation prober failure
|
||||
if: ${{ failure() }}
|
||||
uses: masci/datadog@d7cb6cfc2ba13f7c2ae5227a26f2e2f42a7d179e # v2.0.2
|
||||
with:
|
||||
api-key: "${{ secrets.DATADOG_API_KEY }}"
|
||||
service-checks: |
|
||||
- check: "attestation-integration.actions.prober"
|
||||
message: "${{ github.repository_owner }} failed prober check"
|
||||
status: 2
|
||||
host_name: github.com
|
||||
tags:
|
||||
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "service:${{ secrets.CATALOG_SERVICE }}"
|
||||
- "stamp:${{ secrets.STAMP }}"
|
||||
- "env:production"
|
||||
- "repo:${{ github.repository }}"
|
||||
- "team:${{ secrets.TEAM }}"
|
||||
- "sigstore:${{ inputs.sigstore }}"
|
||||
@@ -48,11 +48,11 @@ the inputs you provide:
|
||||
|
||||
<!-- markdownlint-disable MD013 -->
|
||||
|
||||
| Mode | When Used | Description |
|
||||
| -------------- | ------------------------------------------------------ | ----------------------------------------------- |
|
||||
| **Provenance** | No `sbom-path` or predicate inputs | Auto-generates [SLSA build provenance][10] |
|
||||
| **SBOM** | `sbom-path` is provided | Creates attestation from SPDX or CycloneDX SBOM |
|
||||
| **Custom** | `predicate-type`/`predicate`/`predicate-path` provided | User-supplied predicate |
|
||||
| Mode | When Used | Description |
|
||||
| -------------- | ------------------------------------------------------ | ------------------------------------------------ |
|
||||
| **Provenance** | No `sbom-path` or predicate inputs | Auto-generates [SLSA build provenance][10] |
|
||||
| **SBOM** | `sbom-path` is provided | Creates attestation from SPDX or CycloneDX SBOM |
|
||||
| **Custom** | `predicate-type`/`predicate`/`predicate-path` provided | User-supplied predicate |
|
||||
|
||||
<!-- markdownlint-enable MD013 -->
|
||||
|
||||
@@ -159,7 +159,7 @@ See [action.yml](action.yml)
|
||||
<!-- markdownlint-disable MD013 -->
|
||||
|
||||
| Name | Description | Example |
|
||||
| -------------------- | -------------------------------------------------------------- | ------------------------------------------------ |
|
||||
| ------------------- | -------------------------------------------------------------- | ------------------------------------------------ |
|
||||
| `attestation-id` | GitHub ID for the attestation | `123456` |
|
||||
| `attestation-url` | URL for the attestation summary | `https://github.com/foo/bar/attestations/123456` |
|
||||
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
|
||||
@@ -320,25 +320,9 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
|
||||
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
|
||||
the specific image being attested is identified by the supplied digest.
|
||||
|
||||
#### Artifact Metadata Storage Records
|
||||
|
||||
When generating a build provenance attestation, if the `push-to-registry` option
|
||||
is set to true, the Action will also emit an
|
||||
[Artifact Metadata Storage Record](https://docs.github.com/en/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record).
|
||||
Storage records enrich artifact metadata by capturing storage related details,
|
||||
such as which registry an image is hosted on and whether it's marked as active.
|
||||
|
||||
If you do not want to emit a storage record, set `create-storage-record` to
|
||||
`false`.
|
||||
|
||||
> **NOTE**: Storage records can only be created for artifacts built from
|
||||
> [organization-owned](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations)
|
||||
> repositories.
|
||||
|
||||
Artifacts associated with a storage record can be viewed by navigating to the
|
||||
`Linked Artifacts` page in your organization:
|
||||
`https://github.com/orgs/YOUR_ORG/artifacts` (replace `YOUR_ORG` with your
|
||||
organization name).
|
||||
If the `push-to-registry` option is set to true, the Action will also
|
||||
emit an Artifact Metadata Storage Record. If you do not want to emit a
|
||||
storage record, set `create-storage-record` to `false`.
|
||||
|
||||
> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
|
||||
> portion of the image name.
|
||||
|
||||
+2
@@ -297,3 +297,5 @@ const pMapSkip = Symbol('skip');
|
||||
/***/ })
|
||||
|
||||
};
|
||||
|
||||
//# sourceMappingURL=606.index.js.map
|
||||
+1
File diff suppressed because one or more lines are too long
+14
-121268
File diff suppressed because one or more lines are too long
+1
File diff suppressed because one or more lines are too long
+1
File diff suppressed because one or more lines are too long
Generated
+559
-490
File diff suppressed because it is too large
Load Diff
+11
-11
@@ -31,7 +31,7 @@
|
||||
"lint:eslint": "npx eslint",
|
||||
"lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"",
|
||||
"lint": "npm run lint:eslint && npm run lint:markdown",
|
||||
"package": "ncc build src/index.ts --license licenses.txt",
|
||||
"package": "ncc build src/index.ts --license licenses.txt --minify --source-map",
|
||||
"package:watch": "npm run package -- --watch",
|
||||
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
|
||||
"all": "npm run format:write && npm run lint && npm run test && npm run package"
|
||||
@@ -87,23 +87,23 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@jest/globals": "^30.3.0",
|
||||
"@sigstore/mock": "^0.12.0",
|
||||
"@jest/globals": "^30.2.0",
|
||||
"@sigstore/mock": "^0.11.0",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@types/make-fetch-happen": "^10.0.4",
|
||||
"@types/node": "^25.6.0",
|
||||
"@types/node": "^25.3.0",
|
||||
"@vercel/ncc": "^0.38.4",
|
||||
"eslint": "^9.39.2",
|
||||
"eslint-plugin-import": "^2.32.0",
|
||||
"eslint-plugin-jest": "^29.15.2",
|
||||
"jest": "^30.3.0",
|
||||
"eslint-plugin-jest": "^29.15.0",
|
||||
"jest": "^30.2.0",
|
||||
"js-yaml": "^4.1.1",
|
||||
"markdownlint-cli": "^0.48.0",
|
||||
"markdownlint-cli": "^0.47.0",
|
||||
"nock": "^13.5.6",
|
||||
"prettier": "^3.8.3",
|
||||
"ts-jest": "^29.4.9",
|
||||
"prettier": "^3.8.1",
|
||||
"ts-jest": "^29.4.6",
|
||||
"typescript": "^5.9.3",
|
||||
"typescript-eslint": "^8.58.2",
|
||||
"undici": "^7.24.4"
|
||||
"typescript-eslint": "^8.56.1",
|
||||
"undici": "^7.20.0"
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user