Compare commits

..

2 Commits

Author SHA1 Message Date
Brian DeHamer a0e3b9618f hacking
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-02-24 20:10:53 -08:00
Brian DeHamer 8459a46a44 wip
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-02-24 19:10:07 -08:00
18 changed files with 92317 additions and 24295 deletions
+3 -3
View File
@@ -28,11 +28,11 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@v6.0.2
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
uses: actions/setup-node@v6.2.0
with:
node-version-file: .node-version
cache: npm
@@ -60,7 +60,7 @@ jobs:
- if: ${{ failure() && steps.diff.outcome == 'failure' }}
name: Upload Artifact
id: upload
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
uses: actions/upload-artifact@v6
with:
name: dist
path: dist/
+1 -1
View File
@@ -25,7 +25,7 @@ jobs:
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version-file: .node-version
cache: npm
+4 -4
View File
@@ -32,19 +32,19 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@v6.0.2
- name: Initialize CodeQL
id: initialize
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
source-root: src
- name: Autobuild
id: autobuild
uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
uses: github/codeql-action/autobuild@v4
- name: Perform CodeQL Analysis
id: analyze
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
uses: github/codeql-action/analyze@v4
-18
View File
@@ -1,18 +0,0 @@
name: GitHub Sigstore Prober
on:
workflow_dispatch:
schedule:
# run every 5 minutes, as often as Github Actions allows
- cron: '*/5 * * * *'
jobs:
prober:
if: github.repository_owner == 'actions'
permissions:
attestations: write
id-token: write
secrets: inherit
uses: ./.github/workflows/prober.yml
with:
sigstore: github
-18
View File
@@ -1,18 +0,0 @@
name: Public-Good Sigstore Prober
on:
workflow_dispatch:
schedule:
# run every 5 minutes, as often as Github Actions allows
- cron: '*/5 * * * *'
jobs:
prober:
if: github.repository_owner == 'actions'
permissions:
attestations: write
id-token: write
secrets: inherit
uses: ./.github/workflows/prober.yml
with:
sigstore: public-good
-84
View File
@@ -1,84 +0,0 @@
name: Prober Workflow
on:
workflow_call:
inputs:
sigstore:
description: 'Which Sigstore instance to use for signing'
required: true
type: string
jobs:
probe:
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write
steps:
- name: Request OIDC Token
run: |
curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
-H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
-H "Accept: application/json; api-version=2.0" \
-H "Content-Type: application/json" \
--silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'
- name: Create artifact
run: |
date > artifact
- name: Attest build provenance
uses: actions/attest@main
env:
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
with:
subject-path: artifact
- name: Verify build artifact
env:
GH_TOKEN: ${{ github.token }}
run: |
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
- name: Upload build artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
path: "artifact"
- name: Report attestation prober success
if: ${{ success() }}
uses: masci/datadog@d7cb6cfc2ba13f7c2ae5227a26f2e2f42a7d179e # v2.0.2
with:
api-key: "${{ secrets.DATADOG_API_KEY }}"
service-checks: |
- check: "attestation-integration.actions.prober"
status: 0
host_name: github.com
tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
- "service:${{ secrets.CATALOG_SERVICE }}"
- "stamp:${{ secrets.STAMP }}"
- "env:production"
- "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}"
- "sigstore:${{ inputs.sigstore }}"
- name: Report attestation prober failure
if: ${{ failure() }}
uses: masci/datadog@d7cb6cfc2ba13f7c2ae5227a26f2e2f42a7d179e # v2.0.2
with:
api-key: "${{ secrets.DATADOG_API_KEY }}"
service-checks: |
- check: "attestation-integration.actions.prober"
message: "${{ github.repository_owner }} failed prober check"
status: 2
host_name: github.com
tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
- "service:${{ secrets.CATALOG_SERVICE }}"
- "stamp:${{ secrets.STAMP }}"
- "env:production"
- "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}"
- "sigstore:${{ inputs.sigstore }}"
+9 -25
View File
@@ -48,11 +48,11 @@ the inputs you provide:
<!-- markdownlint-disable MD013 -->
| Mode | When Used | Description |
| -------------- | ------------------------------------------------------ | ----------------------------------------------- |
| **Provenance** | No `sbom-path` or predicate inputs | Auto-generates [SLSA build provenance][10] |
| **SBOM** | `sbom-path` is provided | Creates attestation from SPDX or CycloneDX SBOM |
| **Custom** | `predicate-type`/`predicate`/`predicate-path` provided | User-supplied predicate |
| Mode | When Used | Description |
| -------------- | ------------------------------------------------------ | ------------------------------------------------ |
| **Provenance** | No `sbom-path` or predicate inputs | Auto-generates [SLSA build provenance][10] |
| **SBOM** | `sbom-path` is provided | Creates attestation from SPDX or CycloneDX SBOM |
| **Custom** | `predicate-type`/`predicate`/`predicate-path` provided | User-supplied predicate |
<!-- markdownlint-enable MD013 -->
@@ -159,7 +159,7 @@ See [action.yml](action.yml)
<!-- markdownlint-disable MD013 -->
| Name | Description | Example |
| -------------------- | -------------------------------------------------------------- | ------------------------------------------------ |
| ------------------- | -------------------------------------------------------------- | ------------------------------------------------ |
| `attestation-id` | GitHub ID for the attestation | `123456` |
| `attestation-url` | URL for the attestation summary | `https://github.com/foo/bar/attestations/123456` |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
@@ -320,25 +320,9 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
the specific image being attested is identified by the supplied digest.
#### Artifact Metadata Storage Records
When generating a build provenance attestation, if the `push-to-registry` option
is set to true, the Action will also emit an
[Artifact Metadata Storage Record](https://docs.github.com/en/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-artifact-metadata-storage-record).
Storage records enrich artifact metadata by capturing storage related details,
such as which registry an image is hosted on and whether it's marked as active.
If you do not want to emit a storage record, set `create-storage-record` to
`false`.
> **NOTE**: Storage records can only be created for artifacts built from
> [organization-owned](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations)
> repositories.
Artifacts associated with a storage record can be viewed by navigating to the
`Linked Artifacts` page in your organization:
`https://github.com/orgs/YOUR_ORG/artifacts` (replace `YOUR_ORG` with your
organization name).
If the `push-to-registry` option is set to true, the Action will also
emit an Artifact Metadata Storage Record. If you do not want to emit a
storage record, set `create-storage-record` to `false`.
> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
> portion of the image name.
-2
View File
@@ -30,7 +30,6 @@ describe('index', () => {
'subject-name': 'my-artifact',
'subject-digest': '',
'subject-checksums': '',
'subject-version': '',
'predicate-type': 'https://example.com/predicate',
predicate: '{}',
'predicate-path': '',
@@ -58,7 +57,6 @@ describe('index', () => {
subjectName: 'my-artifact',
subjectDigest: '',
subjectChecksums: '',
subjectVersion: '',
predicateType: 'https://example.com/predicate',
predicate: '{}',
predicatePath: '',
+2 -20
View File
@@ -145,8 +145,7 @@ describe('createAttestation', () => {
const storageOpts = {
...defaultOpts,
pushToRegistry: true,
createStorageRecord: true,
subjectVersion: '1.2.3'
createStorageRecord: true
}
it('should create storage record when enabled and owner is org', async () => {
@@ -158,27 +157,10 @@ describe('createAttestation', () => {
storageOpts
)
expect(mockCreateStorageRecord).toHaveBeenCalledWith(
expect.objectContaining({ version: '1.2.3' }),
expect.anything(),
expect.anything()
)
expect(mockCreateStorageRecord).toHaveBeenCalled()
expect(result.storageRecordIds).toEqual([12345])
})
it('should omit version from storage record when subjectVersion is empty', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const opts = { ...storageOpts, subjectVersion: '' }
await createAttestation(subjects, TEST_PREDICATE, opts)
expect(mockCreateStorageRecord).toHaveBeenCalledWith(
expect.objectContaining({ version: undefined }),
expect.anything(),
expect.anything()
)
})
it('should skip storage record when owner is User', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('User'))
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
-1
View File
@@ -101,7 +101,6 @@ const defaultInputs: RunInputs = {
subjectChecksums: '',
pushToRegistry: false,
createStorageRecord: false,
subjectVersion: '',
showSummary: false,
githubToken: 'test-token',
privateSigning: false
-5
View File
@@ -30,11 +30,6 @@ inputs:
attestation. Must specify exactly one of "subject-path", "subject-digest",
or "subject-checksums".
required: false
subject-version:
description: >
Version of the subject for the attestation. Only used when
"push-to-registry" and "create-storage-record" are both set to true.
required: false
sbom-path:
description: >
Path to the JSON-formatted SBOM file (SPDX or CycloneDX) to attest.
Generated Vendored
+297
View File
@@ -0,0 +1,297 @@
export const id = 717;
export const ids = [717];
export const modules = {
/***/ 4717:
/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
/* harmony export */ __webpack_require__.d(__webpack_exports__, {
/* harmony export */ "default": () => (/* binding */ pMap)
/* harmony export */ });
/* unused harmony exports pMapIterable, pMapSkip */
async function pMap(
iterable,
mapper,
{
concurrency = Number.POSITIVE_INFINITY,
stopOnError = true,
signal,
} = {},
) {
return new Promise((resolve_, reject_) => {
if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
}
if (typeof mapper !== 'function') {
throw new TypeError('Mapper function is required');
}
if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
}
const result = [];
const errors = [];
const skippedIndexesMap = new Map();
let isRejected = false;
let isResolved = false;
let isIterableDone = false;
let resolvingCount = 0;
let currentIndex = 0;
const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
const signalListener = () => {
reject(signal.reason);
};
const cleanup = () => {
signal?.removeEventListener('abort', signalListener);
};
const resolve = value => {
resolve_(value);
cleanup();
};
const reject = reason => {
isRejected = true;
isResolved = true;
reject_(reason);
cleanup();
};
if (signal) {
if (signal.aborted) {
reject(signal.reason);
}
signal.addEventListener('abort', signalListener, {once: true});
}
const next = async () => {
if (isResolved) {
return;
}
const nextItem = await iterator.next();
const index = currentIndex;
currentIndex++;
// Note: `iterator.next()` can be called many times in parallel.
// This can cause multiple calls to this `next()` function to
// receive a `nextItem` with `done === true`.
// The shutdown logic that rejects/resolves must be protected
// so it runs only one time as the `skippedIndex` logic is
// non-idempotent.
if (nextItem.done) {
isIterableDone = true;
if (resolvingCount === 0 && !isResolved) {
if (!stopOnError && errors.length > 0) {
reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
return;
}
isResolved = true;
if (skippedIndexesMap.size === 0) {
resolve(result);
return;
}
const pureResult = [];
// Support multiple `pMapSkip`'s.
for (const [index, value] of result.entries()) {
if (skippedIndexesMap.get(index) === pMapSkip) {
continue;
}
pureResult.push(value);
}
resolve(pureResult);
}
return;
}
resolvingCount++;
// Intentionally detached
(async () => {
try {
const element = await nextItem.value;
if (isResolved) {
return;
}
const value = await mapper(element, index);
// Use Map to stage the index of the element.
if (value === pMapSkip) {
skippedIndexesMap.set(index, value);
}
result[index] = value;
resolvingCount--;
await next();
} catch (error) {
if (stopOnError) {
reject(error);
} else {
errors.push(error);
resolvingCount--;
// In that case we can't really continue regardless of `stopOnError` state
// since an iterable is likely to continue throwing after it throws once.
// If we continue calling `next()` indefinitely we will likely end up
// in an infinite loop of failed iteration.
try {
await next();
} catch (error) {
reject(error);
}
}
}
})();
};
// Create the concurrent runners in a detached (non-awaited)
// promise. We need this so we can await the `next()` calls
// to stop creating runners before hitting the concurrency limit
// if the iterable has already been marked as done.
// NOTE: We *must* do this for async iterators otherwise we'll spin up
// infinite `next()` calls by default and never start the event loop.
(async () => {
for (let index = 0; index < concurrency; index++) {
try {
// eslint-disable-next-line no-await-in-loop
await next();
} catch (error) {
reject(error);
break;
}
if (isIterableDone || isRejected) {
break;
}
}
})();
});
}
function pMapIterable(
iterable,
mapper,
{
concurrency = Number.POSITIVE_INFINITY,
backpressure = concurrency,
} = {},
) {
if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
}
if (typeof mapper !== 'function') {
throw new TypeError('Mapper function is required');
}
if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
}
if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
}
return {
async * [Symbol.asyncIterator]() {
const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
const promises = [];
let runningMappersCount = 0;
let isDone = false;
let index = 0;
function trySpawn() {
if (isDone || !(runningMappersCount < concurrency && promises.length < backpressure)) {
return;
}
const promise = (async () => {
const {done, value} = await iterator.next();
if (done) {
return {done: true};
}
runningMappersCount++;
// Spawn if still below concurrency and backpressure limit
trySpawn();
try {
const returnValue = await mapper(await value, index++);
runningMappersCount--;
if (returnValue === pMapSkip) {
const index = promises.indexOf(promise);
if (index > 0) {
promises.splice(index, 1);
}
}
// Spawn if still below backpressure limit and just dropped below concurrency limit
trySpawn();
return {done: false, value: returnValue};
} catch (error) {
isDone = true;
return {error};
}
})();
promises.push(promise);
}
trySpawn();
while (promises.length > 0) {
const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
promises.shift();
if (error) {
throw error;
}
if (done) {
return;
}
// Spawn if just dropped below backpressure limit and below the concurrency limit
trySpawn();
if (value === pMapSkip) {
continue;
}
yield value;
}
},
};
}
const pMapSkip = Symbol('skip');
/***/ })
};
Generated Vendored
+91423 -23600
View File
File diff suppressed because one or more lines are too long
+565 -496
View File
File diff suppressed because it is too large Load Diff
+12 -12
View File
@@ -1,7 +1,7 @@
{
"name": "actions/attest",
"description": "Generate signed attestations for workflow artifacts",
"version": "4.1.0",
"version": "4.0.0",
"author": "",
"private": true,
"type": "module",
@@ -78,7 +78,7 @@
]
},
"dependencies": {
"@actions/attest": "^3.2.0",
"@actions/attest": "^3.0.0",
"@actions/core": "^3.0.0",
"@actions/github": "^9.0.0",
"@actions/glob": "^0.6.1",
@@ -87,23 +87,23 @@
},
"devDependencies": {
"@eslint/js": "^9.39.2",
"@jest/globals": "^30.3.0",
"@sigstore/mock": "^0.12.0",
"@jest/globals": "^30.2.0",
"@sigstore/mock": "^0.11.0",
"@types/jest": "^30.0.0",
"@types/make-fetch-happen": "^10.0.4",
"@types/node": "^25.6.0",
"@types/node": "^25.3.0",
"@vercel/ncc": "^0.38.4",
"eslint": "^9.39.2",
"eslint-plugin-import": "^2.32.0",
"eslint-plugin-jest": "^29.15.2",
"jest": "^30.3.0",
"eslint-plugin-jest": "^29.15.0",
"jest": "^30.2.0",
"js-yaml": "^4.1.1",
"markdownlint-cli": "^0.48.0",
"markdownlint-cli": "^0.47.0",
"nock": "^13.5.6",
"prettier": "^3.8.3",
"ts-jest": "^29.4.9",
"prettier": "^3.8.1",
"ts-jest": "^29.4.6",
"typescript": "^5.9.3",
"typescript-eslint": "^8.58.2",
"undici": "^7.24.4"
"typescript-eslint": "^8.56.1",
"undici": "^7.20.0"
}
}
+1 -3
View File
@@ -26,7 +26,6 @@ export const createAttestation = async (
sigstoreInstance: SigstoreInstance
pushToRegistry: boolean
createStorageRecord: boolean
subjectVersion?: string
githubToken: string
}
): Promise<AttestResult> => {
@@ -78,8 +77,7 @@ export const createAttestation = async (
const registryUrl = getRegistryURL(subject.name)
const artifactOpts = {
name: subject.name,
digest: subjectDigest,
version: opts.subjectVersion || undefined
digest: subjectDigest
}
const packageRegistryOpts = {
registryUrl
-1
View File
@@ -15,7 +15,6 @@ const inputs: RunInputs = {
predicatePath: core.getInput('predicate-path'),
pushToRegistry: core.getBooleanInput('push-to-registry'),
createStorageRecord: core.getBooleanInput('create-storage-record'),
subjectVersion: core.getInput('subject-version'),
showSummary: core.getBooleanInput('show-summary'),
githubToken: core.getInput('github-token'),
// undocumented -- not part of public interface
-2
View File
@@ -35,7 +35,6 @@ export type RunInputs = SubjectInputs &
SBOMInputs & {
pushToRegistry: boolean
createStorageRecord: boolean
subjectVersion: string
githubToken: string
showSummary: boolean
privateSigning: boolean
@@ -98,7 +97,6 @@ export async function run(inputs: RunInputs): Promise<void> {
sigstoreInstance,
pushToRegistry: inputs.pushToRegistry,
createStorageRecord: inputs.createStorageRecord,
subjectVersion: inputs.subjectVersion,
githubToken: inputs.githubToken
})