Compare commits

..

2 Commits

Author SHA1 Message Date
Meredith Lancaster 309649c98d flip if-else logic for creating storage records to remove nesting
Signed-off-by: Meredith Lancaster <malancas@github.com>
2026-01-26 11:32:34 -08:00
Meredith Lancaster e36bd1a2fc flip if logic for checking attestation upload logic to remove nesting
Signed-off-by: Meredith Lancaster <malancas@github.com>
2026-01-26 11:31:23 -08:00
21 changed files with 56730 additions and 33472 deletions
+2 -2
View File
@@ -28,11 +28,11 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.1
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@v6.2.0
uses: actions/setup-node@v6.1.0
with:
node-version-file: .node-version
cache: npm
+3 -3
View File
@@ -21,11 +21,11 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: .node-version
cache: npm
@@ -58,7 +58,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
- name: Calculate subject digest
id: subject
env:
+1 -1
View File
@@ -32,7 +32,7 @@ jobs:
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v6.0.2
uses: actions/checkout@v6.0.1
- name: Initialize CodeQL
id: initialize
+9 -15
View File
@@ -2,26 +2,20 @@
* Unit tests for the action's entrypoint, src/index.ts
*/
import { jest, describe, expect, beforeEach } from '@jest/globals'
import * as core from '@actions/core'
import * as main from '../src/main'
// Mock modules before importing them
const runMock = jest.fn<() => Promise<void>>()
jest.unstable_mockModule('../src/main', () => ({
run: runMock
}))
jest.unstable_mockModule('@actions/core', () => ({
getInput: jest.fn(() => ''),
getBooleanInput: jest.fn(() => false)
}))
// Mock the action's entrypoint
const runMock = jest.spyOn(main, 'run').mockImplementation()
const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
describe('index', () => {
beforeEach(() => {
jest.clearAllMocks()
getBooleanInputMock.mockImplementation(() => false)
})
it('calls run when imported', async () => {
await import('../src/index.js')
it('calls run when imported', () => {
// eslint-disable-next-line @typescript-eslint/no-require-imports
require('../src/index')
expect(runMock).toHaveBeenCalled()
})
+83 -180
View File
@@ -5,110 +5,41 @@
* Specifically, the inputs listed in `action.yml` should be set as environment
* variables following the pattern `INPUT_<INPUT_NAME>`.
*/
import {
jest,
describe,
expect,
beforeEach,
afterEach,
it
} from '@jest/globals'
import type { RunInputs } from '../src/main.js'
import * as core from '@actions/core'
import * as github from '@actions/github'
import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
import * as oci from '@sigstore/oci'
import * as attest from '@actions/attest'
import * as localAttest from '../src/attest'
import fs from 'fs/promises'
import nock from 'nock'
import os from 'os'
import path from 'path'
import { MockAgent, setGlobalDispatcher } from 'undici'
import { SEARCH_PUBLIC_GOOD_URL } from '../src/endpoints'
import * as main from '../src/main'
// Create mock functions for core
const infoMock = jest.fn()
const warningMock = jest.fn()
const startGroupMock = jest.fn()
const endGroupMock = jest.fn()
const setOutputMock = jest.fn()
const setFailedMock = jest.fn()
const summaryWriteMock = jest.fn<() => Promise<void>>()
// Mock the GitHub Actions core library
const infoMock = jest.spyOn(core, 'info')
const warningMock = jest.spyOn(core, 'warning')
const startGroupMock = jest.spyOn(core, 'startGroup')
const setOutputMock = jest.spyOn(core, 'setOutput')
const setFailedMock = jest.spyOn(core, 'setFailed')
// Create a mock summary object
const mockSummary = {
addHeading: jest.fn().mockReturnThis(),
addRaw: jest.fn().mockReturnThis(),
addTable: jest.fn().mockReturnThis(),
addSeparator: jest.fn().mockReturnThis(),
addLink: jest.fn().mockReturnThis(),
addBreak: jest.fn().mockReturnThis(),
addList: jest.fn().mockReturnThis(),
write: summaryWriteMock.mockResolvedValue(undefined)
}
// Ensure that setFailed doesn't set an exit code during tests
setFailedMock.mockImplementation(() => {})
// Mock @actions/core before importing
jest.unstable_mockModule('@actions/core', () => ({
info: infoMock,
warning: warningMock,
startGroup: startGroupMock,
endGroup: endGroupMock,
setOutput: setOutputMock,
setFailed: setFailedMock,
summary: mockSummary
}))
const summaryWriteMock = jest.spyOn(core.summary, 'write')
summaryWriteMock.mockResolvedValue(core.summary)
// Create mocks for OCI and attest modules
/* eslint-disable @typescript-eslint/no-explicit-any */
const getRegistryCredentialsMock = jest.fn<(...args: any[]) => any>()
const attachArtifactToImageMock = jest.fn<(...args: any[]) => any>()
const createStorageRecordMock = jest.fn<(...args: any[]) => any>()
const attestMock = jest.fn<(...args: any[]) => any>()
/* eslint-enable @typescript-eslint/no-explicit-any */
// Mock @sigstore/oci
jest.unstable_mockModule('@sigstore/oci', () => ({
getRegistryCredentials: getRegistryCredentialsMock,
attachArtifactToImage: attachArtifactToImageMock
}))
// Mock @actions/attest
jest.unstable_mockModule('@actions/attest', () => ({
attest: attestMock,
createStorageRecord: createStorageRecordMock
}))
// Create a mutable context object for @actions/github
const mockContext: Record<string, unknown> = {}
// Mock for getOctokit to return a mock octokit client
// eslint-disable-next-line @typescript-eslint/no-explicit-any
const mockReposGet = jest.fn<(...args: any[]) => any>()
const mockOctokit = {
rest: {
repos: {
get: mockReposGet
}
}
}
jest.unstable_mockModule('@actions/github', () => ({
context: mockContext,
getOctokit: jest.fn(() => mockOctokit)
}))
// Helper to set the mocked GitHub context
function setGHContext(context: object): void {
Object.keys(mockContext).forEach(key => delete mockContext[key])
Object.assign(mockContext, context)
}
// Now import the modules after mocking
const { mockFulcio, mockRekor, mockTSA } = await import('@sigstore/mock')
const fs = (await import('fs/promises')).default
const nock = (await import('nock')).default
const os = (await import('os')).default
const path = (await import('path')).default
const { MockAgent, setGlobalDispatcher } = await import('undici')
const { SEARCH_PUBLIC_GOOD_URL } = await import('../src/endpoints.js')
const { run } = (await import('../src/main.js')) as {
run: (inputs: RunInputs) => Promise<void>
}
// Mock the action's main function
const runMock = jest.spyOn(main, 'run')
// MockAgent for mocking @actions/github
const mockAgent = new MockAgent()
setGlobalDispatcher(mockAgent)
const defaultInputs: RunInputs = {
const defaultInputs: main.RunInputs = {
predicate: '',
predicateType: '',
predicatePath: '',
@@ -124,8 +55,10 @@ const defaultInputs: RunInputs = {
}
describe('action', () => {
// Capture original environment variables so we can restore them after each test
// Capture original environment variables and GitHub context so we can restore
// them after each test
const originalEnv = process.env
const originalContext = { ...github.context }
// Mock OIDC token endpoint
const tokenURL = 'https://token.url'
@@ -149,34 +82,6 @@ describe('action', () => {
beforeEach(() => {
jest.clearAllMocks()
// Set up default GitHub context with empty payload
setGHContext({
payload: {},
repo: { owner: 'test-owner', repo: 'test-repo' }
})
// Set up default return value for attestMock (without tlogID for private/GitHub sigstore)
attestMock.mockResolvedValue({
attestationID,
bundle: {
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
verificationMaterial: {
certificate: {
rawBytes: Buffer.from(
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----'
).toString('base64')
},
tlogEntries: []
},
content: {}
},
certificate:
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----'
})
// Set up default return value for createStorageRecordMock (returns array of record IDs)
createStorageRecordMock.mockResolvedValue([storageRecordID])
nock(tokenURL)
.get('/')
.query({ audience: 'sigstore' })
@@ -209,12 +114,12 @@ describe('action', () => {
// Restore the original environment
process.env = originalEnv
// Clear the github context
setGHContext({ payload: {}, repo: { owner: '', repo: '' } })
// Restore the original github.context
setGHContext(originalContext)
})
describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
const inputs: RunInputs = {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
@@ -229,8 +134,9 @@ describe('action', () => {
})
it('sets a failed status', async () => {
await run(inputs)
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
@@ -241,8 +147,9 @@ describe('action', () => {
describe('when no inputs are provided', () => {
it('sets a failed status', async () => {
await run(defaultInputs)
await main.run(defaultInputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'One of subject-path, subject-digest, or subject-checksums must be provided'
@@ -252,7 +159,7 @@ describe('action', () => {
})
describe('when the repository is private', () => {
const inputs: RunInputs = {
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
@@ -276,9 +183,10 @@ describe('action', () => {
})
it('invokes the action w/o error', async () => {
await run(inputs)
await main.run(inputs)
expect(setFailedMock).not.toHaveBeenCalled()
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalledWith()
expect(infoMock).toHaveBeenNthCalledWith(
1,
expect.stringMatching(
@@ -321,7 +229,13 @@ describe('action', () => {
})
describe('when the repository is public', () => {
const inputs: RunInputs = {
const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
const repoOwnerIsOrgSpy = jest.spyOn(localAttest, 'repoOwnerIsOrg')
const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
const createAttestationSpy = jest.spyOn(localAttest, 'createAttestation')
const inputs: main.RunInputs = {
...defaultInputs,
subjectDigest,
subjectName,
@@ -344,50 +258,28 @@ describe('action', () => {
})
await mockRekor({ baseURL: 'https://rekor.sigstore.dev' })
getRegistryCredentialsMock.mockImplementation(() => ({
getRegCredsSpy.mockImplementation(() => ({
username: 'username',
password: 'password'
}))
attachArtifactToImageMock.mockResolvedValue({
attachArtifactSpy.mockResolvedValue({
digest: 'sha256:123456',
mediaType: 'application/vnd.cncf.notary.v2',
size: 123456
})
// Set up attestMock with tlogID for public good sigstore
attestMock.mockResolvedValue({
attestationID,
bundle: {
mediaType: 'application/vnd.dev.sigstore.bundle.v0.3+json',
verificationMaterial: {
certificate: {
rawBytes: Buffer.from(
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----'
).toString('base64')
},
tlogEntries: [{ logIndex: '123' }]
},
content: {}
},
certificate:
'-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----',
tlogID: '123'
})
// Mock the repos.get API call for repoOwnerIsOrg check
mockReposGet.mockResolvedValue({
data: { owner: { type: 'Organization' } }
})
repoOwnerIsOrgSpy.mockResolvedValue(true)
})
it('invokes the action w/o error', async () => {
await run(inputs)
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(getRegistryCredentialsMock).toHaveBeenCalledWith(subjectName)
expect(attachArtifactToImageMock).toHaveBeenCalled()
expect(attestMock).toHaveBeenCalled()
expect(createStorageRecordMock).toHaveBeenCalled()
expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
expect(attachArtifactSpy).toHaveBeenCalled()
expect(createAttestationSpy).toHaveBeenCalled()
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
expect(createStorageRecordSpy).toHaveBeenCalled()
expect(warningMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenNthCalledWith(
1,
@@ -452,14 +344,16 @@ describe('action', () => {
it('catches error when storage record creation fails and continues', async () => {
// Mock the createStorageRecord function and throw an error
createStorageRecordMock.mockRejectedValueOnce(
createStorageRecordSpy.mockRejectedValueOnce(
new Error('Failed to persist storage record: Not Found')
)
await run(inputs)
await main.run(inputs)
expect(attestMock).toHaveBeenCalled()
expect(createStorageRecordMock).toHaveBeenCalled()
expect(runMock).toHaveReturned()
expect(createAttestationSpy).toHaveBeenCalled()
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
expect(createStorageRecordSpy).toHaveBeenCalled()
expect(setFailedMock).not.toHaveBeenCalled()
expect(warningMock).toHaveBeenNthCalledWith(
1,
@@ -468,16 +362,17 @@ describe('action', () => {
})
it('does not create a storage record when the repo is owned by a user', async () => {
// Mock the repos.get API to return a user-owned repo
mockReposGet.mockResolvedValueOnce({ data: { owner: { type: 'User' } } })
repoOwnerIsOrgSpy.mockResolvedValueOnce(false)
await run(inputs)
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(getRegistryCredentialsMock).toHaveBeenCalledWith(subjectName)
expect(attachArtifactToImageMock).toHaveBeenCalled()
expect(attestMock).toHaveBeenCalled()
expect(createStorageRecordMock).not.toHaveBeenCalled()
expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
expect(attachArtifactSpy).toHaveBeenCalled()
expect(createAttestationSpy).toHaveBeenCalled()
expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
expect(createStorageRecordSpy).not.toHaveBeenCalled()
expect(warningMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenCalledWith(
expect.stringMatching(
@@ -541,15 +436,16 @@ describe('action', () => {
})
it('invokes the action w/o error', async () => {
const inputs: RunInputs = {
const inputs: main.RunInputs = {
...defaultInputs,
subjectPath: path.join(dir, `${filename}-*`),
predicateType,
predicate,
githubToken: 'gh-token'
}
await run(inputs)
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).not.toHaveBeenCalled()
expect(infoMock).toHaveBeenNthCalledWith(
1,
@@ -588,15 +484,16 @@ describe('action', () => {
})
it('sets a failed status', async () => {
const inputs: RunInputs = {
const inputs: main.RunInputs = {
...defaultInputs,
subjectPath: path.join(dir, `${filename}-*`),
predicateType,
predicate,
githubToken: 'gh-token'
}
await run(inputs)
await main.run(inputs)
expect(runMock).toHaveReturned()
expect(setFailedMock).toHaveBeenCalledWith(
new Error(
'Too many subjects specified. The maximum number of subjects is 1024.'
@@ -605,3 +502,9 @@ describe('action', () => {
})
})
})
// Stubbing the GitHub context is a bit tricky. We need to use
// `Object.defineProperty` because `github.context` is read-only.
function setGHContext(context: object): void {
Object.defineProperty(github, 'context', { value: context })
}
+1 -1
View File
@@ -1,7 +1,7 @@
import fs from 'fs/promises'
import os from 'os'
import path from 'path'
import { predicateFromInputs, PredicateInputs } from '../src/predicate.js'
import { predicateFromInputs, PredicateInputs } from '../src/predicate'
describe('subjectFromInputs', () => {
const blankInputs: PredicateInputs = {
+1 -1
View File
@@ -1,4 +1,4 @@
import { highlight, mute } from '../src/style.js'
import { highlight, mute } from '../src/style'
describe('style', () => {
describe('highlight', () => {
+5 -10
View File
@@ -6,7 +6,7 @@ import {
formatSubjectDigest,
subjectFromInputs,
SubjectInputs
} from '../src/subject.js'
} from '../src/subject'
describe('subjectFromInputs', () => {
const blankInputs: SubjectInputs = {
@@ -264,15 +264,10 @@ describe('subjectFromInputs', () => {
expect(subjects).toBeDefined()
expect(subjects).toHaveLength(3)
subjects.forEach(
(
subject: { name: string; digest: Record<string, string> },
i: number
) => {
expect(subject.name).toEqual(`${filename}-${i}`)
expect(subject.digest).toEqual({ sha256: expectedDigest })
}
)
subjects.forEach((subject, i) => {
expect(subject.name).toEqual(`${filename}-${i}`)
expect(subject.digest).toEqual({ sha256: expectedDigest })
})
})
})
Generated Vendored
+14 -26
View File
@@ -1,6 +1,7 @@
export const id = 606;
export const ids = [606];
export const modules = {
"use strict";
exports.id = 606;
exports.ids = [606];
exports.modules = {
/***/ 606:
/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
@@ -18,7 +19,7 @@ async function pMap(
signal,
} = {},
) {
return new Promise((resolve_, reject_) => {
return new Promise((resolve, reject_) => {
if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
}
@@ -41,24 +42,10 @@ async function pMap(
let currentIndex = 0;
const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
const signalListener = () => {
reject(signal.reason);
};
const cleanup = () => {
signal?.removeEventListener('abort', signalListener);
};
const resolve = value => {
resolve_(value);
cleanup();
};
const reject = reason => {
isRejected = true;
isResolved = true;
reject_(reason);
cleanup();
};
if (signal) {
@@ -66,7 +53,9 @@ async function pMap(
reject(signal.reason);
}
signal.addEventListener('abort', signalListener, {once: true});
signal.addEventListener('abort', () => {
reject(signal.reason);
});
}
const next = async () => {
@@ -214,32 +203,31 @@ function pMapIterable(
const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
const promises = [];
let pendingPromisesCount = 0;
let runningMappersCount = 0;
let isDone = false;
let index = 0;
function trySpawn() {
if (isDone || !(pendingPromisesCount < concurrency && promises.length < backpressure)) {
if (isDone || !(runningMappersCount < concurrency && promises.length < backpressure)) {
return;
}
pendingPromisesCount++;
const promise = (async () => {
const {done, value} = await iterator.next();
if (done) {
pendingPromisesCount--;
return {done: true};
}
runningMappersCount++;
// Spawn if still below concurrency and backpressure limit
trySpawn();
try {
const returnValue = await mapper(await value, index++);
pendingPromisesCount--;
runningMappersCount--;
if (returnValue === pMapSkip) {
const index = promises.indexOf(promise);
@@ -254,7 +242,6 @@ function pMapIterable(
return {done: false, value: returnValue};
} catch (error) {
pendingPromisesCount--;
isDone = true;
return {error};
}
@@ -297,3 +284,4 @@ const pMapSkip = Symbol('skip');
/***/ })
};
;
Generated Vendored
+48736 -31119
View File
File diff suppressed because one or more lines are too long
Generated Vendored
-3
View File
@@ -1,3 +0,0 @@
{
"type": "module"
}
-7
View File
@@ -89,13 +89,6 @@ export default tseslint.config(
allowObject: true
}
]
},
settings: {
'import/resolver': {
typescript: {
project: './tsconfig.lint.json'
}
}
}
}
)
-37
View File
@@ -1,37 +0,0 @@
export default {
preset: "ts-jest",
verbose: true,
clearMocks: true,
testEnvironment: 'node',
moduleFileExtensions: ['js', 'ts'],
testMatch: ['**/*.test.ts'],
testPathIgnorePatterns: [
"/node_modules/",
"/dist/"
],
transform: {
'^.+\\.ts$': [
'ts-jest',
{
useESM: true,
diagnostics: {
ignoreCodes: [151002]
}
}
]
},
coverageReporters: [
"json-summary",
"text",
"lcov"
],
collectCoverage: true,
collectCoverageFrom: [
"./src/**"
],
extensionsToTreatAsEsm: ['.ts'],
transformIgnorePatterns: ['node_modules/(?!(@actions)/)'],
moduleNameMapper: {
'^(\\.{1,2}/.*)\\.js$': '$1'
},
}
+1
View File
@@ -0,0 +1 @@
process.stdout.write = jest.fn()
+7757 -1988
View File
File diff suppressed because it is too large Load Diff
+42 -13
View File
@@ -2,7 +2,6 @@
"name": "actions/attest",
"description": "Generate signed attestations for workflow artifacts",
"version": "3.2.0",
"type": "module",
"author": "",
"private": true,
"homepage": "https://github.com/actions/attest",
@@ -25,7 +24,7 @@
},
"scripts": {
"bundle": "npm run format:write && npm run package",
"ci-test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
"ci-test": "jest",
"format:write": "prettier --write **/*.ts",
"format:check": "prettier --check **/*.ts",
"lint:eslint": "npx eslint",
@@ -33,38 +32,68 @@
"lint": "npm run lint:eslint && npm run lint:markdown",
"package": "ncc build src/index.ts --license licenses.txt",
"package:watch": "npm run package -- --watch",
"test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
"test": "jest",
"all": "npm run format:write && npm run lint && npm run test && npm run package"
},
"license": "MIT",
"jest": {
"preset": "ts-jest",
"setupFilesAfterEnv": [
"./jest.setup.js"
],
"verbose": true,
"clearMocks": true,
"testEnvironment": "node",
"moduleFileExtensions": [
"js",
"ts"
],
"testMatch": [
"**/*.test.ts"
],
"testPathIgnorePatterns": [
"/node_modules/",
"/dist/"
],
"transform": {
"^.+\\.ts$": "ts-jest"
},
"coverageReporters": [
"json-summary",
"text",
"lcov"
],
"collectCoverage": true,
"collectCoverageFrom": [
"./src/**"
]
},
"dependencies": {
"@actions/attest": "^2.2.1",
"@actions/core": "^2.0.2",
"@actions/github": "^7.0.0",
"@actions/attest": "^2.1.0",
"@actions/core": "^2.0.1",
"@actions/github": "^6.0.1",
"@actions/glob": "^0.5.0",
"@sigstore/oci": "^0.6.0",
"csv-parse": "^5.6.0"
},
"devDependencies": {
"@eslint/js": "^9.39.2",
"@jest/globals": "^30.2.0",
"@sigstore/mock": "^0.11.0",
"@types/jest": "^30.0.0",
"@types/make-fetch-happen": "^10.0.4",
"@types/node": "^25.2.0",
"@types/node": "^25.0.3",
"@vercel/ncc": "^0.38.4",
"eslint": "^9.39.2",
"eslint-import-resolver-typescript": "^4.4.4",
"eslint-plugin-import": "^2.32.0",
"eslint-plugin-jest": "^29.12.1",
"eslint-plugin-jest": "^29.9.0",
"jest": "^30.2.0",
"js-yaml": "^4.1.1",
"markdownlint-cli": "^0.47.0",
"nock": "^13.5.6",
"prettier": "^3.8.1",
"prettier": "^3.7.4",
"ts-jest": "^29.4.6",
"typescript": "^5.9.3",
"typescript-eslint": "^8.54.0",
"undici": "^7.20.0"
"typescript-eslint": "^8.50.1",
"undici": "^7.18.2"
}
}
+66 -56
View File
@@ -6,7 +6,7 @@ import {
createStorageRecord
} from '@actions/attest'
import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
import { formatSubjectDigest } from './subject.js'
import { formatSubjectDigest } from './subject'
import * as core from '@actions/core'
import * as github from '@actions/github'
@@ -40,66 +40,76 @@ export const createAttestation = async (
const result: AttestResult = attestation
if (subjects.length === 1 && opts.pushToRegistry) {
const subject = subjects[0]
const credentials = getRegistryCredentials(subject.name)
const subjectDigest = formatSubjectDigest(subject)
const artifact = await attachArtifactToImage({
credentials,
imageName: subject.name,
imageDigest: subjectDigest,
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
mediaType: attestation.bundle.mediaType,
annotations: {
'dev.sigstore.bundle.content': 'dsse-envelope',
'dev.sigstore.bundle.predicateType': predicate.type
},
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
})
// If there are multiple subjects or if pushToRegistry is false,
// return early without pushing the attestation to the registry
if (!(subjects.length === 1 && opts.pushToRegistry)) {
return result
}
// Add the attestation's digest to the result
result.attestationDigest = artifact.digest
// If we have a single subject and pushToRegistry is true,
// push the attestation to the OCI registry
// and create a storage record if requested
const subject = subjects[0]
const credentials = getRegistryCredentials(subject.name)
const subjectDigest = formatSubjectDigest(subject)
const artifact = await attachArtifactToImage({
credentials,
imageName: subject.name,
imageDigest: subjectDigest,
artifact: Buffer.from(JSON.stringify(attestation.bundle)),
mediaType: attestation.bundle.mediaType,
annotations: {
'dev.sigstore.bundle.content': 'dsse-envelope',
'dev.sigstore.bundle.predicateType': predicate.type
},
fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
})
// Because creating a storage record requires the 'artifact-metadata:write'
// permission, we wrap this in a try/catch to avoid failing the entire
// attestation process if the token does not have the correct permissions.
if (opts.createStorageRecord) {
try {
const token = opts.githubToken
const isOrg = await repoOwnerIsOrg(token)
if (!isOrg) {
// The Artifact Metadata Storage Record API is only available to
// organizations. So if the repo owner is not an organization,
// storage record creation should not be attempted.
return result
}
// Add the attestation's digest to the result
result.attestationDigest = artifact.digest
const registryUrl = getRegistryURL(subject.name)
const artifactOpts = {
name: subject.name,
digest: subjectDigest
}
const packageRegistryOpts = {
registryUrl
}
const records = await createStorageRecord(
artifactOpts,
packageRegistryOpts,
token
)
// If createStorageRecord is false, return early
if (!opts.createStorageRecord) {
return result
}
if (!records || records.length === 0) {
core.warning('No storage records were created.')
}
result.storageRecordIds = records
} catch (error) {
core.warning(`Failed to create storage record: ${error}`)
core.warning(
'Please check that the "artifact-metadata:write" permission has been included'
)
}
// Because creating a storage record requires the 'artifact-metadata:write'
// permission, we wrap this in a try/catch to avoid failing the entire
// attestation process if the token does not have the correct permissions.
try {
const token = opts.githubToken
const isOrg = await repoOwnerIsOrg(token)
if (!isOrg) {
// The Artifact Metadata Storage Record API is only available to
// organizations. So if the repo owner is not an organization,
// storage record creation should not be attempted.
return result
}
const registryUrl = getRegistryURL(subject.name)
const artifactOpts = {
name: subject.name,
digest: subjectDigest
}
const packageRegistryOpts = {
registryUrl
}
const records = await createStorageRecord(
artifactOpts,
packageRegistryOpts,
token
)
if (!records || records.length === 0) {
core.warning('No storage records were created.')
}
result.storageRecordIds = records
} catch (error) {
core.warning(`Failed to create storage record: ${error}`)
core.warning(
'Please check that the "artifact-metadata:write" permission has been included'
)
}
return result
+1 -1
View File
@@ -2,7 +2,7 @@
* The entrypoint for the action.
*/
import * as core from '@actions/core'
import { run, RunInputs } from './main.js'
import { run, RunInputs } from './main'
const inputs: RunInputs = {
subjectPath: core.getInput('subject-path'),
+5 -5
View File
@@ -3,15 +3,15 @@ import * as github from '@actions/github'
import fs from 'fs'
import os from 'os'
import path from 'path'
import { AttestResult, SigstoreInstance, createAttestation } from './attest.js'
import { SEARCH_PUBLIC_GOOD_URL } from './endpoints.js'
import { PredicateInputs, predicateFromInputs } from './predicate.js'
import * as style from './style.js'
import { AttestResult, SigstoreInstance, createAttestation } from './attest'
import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
import { PredicateInputs, predicateFromInputs } from './predicate'
import * as style from './style'
import {
SubjectInputs,
formatSubjectDigest,
subjectFromInputs
} from './subject.js'
} from './subject'
import type { Subject } from '@actions/attest'
+1 -1
View File
@@ -16,5 +16,5 @@
"skipLibCheck": true,
"newLine": "lf"
},
"exclude": ["./dist", "./node_modules", "./__tests__", "./coverage", "./jest.config.ts"]
"exclude": ["./dist", "./node_modules", "./__tests__", "./coverage"]
}
+2 -3
View File
@@ -2,9 +2,8 @@
"$schema": "https://json.schemastore.org/tsconfig",
"extends": "./tsconfig.json",
"compilerOptions": {
"noEmit": true,
"rootDir": "."
"noEmit": true
},
"include": ["./__tests__/**/*", "./src/**/*", "./jest.config.ts"],
"include": ["./__tests__/**/*", "./src/**/*"],
"exclude": ["./dist", "./node_modules", "./coverage", "*.json"]
}