update attest dep and send IA header

This commit is contained in:
Conor Sloan
2024-08-21 11:11:46 +01:00
parent 7af620c09c
commit 8c9931350a
4 changed files with 32 additions and 10 deletions
+24 -4
@@ -52,7 +52,7 @@ function attest(options) {
// Store the attestation
let attestationID;
if (options.skipWrite !== true) {
attestationID = yield (0, store_1.writeAttestation)((0, bundle_1.bundleToJSON)(bundle), options.token);
attestationID = yield (0, store_1.writeAttestation)((0, bundle_1.bundleToJSON)(bundle), options.token, { headers: options.headers });
}
return toAttestation(bundle, attestationID);
});
@@ -249,6 +249,10 @@ const core_1 = __nccwpck_require__(42186);
const http_client_1 = __nccwpck_require__(96255);
const jose = __importStar(__nccwpck_require__(34061));
const OIDC_AUDIENCE = 'nobody';
const VALID_SERVER_URLS = [
'https://github.com',
new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
];
const REQUIRED_CLAIMS = [
'iss',
'ref',
@@ -264,6 +268,7 @@ const REQUIRED_CLAIMS = [
'run_attempt'
];
const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
issuer = issuer || getIssuer();
try {
const token = yield (0, core_1.getIDToken)(OIDC_AUDIENCE);
const claims = yield decodeOIDCToken(token, issuer);
@@ -307,6 +312,19 @@ function assertClaimSet(claims) {
throw new Error(`Missing claims: ${missingClaims.join(', ')}`);
}
}
// Derive the current OIDC issuer based on the server URL
function getIssuer() {
const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';
// Ensure the server URL is a valid GitHub server URL
if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
throw new Error(`Invalid server URL: ${serverURL}`);
}
let host = new URL(serverURL).hostname;
if (host === 'github.com') {
host = 'githubusercontent.com';
}
return `https://token.actions.${host}`;
}
//# sourceMappingURL=oidc.js.map
/***/ }),
@@ -331,7 +349,6 @@ const attest_1 = __nccwpck_require__(46373);
const oidc_1 = __nccwpck_require__(95847);
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1';
const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
/**
* Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
* predicate using the GitHub Actions Workflow build type.
@@ -341,7 +358,7 @@ const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
* issuer.
* @returns The SLSA provenance predicate.
*/
const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void 0, void 0, void 0, function* () {
const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
const serverURL = process.env.GITHUB_SERVER_URL;
const claims = yield (0, oidc_1.getIDTokenClaims)(issuer);
// Split just the path and ref from the workflow string.
@@ -540,6 +557,7 @@ const writeAttestation = (attestation, token, options = {}) => __awaiter(void 0,
const response = yield octokit.request(CREATE_ATTESTATION_REQUEST, {
owner: github.context.repo.owner,
repo: github.context.repo.repo,
headers: options.headers,
data: { bundle: attestation }
});
const data = typeof response.data == 'string'
@@ -106928,7 +106946,9 @@ async function generateAttestation(manifestDigest, semverTag, options) {
token: options.token,
sigstore: 'github',
// Always store the attestation using the GitHub Attestations API
skipWrite: false
skipWrite: false,
// Identify the attestation to our API as an Immutable Action
headers: { 'X-GitHub-Publish-Action': subjectName }
});
}
function removePrefix(str, prefix) {
+4 -4
@@ -9,7 +9,7 @@
"version": "0.0.0",
"license": "MIT",
"dependencies": {
"@actions/attest": "^1.3.1",
"@actions/attest": "^1.4.0",
"@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1",
"@actions/github": "^6.0.0",
@@ -56,9 +56,9 @@
}
},
"node_modules/@actions/attest": {
"version": "1.3.1",
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.1.tgz",
"integrity": "sha512-4q09+4QvNROKHsjpusyRhtmUz8kHpFg45n5LqJAYrMQh8mU5O5t9shpGU3Z44rtUebgBTH8Ge0lTzLxfUOVvHw==",
"version": "1.4.0",
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.4.0.tgz",
"integrity": "sha512-vyiv8VuONuIqktf4DdLqYL5sKEPPNTBlmjik+DP+7HqTiOgmrBa4Nn1eKh50aHjxa6tz+VSIYPaw0XG3Zc7zJw==",
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
+1 -1
@@ -67,7 +67,7 @@
]
},
"dependencies": {
"@actions/attest": "^1.3.1",
"@actions/attest": "^1.4.0",
"@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1",
"@actions/github": "^6.0.0",
+3 -1
@@ -128,7 +128,9 @@ async function generateAttestation(
token: options.token,
sigstore: 'github',
// Always store the attestation using the GitHub Attestations API
skipWrite: false
skipWrite: false,
// Identify the attestation to our API as an Immutable Action
headers: { 'X-GitHub-Publish-Action': subjectName }
})
}
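Review bot: `subjectName` is placed straight into an HTTP header value on the `headers: { 'X-GitHub-Publish-Action': subjectName }` line, and nothing in this hunk shows it being validated as a header-safe value (ASCII, no CR/LF); the request will fail for any name that breaks that, so it is worth confirming where the value is checked before it reaches this call. The enclosing `generateAttestation` starts before the hunk and `subjectName` is derived there, so the check may already exist; if it does, a comment at this line saying so, e.g. `// subjectName is validated as a header-safe identifier above`, would save the next reader the search. The header name is also duplicated as a bare string literal between this file and the bundled dist; hoisting it to a module-level `const PUBLISH_ACTION_HEADER = 'X-GitHub-Publish-Action';` keeps the two in step.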