update attest dep and send IA header
This commit is contained in:
+24
-4
@@ -52,7 +52,7 @@ function attest(options) {
|
||||
// Store the attestation
|
||||
let attestationID;
|
||||
if (options.skipWrite !== true) {
|
||||
attestationID = yield (0, store_1.writeAttestation)((0, bundle_1.bundleToJSON)(bundle), options.token);
|
||||
attestationID = yield (0, store_1.writeAttestation)((0, bundle_1.bundleToJSON)(bundle), options.token, { headers: options.headers });
|
||||
}
|
||||
return toAttestation(bundle, attestationID);
|
||||
});
|
||||
@@ -249,6 +249,10 @@ const core_1 = __nccwpck_require__(42186);
|
||||
const http_client_1 = __nccwpck_require__(96255);
|
||||
const jose = __importStar(__nccwpck_require__(34061));
|
||||
const OIDC_AUDIENCE = 'nobody';
|
||||
const VALID_SERVER_URLS = [
|
||||
'https://github.com',
|
||||
new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
|
||||
];
|
||||
const REQUIRED_CLAIMS = [
|
||||
'iss',
|
||||
'ref',
|
||||
@@ -264,6 +268,7 @@ const REQUIRED_CLAIMS = [
|
||||
'run_attempt'
|
||||
];
|
||||
const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
|
||||
issuer = issuer || getIssuer();
|
||||
try {
|
||||
const token = yield (0, core_1.getIDToken)(OIDC_AUDIENCE);
|
||||
const claims = yield decodeOIDCToken(token, issuer);
|
||||
@@ -307,6 +312,19 @@ function assertClaimSet(claims) {
|
||||
throw new Error(`Missing claims: ${missingClaims.join(', ')}`);
|
||||
}
|
||||
}
|
||||
// Derive the current OIDC issuer based on the server URL
|
||||
function getIssuer() {
|
||||
const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';
|
||||
// Ensure the server URL is a valid GitHub server URL
|
||||
if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
|
||||
throw new Error(`Invalid server URL: ${serverURL}`);
|
||||
}
|
||||
let host = new URL(serverURL).hostname;
|
||||
if (host === 'github.com') {
|
||||
host = 'githubusercontent.com';
|
||||
}
|
||||
return `https://token.actions.${host}`;
|
||||
}
|
||||
//# sourceMappingURL=oidc.js.map
|
||||
|
||||
/***/ }),
|
||||
@@ -331,7 +349,6 @@ const attest_1 = __nccwpck_require__(46373);
|
||||
const oidc_1 = __nccwpck_require__(95847);
|
||||
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1';
|
||||
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1';
|
||||
const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
|
||||
/**
|
||||
* Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance
|
||||
* predicate using the GitHub Actions Workflow build type.
|
||||
@@ -341,7 +358,7 @@ const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com';
|
||||
* issuer.
|
||||
* @returns The SLSA provenance predicate.
|
||||
*/
|
||||
const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void 0, void 0, void 0, function* () {
|
||||
const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
|
||||
const serverURL = process.env.GITHUB_SERVER_URL;
|
||||
const claims = yield (0, oidc_1.getIDTokenClaims)(issuer);
|
||||
// Split just the path and ref from the workflow string.
|
||||
@@ -540,6 +557,7 @@ const writeAttestation = (attestation, token, options = {}) => __awaiter(void 0,
|
||||
const response = yield octokit.request(CREATE_ATTESTATION_REQUEST, {
|
||||
owner: github.context.repo.owner,
|
||||
repo: github.context.repo.repo,
|
||||
headers: options.headers,
|
||||
data: { bundle: attestation }
|
||||
});
|
||||
const data = typeof response.data == 'string'
|
||||
@@ -106928,7 +106946,9 @@ async function generateAttestation(manifestDigest, semverTag, options) {
|
||||
token: options.token,
|
||||
sigstore: 'github',
|
||||
// Always store the attestation using the GitHub Attestations API
|
||||
skipWrite: false
|
||||
skipWrite: false,
|
||||
// Identify the attestation to our API as an Immutable Action
|
||||
headers: { 'X-GitHub-Publish-Action': subjectName }
|
||||
});
|
||||
}
|
||||
function removePrefix(str, prefix) {
|
||||
|
||||
Generated
+4
-4
@@ -9,7 +9,7 @@
|
||||
"version": "0.0.0",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/attest": "^1.3.1",
|
||||
"@actions/attest": "^1.4.0",
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/github": "^6.0.0",
|
||||
@@ -56,9 +56,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/attest": {
|
||||
"version": "1.3.1",
|
||||
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.1.tgz",
|
||||
"integrity": "sha512-4q09+4QvNROKHsjpusyRhtmUz8kHpFg45n5LqJAYrMQh8mU5O5t9shpGU3Z44rtUebgBTH8Ge0lTzLxfUOVvHw==",
|
||||
"version": "1.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.4.0.tgz",
|
||||
"integrity": "sha512-vyiv8VuONuIqktf4DdLqYL5sKEPPNTBlmjik+DP+7HqTiOgmrBa4Nn1eKh50aHjxa6tz+VSIYPaw0XG3Zc7zJw==",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/github": "^6.0.0",
|
||||
|
||||
+1
-1
@@ -67,7 +67,7 @@
|
||||
]
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/attest": "^1.3.1",
|
||||
"@actions/attest": "^1.4.0",
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/github": "^6.0.0",
|
||||
|
||||
+3
-1
@@ -128,7 +128,9 @@ async function generateAttestation(
|
||||
token: options.token,
|
||||
sigstore: 'github',
|
||||
// Always store the attestation using the GitHub Attestations API
|
||||
skipWrite: false
|
||||
skipWrite: false,
|
||||
// Identify the attestation to our API as an Immutable Action
|
||||
headers: { 'X-GitHub-Publish-Action': subjectName }
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user