diff --git a/dist/index.js b/dist/index.js index 8b4a6ea..de11e31 100644 --- a/dist/index.js +++ b/dist/index.js @@ -52,7 +52,7 @@ function attest(options) { // Store the attestation let attestationID; if (options.skipWrite !== true) { - attestationID = yield (0, store_1.writeAttestation)((0, bundle_1.bundleToJSON)(bundle), options.token); + attestationID = yield (0, store_1.writeAttestation)((0, bundle_1.bundleToJSON)(bundle), options.token, { headers: options.headers }); } return toAttestation(bundle, attestationID); }); @@ -249,6 +249,10 @@ const core_1 = __nccwpck_require__(42186); const http_client_1 = __nccwpck_require__(96255); const jose = __importStar(__nccwpck_require__(34061)); const OIDC_AUDIENCE = 'nobody'; +const VALID_SERVER_URLS = [ + 'https://github.com', + new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$') +]; const REQUIRED_CLAIMS = [ 'iss', 'ref', @@ -264,6 +268,7 @@ const REQUIRED_CLAIMS = [ 'run_attempt' ]; const getIDTokenClaims = (issuer) => __awaiter(void 0, void 0, void 0, function* () { + issuer = issuer || getIssuer(); try { const token = yield (0, core_1.getIDToken)(OIDC_AUDIENCE); const claims = yield decodeOIDCToken(token, issuer); @@ -307,6 +312,19 @@ function assertClaimSet(claims) { throw new Error(`Missing claims: ${missingClaims.join(', ')}`); } } +// Derive the current OIDC issuer based on the server URL +function getIssuer() { + const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'; + // Ensure the server URL is a valid GitHub server URL + if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) { + throw new Error(`Invalid server URL: ${serverURL}`); + } + let host = new URL(serverURL).hostname; + if (host === 'github.com') { + host = 'githubusercontent.com'; + } + return `https://token.actions.${host}`; +} //# sourceMappingURL=oidc.js.map /***/ }), @@ -331,7 +349,6 @@ const attest_1 = __nccwpck_require__(46373); const oidc_1 = __nccwpck_require__(95847); const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'; const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'; -const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'; /** * Builds an SLSA (Supply Chain Levels for Software Artifacts) provenance * predicate using the GitHub Actions Workflow build type. @@ -341,7 +358,7 @@ const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'; * issuer. * @returns The SLSA provenance predicate. */ -const buildSLSAProvenancePredicate = (issuer = DEFAULT_ISSUER) => __awaiter(void 0, void 0, void 0, function* () { +const buildSLSAProvenancePredicate = (issuer) => __awaiter(void 0, void 0, void 0, function* () { const serverURL = process.env.GITHUB_SERVER_URL; const claims = yield (0, oidc_1.getIDTokenClaims)(issuer); // Split just the path and ref from the workflow string. @@ -540,6 +557,7 @@ const writeAttestation = (attestation, token, options = {}) => __awaiter(void 0, const response = yield octokit.request(CREATE_ATTESTATION_REQUEST, { owner: github.context.repo.owner, repo: github.context.repo.repo, + headers: options.headers, data: { bundle: attestation } }); const data = typeof response.data == 'string' @@ -106928,7 +106946,9 @@ async function generateAttestation(manifestDigest, semverTag, options) { token: options.token, sigstore: 'github', // Always store the attestation using the GitHub Attestations API - skipWrite: false + skipWrite: false, + // Identify the attestation to our API as an Immutable Action + headers: { 'X-GitHub-Publish-Action': subjectName } }); } function removePrefix(str, prefix) { diff --git a/package-lock.json b/package-lock.json index 803f02f..12663b9 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,7 +9,7 @@ "version": "0.0.0", "license": "MIT", "dependencies": { - "@actions/attest": "^1.3.1", + "@actions/attest": "^1.4.0", "@actions/core": "^1.10.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", @@ -56,9 +56,9 @@ } }, "node_modules/@actions/attest": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.3.1.tgz", - "integrity": "sha512-4q09+4QvNROKHsjpusyRhtmUz8kHpFg45n5LqJAYrMQh8mU5O5t9shpGU3Z44rtUebgBTH8Ge0lTzLxfUOVvHw==", + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.4.0.tgz", + "integrity": "sha512-vyiv8VuONuIqktf4DdLqYL5sKEPPNTBlmjik+DP+7HqTiOgmrBa4Nn1eKh50aHjxa6tz+VSIYPaw0XG3Zc7zJw==", "dependencies": { "@actions/core": "^1.10.1", "@actions/github": "^6.0.0", diff --git a/package.json b/package.json index 76f707a..31af38a 100644 --- a/package.json +++ b/package.json @@ -67,7 +67,7 @@ ] }, "dependencies": { - "@actions/attest": "^1.3.1", + "@actions/attest": "^1.4.0", "@actions/core": "^1.10.1", "@actions/exec": "^1.1.1", "@actions/github": "^6.0.0", diff --git a/src/main.ts b/src/main.ts index e930a4b..a9fe215 100644 --- a/src/main.ts +++ b/src/main.ts @@ -128,7 +128,9 @@ async function generateAttestation( token: options.token, sigstore: 'github', // Always store the attestation using the GitHub Attestations API - skipWrite: false + skipWrite: false, + // Identify the attestation to our API as an Immutable Action + headers: { 'X-GitHub-Publish-Action': subjectName } }) }