Brian DeHamer
69f29a1b1c
Update packages/attest/src/artifactMetadata.ts
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2026-02-25 17:40:10 -08:00
Brian DeHamer
7987771a2b
new user-agent string for storage record API reqs
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2026-02-25 15:36:27 -08:00
Brian DeHamer
27e5a955bf
custom user-agent string for attestation API reqs
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2026-02-25 11:20:54 -08:00
Daniel Kennedy
0be0a6ef89
@actions/attest: convert to an ESM module (#2278 )
2026-01-29 15:19:39 -05:00
Meredith Lancaster
701191f50e
fix linter issues
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-09 11:40:40 -08:00
Meredith Lancaster
539724611c
param name
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-09 11:39:12 -08:00
Meredith Lancaster
d75223fd4a
split mega param into several different ones
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-09 11:37:04 -08:00
Meredith Lancaster
0380590fdd
fix expected endpoint response
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-09 08:02:38 -08:00
Meredith Lancaster
c40fa0d905
formatting
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 19:19:11 -08:00
Meredith Lancaster
dc9f635a0d
Update packages/attest/src/artifactMetadata.ts
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2025-12-08 16:30:37 -08:00
Meredith Lancaster
10d3b034e0
fix linter issues
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 16:22:59 -08:00
Meredith Lancaster
8eca440361
fix test and function calls
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 15:59:25 -08:00
Meredith Lancaster
6ec87f46b7
add back param parsing function
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 15:39:26 -08:00
Meredith Lancaster
d1f9584cda
fix test calls
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 15:33:01 -08:00
Meredith Lancaster
b8933d0495
reorganize function options and document
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 15:25:34 -08:00
Meredith Lancaster
0a988d204e
rename file
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 15:16:26 -08:00
Meredith Lancaster
c034e76488
fix function exporting and test results
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 13:49:54 -08:00
Meredith Lancaster
417dbfff73
use parameter objects and add tests
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 13:17:08 -08:00
Meredith Lancaster
79efd648ac
condense parameters
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 11:02:59 -08:00
Meredith Lancaster
e8c242695d
add function for creating storage record
...
Signed-off-by: Meredith Lancaster <malancas@github.com >
2025-12-08 10:49:24 -08:00
Eugene
5e0fa1aaaa
Remove unnecessary Buffer to Uint8Array conversion
...
Removed unnecessary conversion of Buffer to Uint8Array for compatibility.
2025-10-16 12:08:05 -04:00
Salman Muin Kayser Chishti
48e42b1fdd
linting
2025-09-04 15:24:57 +01:00
Salman Muin Kayser Chishti
8f32f385e0
Bump package versions, and fix issues
2025-09-04 14:16:27 +01:00
Brian DeHamer
0bc338adab
set workflow.ref provenance field from ref claim
...
Updates the `buildSLSAProvenancePredicate` function to populate the
`workflow.ref` field from the `ref` claim in the OIDC token.
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2025-02-26 08:47:27 -08:00
Brian DeHamer
339447c5d3
Merge pull request #1863 from meriadec/attest-provenance-tags
...
Handle tags containing "@" character in `buildSLSAProvenancePredicate`
2024-11-01 09:35:13 -07:00
Brian DeHamer
265a5be8bc
support multi-subject attestations
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-11-01 09:08:19 -07:00
Meriadec Pillet
717ba9d9a4
Handle tags containing "@" character in buildSLSAProvenancePredicate
...
When using some monorepo-related tools (like [changesets](https://github.com/changesets/changesets )),
the produced tags have a special format that includes `@` character.
For example, a `foo` package on a monorepo will produce Git tags looking
like `foo@1.0.0` if using changesets.
When used in combination with `actions/attest-build-provenance`, the
action was not properly re-crafting the tag in `buildSLSAProvenancePredicate` because
it was always splitting the workflow ref by `@` and taking the second
element.
This result in this error on CI:
```
Error: Error: Failed to persist attestation: Invalid Argument - values do not match: refs/tags/foo != refs/tags/foo@1.0.0 - https://docs.github.com/rest/repos/repos#create-an-attestation
````
This PR slightly update the logic there, and rather take "everything
located after the first '@'". This shouldn't introduce any breaking
change, while giving support for custom tags.
I've added the corresponding test case, it passes, however I couldn't
successfully run the full test suite (neither on `main`). Looking
forward for CI outcome.
Thanks in advance for the review 🙏 .
2024-10-30 14:29:42 +01:00
Brian DeHamer
c6c5ef6b8e
bump @sigstore/sign from 2.3.2 to 3.0.0
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-10-14 12:06:26 -07:00
Brian DeHamer
2a07de1333
fix bug with customized oidc issuer
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-09-04 10:24:28 -07:00
Brian DeHamer
fa6cc53297
derive default OIDC issuer from current tenant
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-08-16 12:07:23 -07:00
Brian DeHamer
340a1033a5
support for headers param in attest functions
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-08-15 15:35:32 -07:00
Brian DeHamer
b28406bd1f
fix proxy support for jwks retrieval
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-07-26 15:03:40 -07:00
Brian DeHamer
dddc440d56
config rekor to fetch on conflict
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-06-12 11:57:18 -07:00
Brian DeHamer
73100a7f85
new GHA build provenance
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-06-05 14:54:34 -07:00
Fredrik Skogman
d3d7736bae
Fixed a spelling error
2024-05-20 07:57:44 +02:00
Fredrik Skogman
7d18e7aa0d
PR feedback. Juse more JS idiomatic code
2024-05-20 07:52:36 +02:00
Fredrik Skogman
e60694077d
Read the server url from the environment variable.
...
Instead of having the urls hardcoded, read them from the environment.
I opted to read from the environment variable instead of the github context
because it would be easier to test.
2024-05-16 17:00:35 +02:00
Brian DeHamer
0e8fe8af62
retry request on failure to save attestation
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-04-24 15:07:39 -07:00
Brian DeHamer
2961d73391
remove dep on make-fetch-happen
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-04-23 09:39:17 -07:00
Brian DeHamer
f8d95a85df
generate v0.3 bundles in attest package
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-04-03 12:12:26 -07:00
Brian DeHamer
a0e6af1e53
build provenance stmt from OIDC claims
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-03-22 12:34:42 -07:00
Brian DeHamer
6079dea4c4
add new @actions/attest package
...
Signed-off-by: Brian DeHamer <bdehamer@github.com >
2024-02-26 08:52:20 -08:00