Compare commits
55 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 51465dd530 | |||
| 77f247b2f3 | |||
| d13839fcf4 | |||
| 7e54468896 | |||
| 339447c5d3 | |||
| 43ce96d373 | |||
| 265a5be8bc | |||
| 65ee4d33af | |||
| 717ba9d9a4 | |||
| 7f5921cddd | |||
| 29d342f176 | |||
| 72113fe791 | |||
| 7b4d9763cc | |||
| 26c752f562 | |||
| ac1332a8e2 | |||
| c6c5ef6b8e | |||
| ee93b05ee9 | |||
| 799f8f5f3d | |||
| 201b082ce1 | |||
| 49cbbbcd99 | |||
| 545e0e6b95 | |||
| 6435e050d3 | |||
| c18a7d2f73 | |||
| b33c92d686 | |||
| d14afd7973 | |||
| 884cfe7772 | |||
| 22a72ac3d7 | |||
| 6ca0d9b637 | |||
| 650f7c6aa3 | |||
| 78af634e7e | |||
| 2a8f1c5ddd | |||
| 5a62022195 | |||
| 8551843690 | |||
| d6694e491d | |||
| 7f19a7886a | |||
| 6dd369c0e6 | |||
| 2a07de1333 | |||
| 2e1998fc42 | |||
| b7a914b73b | |||
| 6c4e082c18 | |||
| 1e69bffbba | |||
| d1aa255c7f | |||
| 7298ff3219 | |||
| 571d782946 | |||
| ada9e00cda | |||
| faf9cb2ea2 | |||
| ac3a063583 | |||
| 7cc96bb976 | |||
| fa6cc53297 | |||
| f299e8ba1e | |||
| 1b9927d1c7 | |||
| 279e891118 | |||
| 340a1033a5 | |||
| 50f2977cce | |||
| 48a65377c0 |
@@ -32,7 +32,7 @@ jobs:
|
||||
run: npm run bootstrap
|
||||
|
||||
- name: audit tools (without allow-list)
|
||||
run: npm audit --audit-level=moderate
|
||||
run: npm audit --audit-level=moderate --omit dev
|
||||
|
||||
- name: audit packages
|
||||
run: npm run audit-all
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
name: Publish NPM
|
||||
|
||||
run-name: Publish NPM - ${{ github.event.inputs.package }}
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
@@ -9,7 +11,7 @@ on:
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: macos-latest
|
||||
runs-on: macos-latest-large
|
||||
|
||||
steps:
|
||||
- name: setup repo
|
||||
@@ -46,7 +48,7 @@ jobs:
|
||||
path: packages/${{ github.event.inputs.package }}/*.tgz
|
||||
|
||||
publish:
|
||||
runs-on: macos-latest
|
||||
runs-on: macos-latest-large
|
||||
needs: test
|
||||
environment: npm-publish
|
||||
permissions:
|
||||
|
||||
@@ -16,7 +16,11 @@ jobs:
|
||||
|
||||
strategy:
|
||||
matrix:
|
||||
runs-on: [ubuntu-latest, macos-latest, windows-latest]
|
||||
runs-on: [ubuntu-latest, macos-latest-large, windows-latest]
|
||||
|
||||
# Node 18 is the current default Node version in hosted runners, so users may still use the toolkit with it when running tests (see https://github.com/actions/toolkit/issues/1841)
|
||||
# Node 20 is the currently support Node version for actions - https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runsusing-for-javascript-actions
|
||||
node-version: [18.x, 20.x]
|
||||
fail-fast: false
|
||||
|
||||
runs-on: ${{ matrix.runs-on }}
|
||||
@@ -25,10 +29,10 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 20.x
|
||||
- name: Set up Node ${{ matrix.node-version }}
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
node-version: ${{ matrix.node-version }}
|
||||
|
||||
- name: npm install
|
||||
run: npm install
|
||||
|
||||
@@ -1,5 +1,15 @@
|
||||
# @actions/artifact Releases
|
||||
|
||||
### 2.1.11
|
||||
|
||||
- Fixed a bug with relative symlinks resolution [#1844](https://github.com/actions/toolkit/pull/1844)
|
||||
- Use native `crypto` [#1815](https://github.com/actions/toolkit/pull/1815)
|
||||
|
||||
### 2.1.10
|
||||
|
||||
- Fixed a regression with symlinks not being automatically resolved [#1830](https://github.com/actions/toolkit/pull/1830)
|
||||
- Fixed a regression with chunk timeout [#1786](https://github.com/actions/toolkit/pull/1786)
|
||||
|
||||
### 2.1.9
|
||||
|
||||
- Fixed artifact upload chunk timeout logic [#1774](https://github.com/actions/toolkit/pull/1774)
|
||||
|
||||
@@ -10,6 +10,7 @@ import {FilesNotFoundError} from '../src/internal/shared/errors'
|
||||
import {BlockBlobUploadStreamOptions} from '@azure/storage-blob'
|
||||
import * as fs from 'fs'
|
||||
import * as path from 'path'
|
||||
import unzip from 'unzip-stream'
|
||||
|
||||
const uploadStreamMock = jest.fn()
|
||||
const blockBlobClientMock = jest.fn().mockImplementation(() => ({
|
||||
@@ -27,9 +28,25 @@ jest.mock('@azure/storage-blob', () => ({
|
||||
const fixtures = {
|
||||
uploadDirectory: path.join(__dirname, '_temp', 'plz-upload'),
|
||||
files: [
|
||||
['file1.txt', 'test 1 file content'],
|
||||
['file2.txt', 'test 2 file content'],
|
||||
['file3.txt', 'test 3 file content']
|
||||
{name: 'file1.txt', content: 'test 1 file content'},
|
||||
{name: 'file2.txt', content: 'test 2 file content'},
|
||||
{name: 'file3.txt', content: 'test 3 file content'},
|
||||
{
|
||||
name: 'real.txt',
|
||||
content: 'from a symlink'
|
||||
},
|
||||
{
|
||||
name: 'relative.txt',
|
||||
content: 'from a symlink',
|
||||
symlink: 'real.txt',
|
||||
relative: true
|
||||
},
|
||||
{
|
||||
name: 'absolute.txt',
|
||||
content: 'from a symlink',
|
||||
symlink: 'real.txt',
|
||||
relative: false
|
||||
}
|
||||
],
|
||||
backendIDs: {
|
||||
workflowRunBackendId: '67dbcc20-e851-4452-a7c3-2cc0d2e0ec67',
|
||||
@@ -50,12 +67,30 @@ const fixtures = {
|
||||
|
||||
describe('upload-artifact', () => {
|
||||
beforeAll(() => {
|
||||
if (!fs.existsSync(fixtures.uploadDirectory)) {
|
||||
fs.mkdirSync(fixtures.uploadDirectory, {recursive: true})
|
||||
}
|
||||
fs.mkdirSync(fixtures.uploadDirectory, {
|
||||
recursive: true
|
||||
})
|
||||
|
||||
for (const [file, content] of fixtures.files) {
|
||||
fs.writeFileSync(path.join(fixtures.uploadDirectory, file), content)
|
||||
for (const file of fixtures.files) {
|
||||
if (file.symlink) {
|
||||
let symlinkPath = file.symlink
|
||||
if (!file.relative) {
|
||||
symlinkPath = path.join(fixtures.uploadDirectory, file.symlink)
|
||||
}
|
||||
|
||||
if (!fs.existsSync(path.join(fixtures.uploadDirectory, file.name))) {
|
||||
fs.symlinkSync(
|
||||
symlinkPath,
|
||||
path.join(fixtures.uploadDirectory, file.name),
|
||||
'file'
|
||||
)
|
||||
}
|
||||
} else {
|
||||
fs.writeFileSync(
|
||||
path.join(fixtures.uploadDirectory, file.name),
|
||||
file.content
|
||||
)
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
@@ -71,8 +106,9 @@ describe('upload-artifact', () => {
|
||||
.spyOn(uploadZipSpecification, 'getUploadZipSpecification')
|
||||
.mockReturnValue(
|
||||
fixtures.files.map(file => ({
|
||||
sourcePath: path.join(fixtures.uploadDirectory, file[0]),
|
||||
destinationPath: file[0]
|
||||
sourcePath: path.join(fixtures.uploadDirectory, file.name),
|
||||
destinationPath: file.name,
|
||||
stats: new fs.Stats()
|
||||
}))
|
||||
)
|
||||
jest.spyOn(config, 'getRuntimeToken').mockReturnValue(fixtures.runtimeToken)
|
||||
@@ -185,6 +221,10 @@ describe('upload-artifact', () => {
|
||||
})
|
||||
|
||||
it('should successfully upload an artifact', async () => {
|
||||
jest
|
||||
.spyOn(uploadZipSpecification, 'getUploadZipSpecification')
|
||||
.mockRestore()
|
||||
|
||||
jest
|
||||
.spyOn(ArtifactServiceClientJSON.prototype, 'CreateArtifact')
|
||||
.mockReturnValue(
|
||||
@@ -202,6 +242,12 @@ describe('upload-artifact', () => {
|
||||
})
|
||||
)
|
||||
|
||||
let loadedBytes = 0
|
||||
const uploadedZip = path.join(
|
||||
fixtures.uploadDirectory,
|
||||
'..',
|
||||
'uploaded.zip'
|
||||
)
|
||||
uploadStreamMock.mockImplementation(
|
||||
async (
|
||||
stream: NodeJS.ReadableStream,
|
||||
@@ -209,31 +255,69 @@ describe('upload-artifact', () => {
|
||||
maxConcurrency?: number,
|
||||
options?: BlockBlobUploadStreamOptions
|
||||
) => {
|
||||
const {onProgress, abortSignal} = options || {}
|
||||
const {onProgress} = options || {}
|
||||
|
||||
if (fs.existsSync(uploadedZip)) {
|
||||
fs.unlinkSync(uploadedZip)
|
||||
}
|
||||
const uploadedZipStream = fs.createWriteStream(uploadedZip)
|
||||
|
||||
onProgress?.({loadedBytes: 0})
|
||||
|
||||
return new Promise(resolve => {
|
||||
const timerId = setTimeout(() => {
|
||||
onProgress?.({loadedBytes: 256})
|
||||
resolve({})
|
||||
}, 1_000)
|
||||
abortSignal?.addEventListener('abort', () => {
|
||||
clearTimeout(timerId)
|
||||
return new Promise((resolve, reject) => {
|
||||
stream.on('data', chunk => {
|
||||
loadedBytes += chunk.length
|
||||
uploadedZipStream.write(chunk)
|
||||
onProgress?.({loadedBytes})
|
||||
})
|
||||
stream.on('end', () => {
|
||||
onProgress?.({loadedBytes})
|
||||
uploadedZipStream.end()
|
||||
resolve({})
|
||||
})
|
||||
stream.on('error', err => {
|
||||
reject(err)
|
||||
})
|
||||
})
|
||||
}
|
||||
)
|
||||
|
||||
const {id, size} = await uploadArtifact(
|
||||
fixtures.inputs.artifactName,
|
||||
fixtures.inputs.files,
|
||||
fixtures.inputs.rootDirectory
|
||||
fixtures.files.map(file =>
|
||||
path.join(fixtures.uploadDirectory, file.name)
|
||||
),
|
||||
fixtures.uploadDirectory
|
||||
)
|
||||
|
||||
expect(id).toBe(1)
|
||||
expect(size).toBe(256)
|
||||
expect(size).toBe(loadedBytes)
|
||||
|
||||
const extractedDirectory = path.join(
|
||||
fixtures.uploadDirectory,
|
||||
'..',
|
||||
'extracted'
|
||||
)
|
||||
if (fs.existsSync(extractedDirectory)) {
|
||||
fs.rmdirSync(extractedDirectory, {recursive: true})
|
||||
}
|
||||
|
||||
const extract = new Promise((resolve, reject) => {
|
||||
fs.createReadStream(uploadedZip)
|
||||
.pipe(unzip.Extract({path: extractedDirectory}))
|
||||
.on('close', () => {
|
||||
resolve(true)
|
||||
})
|
||||
.on('error', err => {
|
||||
reject(err)
|
||||
})
|
||||
})
|
||||
|
||||
await expect(extract).resolves.toBe(true)
|
||||
for (const file of fixtures.files) {
|
||||
const filePath = path.join(extractedDirectory, file.name)
|
||||
expect(fs.existsSync(filePath)).toBe(true)
|
||||
expect(fs.readFileSync(filePath, 'utf8')).toBe(file.content)
|
||||
}
|
||||
})
|
||||
|
||||
it('should throw an error uploading blob chunks get delayed', async () => {
|
||||
|
||||
@@ -305,4 +305,22 @@ describe('Search', () => {
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
it('Upload Specification - Includes symlinks', async () => {
|
||||
const targetPath = path.join(root, 'link-dir', 'symlink-me.txt')
|
||||
await fs.mkdir(path.dirname(targetPath), {recursive: true})
|
||||
await fs.writeFile(targetPath, 'symlink file content')
|
||||
|
||||
const uploadPath = path.join(root, 'upload-dir', 'symlink.txt')
|
||||
await fs.mkdir(path.dirname(uploadPath), {recursive: true})
|
||||
await fs.symlink(targetPath, uploadPath, 'file')
|
||||
|
||||
const specifications = getUploadZipSpecification([uploadPath], root)
|
||||
expect(specifications.length).toEqual(1)
|
||||
expect(specifications[0].sourcePath).toEqual(uploadPath)
|
||||
expect(specifications[0].destinationPath).toEqual(
|
||||
path.join('/upload-dir', 'symlink.txt')
|
||||
)
|
||||
expect(specifications[0].stats.isSymbolicLink()).toBe(true)
|
||||
})
|
||||
})
|
||||
|
||||
Generated
+5
-12
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "@actions/artifact",
|
||||
"version": "2.1.9",
|
||||
"version": "2.1.11",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "@actions/artifact",
|
||||
"version": "2.1.9",
|
||||
"version": "2.1.11",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.0",
|
||||
@@ -19,7 +19,6 @@
|
||||
"@octokit/request-error": "^5.0.0",
|
||||
"@protobuf-ts/plugin": "^2.2.3-alpha.1",
|
||||
"archiver": "^7.0.1",
|
||||
"crypto": "^1.0.1",
|
||||
"jwt-decode": "^3.1.2",
|
||||
"twirp-ts": "^2.5.0",
|
||||
"unzip-stream": "^0.3.1"
|
||||
@@ -852,12 +851,6 @@
|
||||
"node": ">= 8"
|
||||
}
|
||||
},
|
||||
"node_modules/crypto": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/crypto/-/crypto-1.0.1.tgz",
|
||||
"integrity": "sha512-VxBKmeNcqQdiUQUW2Tzq0t377b54N2bMtXO/qiLa+6eRRmmC4qT3D4OnTGoT/U6O9aklQ/jTwbOtRMTTY8G0Ig==",
|
||||
"deprecated": "This package is no longer supported. It's now a built-in Node module. If you've depended on crypto, you should switch to the one that's built-in."
|
||||
},
|
||||
"node_modules/delayed-stream": {
|
||||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz",
|
||||
@@ -1315,9 +1308,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/path-to-regexp": {
|
||||
"version": "6.2.1",
|
||||
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.2.1.tgz",
|
||||
"integrity": "sha512-JLyh7xT1kizaEvcaXOQwOc2/Yhw6KZOvPf1S8401UyLk86CU79LN3vl7ztXGm/pZ+YjoyAJ4rxmHwbkBXJX+yw=="
|
||||
"version": "6.3.0",
|
||||
"resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-6.3.0.tgz",
|
||||
"integrity": "sha512-Yhpw4T9C6hPpgPeA28us07OJeqZ5EzQTkbfwuhsUg0c237RomFoETJgmp2sa3F/41gfLE6G5cqcYwznmeEeOlQ=="
|
||||
},
|
||||
"node_modules/prettier": {
|
||||
"version": "2.8.8",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/artifact",
|
||||
"version": "2.1.9",
|
||||
"version": "2.1.11",
|
||||
"preview": true,
|
||||
"description": "Actions artifact lib",
|
||||
"keywords": [
|
||||
@@ -50,7 +50,6 @@
|
||||
"@octokit/request-error": "^5.0.0",
|
||||
"@protobuf-ts/plugin": "^2.2.3-alpha.1",
|
||||
"archiver": "^7.0.1",
|
||||
"crypto": "^1.0.1",
|
||||
"jwt-decode": "^3.1.2",
|
||||
"twirp-ts": "^2.5.0",
|
||||
"unzip-stream": "^0.3.1"
|
||||
|
||||
@@ -13,6 +13,12 @@ export interface UploadZipSpecification {
|
||||
* The destination path in a zip for a file
|
||||
*/
|
||||
destinationPath: string
|
||||
|
||||
/**
|
||||
* Information about the file
|
||||
* https://nodejs.org/api/fs.html#class-fsstats
|
||||
*/
|
||||
stats: fs.Stats
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -75,10 +81,11 @@ export function getUploadZipSpecification(
|
||||
- file3.txt
|
||||
*/
|
||||
for (let file of filesToZip) {
|
||||
if (!fs.existsSync(file)) {
|
||||
const stats = fs.lstatSync(file, {throwIfNoEntry: false})
|
||||
if (!stats) {
|
||||
throw new Error(`File ${file} does not exist`)
|
||||
}
|
||||
if (!fs.statSync(file).isDirectory()) {
|
||||
if (!stats.isDirectory()) {
|
||||
// Normalize and resolve, this allows for either absolute or relative paths to be used
|
||||
file = normalize(file)
|
||||
file = resolve(file)
|
||||
@@ -94,7 +101,8 @@ export function getUploadZipSpecification(
|
||||
|
||||
specification.push({
|
||||
sourcePath: file,
|
||||
destinationPath: uploadPath
|
||||
destinationPath: uploadPath,
|
||||
stats
|
||||
})
|
||||
} else {
|
||||
// Empty directory
|
||||
@@ -103,7 +111,8 @@ export function getUploadZipSpecification(
|
||||
|
||||
specification.push({
|
||||
sourcePath: null,
|
||||
destinationPath: directoryPath
|
||||
destinationPath: directoryPath,
|
||||
stats
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import * as stream from 'stream'
|
||||
import {realpath} from 'fs/promises'
|
||||
import * as archiver from 'archiver'
|
||||
import * as core from '@actions/core'
|
||||
import {UploadZipSpecification} from './upload-zip-specification'
|
||||
@@ -42,8 +43,14 @@ export async function createZipUploadStream(
|
||||
|
||||
for (const file of uploadSpecification) {
|
||||
if (file.sourcePath !== null) {
|
||||
// Add a normal file to the zip
|
||||
zip.file(file.sourcePath, {
|
||||
// Check if symlink and resolve the source path
|
||||
let sourcePath = file.sourcePath
|
||||
if (file.stats.isSymbolicLink()) {
|
||||
sourcePath = await realpath(file.sourcePath)
|
||||
}
|
||||
|
||||
// Add the file to the zip
|
||||
zip.file(sourcePath, {
|
||||
name: file.destinationPath
|
||||
})
|
||||
} else {
|
||||
|
||||
+25
-13
@@ -32,8 +32,7 @@ async function run() {
|
||||
const ghToken = core.getInput('gh-token');
|
||||
|
||||
const attestation = await attest({
|
||||
subjectName: 'my-artifact-name',
|
||||
subjectDigest: { 'sha256': '36ab4667...'},
|
||||
subjects: [{name: 'my-artifact-name', digest: { 'sha256': '36ab4667...'}}],
|
||||
predicateType: 'https://in-toto.io/attestation/release',
|
||||
predicate: { . . . },
|
||||
token: ghToken
|
||||
@@ -49,11 +48,12 @@ The `attest` function supports the following options:
|
||||
|
||||
```typescript
|
||||
export type AttestOptions = {
|
||||
// The name of the subject to be attested.
|
||||
subjectName: string
|
||||
// The digest of the subject to be attested. Should be a map of digest
|
||||
// algorithms to their hex-encoded values.
|
||||
subjectDigest: Record<string, string>
|
||||
// Deprecated. Use 'subjects' instead.
|
||||
subjectName?: string
|
||||
// Deprecated. Use 'subjects' instead.
|
||||
subjectDigest?: Record<string, string>
|
||||
// Collection of subjects to be attested
|
||||
subjects?: Subject[]
|
||||
// URI identifying the content type of the predicate being attested.
|
||||
predicateType: string
|
||||
// Predicate to be attested.
|
||||
@@ -63,9 +63,18 @@ export type AttestOptions = {
|
||||
// Sigstore instance to use for signing. Must be one of "public-good" or
|
||||
// "github".
|
||||
sigstore?: 'public-good' | 'github'
|
||||
// HTTP headers to include in request to attestations API.
|
||||
headers?: {[header: string]: string | number | undefined}
|
||||
// Whether to skip writing the attestation to the GH attestations API.
|
||||
skipWrite?: boolean
|
||||
}
|
||||
|
||||
export type Subject = {
|
||||
// Name of the subject.
|
||||
name: string
|
||||
// Digests of the subject. Should be a map of digest algorithms to their hex-encoded values.
|
||||
digest: Record<string, string>
|
||||
}
|
||||
```
|
||||
|
||||
### `attestProvenance`
|
||||
@@ -103,16 +112,19 @@ The `attestProvenance` function supports the following options:
|
||||
|
||||
```typescript
|
||||
export type AttestProvenanceOptions = {
|
||||
// The name of the subject to be attested.
|
||||
subjectName: string
|
||||
// The digest of the subject to be attested. Should be a map of digest
|
||||
// algorithms to their hex-encoded values.
|
||||
subjectDigest: Record<string, string>
|
||||
// GitHub token for writing attestations.
|
||||
// Deprecated. Use 'subjects' instead.
|
||||
subjectName?: string
|
||||
// Deprecated. Use 'subjects' instead.
|
||||
subjectDigest?: Record<string, string>
|
||||
// Collection of subjects to be attested
|
||||
subjects?: Subject[]
|
||||
// URI identifying the content type of the predicate being attested.
|
||||
token: string
|
||||
// Sigstore instance to use for signing. Must be one of "public-good" or
|
||||
// "github".
|
||||
sigstore?: 'public-good' | 'github'
|
||||
// HTTP headers to include in request to attestations API.
|
||||
headers?: {[header: string]: string | number | undefined}
|
||||
// Whether to skip writing the attestation to the GH attestations API.
|
||||
skipWrite?: boolean
|
||||
// Issuer URL responsible for minting the OIDC token from which the
|
||||
|
||||
+32
-12
@@ -1,31 +1,51 @@
|
||||
# @actions/attest Releases
|
||||
|
||||
### 1.5.0
|
||||
|
||||
- Bump @actions/core from 1.10.1 to 1.11.1 [#1847](https://github.com/actions/toolkit/pull/1847)
|
||||
- Bump @sigstore/bundle from 2.3.2 to 3.0.0 [#1846](https://github.com/actions/toolkit/pull/1846)
|
||||
- Bump @sigstore/sign from 2.3.2 to 3.0.0 [#1846](https://github.com/actions/toolkit/pull/1846)
|
||||
- Support for generating multi-subject attestations [#1864](https://github.com/actions/toolkit/pull/1865)
|
||||
- Fix bug in `buildSLSAProvenancePredicate` related to `workflow_ref` OIDC token claims containing the "@" symbol in the tag name [#1863](https://github.com/actions/toolkit/pull/1863)
|
||||
|
||||
### 1.4.2
|
||||
|
||||
- Fix bug in `buildSLSAProvenancePredicate`/`attestProvenance` when generating provenance statement for enterprise account using customized OIDC issuer value [#1823](https://github.com/actions/toolkit/pull/1823)
|
||||
|
||||
### 1.4.1
|
||||
|
||||
- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805)
|
||||
|
||||
### 1.4.0
|
||||
|
||||
- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
|
||||
- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796)
|
||||
### 1.3.1
|
||||
|
||||
- Fix bug with proxy support when retrieving JWKS for OIDC issuer
|
||||
- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776)
|
||||
|
||||
### 1.3.0
|
||||
|
||||
- Dynamic construction of Sigstore API URLs
|
||||
- Switch to new GH provenance build type
|
||||
- Fetch existing Rekor entry on 409 conflict error
|
||||
- Bump @sigstore/bundle from 2.3.0 to 2.3.2
|
||||
- Bump @sigstore/sign from 2.3.0 to 2.3.2
|
||||
- Dynamic construction of Sigstore API URLs [#1735](https://github.com/actions/toolkit/pull/1735)
|
||||
- Switch to new GH provenance build type [#1745](https://github.com/actions/toolkit/pull/1745)
|
||||
- Fetch existing Rekor entry on 409 conflict error [#1759](https://github.com/actions/toolkit/pull/1759)
|
||||
- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
|
||||
- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
|
||||
|
||||
### 1.2.1
|
||||
|
||||
- Retry request on attestation persistence failure
|
||||
- Retry request on attestation persistence failure [#1725](https://github.com/actions/toolkit/pull/1725)
|
||||
|
||||
### 1.2.0
|
||||
|
||||
- Generate attestations using the v0.3 Sigstore bundle format.
|
||||
- Bump @sigstore/bundle from 2.2.0 to 2.3.0.
|
||||
- Bump @sigstore/sign from 2.2.3 to 2.3.0.
|
||||
- Remove dependency on make-fetch-happen
|
||||
- Generate attestations using the v0.3 Sigstore bundle format [#1701](https://github.com/actions/toolkit/pull/1701)
|
||||
- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
|
||||
- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
|
||||
- Remove dependency on make-fetch-happen [#1714](https://github.com/actions/toolkit/pull/1714)
|
||||
|
||||
### 1.1.0
|
||||
|
||||
- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.
|
||||
- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693](https://github.com/actions/toolkit/pull/1693)
|
||||
|
||||
### 1.0.0
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
// Jest Snapshot v1, https://goo.gl/fbAQLP
|
||||
|
||||
exports[`provenance functions buildSLSAProvenancePredicate returns a provenance hydrated from an OIDC token 1`] = `
|
||||
exports[`provenance functions buildSLSAProvenancePredicate handle tags including "@" character 1`] = `
|
||||
{
|
||||
"params": {
|
||||
"buildDefinition": {
|
||||
@@ -8,8 +8,8 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
|
||||
"externalParameters": {
|
||||
"workflow": {
|
||||
"path": ".github/workflows/main.yml",
|
||||
"ref": "main",
|
||||
"repository": "https://github.com/owner/repo",
|
||||
"ref": "foo@1.0.0",
|
||||
"repository": "https://foo.ghe.com/owner/repo",
|
||||
},
|
||||
},
|
||||
"internalParameters": {
|
||||
@@ -25,16 +25,58 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
|
||||
"digest": {
|
||||
"gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
|
||||
},
|
||||
"uri": "git+https://github.com/owner/repo@refs/heads/main",
|
||||
"uri": "git+https://foo.ghe.com/owner/repo@refs/heads/main",
|
||||
},
|
||||
],
|
||||
},
|
||||
"runDetails": {
|
||||
"builder": {
|
||||
"id": "https://github.com/owner/workflows/.github/workflows/publish.yml@main",
|
||||
"id": "https://foo.ghe.com/owner/workflows/.github/workflows/publish.yml@main",
|
||||
},
|
||||
"metadata": {
|
||||
"invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
|
||||
"invocationId": "https://foo.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
|
||||
},
|
||||
},
|
||||
},
|
||||
"type": "https://slsa.dev/provenance/v1",
|
||||
}
|
||||
`;
|
||||
|
||||
exports[`provenance functions buildSLSAProvenancePredicate returns a provenance hydrated from an OIDC token 1`] = `
|
||||
{
|
||||
"params": {
|
||||
"buildDefinition": {
|
||||
"buildType": "https://actions.github.io/buildtypes/workflow/v1",
|
||||
"externalParameters": {
|
||||
"workflow": {
|
||||
"path": ".github/workflows/main.yml",
|
||||
"ref": "main",
|
||||
"repository": "https://foo.ghe.com/owner/repo",
|
||||
},
|
||||
},
|
||||
"internalParameters": {
|
||||
"github": {
|
||||
"event_name": "push",
|
||||
"repository_id": "repo-id",
|
||||
"repository_owner_id": "owner-id",
|
||||
"runner_environment": "github-hosted",
|
||||
},
|
||||
},
|
||||
"resolvedDependencies": [
|
||||
{
|
||||
"digest": {
|
||||
"gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
|
||||
},
|
||||
"uri": "git+https://foo.ghe.com/owner/repo@refs/heads/main",
|
||||
},
|
||||
],
|
||||
},
|
||||
"runDetails": {
|
||||
"builder": {
|
||||
"id": "https://foo.ghe.com/owner/workflows/.github/workflows/publish.yml@main",
|
||||
},
|
||||
"metadata": {
|
||||
"invocationId": "https://foo.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
import {attest} from '../src/attest'
|
||||
|
||||
describe('attest', () => {
|
||||
describe('when no subject information is provided', () => {
|
||||
it('throws an error', async () => {
|
||||
const options = {
|
||||
predicateType: 'foo',
|
||||
predicate: {bar: 'baz'},
|
||||
token: 'token'
|
||||
}
|
||||
expect(attest(options)).rejects.toThrowError(
|
||||
'Must provide either subjectName and subjectDigest or subjects'
|
||||
)
|
||||
})
|
||||
})
|
||||
})
|
||||
@@ -17,7 +17,7 @@ describe('buildIntotoStatement', () => {
|
||||
}
|
||||
|
||||
it('returns an intoto statement', () => {
|
||||
const statement = buildIntotoStatement(subject, predicate)
|
||||
const statement = buildIntotoStatement([subject], predicate)
|
||||
expect(statement).toMatchSnapshot()
|
||||
})
|
||||
})
|
||||
|
||||
@@ -68,6 +68,55 @@ describe('getIDTokenClaims', () => {
|
||||
})
|
||||
})
|
||||
|
||||
describe('when ID token is valid (w/ enterprise slug)', () => {
|
||||
const claims = {
|
||||
iss: `${issuer}/foo-bar`,
|
||||
aud: audience,
|
||||
ref: 'ref',
|
||||
sha: 'sha',
|
||||
repository: 'repo',
|
||||
event_name: 'push',
|
||||
job_workflow_ref: 'job_workflow_ref',
|
||||
workflow_ref: 'workflow',
|
||||
repository_id: '1',
|
||||
repository_owner_id: '1',
|
||||
runner_environment: 'github-hosted',
|
||||
run_id: '1',
|
||||
run_attempt: '1'
|
||||
}
|
||||
|
||||
beforeEach(async () => {
|
||||
const jwt = await new jose.SignJWT(claims)
|
||||
.setProtectedHeader({alg: 'PS256'})
|
||||
.sign(key.privateKey)
|
||||
|
||||
nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
|
||||
})
|
||||
|
||||
it('returns the ID token claims', async () => {
|
||||
const result = await getIDTokenClaims(issuer)
|
||||
expect(result).toEqual(claims)
|
||||
})
|
||||
})
|
||||
|
||||
describe('when ID token is missing the "iss" claim', () => {
|
||||
const claims = {
|
||||
aud: audience
|
||||
}
|
||||
|
||||
beforeEach(async () => {
|
||||
const jwt = await new jose.SignJWT(claims)
|
||||
.setProtectedHeader({alg: 'PS256'})
|
||||
.sign(key.privateKey)
|
||||
|
||||
nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
|
||||
})
|
||||
|
||||
it('throws an error', async () => {
|
||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing "iss"/i)
|
||||
})
|
||||
})
|
||||
|
||||
describe('when ID token is missing required claims', () => {
|
||||
const claims = {
|
||||
iss: issuer,
|
||||
@@ -99,7 +148,9 @@ describe('getIDTokenClaims', () => {
|
||||
})
|
||||
|
||||
it('throws an error', async () => {
|
||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "iss"/)
|
||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(
|
||||
/unexpected "iss"/i
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'
|
||||
|
||||
describe('provenance functions', () => {
|
||||
const originalEnv = process.env
|
||||
const issuer = 'https://example.com'
|
||||
const issuer = 'https://token.actions.foo.ghe.com'
|
||||
const audience = 'nobody'
|
||||
const jwksPath = '/.well-known/jwks.json'
|
||||
const tokenPath = '/token'
|
||||
@@ -33,15 +33,7 @@ describe('provenance functions', () => {
|
||||
runner_environment: 'github-hosted'
|
||||
}
|
||||
|
||||
beforeEach(async () => {
|
||||
process.env = {
|
||||
...originalEnv,
|
||||
ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
|
||||
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
|
||||
GITHUB_SERVER_URL: 'https://github.com',
|
||||
GITHUB_REPOSITORY: claims.repository
|
||||
}
|
||||
|
||||
const mockIssuer = async (claims: jose.JWTPayload): Promise<void> => {
|
||||
// Generate JWT signing key
|
||||
const key = await jose.generateKeyPair('PS256')
|
||||
|
||||
@@ -60,6 +52,18 @@ describe('provenance functions', () => {
|
||||
|
||||
// Mock OIDC token endpoint for populating the provenance
|
||||
nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
|
||||
}
|
||||
|
||||
beforeEach(async () => {
|
||||
process.env = {
|
||||
...originalEnv,
|
||||
ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
|
||||
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
|
||||
GITHUB_SERVER_URL: 'https://foo.ghe.com',
|
||||
GITHUB_REPOSITORY: claims.repository
|
||||
}
|
||||
|
||||
await mockIssuer(claims)
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
@@ -68,7 +72,17 @@ describe('provenance functions', () => {
|
||||
|
||||
describe('buildSLSAProvenancePredicate', () => {
|
||||
it('returns a provenance hydrated from an OIDC token', async () => {
|
||||
const predicate = await buildSLSAProvenancePredicate(issuer)
|
||||
const predicate = await buildSLSAProvenancePredicate()
|
||||
expect(predicate).toMatchSnapshot()
|
||||
})
|
||||
|
||||
it('handle tags including "@" character', async () => {
|
||||
nock.cleanAll()
|
||||
await mockIssuer({
|
||||
...claims,
|
||||
workflow_ref: 'owner/repo/.github/workflows/main.yml@foo@1.0.0'
|
||||
})
|
||||
const predicate = await buildSLSAProvenancePredicate()
|
||||
expect(predicate).toMatchSnapshot()
|
||||
})
|
||||
})
|
||||
@@ -96,9 +110,9 @@ describe('provenance functions', () => {
|
||||
})
|
||||
|
||||
describe('when using the github Sigstore instance', () => {
|
||||
const {fulcioURL, tsaServerURL} = signingEndpoints('github')
|
||||
|
||||
beforeEach(async () => {
|
||||
const {fulcioURL, tsaServerURL} = signingEndpoints('github')
|
||||
|
||||
// Mock Sigstore
|
||||
await mockFulcio({baseURL: fulcioURL, strict: false})
|
||||
await mockTSA({baseURL: tsaServerURL})
|
||||
@@ -115,11 +129,9 @@ describe('provenance functions', () => {
|
||||
describe('when the sigstore instance is explicitly set', () => {
|
||||
it('attests provenance', async () => {
|
||||
const attestation = await attestProvenance({
|
||||
subjectName,
|
||||
subjectDigest,
|
||||
subjects: [{name: subjectName, digest: subjectDigest}],
|
||||
token: 'token',
|
||||
sigstore: 'github',
|
||||
issuer
|
||||
sigstore: 'github'
|
||||
})
|
||||
|
||||
expect(attestation).toBeDefined()
|
||||
@@ -144,10 +156,8 @@ describe('provenance functions', () => {
|
||||
|
||||
it('attests provenance', async () => {
|
||||
const attestation = await attestProvenance({
|
||||
subjectName,
|
||||
subjectDigest,
|
||||
token: 'token',
|
||||
issuer
|
||||
subjects: [{name: subjectName, digest: subjectDigest}],
|
||||
token: 'token'
|
||||
})
|
||||
|
||||
expect(attestation).toBeDefined()
|
||||
@@ -180,11 +190,9 @@ describe('provenance functions', () => {
|
||||
describe('when the sigstore instance is explicitly set', () => {
|
||||
it('attests provenance', async () => {
|
||||
const attestation = await attestProvenance({
|
||||
subjectName,
|
||||
subjectDigest,
|
||||
subjects: [{name: subjectName, digest: subjectDigest}],
|
||||
token: 'token',
|
||||
sigstore: 'public-good',
|
||||
issuer
|
||||
sigstore: 'public-good'
|
||||
})
|
||||
|
||||
expect(attestation).toBeDefined()
|
||||
@@ -209,10 +217,8 @@ describe('provenance functions', () => {
|
||||
|
||||
it('attests provenance', async () => {
|
||||
const attestation = await attestProvenance({
|
||||
subjectName,
|
||||
subjectDigest,
|
||||
token: 'token',
|
||||
issuer
|
||||
subjects: [{name: subjectName, digest: subjectDigest}],
|
||||
token: 'token'
|
||||
})
|
||||
|
||||
expect(attestation).toBeDefined()
|
||||
@@ -238,8 +244,7 @@ describe('provenance functions', () => {
|
||||
subjectDigest,
|
||||
token: 'token',
|
||||
sigstore: 'public-good',
|
||||
skipWrite: true,
|
||||
issuer
|
||||
skipWrite: true
|
||||
})
|
||||
|
||||
expect(attestation).toBeDefined()
|
||||
|
||||
@@ -5,6 +5,7 @@ describe('writeAttestation', () => {
|
||||
const originalEnv = process.env
|
||||
const attestation = {foo: 'bar '}
|
||||
const token = 'token'
|
||||
const headers = {'X-GitHub-Foo': 'true'}
|
||||
|
||||
const mockAgent = new MockAgent()
|
||||
setGlobalDispatcher(mockAgent)
|
||||
@@ -27,14 +28,16 @@ describe('writeAttestation', () => {
|
||||
.intercept({
|
||||
path: '/repos/foo/bar/attestations',
|
||||
method: 'POST',
|
||||
headers: {authorization: `token ${token}`},
|
||||
headers: {authorization: `token ${token}`, ...headers},
|
||||
body: JSON.stringify({bundle: attestation})
|
||||
})
|
||||
.reply(201, {id: '123'})
|
||||
})
|
||||
|
||||
it('persists the attestation', async () => {
|
||||
await expect(writeAttestation(attestation, token)).resolves.toEqual('123')
|
||||
await expect(
|
||||
writeAttestation(attestation, token, {headers})
|
||||
).resolves.toEqual('123')
|
||||
})
|
||||
})
|
||||
|
||||
|
||||
Generated
+751
-683
File diff suppressed because it is too large
Load Diff
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/attest",
|
||||
"version": "1.3.1",
|
||||
"version": "1.5.0",
|
||||
"description": "Actions attestation lib",
|
||||
"keywords": [
|
||||
"github",
|
||||
@@ -35,19 +35,19 @@
|
||||
"url": "https://github.com/actions/toolkit/issues"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@sigstore/mock": "^0.7.4",
|
||||
"@sigstore/rekor-types": "^2.0.0",
|
||||
"@sigstore/mock": "^0.8.0",
|
||||
"@sigstore/rekor-types": "^3.0.0",
|
||||
"@types/jsonwebtoken": "^9.0.6",
|
||||
"nock": "^13.5.1",
|
||||
"undici": "^5.28.4"
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/core": "^1.11.1",
|
||||
"@actions/github": "^6.0.0",
|
||||
"@actions/http-client": "^2.2.1",
|
||||
"@actions/http-client": "^2.2.3",
|
||||
"@octokit/plugin-retry": "^6.0.1",
|
||||
"@sigstore/bundle": "^2.3.2",
|
||||
"@sigstore/sign": "^2.3.2",
|
||||
"@sigstore/bundle": "^3.0.0",
|
||||
"@sigstore/sign": "^3.0.0",
|
||||
"jose": "^5.2.3"
|
||||
},
|
||||
"overrides": {
|
||||
|
||||
@@ -14,11 +14,16 @@ const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
|
||||
* Options for attesting a subject / predicate.
|
||||
*/
|
||||
export type AttestOptions = {
|
||||
// The name of the subject to be attested.
|
||||
subjectName: string
|
||||
// The digest of the subject to be attested. Should be a map of digest
|
||||
// algorithms to their hex-encoded values.
|
||||
subjectDigest: Record<string, string>
|
||||
/**
|
||||
* @deprecated Use `subjects` instead.
|
||||
**/
|
||||
subjectName?: string
|
||||
/**
|
||||
* @deprecated Use `subjects` instead.
|
||||
**/
|
||||
subjectDigest?: Record<string, string>
|
||||
// Subjects to be attested.
|
||||
subjects?: Subject[]
|
||||
// Content type of the predicate being attested.
|
||||
predicateType: string
|
||||
// Predicate to be attested.
|
||||
@@ -28,6 +33,8 @@ export type AttestOptions = {
|
||||
// Sigstore instance to use for signing. Must be one of "public-good" or
|
||||
// "github".
|
||||
sigstore?: SigstoreInstance
|
||||
// HTTP headers to include in request to attestations API.
|
||||
headers?: {[header: string]: string | number | undefined}
|
||||
// Whether to skip writing the attestation to the GH attestations API.
|
||||
skipWrite?: boolean
|
||||
}
|
||||
@@ -40,15 +47,24 @@ export type AttestOptions = {
|
||||
* @returns A promise that resolves to the attestation.
|
||||
*/
|
||||
export async function attest(options: AttestOptions): Promise<Attestation> {
|
||||
const subject: Subject = {
|
||||
name: options.subjectName,
|
||||
digest: options.subjectDigest
|
||||
let subjects: Subject[]
|
||||
|
||||
if (options.subjects) {
|
||||
subjects = options.subjects
|
||||
} else if (options.subjectName && options.subjectDigest) {
|
||||
subjects = [{name: options.subjectName, digest: options.subjectDigest}]
|
||||
} else {
|
||||
throw new Error(
|
||||
'Must provide either subjectName and subjectDigest or subjects'
|
||||
)
|
||||
}
|
||||
|
||||
const predicate: Predicate = {
|
||||
type: options.predicateType,
|
||||
params: options.predicate
|
||||
}
|
||||
const statement = buildIntotoStatement(subject, predicate)
|
||||
|
||||
const statement = buildIntotoStatement(subjects, predicate)
|
||||
|
||||
// Sign the provenance statement
|
||||
const payload: Payload = {
|
||||
@@ -61,7 +77,11 @@ export async function attest(options: AttestOptions): Promise<Attestation> {
|
||||
// Store the attestation
|
||||
let attestationID: string | undefined
|
||||
if (options.skipWrite !== true) {
|
||||
attestationID = await writeAttestation(bundleToJSON(bundle), options.token)
|
||||
attestationID = await writeAttestation(
|
||||
bundleToJSON(bundle),
|
||||
options.token,
|
||||
{headers: options.headers}
|
||||
)
|
||||
}
|
||||
|
||||
return toAttestation(bundle, attestationID)
|
||||
|
||||
@@ -20,12 +20,12 @@ export type InTotoStatement = {
|
||||
* @returns The constructed in-toto statement.
|
||||
*/
|
||||
export const buildIntotoStatement = (
|
||||
subject: Subject,
|
||||
subjects: Subject[],
|
||||
predicate: Predicate
|
||||
): InTotoStatement => {
|
||||
return {
|
||||
_type: INTOTO_STATEMENT_V1_TYPE,
|
||||
subject: [subject],
|
||||
subject: subjects,
|
||||
predicateType: predicate.type,
|
||||
predicate: predicate.params
|
||||
}
|
||||
|
||||
@@ -4,6 +4,11 @@ import * as jose from 'jose'
|
||||
|
||||
const OIDC_AUDIENCE = 'nobody'
|
||||
|
||||
const VALID_SERVER_URLS = [
|
||||
'https://github.com',
|
||||
new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
|
||||
] as const
|
||||
|
||||
const REQUIRED_CLAIMS = [
|
||||
'iss',
|
||||
'ref',
|
||||
@@ -25,7 +30,8 @@ type OIDCConfig = {
|
||||
jwks_uri: string
|
||||
}
|
||||
|
||||
export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
|
||||
export const getIDTokenClaims = async (issuer?: string): Promise<ClaimSet> => {
|
||||
issuer = issuer || getIssuer()
|
||||
try {
|
||||
const token = await getIDToken(OIDC_AUDIENCE)
|
||||
const claims = await decodeOIDCToken(token, issuer)
|
||||
@@ -43,10 +49,19 @@ const decodeOIDCToken = async (
|
||||
// Verify and decode token
|
||||
const jwks = jose.createLocalJWKSet(await getJWKS(issuer))
|
||||
const {payload} = await jose.jwtVerify(token, jwks, {
|
||||
audience: OIDC_AUDIENCE,
|
||||
issuer
|
||||
audience: OIDC_AUDIENCE
|
||||
})
|
||||
|
||||
if (!payload.iss) {
|
||||
throw new Error('Missing "iss" claim')
|
||||
}
|
||||
|
||||
// Check that the issuer STARTS WITH the expected issuer URL to account for
|
||||
// the fact that the value may include an enterprise-specific slug
|
||||
if (!payload.iss.startsWith(issuer)) {
|
||||
throw new Error(`Unexpected "iss" claim: ${payload.iss}`)
|
||||
}
|
||||
|
||||
return payload
|
||||
}
|
||||
|
||||
@@ -82,3 +97,21 @@ function assertClaimSet(claims: jose.JWTPayload): asserts claims is ClaimSet {
|
||||
throw new Error(`Missing claims: ${missingClaims.join(', ')}`)
|
||||
}
|
||||
}
|
||||
|
||||
// Derive the current OIDC issuer based on the server URL
|
||||
function getIssuer(): string {
|
||||
const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
|
||||
|
||||
// Ensure the server URL is a valid GitHub server URL
|
||||
if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
|
||||
throw new Error(`Invalid server URL: ${serverURL}`)
|
||||
}
|
||||
|
||||
let host = new URL(serverURL).hostname
|
||||
|
||||
if (host === 'github.com') {
|
||||
host = 'githubusercontent.com'
|
||||
}
|
||||
|
||||
return `https://token.actions.${host}`
|
||||
}
|
||||
|
||||
@@ -5,8 +5,6 @@ import type {Attestation, Predicate} from './shared.types'
|
||||
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
|
||||
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
|
||||
|
||||
const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
|
||||
|
||||
export type AttestProvenanceOptions = Omit<
|
||||
AttestOptions,
|
||||
'predicate' | 'predicateType'
|
||||
@@ -24,7 +22,7 @@ export type AttestProvenanceOptions = Omit<
|
||||
* @returns The SLSA provenance predicate.
|
||||
*/
|
||||
export const buildSLSAProvenancePredicate = async (
|
||||
issuer: string = DEFAULT_ISSUER
|
||||
issuer?: string
|
||||
): Promise<Predicate> => {
|
||||
const serverURL = process.env.GITHUB_SERVER_URL
|
||||
const claims = await getIDTokenClaims(issuer)
|
||||
@@ -32,9 +30,11 @@ export const buildSLSAProvenancePredicate = async (
|
||||
// Split just the path and ref from the workflow string.
|
||||
// owner/repo/.github/workflows/main.yml@main =>
|
||||
// .github/workflows/main.yml, main
|
||||
const [workflowPath, workflowRef] = claims.workflow_ref
|
||||
const [workflowPath, ...workflowRefChunks] = claims.workflow_ref
|
||||
.replace(`${claims.repository}/`, '')
|
||||
.split('@')
|
||||
// Handle case where tag contains `@` (e.g: when using changesets in a monorepo context),
|
||||
const workflowRef = workflowRefChunks.join('@')
|
||||
|
||||
return {
|
||||
type: SLSA_PREDICATE_V1_TYPE,
|
||||
|
||||
@@ -86,7 +86,6 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
|
||||
witnesses.push(
|
||||
new RekorWitness({
|
||||
rekorBaseURL: opts.rekorURL,
|
||||
entryType: 'dsse',
|
||||
fetchOnConflict: true,
|
||||
timeout,
|
||||
retry
|
||||
@@ -106,5 +105,5 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
|
||||
|
||||
// Build the bundle with the singleCertificate option which will
|
||||
// trigger the creation of v0.3 DSSE bundles
|
||||
return new DSSEBundleBuilder({signer, witnesses, singleCertificate: true})
|
||||
return new DSSEBundleBuilder({signer, witnesses})
|
||||
}
|
||||
|
||||
@@ -1,11 +1,13 @@
|
||||
import * as github from '@actions/github'
|
||||
import {retry} from '@octokit/plugin-retry'
|
||||
import {RequestHeaders} from '@octokit/types'
|
||||
|
||||
const CREATE_ATTESTATION_REQUEST = 'POST /repos/{owner}/{repo}/attestations'
|
||||
const DEFAULT_RETRY_COUNT = 5
|
||||
|
||||
export type WriteOptions = {
|
||||
retry?: number
|
||||
headers?: RequestHeaders
|
||||
}
|
||||
/**
|
||||
* Writes an attestation to the repository's attestations endpoint.
|
||||
@@ -26,6 +28,7 @@ export const writeAttestation = async (
|
||||
const response = await octokit.request(CREATE_ATTESTATION_REQUEST, {
|
||||
owner: github.context.repo.owner,
|
||||
repo: github.context.repo.repo,
|
||||
headers: options.headers,
|
||||
data: {bundle: attestation}
|
||||
})
|
||||
|
||||
|
||||
Vendored
+5
-1
@@ -1,9 +1,13 @@
|
||||
# @actions/cache Releases
|
||||
|
||||
### 3.3.0
|
||||
- Update `@actions/core` to `1.11.1`
|
||||
- Remove dependency on `uuid` package [#1824](https://github.com/actions/toolkit/pull/1824), [#1842](https://github.com/actions/toolkit/pull/1842)
|
||||
|
||||
### 3.2.4
|
||||
|
||||
- Updated `isGhes` check to include `.ghe.com` and `.ghe.localhost` as accepted hosts
|
||||
|
||||
|
||||
### 3.2.3
|
||||
|
||||
- Fixed a bug that mutated path arguments to `getCacheVersion` [#1378](https://github.com/actions/toolkit/pull/1378)
|
||||
|
||||
+14
-57
@@ -1,15 +1,15 @@
|
||||
{
|
||||
"name": "@actions/cache",
|
||||
"version": "3.2.4",
|
||||
"version": "3.3.0",
|
||||
"lockfileVersion": 2,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "@actions/cache",
|
||||
"version": "3.2.4",
|
||||
"version": "3.3.0",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.0",
|
||||
"@actions/core": "^1.11.1",
|
||||
"@actions/exec": "^1.0.1",
|
||||
"@actions/glob": "^0.1.0",
|
||||
"@actions/http-client": "^2.1.1",
|
||||
@@ -17,30 +17,20 @@
|
||||
"@azure/abort-controller": "^1.1.0",
|
||||
"@azure/ms-rest-js": "^2.6.0",
|
||||
"@azure/storage-blob": "^12.13.0",
|
||||
"semver": "^6.3.1",
|
||||
"uuid": "^3.3.3"
|
||||
"semver": "^6.3.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/semver": "^6.0.0",
|
||||
"@types/uuid": "^3.4.5",
|
||||
"typescript": "^5.2.2"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/core": {
|
||||
"version": "1.10.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
|
||||
"integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
|
||||
"version": "1.11.1",
|
||||
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
|
||||
"integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
|
||||
"dependencies": {
|
||||
"@actions/http-client": "^2.0.1",
|
||||
"uuid": "^8.3.2"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/core/node_modules/uuid": {
|
||||
"version": "8.3.2",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
|
||||
"integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
|
||||
"bin": {
|
||||
"uuid": "dist/bin/uuid"
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/http-client": "^2.0.1"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/exec": {
|
||||
@@ -296,12 +286,6 @@
|
||||
"@types/node": "*"
|
||||
}
|
||||
},
|
||||
"node_modules/@types/uuid": {
|
||||
"version": "3.4.10",
|
||||
"resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-3.4.10.tgz",
|
||||
"integrity": "sha512-BgeaZuElf7DEYZhWYDTc/XcLZXdVgFkVSTa13BqKvbnmUrxr3TJFKofUxCtDO9UQOdhnV+HPOESdHiHKZOJV1A==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/abort-controller": {
|
||||
"version": "3.0.0",
|
||||
"resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz",
|
||||
@@ -486,15 +470,6 @@
|
||||
"node": ">=14.17"
|
||||
}
|
||||
},
|
||||
"node_modules/uuid": {
|
||||
"version": "3.4.0",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
|
||||
"integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==",
|
||||
"deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.",
|
||||
"bin": {
|
||||
"uuid": "bin/uuid"
|
||||
}
|
||||
},
|
||||
"node_modules/webidl-conversions": {
|
||||
"version": "3.0.1",
|
||||
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
|
||||
@@ -532,19 +507,12 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/core": {
|
||||
"version": "1.10.0",
|
||||
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
|
||||
"integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
|
||||
"version": "1.11.1",
|
||||
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
|
||||
"integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
|
||||
"requires": {
|
||||
"@actions/http-client": "^2.0.1",
|
||||
"uuid": "^8.3.2"
|
||||
},
|
||||
"dependencies": {
|
||||
"uuid": {
|
||||
"version": "8.3.2",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
|
||||
"integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
|
||||
}
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/http-client": "^2.0.1"
|
||||
}
|
||||
},
|
||||
"@actions/exec": {
|
||||
@@ -764,12 +732,6 @@
|
||||
"@types/node": "*"
|
||||
}
|
||||
},
|
||||
"@types/uuid": {
|
||||
"version": "3.4.10",
|
||||
"resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-3.4.10.tgz",
|
||||
"integrity": "sha512-BgeaZuElf7DEYZhWYDTc/XcLZXdVgFkVSTa13BqKvbnmUrxr3TJFKofUxCtDO9UQOdhnV+HPOESdHiHKZOJV1A==",
|
||||
"dev": true
|
||||
},
|
||||
"abort-controller": {
|
||||
"version": "3.0.0",
|
||||
"resolved": "https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz",
|
||||
@@ -900,11 +862,6 @@
|
||||
"integrity": "sha512-mI4WrpHsbCIcwT9cF4FZvr80QUeKvsUsUvKDoR+X/7XHQH98xYD8YHZg7ANtz2GtZt/CBq2QJ0thkGJMHfqc1w==",
|
||||
"dev": true
|
||||
},
|
||||
"uuid": {
|
||||
"version": "3.4.0",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
|
||||
"integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A=="
|
||||
},
|
||||
"webidl-conversions": {
|
||||
"version": "3.0.1",
|
||||
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
|
||||
|
||||
Vendored
+3
-5
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/cache",
|
||||
"version": "3.2.4",
|
||||
"version": "3.3.0",
|
||||
"preview": true,
|
||||
"description": "Actions cache lib",
|
||||
"keywords": [
|
||||
@@ -37,7 +37,7 @@
|
||||
"url": "https://github.com/actions/toolkit/issues"
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.0",
|
||||
"@actions/core": "^1.11.1",
|
||||
"@actions/exec": "^1.0.1",
|
||||
"@actions/glob": "^0.1.0",
|
||||
"@actions/http-client": "^2.1.1",
|
||||
@@ -45,12 +45,10 @@
|
||||
"@azure/abort-controller": "^1.1.0",
|
||||
"@azure/ms-rest-js": "^2.6.0",
|
||||
"@azure/storage-blob": "^12.13.0",
|
||||
"semver": "^6.3.1",
|
||||
"uuid": "^3.3.3"
|
||||
"semver": "^6.3.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/semver": "^6.0.0",
|
||||
"@types/uuid": "^3.4.5",
|
||||
"typescript": "^5.2.2"
|
||||
}
|
||||
}
|
||||
|
||||
+2
-2
@@ -2,11 +2,11 @@ import * as core from '@actions/core'
|
||||
import * as exec from '@actions/exec'
|
||||
import * as glob from '@actions/glob'
|
||||
import * as io from '@actions/io'
|
||||
import * as crypto from 'crypto'
|
||||
import * as fs from 'fs'
|
||||
import * as path from 'path'
|
||||
import * as semver from 'semver'
|
||||
import * as util from 'util'
|
||||
import {v4 as uuidV4} from 'uuid'
|
||||
import {
|
||||
CacheFilename,
|
||||
CompressionMethod,
|
||||
@@ -34,7 +34,7 @@ export async function createTempDirectory(): Promise<string> {
|
||||
tempDirectory = path.join(baseLocation, 'actions', 'temp')
|
||||
}
|
||||
|
||||
const dest = path.join(tempDirectory, uuidV4())
|
||||
const dest = path.join(tempDirectory, crypto.randomUUID())
|
||||
await io.mkdirP(dest)
|
||||
return dest
|
||||
}
|
||||
|
||||
@@ -1,5 +1,12 @@
|
||||
# @actions/core Releases
|
||||
|
||||
### 1.11.1
|
||||
- Fix uses of `crypto.randomUUID` on Node 18 and earlier [#1842](https://github.com/actions/toolkit/pull/1842)
|
||||
|
||||
### 1.11.0
|
||||
- Add platform info utilities [#1551](https://github.com/actions/toolkit/pull/1551)
|
||||
- Remove dependency on `uuid` package [#1824](https://github.com/actions/toolkit/pull/1824)
|
||||
|
||||
### 1.10.1
|
||||
- Fix error message reference in oidc utils [#1511](https://github.com/actions/toolkit/pull/1511)
|
||||
|
||||
|
||||
@@ -4,9 +4,6 @@ import * as path from 'path'
|
||||
import * as core from '../src/core'
|
||||
import {HttpClient} from '@actions/http-client'
|
||||
import {toCommandProperties} from '../src/utils'
|
||||
import * as uuid from 'uuid'
|
||||
|
||||
jest.mock('uuid')
|
||||
|
||||
/* eslint-disable @typescript-eslint/unbound-method */
|
||||
|
||||
@@ -49,11 +46,23 @@ const testEnvVars = {
|
||||
const UUID = '9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d'
|
||||
const DELIMITER = `ghadelimiter_${UUID}`
|
||||
|
||||
jest.mock('crypto', () => ({
|
||||
...jest.requireActual('crypto'),
|
||||
randomUUID: jest.fn(() => UUID)
|
||||
}))
|
||||
|
||||
const TEMP_DIR = path.join(__dirname, '_temp')
|
||||
|
||||
describe('@actions/core', () => {
|
||||
beforeAll(() => {
|
||||
const filePath = path.join(__dirname, `test`)
|
||||
const filePath = TEMP_DIR
|
||||
if (!fs.existsSync(filePath)) {
|
||||
fs.mkdirSync(filePath)
|
||||
} else {
|
||||
// Clear out the temp directory
|
||||
for (const file of fs.readdirSync(filePath)) {
|
||||
fs.unlinkSync(path.join(filePath, file))
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
@@ -62,10 +71,6 @@ describe('@actions/core', () => {
|
||||
process.env[key] = testEnvVars[key as keyof typeof testEnvVars]
|
||||
}
|
||||
process.stdout.write = jest.fn()
|
||||
|
||||
jest.spyOn(uuid, 'v4').mockImplementation(() => {
|
||||
return UUID
|
||||
})
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
@@ -141,7 +146,7 @@ describe('@actions/core', () => {
|
||||
`Unexpected input: value should not contain the delimiter "${DELIMITER}"`
|
||||
)
|
||||
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(TEMP_DIR, command)
|
||||
fs.unlinkSync(filePath)
|
||||
})
|
||||
|
||||
@@ -155,7 +160,7 @@ describe('@actions/core', () => {
|
||||
`Unexpected input: name should not contain the delimiter "${DELIMITER}"`
|
||||
)
|
||||
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(TEMP_DIR, command)
|
||||
fs.unlinkSync(filePath)
|
||||
})
|
||||
|
||||
@@ -347,7 +352,7 @@ describe('@actions/core', () => {
|
||||
`Unexpected input: value should not contain the delimiter "${DELIMITER}"`
|
||||
)
|
||||
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(TEMP_DIR, command)
|
||||
fs.unlinkSync(filePath)
|
||||
})
|
||||
|
||||
@@ -361,7 +366,7 @@ describe('@actions/core', () => {
|
||||
`Unexpected input: name should not contain the delimiter "${DELIMITER}"`
|
||||
)
|
||||
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(TEMP_DIR, command)
|
||||
fs.unlinkSync(filePath)
|
||||
})
|
||||
|
||||
@@ -585,7 +590,7 @@ describe('@actions/core', () => {
|
||||
`Unexpected input: value should not contain the delimiter "${DELIMITER}"`
|
||||
)
|
||||
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(TEMP_DIR, command)
|
||||
fs.unlinkSync(filePath)
|
||||
})
|
||||
|
||||
@@ -599,7 +604,7 @@ describe('@actions/core', () => {
|
||||
`Unexpected input: name should not contain the delimiter "${DELIMITER}"`
|
||||
)
|
||||
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(TEMP_DIR, command)
|
||||
fs.unlinkSync(filePath)
|
||||
})
|
||||
|
||||
@@ -641,7 +646,7 @@ function assertWriteCalls(calls: string[]): void {
|
||||
}
|
||||
|
||||
function createFileCommandFile(command: string): void {
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(__dirname, `_temp/${command}`)
|
||||
process.env[`GITHUB_${command}`] = filePath
|
||||
fs.appendFileSync(filePath, '', {
|
||||
encoding: 'utf8'
|
||||
@@ -649,7 +654,7 @@ function createFileCommandFile(command: string): void {
|
||||
}
|
||||
|
||||
function verifyFileCommand(command: string, expectedContents: string): void {
|
||||
const filePath = path.join(__dirname, `test/${command}`)
|
||||
const filePath = path.join(__dirname, `_temp/${command}`)
|
||||
const contents = fs.readFileSync(filePath, 'utf8')
|
||||
try {
|
||||
expect(contents).toEqual(expectedContents)
|
||||
|
||||
Generated
+10
-37
@@ -1,21 +1,19 @@
|
||||
{
|
||||
"name": "@actions/core",
|
||||
"version": "1.10.1",
|
||||
"version": "1.11.1",
|
||||
"lockfileVersion": 2,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "@actions/core",
|
||||
"version": "1.10.1",
|
||||
"version": "1.11.1",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/http-client": "^2.0.1",
|
||||
"uuid": "^8.3.2"
|
||||
"@actions/http-client": "^2.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/node": "^12.0.2",
|
||||
"@types/uuid": "^8.3.4"
|
||||
"@types/node": "^16.18.112"
|
||||
}
|
||||
},
|
||||
"node_modules/@actions/exec": {
|
||||
@@ -40,15 +38,9 @@
|
||||
"integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="
|
||||
},
|
||||
"node_modules/@types/node": {
|
||||
"version": "12.0.2",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-12.0.2.tgz",
|
||||
"integrity": "sha512-5tabW/i+9mhrfEOUcLDu2xBPsHJ+X5Orqy9FKpale3SjDA17j5AEpYq5vfy3oAeAHGcvANRCO3NV3d2D6q3NiA==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@types/uuid": {
|
||||
"version": "8.3.4",
|
||||
"resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-8.3.4.tgz",
|
||||
"integrity": "sha512-c/I8ZRb51j+pYGAu5CrFMRxqZ2ke4y2grEBO5AUjgSkSk+qT2Ea+OdWElz/OiMf5MNpn2b17kuVBwZLQJXzihw==",
|
||||
"version": "16.18.112",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.112.tgz",
|
||||
"integrity": "sha512-EKrbKUGJROm17+dY/gMi31aJlGLJ75e1IkTojt9n6u+hnaTBDs+M1bIdOawpk2m6YUAXq/R2W0SxCng1tndHCg==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/tunnel": {
|
||||
@@ -58,14 +50,6 @@
|
||||
"engines": {
|
||||
"node": ">=0.6.11 <=0.7.0 || >=0.7.3"
|
||||
}
|
||||
},
|
||||
"node_modules/uuid": {
|
||||
"version": "8.3.2",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
|
||||
"integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
|
||||
"bin": {
|
||||
"uuid": "dist/bin/uuid"
|
||||
}
|
||||
}
|
||||
},
|
||||
"dependencies": {
|
||||
@@ -91,26 +75,15 @@
|
||||
"integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="
|
||||
},
|
||||
"@types/node": {
|
||||
"version": "12.0.2",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-12.0.2.tgz",
|
||||
"integrity": "sha512-5tabW/i+9mhrfEOUcLDu2xBPsHJ+X5Orqy9FKpale3SjDA17j5AEpYq5vfy3oAeAHGcvANRCO3NV3d2D6q3NiA==",
|
||||
"dev": true
|
||||
},
|
||||
"@types/uuid": {
|
||||
"version": "8.3.4",
|
||||
"resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-8.3.4.tgz",
|
||||
"integrity": "sha512-c/I8ZRb51j+pYGAu5CrFMRxqZ2ke4y2grEBO5AUjgSkSk+qT2Ea+OdWElz/OiMf5MNpn2b17kuVBwZLQJXzihw==",
|
||||
"version": "16.18.112",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.112.tgz",
|
||||
"integrity": "sha512-EKrbKUGJROm17+dY/gMi31aJlGLJ75e1IkTojt9n6u+hnaTBDs+M1bIdOawpk2m6YUAXq/R2W0SxCng1tndHCg==",
|
||||
"dev": true
|
||||
},
|
||||
"tunnel": {
|
||||
"version": "0.0.6",
|
||||
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
|
||||
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
|
||||
},
|
||||
"uuid": {
|
||||
"version": "8.3.2",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
|
||||
"integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/core",
|
||||
"version": "1.10.1",
|
||||
"version": "1.11.1",
|
||||
"description": "Actions core lib",
|
||||
"keywords": [
|
||||
"github",
|
||||
@@ -37,11 +37,9 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/exec": "^1.1.1",
|
||||
"@actions/http-client": "^2.0.1",
|
||||
"uuid": "^8.3.2"
|
||||
"@actions/http-client": "^2.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/node": "^12.0.2",
|
||||
"@types/uuid": "^8.3.4"
|
||||
"@types/node": "^16.18.112"
|
||||
}
|
||||
}
|
||||
@@ -3,9 +3,9 @@
|
||||
// We use any as a valid input type
|
||||
/* eslint-disable @typescript-eslint/no-explicit-any */
|
||||
|
||||
import * as crypto from 'crypto'
|
||||
import * as fs from 'fs'
|
||||
import * as os from 'os'
|
||||
import {v4 as uuidv4} from 'uuid'
|
||||
import {toCommandValue} from './utils'
|
||||
|
||||
export function issueFileCommand(command: string, message: any): void {
|
||||
@@ -25,7 +25,7 @@ export function issueFileCommand(command: string, message: any): void {
|
||||
}
|
||||
|
||||
export function prepareKeyValueMessage(key: string, value: any): string {
|
||||
const delimiter = `ghadelimiter_${uuidv4()}`
|
||||
const delimiter = `ghadelimiter_${crypto.randomUUID()}`
|
||||
const convertedValue = toCommandValue(value)
|
||||
|
||||
// These should realistically never happen, but just in case someone finds a
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
# @actions/glob Releases
|
||||
|
||||
### 0.5.0
|
||||
- Added `excludeHiddenFiles` option, which is disabled by default to preserve existing behavior [#1791: Add glob option to ignore hidden files](https://github.com/actions/toolkit/pull/1791)
|
||||
|
||||
### 0.4.0
|
||||
- Pass in the current workspace as a parameter to HashFiles [#1318](https://github.com/actions/toolkit/pull/1318)
|
||||
|
||||
|
||||
@@ -708,7 +708,7 @@ describe('globber', () => {
|
||||
expect(itemPaths).toEqual([])
|
||||
})
|
||||
|
||||
it('returns hidden files', async () => {
|
||||
it('returns hidden files by default', async () => {
|
||||
// Create the following layout:
|
||||
// <root>
|
||||
// <root>/.emptyFolder
|
||||
@@ -734,6 +734,26 @@ describe('globber', () => {
|
||||
])
|
||||
})
|
||||
|
||||
it('ignores hidden files when excludeHiddenFiles is set', async () => {
|
||||
// Create the following layout:
|
||||
// <root>
|
||||
// <root>/.emptyFolder
|
||||
// <root>/.file
|
||||
// <root>/.folder
|
||||
// <root>/.folder/file
|
||||
const root = path.join(getTestTemp(), 'ignores-hidden-files')
|
||||
await createHiddenDirectory(path.join(root, '.emptyFolder'))
|
||||
await createHiddenDirectory(path.join(root, '.folder'))
|
||||
await createHiddenFile(path.join(root, '.file'), 'test .file content')
|
||||
await fs.writeFile(
|
||||
path.join(root, '.folder', 'file'),
|
||||
'test .folder/file content'
|
||||
)
|
||||
|
||||
const itemPaths = await glob(root, {excludeHiddenFiles: true})
|
||||
expect(itemPaths).toEqual([root])
|
||||
})
|
||||
|
||||
it('returns normalized paths', async () => {
|
||||
// Create the following layout:
|
||||
// <root>/hello/world.txt
|
||||
|
||||
Generated
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/glob",
|
||||
"version": "0.4.0",
|
||||
"version": "0.5.0",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"description": "Actions glob lib",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/glob",
|
||||
"version": "0.4.0",
|
||||
"version": "0.5.0",
|
||||
"preview": true,
|
||||
"description": "Actions glob lib",
|
||||
"keywords": [
|
||||
|
||||
@@ -9,7 +9,8 @@ export function getOptions(copy?: GlobOptions): GlobOptions {
|
||||
followSymbolicLinks: true,
|
||||
implicitDescendants: true,
|
||||
matchDirectories: true,
|
||||
omitBrokenSymbolicLinks: true
|
||||
omitBrokenSymbolicLinks: true,
|
||||
excludeHiddenFiles: false
|
||||
}
|
||||
|
||||
if (copy) {
|
||||
@@ -32,6 +33,11 @@ export function getOptions(copy?: GlobOptions): GlobOptions {
|
||||
result.omitBrokenSymbolicLinks = copy.omitBrokenSymbolicLinks
|
||||
core.debug(`omitBrokenSymbolicLinks '${result.omitBrokenSymbolicLinks}'`)
|
||||
}
|
||||
|
||||
if (typeof copy.excludeHiddenFiles === 'boolean') {
|
||||
result.excludeHiddenFiles = copy.excludeHiddenFiles
|
||||
core.debug(`excludeHiddenFiles '${result.excludeHiddenFiles}'`)
|
||||
}
|
||||
}
|
||||
|
||||
return result
|
||||
|
||||
@@ -36,4 +36,13 @@ export interface GlobOptions {
|
||||
* @default true
|
||||
*/
|
||||
omitBrokenSymbolicLinks?: boolean
|
||||
|
||||
/**
|
||||
* Indicates whether to exclude hidden files (files and directories starting with a `.`).
|
||||
* This does not apply to Windows files and directories with the hidden attribute unless
|
||||
* they are also prefixed with a `.`.
|
||||
*
|
||||
* @default false
|
||||
*/
|
||||
excludeHiddenFiles?: boolean
|
||||
}
|
||||
|
||||
@@ -128,6 +128,11 @@ export class DefaultGlobber implements Globber {
|
||||
continue
|
||||
}
|
||||
|
||||
// Hidden file or directory?
|
||||
if (options.excludeHiddenFiles && path.basename(item.path).match(/^\./)) {
|
||||
continue
|
||||
}
|
||||
|
||||
// Directory
|
||||
if (stats.isDirectory()) {
|
||||
// Matched
|
||||
|
||||
@@ -1,5 +1,14 @@
|
||||
## Releases
|
||||
|
||||
## 2.2.3
|
||||
- Fixed an issue where proxy username and password were not handled correctly [#1799](https://github.com/actions/toolkit/pull/1799)
|
||||
|
||||
## 2.2.2
|
||||
- Better handling of url encoded usernames and passwords in proxy config [#1782](https://github.com/actions/toolkit/pull/1782)
|
||||
|
||||
## 2.2.1
|
||||
- Make sure RequestOptions.keepAlive is applied properly on node20 runtime [#1572](https://github.com/actions/toolkit/pull/1572)
|
||||
|
||||
## 2.2.0
|
||||
- Add function to return proxy agent dispatcher for compatibility with latest octokit packages [#1547](https://github.com/actions/toolkit/pull/1547)
|
||||
|
||||
|
||||
@@ -307,6 +307,18 @@ describe('proxy', () => {
|
||||
console.log(agent)
|
||||
expect(agent instanceof ProxyAgent).toBe(true)
|
||||
})
|
||||
|
||||
it('proxyAuth is set in tunnel agent when authentication is provided with URIencoding', async () => {
|
||||
process.env['https_proxy'] =
|
||||
'http://user%40github.com:p%40ssword@127.0.0.1:8080'
|
||||
const httpClient = new httpm.HttpClient()
|
||||
const agent: any = httpClient.getAgent('https://some-url')
|
||||
// eslint-disable-next-line no-console
|
||||
console.log(agent)
|
||||
expect(agent.proxyOptions.host).toBe('127.0.0.1')
|
||||
expect(agent.proxyOptions.port).toBe('8080')
|
||||
expect(agent.proxyOptions.proxyAuth).toBe('user@github.com:p@ssword')
|
||||
})
|
||||
})
|
||||
|
||||
function _clearVars(): void {
|
||||
|
||||
Generated
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/http-client",
|
||||
"version": "2.2.1",
|
||||
"version": "2.2.3",
|
||||
"lockfileVersion": 2,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@actions/http-client",
|
||||
"version": "2.2.1",
|
||||
"version": "2.2.3",
|
||||
"description": "Actions Http Client",
|
||||
"keywords": [
|
||||
"github",
|
||||
|
||||
@@ -726,7 +726,9 @@ export class HttpClient {
|
||||
uri: proxyUrl.href,
|
||||
pipelining: !this._keepAlive ? 0 : 1,
|
||||
...((proxyUrl.username || proxyUrl.password) && {
|
||||
token: `${proxyUrl.username}:${proxyUrl.password}`
|
||||
token: `Basic ${Buffer.from(
|
||||
`${proxyUrl.username}:${proxyUrl.password}`
|
||||
).toString('base64')}`
|
||||
})
|
||||
})
|
||||
this._proxyAgentDispatcher = proxyAgent
|
||||
|
||||
@@ -15,10 +15,10 @@ export function getProxyUrl(reqUrl: URL): URL | undefined {
|
||||
|
||||
if (proxyVar) {
|
||||
try {
|
||||
return new URL(proxyVar)
|
||||
return new DecodedURL(proxyVar)
|
||||
} catch {
|
||||
if (!proxyVar.startsWith('http://') && !proxyVar.startsWith('https://'))
|
||||
return new URL(`http://${proxyVar}`)
|
||||
return new DecodedURL(`http://${proxyVar}`)
|
||||
}
|
||||
} else {
|
||||
return undefined
|
||||
@@ -87,3 +87,22 @@ function isLoopbackAddress(host: string): boolean {
|
||||
hostLower.startsWith('[0:0:0:0:0:0:0:1]')
|
||||
)
|
||||
}
|
||||
|
||||
class DecodedURL extends URL {
|
||||
private _decodedUsername: string
|
||||
private _decodedPassword: string
|
||||
|
||||
constructor(url: string | URL, base?: string | URL) {
|
||||
super(url, base)
|
||||
this._decodedUsername = decodeURIComponent(super.username)
|
||||
this._decodedPassword = decodeURIComponent(super.password)
|
||||
}
|
||||
|
||||
get username(): string {
|
||||
return this._decodedUsername
|
||||
}
|
||||
|
||||
get password(): string {
|
||||
return this._decodedPassword
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
# @actions/tool-cache Releases
|
||||
|
||||
### Unreleased
|
||||
- Remove dependency on `uuid` package [#1824](https://github.com/actions/toolkit/pull/1824), [#1842](https://github.com/actions/toolkit/pull/1842)
|
||||
|
||||
### 2.0.1
|
||||
- Update to v2.0.1 of `@actions/http-client` [#1087](https://github.com/actions/toolkit/pull/1087)
|
||||
|
||||
|
||||
Generated
+1
-47
@@ -13,13 +13,11 @@
|
||||
"@actions/exec": "^1.0.0",
|
||||
"@actions/http-client": "^2.0.1",
|
||||
"@actions/io": "^1.1.1",
|
||||
"semver": "^6.1.0",
|
||||
"uuid": "^3.3.2"
|
||||
"semver": "^6.1.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/nock": "^11.1.0",
|
||||
"@types/semver": "^6.0.0",
|
||||
"@types/uuid": "^3.4.4",
|
||||
"nock": "^13.2.9"
|
||||
}
|
||||
},
|
||||
@@ -71,27 +69,12 @@
|
||||
"nock": "*"
|
||||
}
|
||||
},
|
||||
"node_modules/@types/node": {
|
||||
"version": "12.7.0",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-12.7.0.tgz",
|
||||
"integrity": "sha512-vqcj1MVm2Sla4PpMfYKh1MyDN4D2f/mPIZD7RdAGqEsbE+JxfeqQHHVbRDQ0Nqn8i73gJa1HQ1Pu3+nH4Q0Yiw==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@types/semver": {
|
||||
"version": "6.0.1",
|
||||
"resolved": "https://registry.npmjs.org/@types/semver/-/semver-6.0.1.tgz",
|
||||
"integrity": "sha512-ffCdcrEE5h8DqVxinQjo+2d1q+FV5z7iNtPofw3JsrltSoSVlOGaW0rY8XxtO9XukdTn8TaCGWmk2VFGhI70mg==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@types/uuid": {
|
||||
"version": "3.4.5",
|
||||
"resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-3.4.5.tgz",
|
||||
"integrity": "sha512-MNL15wC3EKyw1VLF+RoVO4hJJdk9t/Hlv3rt1OL65Qvuadm4BYo6g9ZJQqoq7X8NBFSsQXgAujWciovh2lpVjA==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@types/node": "*"
|
||||
}
|
||||
},
|
||||
"node_modules/debug": {
|
||||
"version": "4.3.4",
|
||||
"resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
|
||||
@@ -166,15 +149,6 @@
|
||||
"engines": {
|
||||
"node": ">=0.6.11 <=0.7.0 || >=0.7.3"
|
||||
}
|
||||
},
|
||||
"node_modules/uuid": {
|
||||
"version": "3.3.2",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.3.2.tgz",
|
||||
"integrity": "sha512-yXJmeNaw3DnnKAOKJE51sL/ZaYfWJRl1pK9dr19YFCu0ObS231AB1/LbqTKRAQ5kw8A90rA6fr4riOUpTZvQZA==",
|
||||
"deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.",
|
||||
"bin": {
|
||||
"uuid": "bin/uuid"
|
||||
}
|
||||
}
|
||||
},
|
||||
"dependencies": {
|
||||
@@ -224,27 +198,12 @@
|
||||
"nock": "*"
|
||||
}
|
||||
},
|
||||
"@types/node": {
|
||||
"version": "12.7.0",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-12.7.0.tgz",
|
||||
"integrity": "sha512-vqcj1MVm2Sla4PpMfYKh1MyDN4D2f/mPIZD7RdAGqEsbE+JxfeqQHHVbRDQ0Nqn8i73gJa1HQ1Pu3+nH4Q0Yiw==",
|
||||
"dev": true
|
||||
},
|
||||
"@types/semver": {
|
||||
"version": "6.0.1",
|
||||
"resolved": "https://registry.npmjs.org/@types/semver/-/semver-6.0.1.tgz",
|
||||
"integrity": "sha512-ffCdcrEE5h8DqVxinQjo+2d1q+FV5z7iNtPofw3JsrltSoSVlOGaW0rY8XxtO9XukdTn8TaCGWmk2VFGhI70mg==",
|
||||
"dev": true
|
||||
},
|
||||
"@types/uuid": {
|
||||
"version": "3.4.5",
|
||||
"resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-3.4.5.tgz",
|
||||
"integrity": "sha512-MNL15wC3EKyw1VLF+RoVO4hJJdk9t/Hlv3rt1OL65Qvuadm4BYo6g9ZJQqoq7X8NBFSsQXgAujWciovh2lpVjA==",
|
||||
"dev": true,
|
||||
"requires": {
|
||||
"@types/node": "*"
|
||||
}
|
||||
},
|
||||
"debug": {
|
||||
"version": "4.3.4",
|
||||
"resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
|
||||
@@ -299,11 +258,6 @@
|
||||
"version": "0.0.6",
|
||||
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
|
||||
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
|
||||
},
|
||||
"uuid": {
|
||||
"version": "3.3.2",
|
||||
"resolved": "https://registry.npmjs.org/uuid/-/uuid-3.3.2.tgz",
|
||||
"integrity": "sha512-yXJmeNaw3DnnKAOKJE51sL/ZaYfWJRl1pK9dr19YFCu0ObS231AB1/LbqTKRAQ5kw8A90rA6fr4riOUpTZvQZA=="
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -40,13 +40,11 @@
|
||||
"@actions/exec": "^1.0.0",
|
||||
"@actions/http-client": "^2.0.1",
|
||||
"@actions/io": "^1.1.1",
|
||||
"semver": "^6.1.0",
|
||||
"uuid": "^3.3.2"
|
||||
"semver": "^6.1.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/nock": "^11.1.0",
|
||||
"@types/semver": "^6.0.0",
|
||||
"@types/uuid": "^3.4.4",
|
||||
"nock": "^13.2.9"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import * as core from '@actions/core'
|
||||
import * as io from '@actions/io'
|
||||
import * as crypto from 'crypto'
|
||||
import * as fs from 'fs'
|
||||
import * as mm from './manifest'
|
||||
import * as os from 'os'
|
||||
@@ -10,7 +11,6 @@ import * as stream from 'stream'
|
||||
import * as util from 'util'
|
||||
import {ok} from 'assert'
|
||||
import {OutgoingHttpHeaders} from 'http'
|
||||
import uuidV4 from 'uuid/v4'
|
||||
import {exec} from '@actions/exec/lib/exec'
|
||||
import {ExecOptions} from '@actions/exec/lib/interfaces'
|
||||
import {RetryHelper} from './retry-helper'
|
||||
@@ -41,7 +41,7 @@ export async function downloadTool(
|
||||
auth?: string,
|
||||
headers?: OutgoingHttpHeaders
|
||||
): Promise<string> {
|
||||
dest = dest || path.join(_getTempDirectory(), uuidV4())
|
||||
dest = dest || path.join(_getTempDirectory(), crypto.randomUUID())
|
||||
await io.mkdirP(path.dirname(dest))
|
||||
core.debug(`Downloading ${url}`)
|
||||
core.debug(`Destination ${dest}`)
|
||||
@@ -651,7 +651,7 @@ export async function findFromManifest(
|
||||
async function _createExtractFolder(dest?: string): Promise<string> {
|
||||
if (!dest) {
|
||||
// create a temp dir
|
||||
dest = path.join(_getTempDirectory(), uuidV4())
|
||||
dest = path.join(_getTempDirectory(), crypto.randomUUID())
|
||||
}
|
||||
await io.mkdirP(dest)
|
||||
return dest
|
||||
|
||||
Reference in New Issue
Block a user