Merge branch 'actions:main' into main

2024-08-23 18:21:11 -07:00 · 2024-08-23 18:21:11 -07:00 · 409ad328b6
parent a5b91a9c3c 6c4e082c18
commit 409ad328b6
8 changed files with 38 additions and 29 deletions
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@ -32,7 +32,7 @@ jobs:
      run: npm run bootstrap

    - name: audit tools (without allow-list)
-      run: npm audit --audit-level=moderate
+      run: npm audit --audit-level=moderate --omit dev

    - name: audit packages
      run: npm run audit-all
--- a/packages/attest/RELEASES.md
+++ b/packages/attest/RELEASES.md
@ -1,36 +1,40 @@
 # @actions/attest Releases

+### 1.4.1
+
+- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805)
+
 ### 1.4.0

- Add new `headers` parameter to the `attest` and `attestProvenance` functions.
- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context.
+- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
+- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796)

 ### 1.3.1

- Fix bug with proxy support when retrieving JWKS for OIDC issuer
+- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776)

 ### 1.3.0

- Dynamic construction of Sigstore API URLs
- Switch to new GH provenance build type
- Fetch existing Rekor entry on 409 conflict error
- Bump @sigstore/bundle from 2.3.0 to 2.3.2
- Bump @sigstore/sign from 2.3.0 to 2.3.2
+- Dynamic construction of Sigstore API URLs [#1735](https://github.com/actions/toolkit/pull/1735)
+- Switch to new GH provenance build type [#1745](https://github.com/actions/toolkit/pull/1745)
+- Fetch existing Rekor entry on 409 conflict error [#1759](https://github.com/actions/toolkit/pull/1759)
+- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
+- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)

 ### 1.2.1

- Retry request on attestation persistence failure
+- Retry request on attestation persistence failure [#1725](https://github.com/actions/toolkit/pull/1725)

 ### 1.2.0

- Generate attestations using the v0.3 Sigstore bundle format.
- Bump @sigstore/bundle from 2.2.0 to 2.3.0.
- Bump @sigstore/sign from 2.2.3 to 2.3.0.
- Remove dependency on make-fetch-happen
+- Generate attestations using the v0.3 Sigstore bundle format [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Remove dependency on make-fetch-happen [#1714](https://github.com/actions/toolkit/pull/1714)

 ### 1.1.0

- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.
+- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693](https://github.com/actions/toolkit/pull/1693)

 ### 1.0.0

--- a/packages/attest/package-lock.json
+++ b/packages/attest/package-lock.json
@ -1,17 +1,17 @@
 {
  "name": "@actions/attest",
-  "version": "1.4.0",
+  "version": "1.4.1",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "@actions/attest",
-      "version": "1.4.0",
+      "version": "1.4.1",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "^1.10.1",
        "@actions/github": "^6.0.0",
-        "@actions/http-client": "^2.2.1",
+        "@actions/http-client": "^2.2.3",
        "@octokit/plugin-retry": "^6.0.1",
        "@sigstore/bundle": "^2.3.2",
        "@sigstore/sign": "^2.3.2",
@ -46,9 +46,9 @@
      }
    },
    "node_modules/@actions/http-client": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz",
-      "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
+      "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
      "dependencies": {
        "tunnel": "^0.0.6",
        "undici": "^5.25.4"
@ -1767,9 +1767,9 @@
      }
    },
    "@actions/http-client": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz",
-      "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
+      "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
      "requires": {
        "tunnel": "^0.0.6",
        "undici": "^5.25.4"
--- a/packages/attest/package.json
+++ b/packages/attest/package.json
@ -1,6 +1,6 @@
 {
  "name": "@actions/attest",
-  "version": "1.4.0",
+  "version": "1.4.1",
  "description": "Actions attestation lib",
  "keywords": [
    "github",
@ -44,7 +44,7 @@
  "dependencies": {
    "@actions/core": "^1.10.1",
    "@actions/github": "^6.0.0",
-    "@actions/http-client": "^2.2.1",
+    "@actions/http-client": "^2.2.3",
    "@octokit/plugin-retry": "^6.0.1",
    "@sigstore/bundle": "^2.3.2",
    "@sigstore/sign": "^2.3.2",
--- a/packages/http-client/RELEASES.md
+++ b/packages/http-client/RELEASES.md
@ -1,5 +1,8 @@
 ## Releases

+## 2.2.3
+- Fixed an issue where proxy username and password were not handled correctly [#1799](https://github.com/actions/toolkit/pull/1799)
+
 ## 2.2.2
 - Better handling of url encoded usernames and passwords in proxy config [#1782](https://github.com/actions/toolkit/pull/1782)

--- a/packages/http-client/package-lock.json
+++ b/packages/http-client/package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "@actions/http-client",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
--- a/packages/http-client/package.json
+++ b/packages/http-client/package.json
@ -1,6 +1,6 @@
 {
  "name": "@actions/http-client",
-  "version": "2.2.2",
+  "version": "2.2.3",
  "description": "Actions Http Client",
  "keywords": [
    "github",
--- a/packages/http-client/src/index.ts
+++ b/packages/http-client/src/index.ts
@ -726,7 +726,9 @@ export class HttpClient {
      uri: proxyUrl.href,
      pipelining: !this._keepAlive ? 0 : 1,
      ...((proxyUrl.username || proxyUrl.password) && {
-        token: `${proxyUrl.username}:${proxyUrl.password}`
+        token: `Basic ${Buffer.from(
+          `${proxyUrl.username}:${proxyUrl.password}`
+        ).toString('base64')}`
      })
    })
    this._proxyAgentDispatcher = proxyAgent