From ac3a0635834fe9b4f822995c8a8faef33c5f338f Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Fri, 16 Aug 2024 12:38:04 -0700
Subject: [PATCH 1/4] improve release notes for @actions/attest
Signed-off-by: Brian DeHamer
---
 packages/attest/RELEASES.md | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/packages/attest/RELEASES.md b/packages/attest/RELEASES.md
index 9b68907f..981bda9d 100644
--- a/packages/attest/RELEASES.md
+++ b/packages/attest/RELEASES.md
@@ -2,35 +2,35 @@
 ### 1.4.0
-- Add new `headers` parameter to the `attest` and `attestProvenance` functions.
-- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context.
+- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
+- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796)
 ### 1.3.1
-- Fix bug with proxy support when retrieving JWKS for OIDC issuer
+- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776)
 ### 1.3.0
-- Dynamic construction of Sigstore API URLs
-- Switch to new GH provenance build type
-- Fetch existing Rekor entry on 409 conflict error
-- Bump @sigstore/bundle from 2.3.0 to 2.3.2
-- Bump @sigstore/sign from 2.3.0 to 2.3.2
+- Dynamic construction of Sigstore API URLs [#1735](https://github.com/actions/toolkit/pull/1735)
+- Switch to new GH provenance build type [#1745](https://github.com/actions/toolkit/pull/1745)
+- Fetch existing Rekor entry on 409 conflict error [#1759](https://github.com/actions/toolkit/pull/1759)
+- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
+- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
 ### 1.2.1
-- Retry request on attestation persistence failure
+- Retry request on attestation persistence failure [#1725](https://github.com/actions/toolkit/pull/1725)
 ### 1.2.0
-- Generate attestations using the v0.3 Sigstore bundle format.
-- Bump @sigstore/bundle from 2.2.0 to 2.3.0.
-- Bump @sigstore/sign from 2.2.3 to 2.3.0.
-- Remove dependency on make-fetch-happen
+- Generate attestations using the v0.3 Sigstore bundle format [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Remove dependency on make-fetch-happen [#1714](https://github.com/actions/toolkit/pull/1714)
 ### 1.1.0
-- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.
+- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693](https://github.com/actions/toolkit/pull/1693)
 ### 1.0.0
From ada9e00cdaa133d77c9e983d1cac615ddfbf3cf0 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Fri, 16 Aug 2024 15:03:40 -0700
Subject: [PATCH 2/4] fix encoding for proxy auth token
Signed-off-by: Brian DeHamer
---
 packages/http-client/src/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/http-client/src/index.ts b/packages/http-client/src/index.ts
index 6f575f7d..6ee9ae43 100644
--- a/packages/http-client/src/index.ts
+++ b/packages/http-client/src/index.ts
@@ -726,7 +726,9 @@ export class HttpClient {
       uri: proxyUrl.href,
       pipelining: !this._keepAlive ? 0 : 1,
       ...((proxyUrl.username || proxyUrl.password) && {
-        token: `${proxyUrl.username}:${proxyUrl.password}`
+        token: `Basic ${Buffer.from(
+          `${proxyUrl.username}:${proxyUrl.password}`
+        ).toString('base64')}`
       })
     })
     this._proxyAgentDispatcher = proxyAgent
From d1aa255c7fc5c25f2faebbb54d35bd98d9894150 Mon Sep 17 00:00:00 2001
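Review bot: The `username` and `password` getters of a WHATWG `URL` return their percent-encoded form, so the Basic credential assembled on the added `token:` lines is built from encoded text unless `proxyUrl` was decoded before reaching this point; a proxy password containing `@`, `:` or `%` would then be base64-encoded as `%40`, `%3A` or `%25` and rejected by the proxy. The 2.2.2 release note elsewhere in this series mentions handling of url-encoded proxy credentials, so this may already be covered outside the hunk — if it is not, wrap both values, `decodeURIComponent(proxyUrl.username)` and `decodeURIComponent(proxyUrl.password)`, before joining them. A comment would also make the new `Basic ` prefix self-explanatory, since nothing on the option name says the value is sent as-is: `// token is forwarded verbatim as the Proxy-Authorization value, so it must carry the auth scheme` (presumed from undici's ProxyAgent contract; confirm against the dispatcher in use). The enclosing method starts and ends outside the hunk.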
From: Thomas Boop <52323235+thboop@users.noreply.github.com>
Date: Thu, 22 Aug 2024 10:13:36 -0400
Subject: [PATCH 3/4] HTTP Client 2.2.3 Release (#1804)

* http-client 2.2.3
* fix audit
* Revert "fix audit" 724956ffa7d2369e0fcc7e0a4f0ae7f6fb2ff034
* update versions
* Revert "update versions" 139b3391a00f8d8a03a2bc782f40e7cefbe9354c
* exclude dev dependencies while we work on removing lerna
---
 .github/workflows/audit.yml            | 2 +-
 packages/http-client/RELEASES.md       | 3 +++
 packages/http-client/package-lock.json | 2 +-
 packages/http-client/package.json      | 2 +-
 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index a8f5be4a..6633406b 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -32,7 +32,7 @@ jobs:
         run: npm run bootstrap
       - name: audit tools (without allow-list)
-        run: npm audit --audit-level=moderate
+        run: npm audit --audit-level=moderate --omit dev
       - name: audit packages
         run: npm run audit-all
diff --git a/packages/http-client/RELEASES.md b/packages/http-client/RELEASES.md
index 02a933b6..6d9ccf5d 100644
--- a/packages/http-client/RELEASES.md
+++ b/packages/http-client/RELEASES.md
@@ -1,5 +1,8 @@
 ## Releases
+## 2.2.3
+- Fixed an issue where proxy username and password were not handled correctly [#1799](https://github.com/actions/toolkit/pull/1799)
+
 ## 2.2.2
 - Better handling of url encoded usernames and passwords in proxy config [#1782](https://github.com/actions/toolkit/pull/1782)
diff --git a/packages/http-client/package-lock.json b/packages/http-client/package-lock.json
index e58eb440..823b38b7 100644
--- a/packages/http-client/package-lock.json
+++ b/packages/http-client/package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "@actions/http-client",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
diff --git a/packages/http-client/package.json b/packages/http-client/package.json
index df29f961..3960a83a 100644
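Review bot: The `--omit dev` added to the `npm audit` step in `.github/workflows/audit.yml` narrows the "audit tools" check to production dependencies, but the commit body calls this a stopgap while lerna is being removed, and nothing in the workflow records that intent, so the reduced coverage is likely to outlive its reason. Add a comment on the step so it is revisited: `# TODO: drop --omit dev once lerna is removed; dev-dependency advisories are not reported by this step until then (see #1804)`. It is also worth confirming that the following `audit packages` step (`npm run audit-all`, defined outside this diff) still covers the build tooling that runs in CI, since that is where the omitted advisories would otherwise surface.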
--- a/packages/http-client/package.json
+++ b/packages/http-client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@actions/http-client",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "description": "Actions Http Client",
   "keywords": [
     "github",
From 1e69bffbbabdf69158a83d09b78334185673dcad Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Thu, 22 Aug 2024 07:50:49 -0700
Subject: [PATCH 4/4] bump @actions/http-client from 2.2.1 to 2.2.3
Signed-off-by: Brian DeHamer
---
 packages/attest/RELEASES.md       |  4 ++++
 packages/attest/package-lock.json | 18 +++++++++---------
 packages/attest/package.json      |  4 ++--
 3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/packages/attest/RELEASES.md b/packages/attest/RELEASES.md
index 981bda9d..4e85ca38 100644
--- a/packages/attest/RELEASES.md
+++ b/packages/attest/RELEASES.md
@@ -1,5 +1,9 @@
 # @actions/attest Releases
+### 1.4.1
+
+- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805)
+
 ### 1.4.0
 - Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
diff --git a/packages/attest/package-lock.json b/packages/attest/package-lock.json
index e7fafa40..17b72849 100644
--- a/packages/attest/package-lock.json
+++ b/packages/attest/package-lock.json
@@ -1,17 +1,17 @@
 {
   "name": "@actions/attest",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "@actions/attest",
-      "version": "1.4.0",
+      "version": "1.4.1",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "^1.10.1",
         "@actions/github": "^6.0.0",
-        "@actions/http-client": "^2.2.1",
+        "@actions/http-client": "^2.2.3",
         "@octokit/plugin-retry": "^6.0.1",
         "@sigstore/bundle": "^2.3.2",
         "@sigstore/sign": "^2.3.2",
@@ -46,9 +46,9 @@
       }
     },
     "node_modules/@actions/http-client": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz",
-      "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
+      "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
       "dependencies": {
         "tunnel": "^0.0.6",
         "undici": "^5.25.4"
@@ -1767,9 +1767,9 @@
       }
     },
     "@actions/http-client": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz",
-      "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==",
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
+      "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
       "requires": {
         "tunnel": "^0.0.6",
         "undici": "^5.25.4"
diff --git a/packages/attest/package.json b/packages/attest/package.json
index d9c6b878..224e948a 100644
--- a/packages/attest/package.json
+++ b/packages/attest/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@actions/attest",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "description": "Actions attestation lib",
   "keywords": [
     "github",
@@ -44,7 +44,7 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/github": "^6.0.0",
-    "@actions/http-client": "^2.2.1",
+    "@actions/http-client": "^2.2.3",
     "@octokit/plugin-retry": "^6.0.1",
     "@sigstore/bundle": "^2.3.2",
     "@sigstore/sign": "^2.3.2",