mirror of https://github.com/actions/toolkit
Merge pull request #1701 from actions/bdehamer/attest-v03-bundle
(@actions/attest) generate attestations using v0.3 bundle format
pull/1700/head^2
commit
9ddf153e00
|
@ -1,5 +1,11 @@
|
||||||
# @actions/attest Releases
|
# @actions/attest Releases
|
||||||
|
|
||||||
|
### 1.2.0
|
||||||
|
|
||||||
|
- Generate attestations using the v0.3 Sigstore bundle format.
|
||||||
|
- Bump @sigstore/bundle from 2.2.0 to 2.3.0.
|
||||||
|
- Bump @sigstore/sign from 2.2.3 to 2.3.0.
|
||||||
|
|
||||||
### 1.1.0
|
### 1.1.0
|
||||||
|
|
||||||
- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.
|
- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.
|
||||||
|
|
|
@ -64,13 +64,11 @@ describe('signProvenance', () => {
|
||||||
|
|
||||||
expect(att).toBeDefined()
|
expect(att).toBeDefined()
|
||||||
expect(att.mediaType).toEqual(
|
expect(att.mediaType).toEqual(
|
||||||
'application/vnd.dev.sigstore.bundle+json;version=0.2'
|
'application/vnd.dev.sigstore.bundle.v0.3+json'
|
||||||
)
|
)
|
||||||
|
|
||||||
expect(att.content.$case).toEqual('dsseEnvelope')
|
expect(att.content.$case).toEqual('dsseEnvelope')
|
||||||
expect(att.verificationMaterial.content.$case).toEqual(
|
expect(att.verificationMaterial.content.$case).toEqual('certificate')
|
||||||
'x509CertificateChain'
|
|
||||||
)
|
|
||||||
expect(att.verificationMaterial.tlogEntries).toHaveLength(1)
|
expect(att.verificationMaterial.tlogEntries).toHaveLength(1)
|
||||||
expect(
|
expect(
|
||||||
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
|
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
|
||||||
|
@ -89,13 +87,11 @@ describe('signProvenance', () => {
|
||||||
|
|
||||||
expect(att).toBeDefined()
|
expect(att).toBeDefined()
|
||||||
expect(att.mediaType).toEqual(
|
expect(att.mediaType).toEqual(
|
||||||
'application/vnd.dev.sigstore.bundle+json;version=0.2'
|
'application/vnd.dev.sigstore.bundle.v0.3+json'
|
||||||
)
|
)
|
||||||
|
|
||||||
expect(att.content.$case).toEqual('dsseEnvelope')
|
expect(att.content.$case).toEqual('dsseEnvelope')
|
||||||
expect(att.verificationMaterial.content.$case).toEqual(
|
expect(att.verificationMaterial.content.$case).toEqual('certificate')
|
||||||
'x509CertificateChain'
|
|
||||||
)
|
|
||||||
expect(att.verificationMaterial.tlogEntries).toHaveLength(0)
|
expect(att.verificationMaterial.tlogEntries).toHaveLength(0)
|
||||||
expect(
|
expect(
|
||||||
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
|
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
|
||||||
|
|
|
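Review bot: The new media type literal `'application/vnd.dev.sigstore.bundle.v0.3+json'` is repeated verbatim in both hunks of this test file (the `expect(att.mediaType)` assertion in each case); hoisting it to one file-level `const BUNDLE_V03_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle.v0.3+json'` would keep the two cases from drifting the next time the bundle format moves. The changed `verificationMaterial.content.$case` assertions only check the case tag, and since v0.3 replaces the chain with a single leaf, an additional assertion that the `certificate` payload is non-empty would catch a builder that emits the new case with no data. The enclosing `it` blocks start and end outside these hunks.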
@ -1,19 +1,19 @@
|
||||||
{
|
{
|
||||||
"name": "@actions/attest",
|
"name": "@actions/attest",
|
||||||
"version": "1.0.0",
|
"version": "1.2.0",
|
||||||
"lockfileVersion": 2,
|
"lockfileVersion": 2,
|
||||||
"requires": true,
|
"requires": true,
|
||||||
"packages": {
|
"packages": {
|
||||||
"": {
|
"": {
|
||||||
"name": "@actions/attest",
|
"name": "@actions/attest",
|
||||||
"version": "1.0.0",
|
"version": "1.2.0",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@actions/core": "^1.10.1",
|
"@actions/core": "^1.10.1",
|
||||||
"@actions/github": "^6.0.0",
|
"@actions/github": "^6.0.0",
|
||||||
"@actions/http-client": "^2.2.1",
|
"@actions/http-client": "^2.2.1",
|
||||||
"@sigstore/bundle": "^2.2.0",
|
"@sigstore/bundle": "^2.3.0",
|
||||||
"@sigstore/sign": "^2.2.3",
|
"@sigstore/sign": "^2.3.0",
|
||||||
"jsonwebtoken": "^9.0.2",
|
"jsonwebtoken": "^9.0.2",
|
||||||
"jwks-rsa": "^3.1.0",
|
"jwks-rsa": "^3.1.0",
|
||||||
"make-fetch-happen": "^13.0.0"
|
"make-fetch-happen": "^13.0.0"
|
||||||
|
@ -408,11 +408,11 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@sigstore/bundle": {
|
"node_modules/@sigstore/bundle": {
|
||||||
"version": "2.2.0",
|
"version": "2.3.0",
|
||||||
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.2.0.tgz",
|
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.0.tgz",
|
||||||
"integrity": "sha512-5VI58qgNs76RDrwXNhpmyN/jKpq9evV/7f1XrcqcAfvxDl5SeVY/I5Rmfe96ULAV7/FK5dge9RBKGBJPhL1WsQ==",
|
"integrity": "sha512-MU3XYHkOvKEFnuUtcAtVh0s4RTemRyi1NN87+v9fAL0qR9JZuK/nF27YJ79wjPvvi1W9sz3qc7cTgshH5tji6Q==",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@sigstore/protobuf-specs": "^0.3.0"
|
"@sigstore/protobuf-specs": "^0.3.1"
|
||||||
},
|
},
|
||||||
"engines": {
|
"engines": {
|
||||||
"node": "^16.14.0 || >=18.0.0"
|
"node": "^16.14.0 || >=18.0.0"
|
||||||
|
@ -448,11 +448,11 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@sigstore/protobuf-specs": {
|
"node_modules/@sigstore/protobuf-specs": {
|
||||||
"version": "0.3.0",
|
"version": "0.3.1",
|
||||||
"resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.0.tgz",
|
"resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.1.tgz",
|
||||||
"integrity": "sha512-zxiQ66JFOjVvP9hbhGj/F/qNdsZfkGb/dVXSanNRNuAzMlr4MC95voPUBX8//ZNnmv3uSYzdfR/JSkrgvZTGxA==",
|
"integrity": "sha512-aIL8Z9NsMr3C64jyQzE0XlkEyBLpgEJJFDHLVVStkFV5Q3Il/r/YtY6NJWKQ4cy4AE7spP1IX5Jq7VCAxHHMfQ==",
|
||||||
"engines": {
|
"engines": {
|
||||||
"node": "^14.17.0 || ^16.13.0 || >=18.0.0"
|
"node": "^16.14.0 || >=18.0.0"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@sigstore/rekor-types": {
|
"node_modules/@sigstore/rekor-types": {
|
||||||
|
@ -465,13 +465,13 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@sigstore/sign": {
|
"node_modules/@sigstore/sign": {
|
||||||
"version": "2.2.3",
|
"version": "2.3.0",
|
||||||
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.2.3.tgz",
|
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.0.tgz",
|
||||||
"integrity": "sha512-LqlA+ffyN02yC7RKszCdMTS6bldZnIodiox+IkT8B2f8oRYXCB3LQ9roXeiEL21m64CVH1wyveYAORfD65WoSw==",
|
"integrity": "sha512-tsAyV6FC3R3pHmKS880IXcDJuiFJiKITO1jxR1qbplcsBkZLBmjrEw5GbC7ikD6f5RU1hr7WnmxB/2kKc1qUWQ==",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@sigstore/bundle": "^2.2.0",
|
"@sigstore/bundle": "^2.3.0",
|
||||||
"@sigstore/core": "^1.0.0",
|
"@sigstore/core": "^1.0.0",
|
||||||
"@sigstore/protobuf-specs": "^0.3.0",
|
"@sigstore/protobuf-specs": "^0.3.1",
|
||||||
"make-fetch-happen": "^13.0.0"
|
"make-fetch-happen": "^13.0.0"
|
||||||
},
|
},
|
||||||
"engines": {
|
"engines": {
|
||||||
|
@ -2324,11 +2324,11 @@
|
||||||
"optional": true
|
"optional": true
|
||||||
},
|
},
|
||||||
"@sigstore/bundle": {
|
"@sigstore/bundle": {
|
||||||
"version": "2.2.0",
|
"version": "2.3.0",
|
||||||
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.2.0.tgz",
|
"resolved": "https://registry.npmjs.org/@sigstore/bundle/-/bundle-2.3.0.tgz",
|
||||||
"integrity": "sha512-5VI58qgNs76RDrwXNhpmyN/jKpq9evV/7f1XrcqcAfvxDl5SeVY/I5Rmfe96ULAV7/FK5dge9RBKGBJPhL1WsQ==",
|
"integrity": "sha512-MU3XYHkOvKEFnuUtcAtVh0s4RTemRyi1NN87+v9fAL0qR9JZuK/nF27YJ79wjPvvi1W9sz3qc7cTgshH5tji6Q==",
|
||||||
"requires": {
|
"requires": {
|
||||||
"@sigstore/protobuf-specs": "^0.3.0"
|
"@sigstore/protobuf-specs": "^0.3.1"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"@sigstore/core": {
|
"@sigstore/core": {
|
||||||
|
@ -2355,9 +2355,9 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"@sigstore/protobuf-specs": {
|
"@sigstore/protobuf-specs": {
|
||||||
"version": "0.3.0",
|
"version": "0.3.1",
|
||||||
"resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.0.tgz",
|
"resolved": "https://registry.npmjs.org/@sigstore/protobuf-specs/-/protobuf-specs-0.3.1.tgz",
|
||||||
"integrity": "sha512-zxiQ66JFOjVvP9hbhGj/F/qNdsZfkGb/dVXSanNRNuAzMlr4MC95voPUBX8//ZNnmv3uSYzdfR/JSkrgvZTGxA=="
|
"integrity": "sha512-aIL8Z9NsMr3C64jyQzE0XlkEyBLpgEJJFDHLVVStkFV5Q3Il/r/YtY6NJWKQ4cy4AE7spP1IX5Jq7VCAxHHMfQ=="
|
||||||
},
|
},
|
||||||
"@sigstore/rekor-types": {
|
"@sigstore/rekor-types": {
|
||||||
"version": "2.0.0",
|
"version": "2.0.0",
|
||||||
|
@ -2366,13 +2366,13 @@
|
||||||
"dev": true
|
"dev": true
|
||||||
},
|
},
|
||||||
"@sigstore/sign": {
|
"@sigstore/sign": {
|
||||||
"version": "2.2.3",
|
"version": "2.3.0",
|
||||||
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.2.3.tgz",
|
"resolved": "https://registry.npmjs.org/@sigstore/sign/-/sign-2.3.0.tgz",
|
||||||
"integrity": "sha512-LqlA+ffyN02yC7RKszCdMTS6bldZnIodiox+IkT8B2f8oRYXCB3LQ9roXeiEL21m64CVH1wyveYAORfD65WoSw==",
|
"integrity": "sha512-tsAyV6FC3R3pHmKS880IXcDJuiFJiKITO1jxR1qbplcsBkZLBmjrEw5GbC7ikD6f5RU1hr7WnmxB/2kKc1qUWQ==",
|
||||||
"requires": {
|
"requires": {
|
||||||
"@sigstore/bundle": "^2.2.0",
|
"@sigstore/bundle": "^2.3.0",
|
||||||
"@sigstore/core": "^1.0.0",
|
"@sigstore/core": "^1.0.0",
|
||||||
"@sigstore/protobuf-specs": "^0.3.0",
|
"@sigstore/protobuf-specs": "^0.3.1",
|
||||||
"make-fetch-happen": "^13.0.0"
|
"make-fetch-happen": "^13.0.0"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "@actions/attest",
|
"name": "@actions/attest",
|
||||||
"version": "1.1.0",
|
"version": "1.2.0",
|
||||||
"description": "Actions attestation lib",
|
"description": "Actions attestation lib",
|
||||||
"keywords": [
|
"keywords": [
|
||||||
"github",
|
"github",
|
||||||
|
@ -46,8 +46,8 @@
|
||||||
"@actions/core": "^1.10.1",
|
"@actions/core": "^1.10.1",
|
||||||
"@actions/github": "^6.0.0",
|
"@actions/github": "^6.0.0",
|
||||||
"@actions/http-client": "^2.2.1",
|
"@actions/http-client": "^2.2.1",
|
||||||
"@sigstore/bundle": "^2.2.0",
|
"@sigstore/bundle": "^2.3.0",
|
||||||
"@sigstore/sign": "^2.2.3",
|
"@sigstore/sign": "^2.3.0",
|
||||||
"jsonwebtoken": "^9.0.2",
|
"jsonwebtoken": "^9.0.2",
|
||||||
"jwks-rsa": "^3.1.0",
|
"jwks-rsa": "^3.1.0",
|
||||||
"make-fetch-happen": "^13.0.0"
|
"make-fetch-happen": "^13.0.0"
|
||||||
|
|
|
@ -1,10 +1,11 @@
|
||||||
import {Bundle, bundleToJSON} from '@sigstore/bundle'
|
import {bundleToJSON} from '@sigstore/bundle'
|
||||||
import {X509Certificate} from 'crypto'
|
import {X509Certificate} from 'crypto'
|
||||||
import {SigstoreInstance, signingEndpoints} from './endpoints'
|
import {SigstoreInstance, signingEndpoints} from './endpoints'
|
||||||
import {buildIntotoStatement} from './intoto'
|
import {buildIntotoStatement} from './intoto'
|
||||||
import {Payload, signPayload} from './sign'
|
import {Payload, signPayload} from './sign'
|
||||||
import {writeAttestation} from './store'
|
import {writeAttestation} from './store'
|
||||||
|
|
||||||
|
import type {Bundle} from '@sigstore/sign'
|
||||||
import type {Attestation, Predicate, Subject} from './shared.types'
|
import type {Attestation, Predicate, Subject} from './shared.types'
|
||||||
|
|
||||||
const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
|
const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
|
||||||
|
|
|
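Review bot: `Bundle` is now imported as a type from '@sigstore/sign' while `bundleToJSON` still comes from '@sigstore/bundle', so the value and the type it is applied to are sourced from two packages with independent direct version ranges (`^2.3.0` each in package.json). Presumably '@sigstore/sign' re-exports the type from its own '@sigstore/bundle' dependency, in which case this resolves to the same type today, but a future skew between the two direct dependencies could leave `bundleToJSON` typed against a different `Bundle` than the builder returns; keeping both on one package, e.g. `import {Bundle, bundleToJSON} from '@sigstore/bundle'`, avoids that. The rest of the module continues outside the hunk.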
@ -1,5 +1,5 @@
|
||||||
import {Bundle} from '@sigstore/bundle'
|
|
||||||
import {
|
import {
|
||||||
|
Bundle,
|
||||||
BundleBuilder,
|
BundleBuilder,
|
||||||
CIContextProvider,
|
CIContextProvider,
|
||||||
DSSEBundleBuilder,
|
DSSEBundleBuilder,
|
||||||
|
@ -103,5 +103,7 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
return new DSSEBundleBuilder({signer, witnesses})
|
// Build the bundle with the singleCertificate option which will
|
||||||
|
// trigger the creation of v0.3 DSSE bundles
|
||||||
|
return new DSSEBundleBuilder({signer, witnesses, singleCertificate: true})
|
||||||
}
|
}
|
||||||
|
|
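Review bot: The comment above the new `DSSEBundleBuilder` call explains the mechanism (`singleCertificate` triggers v0.3) but not the consumer-facing consequence, which is what a reader of this file needs: the bundle now carries only the leaf certificate (the tests in this PR switch from `x509CertificateChain` to `certificate`) under a new media type, so whatever verifies these attestations must supply the Fulcio chain from its own trust root, and consumers that only understand the v0.2 media type will presumably reject them. I would extend the comment to `// v0.3 bundles embed only the leaf certificate (no chain) under a new media type; verifiers need the Fulcio chain from their trusted root and v0.2-only consumers will not accept them`. Since this is effectively a breaking change for downstream verifiers, the release note could say so rather than describing it only as a format change. initBundleBuilder starts outside the hunk.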