Merge 5b6308ff32 into 9d3beef651

.devcontainer/devcontainer.json

@@ -0,0 +1,4 @@
+{
+  "image": "mcr.microsoft.com/devcontainers/universal:2",
+  "features": {}
+}

.github/dependabot.yml

@@ -1,4 +1,4 @@
-version: 2
+version: 💌
 updates:
   - package-ecosystem: github-actions
     directory: /

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v7.2.1
+        uses: super-linter/super-linter/slim@v7.3.0
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*

.github/workflows/prober-public-good.yml

@@ -1,18 +1,28 @@
-name: Public-Good Sigstore Prober
+            - name: Upload a Build Artifact
+  uses: actions/upload-artifact@v4.6.2
+  with:
+    # Artifact name
+    name: # optional, default is artifact
+    # A file, directory or wildcard pattern that describes what to upload
+    path: 
+    # The desired behavior if no files are found using the provided path.
+Available Options:
+  warn: Output a warning but do not fail the action
+  error: Fail the action with an error message
+  ignore: Do not output any warnings or errors, the action does not fail
 
-on:
-  workflow_dispatch:
-  schedule:
-    # run every 5 minutes, as often as Github Actions allows
-    - cron: '*/5 * * * *'
+    if-no-files-found: # optional, default is warn
+    # Duration after which artifact will expire in days. 0 means using default retention.
+Minimum 1 day. Maximum 90 days unless changed from the repository settings page.
 
-jobs:
-  prober:
-    if: github.repository_owner == 'actions'
-    permissions:
-      attestations: write
-      id-token: write
-    secrets: inherit
-    uses: ./.github/workflows/prober.yml
-    with:
-      sigstore: public-good
+    retention-days: # optional
+    # The level of compression for Zlib to be applied to the artifact archive. The value can range from 0 to 9: - 0: No compression - 1: Best speed - 6: Default compression (same as GNU Gzip) - 9: Best compression Higher levels will result in better compression, but will take longer to complete. For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads.
+
+    compression-level: # optional, default is 6
+    # If true, an artifact with a matching name will be deleted before a new one is uploaded. If false, the action will fail if an artifact for the given name already exists. Does not fail if the artifact does not exist.
+
+    overwrite: # optional, default is false
+    # If true, hidden files will be included in the artifact. If false, hidden files will be excluded from the artifact.
+
+    include-hidden-files: # optional, default is false
+          

.github/workflows/prober.yml

@@ -5,6 +5,20 @@ on:
     inputs:
       sigstore:
         description: 'Which Sigstore instance to use for signing'
+        default: 'public-good'
+        required: false
+        type: string
+    secrets:
+      trust-domain:
+        description: 'Trust domain in which the test is executed'
+        required: true
+        type: string
+      service:
+        description: 'Service against which status should be reported'
+        required: true
+        type: string
+      team:
+        description: 'Team associated with status report'
         required: true
         type: string
 
@@ -16,6 +30,8 @@ jobs:
       id-token: write
 
     steps:
+      - uses: hmarr/debug-action@v3
+
       - name: Request OIDC Token
         run: |
           curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
@@ -28,6 +44,11 @@ jobs:
         run: |
           date > artifact
 
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: "artifact"
+
       - name: Attest build provenance
         uses: actions/attest-build-provenance@v2
         env:
@@ -41,14 +62,9 @@ jobs:
         run: |
           gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
 
-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
-        with:
-          path: "artifact"
-
       - name: Report attestation prober success
         if: ${{ success() }}
-        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
+        uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1
         with:
           api-key: "${{ secrets.DATADOG_API_KEY }}"
           service-checks: |
@@ -56,17 +72,17 @@ jobs:
               status: 0
               host_name: github.com
               tags:
-                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
-                - "service:${{ secrets.CATALOG_SERVICE }}"
-                - "stamp:${{ secrets.STAMP }}"
+                - "catalog_service:${{ secrets.service }}"
+                - "service:${{ secrets.service }}"
+                - "stamp:${{ secrets.trust-domain }}"
                 - "env:production"
                 - "repo:${{ github.repository }}"
-                - "team:${{ secrets.TEAM }}"
+                - "team:${{ secrets.team }}"
                 - "sigstore:${{ inputs.sigstore }}"
 
       - name: Report attestation prober failure
         if: ${{ failure() }}
-        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
+        uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1
         with:
           api-key: "${{ secrets.DATADOG_API_KEY }}"
           service-checks: |
@@ -75,10 +91,10 @@ jobs:
               status: 2
               host_name: github.com
               tags:
-                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
-                - "service:${{ secrets.CATALOG_SERVICE }}"
-                - "stamp:${{ secrets.STAMP }}"
+                - "catalog_service:${{ secrets.service }}"
+                - "service:${{ secrets.service }}"
+                - "stamp:${{ secrets.trust-domain }}"
                 - "env:production"
                 - "repo:${{ github.repository }}"
-                - "team:${{ secrets.TEAM }}"
+                - "team:${{ secrets.team }}"
                 - "sigstore:${{ inputs.sigstore }}"

LICENSE

@@ -1,21 +1 @@
-MIT License
 
-Copyright GitHub
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.

package-lock.json

@@ -21,7 +21,7 @@
         "eslint-plugin-import": "^2.31.0",
         "eslint-plugin-jest": "^28.11.0",
         "jest": "^29.7.0",
-        "jose": "^5.9.6",
+        "jose": "^6.0.10",
         "markdownlint-cli": "^0.44.0",
         "nock": "^14.0.1",
         "prettier": "^3.5.3",
@@ -48,6 +48,15 @@
         "jose": "^5.2.3"
       }
     },
+    "node_modules/@actions/attest/node_modules/jose": {
+      "version": "5.10.0",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-5.10.0.tgz",
+      "integrity": "sha512-s+3Al/p9g32Iq+oqXxkW//7jk2Vig6FF1CFqzVXoTUXt2qz89YWbL+OwS17NFYEvxC35n0FKeGO2LGYSxeM2Gg==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/@actions/core": {
       "version": "1.11.1",
       "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
@@ -5532,9 +5541,11 @@
       }
     },
     "node_modules/jose": {
-      "version": "5.9.6",
-      "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz",
-      "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==",
+      "version": "6.0.10",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-6.0.10.tgz",
+      "integrity": "sha512-skIAxZqcMkOrSwjJvplIPYrlXGpxTPnro2/QWTDCxAdWQrSTV5/KqspMWmi5WAx5+ULswASJiZ0a+1B/Lxt9cw==",
+      "dev": true,
+      "license": "MIT",
       "funding": {
         "url": "https://github.com/sponsors/panva"
       }

package.json

@@ -82,7 +82,7 @@
     "eslint-plugin-import": "^2.31.0",
     "eslint-plugin-jest": "^28.11.0",
     "jest": "^29.7.0",
-    "jose": "^5.9.6",
+    "jose": "^6.0.10",
     "markdownlint-cli": "^0.44.0",
     "nock": "^14.0.1",
     "prettier": "^3.5.3",