diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 0000000..39bbd26 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,4 @@ +{ + "image": "mcr.microsoft.com/devcontainers/universal:2", + "features": {} +} diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1d9d7ed..8c8ee5e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,4 +1,4 @@ -version: 2 +version: 💌 updates: - package-ecosystem: github-actions directory: / diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 4f29ace..3109d59 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -38,7 +38,7 @@ jobs: - name: Lint Codebase id: super-linter - uses: super-linter/super-linter/slim@v7.2.1 + uses: super-linter/super-linter/slim@v7.3.0 env: DEFAULT_BRANCH: main FILTER_REGEX_EXCLUDE: dist/**/* diff --git a/.github/workflows/prober-public-good.yml b/.github/workflows/prober-public-good.yml index d8efefd..ca85ce1 100644 --- a/.github/workflows/prober-public-good.yml +++ b/.github/workflows/prober-public-good.yml @@ -1,18 +1,28 @@ -name: Public-Good Sigstore Prober + - name: Upload a Build Artifact + uses: actions/upload-artifact@v4.6.2 + with: + # Artifact name + name: # optional, default is artifact + # A file, directory or wildcard pattern that describes what to upload + path: + # The desired behavior if no files are found using the provided path. +Available Options: + warn: Output a warning but do not fail the action + error: Fail the action with an error message + ignore: Do not output any warnings or errors, the action does not fail -on: - workflow_dispatch: - schedule: - # run every 5 minutes, as often as Github Actions allows - - cron: '*/5 * * * *' + if-no-files-found: # optional, default is warn + # Duration after which artifact will expire in days. 0 means using default retention. +Minimum 1 day. Maximum 90 days unless changed from the repository settings page. -jobs: - prober: - if: github.repository_owner == 'actions' - permissions: - attestations: write - id-token: write - secrets: inherit - uses: ./.github/workflows/prober.yml - with: - sigstore: public-good + retention-days: # optional + # The level of compression for Zlib to be applied to the artifact archive. The value can range from 0 to 9: - 0: No compression - 1: Best speed - 6: Default compression (same as GNU Gzip) - 9: Best compression Higher levels will result in better compression, but will take longer to complete. For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads. + + compression-level: # optional, default is 6 + # If true, an artifact with a matching name will be deleted before a new one is uploaded. If false, the action will fail if an artifact for the given name already exists. Does not fail if the artifact does not exist. + + overwrite: # optional, default is false + # If true, hidden files will be included in the artifact. If false, hidden files will be excluded from the artifact. + + include-hidden-files: # optional, default is false + diff --git a/.github/workflows/prober.yml b/.github/workflows/prober.yml index b8439a6..63bfcd4 100644 --- a/.github/workflows/prober.yml +++ b/.github/workflows/prober.yml @@ -5,6 +5,20 @@ on: inputs: sigstore: description: 'Which Sigstore instance to use for signing' + default: 'public-good' + required: false + type: string + secrets: + trust-domain: + description: 'Trust domain in which the test is executed' + required: true + type: string + service: + description: 'Service against which status should be reported' + required: true + type: string + team: + description: 'Team associated with status report' required: true type: string @@ -16,6 +30,8 @@ jobs: id-token: write steps: + - uses: hmarr/debug-action@v3 + - name: Request OIDC Token run: | curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \ @@ -28,6 +44,11 @@ jobs: run: | date > artifact + - name: Upload build artifact + uses: actions/upload-artifact@v4 + with: + path: "artifact" + - name: Attest build provenance uses: actions/attest-build-provenance@v2 env: @@ -41,14 +62,9 @@ jobs: run: | gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER" - - name: Upload build artifact - uses: actions/upload-artifact@v4 - with: - path: "artifact" - - name: Report attestation prober success if: ${{ success() }} - uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1 + uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1 with: api-key: "${{ secrets.DATADOG_API_KEY }}" service-checks: | @@ -56,17 +72,17 @@ jobs: status: 0 host_name: github.com tags: - - "catalog_service:${{ secrets.CATALOG_SERVICE }}" - - "service:${{ secrets.CATALOG_SERVICE }}" - - "stamp:${{ secrets.STAMP }}" + - "catalog_service:${{ secrets.service }}" + - "service:${{ secrets.service }}" + - "stamp:${{ secrets.trust-domain }}" - "env:production" - "repo:${{ github.repository }}" - - "team:${{ secrets.TEAM }}" + - "team:${{ secrets.team }}" - "sigstore:${{ inputs.sigstore }}" - name: Report attestation prober failure if: ${{ failure() }} - uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1 + uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1 with: api-key: "${{ secrets.DATADOG_API_KEY }}" service-checks: | @@ -75,10 +91,10 @@ jobs: status: 2 host_name: github.com tags: - - "catalog_service:${{ secrets.CATALOG_SERVICE }}" - - "service:${{ secrets.CATALOG_SERVICE }}" - - "stamp:${{ secrets.STAMP }}" + - "catalog_service:${{ secrets.service }}" + - "service:${{ secrets.service }}" + - "stamp:${{ secrets.trust-domain }}" - "env:production" - "repo:${{ github.repository }}" - - "team:${{ secrets.TEAM }}" + - "team:${{ secrets.team }}" - "sigstore:${{ inputs.sigstore }}" diff --git a/LICENSE b/LICENSE index 5f9e342..8b13789 100644 --- a/LICENSE +++ b/LICENSE @@ -1,21 +1 @@ -MIT License -Copyright GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..034e848 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. diff --git a/package-lock.json b/package-lock.json index 7858cab..041d429 100644 --- a/package-lock.json +++ b/package-lock.json @@ -21,7 +21,7 @@ "eslint-plugin-import": "^2.31.0", "eslint-plugin-jest": "^28.11.0", "jest": "^29.7.0", - "jose": "^5.9.6", + "jose": "^6.0.10", "markdownlint-cli": "^0.44.0", "nock": "^14.0.1", "prettier": "^3.5.3", @@ -48,6 +48,15 @@ "jose": "^5.2.3" } }, + "node_modules/@actions/attest/node_modules/jose": { + "version": "5.10.0", + "resolved": "https://registry.npmjs.org/jose/-/jose-5.10.0.tgz", + "integrity": "sha512-s+3Al/p9g32Iq+oqXxkW//7jk2Vig6FF1CFqzVXoTUXt2qz89YWbL+OwS17NFYEvxC35n0FKeGO2LGYSxeM2Gg==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/@actions/core": { "version": "1.11.1", "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz", @@ -5532,9 +5541,11 @@ } }, "node_modules/jose": { - "version": "5.9.6", - "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz", - "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==", + "version": "6.0.10", + "resolved": "https://registry.npmjs.org/jose/-/jose-6.0.10.tgz", + "integrity": "sha512-skIAxZqcMkOrSwjJvplIPYrlXGpxTPnro2/QWTDCxAdWQrSTV5/KqspMWmi5WAx5+ULswASJiZ0a+1B/Lxt9cw==", + "dev": true, + "license": "MIT", "funding": { "url": "https://github.com/sponsors/panva" } diff --git a/package.json b/package.json index 11cd6c7..3efa571 100644 --- a/package.json +++ b/package.json @@ -82,7 +82,7 @@ "eslint-plugin-import": "^2.31.0", "eslint-plugin-jest": "^28.11.0", "jest": "^29.7.0", - "jose": "^5.9.6", + "jose": "^6.0.10", "markdownlint-cli": "^0.44.0", "nock": "^14.0.1", "prettier": "^3.5.3",