From 0fb5031fe62a53977a9e73f15e1738d27337da6c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Mar 2025 01:43:41 +0000 Subject: [PATCH 01/11] Bump the actions-minor group across 1 directory with 2 updates Bumps the actions-minor group with 2 updates in the / directory: [super-linter/super-linter](https://github.com/super-linter/super-linter) and [masci/datadog](https://github.com/masci/datadog). Updates `super-linter/super-linter` from 7.2.1 to 7.3.0 - [Release notes](https://github.com/super-linter/super-linter/releases) - [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md) - [Commits](https://github.com/super-linter/super-linter/compare/v7.2.1...v7.3.0) Updates `masci/datadog` from 1.7.1 to 1.9.1 - [Release notes](https://github.com/masci/datadog/releases) - [Commits](https://github.com/masci/datadog/compare/a5d283e78e33a688ed08a96ba64440505e645a8c...6889e9d060f5368eeee51f8a3f06a52f65d04da3) --- updated-dependencies: - dependency-name: super-linter/super-linter dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor - dependency-name: masci/datadog dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/linter.yml | 2 +- .github/workflows/prober.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 4f29ace..3109d59 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -38,7 +38,7 @@ jobs: - name: Lint Codebase id: super-linter - uses: super-linter/super-linter/slim@v7.2.1 + uses: super-linter/super-linter/slim@v7.3.0 env: DEFAULT_BRANCH: main FILTER_REGEX_EXCLUDE: dist/**/* diff --git a/.github/workflows/prober.yml b/.github/workflows/prober.yml index b8439a6..0aa2aed 100644 --- a/.github/workflows/prober.yml +++ b/.github/workflows/prober.yml @@ -48,7 +48,7 @@ jobs: - name: Report attestation prober success if: ${{ success() }} - uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1 + uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1 with: api-key: "${{ secrets.DATADOG_API_KEY }}" service-checks: | @@ -66,7 +66,7 @@ jobs: - name: Report attestation prober failure if: ${{ failure() }} - uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1 + uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1 with: api-key: "${{ secrets.DATADOG_API_KEY }}" service-checks: | From 54346bf44eaab2c8a33395e906306e630e179b71 Mon Sep 17 00:00:00 2001 From: Whatisthis-dot Date: Sun, 16 Mar 2025 03:43:28 +0700 Subject: [PATCH 02/11] Create devcontainer.json --- .devcontainer/devcontainer.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .devcontainer/devcontainer.json diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 0000000..39bbd26 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,4 @@ +{ + "image": "mcr.microsoft.com/devcontainers/universal:2", + "features": {} +} From 9c690b0bf81f7d3341ada472bc7c7d0eebe1fb6e Mon Sep 17 00:00:00 2001 From: Whatisthis-dot Date: Sun, 16 Mar 2025 03:44:40 +0700 Subject: [PATCH 03/11] wip (#1) Signed-off-by: Brian DeHamer Co-authored-by: Brian DeHamer --- .github/workflows/prober.yml | 42 +++++++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/.github/workflows/prober.yml b/.github/workflows/prober.yml index b8439a6..45abb90 100644 --- a/.github/workflows/prober.yml +++ b/.github/workflows/prober.yml @@ -5,6 +5,20 @@ on: inputs: sigstore: description: 'Which Sigstore instance to use for signing' + default: 'public-good' + required: false + type: string + secrets: + trust-domain: + description: 'Trust domain in which the test is executed' + required: true + type: string + service: + description: 'Service against which status should be reported' + required: true + type: string + team: + description: 'Team associated with status report' required: true type: string @@ -16,6 +30,8 @@ jobs: id-token: write steps: + - uses: hmarr/debug-action@v2 + - name: Request OIDC Token run: | curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \ @@ -28,6 +44,11 @@ jobs: run: | date > artifact + - name: Upload build artifact + uses: actions/upload-artifact@v4 + with: + path: "artifact" + - name: Attest build provenance uses: actions/attest-build-provenance@v2 env: @@ -41,11 +62,6 @@ jobs: run: | gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER" - - name: Upload build artifact - uses: actions/upload-artifact@v4 - with: - path: "artifact" - - name: Report attestation prober success if: ${{ success() }} uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1 @@ -56,12 +72,12 @@ jobs: status: 0 host_name: github.com tags: - - "catalog_service:${{ secrets.CATALOG_SERVICE }}" - - "service:${{ secrets.CATALOG_SERVICE }}" - - "stamp:${{ secrets.STAMP }}" + - "catalog_service:${{ secrets.service }}" + - "service:${{ secrets.service }}" + - "stamp:${{ secrets.trust-domain }}" - "env:production" - "repo:${{ github.repository }}" - - "team:${{ secrets.TEAM }}" + - "team:${{ secrets.team }}" - "sigstore:${{ inputs.sigstore }}" - name: Report attestation prober failure @@ -75,10 +91,10 @@ jobs: status: 2 host_name: github.com tags: - - "catalog_service:${{ secrets.CATALOG_SERVICE }}" - - "service:${{ secrets.CATALOG_SERVICE }}" - - "stamp:${{ secrets.STAMP }}" + - "catalog_service:${{ secrets.service }}" + - "service:${{ secrets.service }}" + - "stamp:${{ secrets.trust-domain }}" - "env:production" - "repo:${{ github.repository }}" - - "team:${{ secrets.TEAM }}" + - "team:${{ secrets.team }}" - "sigstore:${{ inputs.sigstore }}" From 5e39606b1f148d1807499104c218efbe60572109 Mon Sep 17 00:00:00 2001 From: Whatisthis-dot Date: Sun, 16 Mar 2025 04:13:31 +0700 Subject: [PATCH 04/11] Create SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..034e848 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From 58432d13e88b8093ffac85d81f63482d9fb5bc4e Mon Sep 17 00:00:00 2001 From: Whatisthis-dot <202803114+whatisthis-dot@users.noreply.github.com> Date: Mon, 17 Mar 2025 12:41:42 +0700 Subject: [PATCH 05/11] Update LICENSE (#2) https://github.com/actions/attest-build-provenance/pull/516#issue-2923532422 Tr4200812 --- LICENSE | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/LICENSE b/LICENSE index 5f9e342..8b13789 100644 --- a/LICENSE +++ b/LICENSE @@ -1,21 +1 @@ -MIT License -Copyright GitHub - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. \ No newline at end of file From 648e0dfb2e00dc66aaf69b8a7cf0aa23ab08e1be Mon Sep 17 00:00:00 2001 From: Whatisthis-dot <202803114+whatisthis-dot@users.noreply.github.com> Date: Mon, 17 Mar 2025 13:30:42 +0700 Subject: [PATCH 06/11] Update dependabot.yml --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1d9d7ed..8c8ee5e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,4 +1,4 @@ -version: 2 +version: 💌 updates: - package-ecosystem: github-actions directory: / From 34c8dcd1dbbef896f612a54725553412ac063b5a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Mar 2025 06:31:16 +0000 Subject: [PATCH 07/11] Bump hmarr/debug-action from 2 to 3 Bumps [hmarr/debug-action](https://github.com/hmarr/debug-action) from 2 to 3. - [Release notes](https://github.com/hmarr/debug-action/releases) - [Commits](https://github.com/hmarr/debug-action/compare/v2...v3) --- updated-dependencies: - dependency-name: hmarr/debug-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/prober.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/prober.yml b/.github/workflows/prober.yml index 45abb90..b2eec0e 100644 --- a/.github/workflows/prober.yml +++ b/.github/workflows/prober.yml @@ -30,7 +30,7 @@ jobs: id-token: write steps: - - uses: hmarr/debug-action@v2 + - uses: hmarr/debug-action@v3 - name: Request OIDC Token run: | From 7c8d3afa3f6c2b089ea280941c159e99d18c0d92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Mar 2025 06:31:34 +0000 Subject: [PATCH 08/11] Bump jose from 5.9.6 to 6.0.10 Bumps [jose](https://github.com/panva/jose) from 5.9.6 to 6.0.10. - [Release notes](https://github.com/panva/jose/releases) - [Changelog](https://github.com/panva/jose/blob/main/CHANGELOG.md) - [Commits](https://github.com/panva/jose/compare/v5.9.6...v6.0.10) --- updated-dependencies: - dependency-name: jose dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- package-lock.json | 19 +++++++++++++++---- package.json | 2 +- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 42c8710..8bd2ffc 100644 --- a/package-lock.json +++ b/package-lock.json @@ -21,7 +21,7 @@ "eslint-plugin-import": "^2.31.0", "eslint-plugin-jest": "^28.11.0", "jest": "^29.7.0", - "jose": "^5.9.6", + "jose": "^6.0.10", "markdownlint-cli": "^0.44.0", "nock": "^14.0.1", "prettier": "^3.5.3", @@ -48,6 +48,15 @@ "jose": "^5.2.3" } }, + "node_modules/@actions/attest/node_modules/jose": { + "version": "5.10.0", + "resolved": "https://registry.npmjs.org/jose/-/jose-5.10.0.tgz", + "integrity": "sha512-s+3Al/p9g32Iq+oqXxkW//7jk2Vig6FF1CFqzVXoTUXt2qz89YWbL+OwS17NFYEvxC35n0FKeGO2LGYSxeM2Gg==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, "node_modules/@actions/core": { "version": "1.11.1", "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz", @@ -5532,9 +5541,11 @@ } }, "node_modules/jose": { - "version": "5.9.6", - "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz", - "integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==", + "version": "6.0.10", + "resolved": "https://registry.npmjs.org/jose/-/jose-6.0.10.tgz", + "integrity": "sha512-skIAxZqcMkOrSwjJvplIPYrlXGpxTPnro2/QWTDCxAdWQrSTV5/KqspMWmi5WAx5+ULswASJiZ0a+1B/Lxt9cw==", + "dev": true, + "license": "MIT", "funding": { "url": "https://github.com/sponsors/panva" } diff --git a/package.json b/package.json index 0eba31d..db3bc93 100644 --- a/package.json +++ b/package.json @@ -82,7 +82,7 @@ "eslint-plugin-import": "^2.31.0", "eslint-plugin-jest": "^28.11.0", "jest": "^29.7.0", - "jose": "^5.9.6", + "jose": "^6.0.10", "markdownlint-cli": "^0.44.0", "nock": "^14.0.1", "prettier": "^3.5.3", From 866c493965a6f84f799720e0f8937b120dd46c17 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Mar 2025 07:55:00 +0000 Subject: [PATCH 09/11] Bump @octokit/plugin-paginate-rest in the npm_and_yarn group Bumps the npm_and_yarn group with 1 update: [@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js). Updates `@octokit/plugin-paginate-rest` from 9.2.0 to 9.2.2 - [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases) - [Commits](https://github.com/octokit/plugin-paginate-rest.js/compare/v9.2.0...v9.2.2) --- updated-dependencies: - dependency-name: "@octokit/plugin-paginate-rest" dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] --- package-lock.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 42c8710..53bd292 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1566,7 +1566,9 @@ "license": "MIT" }, "node_modules/@octokit/plugin-paginate-rest": { - "version": "9.2.0", + "version": "9.2.2", + "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-9.2.2.tgz", + "integrity": "sha512-u3KYkGF7GcZnSD/3UP0S7K5XUFT2FkOQdcfXZGZQPGv3lm4F2Xbf71lvjldr8c1H3nNbF+33cLEkWYbokGWqiQ==", "license": "MIT", "dependencies": { "@octokit/types": "^12.6.0" @@ -1575,7 +1577,7 @@ "node": ">= 18" }, "peerDependencies": { - "@octokit/core": ">=5" + "@octokit/core": "5" } }, "node_modules/@octokit/plugin-rest-endpoint-methods": { From 50b57aa744770c9af12179d3e2291664e6cd3bd6 Mon Sep 17 00:00:00 2001 From: Whatisthis-dot <202803114+whatisthis-dot@users.noreply.github.com> Date: Fri, 21 Mar 2025 20:09:19 +0700 Subject: [PATCH 10/11] Revert "Bump @octokit/plugin-paginate-rest from 9.2.0 to 9.2.2 in the npm_and_yarn group" --- package-lock.json | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index cd76258..8bd2ffc 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1575,9 +1575,7 @@ "license": "MIT" }, "node_modules/@octokit/plugin-paginate-rest": { - "version": "9.2.2", - "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-9.2.2.tgz", - "integrity": "sha512-u3KYkGF7GcZnSD/3UP0S7K5XUFT2FkOQdcfXZGZQPGv3lm4F2Xbf71lvjldr8c1H3nNbF+33cLEkWYbokGWqiQ==", + "version": "9.2.0", "license": "MIT", "dependencies": { "@octokit/types": "^12.6.0" @@ -1586,7 +1584,7 @@ "node": ">= 18" }, "peerDependencies": { - "@octokit/core": "5" + "@octokit/core": ">=5" } }, "node_modules/@octokit/plugin-rest-endpoint-methods": { From d928f595ed39a8dd20f56b1b211207b7a2b7a5e9 Mon Sep 17 00:00:00 2001 From: Whatisthis-dot <202803114+whatisthis-dot@users.noreply.github.com> Date: Fri, 21 Mar 2025 20:28:54 +0700 Subject: [PATCH 11/11] Update prober-public-good.yml --- .github/workflows/prober-public-good.yml | 42 +++++++++++++++--------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/.github/workflows/prober-public-good.yml b/.github/workflows/prober-public-good.yml index d8efefd..ca85ce1 100644 --- a/.github/workflows/prober-public-good.yml +++ b/.github/workflows/prober-public-good.yml @@ -1,18 +1,28 @@ -name: Public-Good Sigstore Prober + - name: Upload a Build Artifact + uses: actions/upload-artifact@v4.6.2 + with: + # Artifact name + name: # optional, default is artifact + # A file, directory or wildcard pattern that describes what to upload + path: + # The desired behavior if no files are found using the provided path. +Available Options: + warn: Output a warning but do not fail the action + error: Fail the action with an error message + ignore: Do not output any warnings or errors, the action does not fail -on: - workflow_dispatch: - schedule: - # run every 5 minutes, as often as Github Actions allows - - cron: '*/5 * * * *' + if-no-files-found: # optional, default is warn + # Duration after which artifact will expire in days. 0 means using default retention. +Minimum 1 day. Maximum 90 days unless changed from the repository settings page. -jobs: - prober: - if: github.repository_owner == 'actions' - permissions: - attestations: write - id-token: write - secrets: inherit - uses: ./.github/workflows/prober.yml - with: - sigstore: public-good + retention-days: # optional + # The level of compression for Zlib to be applied to the artifact archive. The value can range from 0 to 9: - 0: No compression - 1: Best speed - 6: Default compression (same as GNU Gzip) - 9: Best compression Higher levels will result in better compression, but will take longer to complete. For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads. + + compression-level: # optional, default is 6 + # If true, an artifact with a matching name will be deleted before a new one is uploaded. If false, the action will fail if an artifact for the given name already exists. Does not fail if the artifact does not exist. + + overwrite: # optional, default is false + # If true, hidden files will be included in the artifact. If false, hidden files will be excluded from the artifact. + + include-hidden-files: # optional, default is false +