actions/docker-attest-build-provenance
1
0
Fork 0
mirror of https://github.com/actions/attest-build-provenance.git synced 2025-12-16 20:30:59 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge 5b6308ff32 into 9d3beef651

Browse Source
This commit is contained in:
Whatisthis-dot 2025-03-25 03:38:46 +07:00 committed by GitHub
commit b66e274e08
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 100 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.devcontainer/devcontainer.json Normal file
View File

@ -0,0 +1,4 @@
{
"image": "mcr.microsoft.com/devcontainers/universal:2",
"features": {}
}

2
.github/dependabot.yml vendored
View File

@ -1,4 +1,4 @@
version: 2
version: 💌
updates:
- package-ecosystem: github-actions
directory: /

2
.github/workflows/linter.yml vendored
View File

@ -38,7 +38,7 @@ jobs:
- name: Lint Codebase
id: super-linter
uses: super-linter/super-linter/slim@v7.2.1
uses: super-linter/super-linter/slim@v7.3.0
env:
DEFAULT_BRANCH: main
FILTER_REGEX_EXCLUDE: dist/**/*

42
.github/workflows/prober-public-good.yml vendored
View File

@ -1,18 +1,28 @@
name: Public-Good Sigstore Prober
- name: Upload a Build Artifact
uses: actions/upload-artifact@v4.6.2
with:
# Artifact name
name: # optional, default is artifact
# A file, directory or wildcard pattern that describes what to upload
path:
# The desired behavior if no files are found using the provided path.
Available Options:
warn: Output a warning but do not fail the action
error: Fail the action with an error message
ignore: Do not output any warnings or errors, the action does not fail
on:
workflow_dispatch:
schedule:
# run every 5 minutes, as often as Github Actions allows
- cron: '*/5 * * * *'
if-no-files-found: # optional, default is warn
# Duration after which artifact will expire in days. 0 means using default retention.
Minimum 1 day. Maximum 90 days unless changed from the repository settings page.
jobs:
prober:
if: github.repository_owner == 'actions'
permissions:
attestations: write
id-token: write
secrets: inherit
uses: ./.github/workflows/prober.yml
with:
sigstore: public-good
retention-days: # optional
# The level of compression for Zlib to be applied to the artifact archive. The value can range from 0 to 9: - 0: No compression - 1: Best speed - 6: Default compression (same as GNU Gzip) - 9: Best compression Higher levels will result in better compression, but will take longer to complete. For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads.
compression-level: # optional, default is 6
# If true, an artifact with a matching name will be deleted before a new one is uploaded. If false, the action will fail if an artifact for the given name already exists. Does not fail if the artifact does not exist.
overwrite: # optional, default is false
# If true, hidden files will be included in the artifact. If false, hidden files will be excluded from the artifact.
include-hidden-files: # optional, default is false

46
.github/workflows/prober.yml vendored
View File

@ -5,6 +5,20 @@ on:
inputs:
sigstore:
description: 'Which Sigstore instance to use for signing'
default: 'public-good'
required: false
type: string
secrets:
trust-domain:
description: 'Trust domain in which the test is executed'
required: true
type: string
service:
description: 'Service against which status should be reported'
required: true
type: string
team:
description: 'Team associated with status report'
required: true
type: string
@ -16,6 +30,8 @@ jobs:
id-token: write
steps:
- uses: hmarr/debug-action@v3
- name: Request OIDC Token
run: |
curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
@ -28,6 +44,11 @@ jobs:
run: |
date > artifact
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
path: "artifact"
- name: Attest build provenance
uses: actions/attest-build-provenance@v2
env:
@ -41,14 +62,9 @@ jobs:
run: |
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
path: "artifact"
- name: Report attestation prober success
if: ${{ success() }}
uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1
with:
api-key: "${{ secrets.DATADOG_API_KEY }}"
service-checks: |
@ -56,17 +72,17 @@ jobs:
status: 0
host_name: github.com
tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
- "service:${{ secrets.CATALOG_SERVICE }}"
- "stamp:${{ secrets.STAMP }}"
- "catalog_service:${{ secrets.service }}"
- "service:${{ secrets.service }}"
- "stamp:${{ secrets.trust-domain }}"
- "env:production"
- "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}"
- "team:${{ secrets.team }}"
- "sigstore:${{ inputs.sigstore }}"
- name: Report attestation prober failure
if: ${{ failure() }}
uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
uses: masci/datadog@6889e9d060f5368eeee51f8a3f06a52f65d04da3 # v1.9.1
with:
api-key: "${{ secrets.DATADOG_API_KEY }}"
service-checks: |
@ -75,10 +91,10 @@ jobs:
status: 2
host_name: github.com
tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}"
- "service:${{ secrets.CATALOG_SERVICE }}"
- "stamp:${{ secrets.STAMP }}"
- "catalog_service:${{ secrets.service }}"
- "service:${{ secrets.service }}"
- "stamp:${{ secrets.trust-domain }}"
- "env:production"
- "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}"
- "team:${{ secrets.team }}"
- "sigstore:${{ inputs.sigstore }}"

20
LICENSE
View File

@ -1,21 +1 @@
MIT License
Copyright GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

21
SECURITY.md Normal file
View File

@ -0,0 +1,21 @@
# Security Policy
## Supported Versions
Use this section to tell people about which versions of your project are
currently being supported with security updates.
| Version | Supported |
| ------- | ------------------ |
| 5.1.x | :white_check_mark: |
| 5.0.x | :x: |
| 4.0.x | :white_check_mark: |
| < 4.0 | :x: |
## Reporting a Vulnerability
Use this section to tell people how to report a vulnerability.
Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.

19
package-lock.json generated
View File

@ -21,7 +21,7 @@
"eslint-plugin-import": "^2.31.0",
"eslint-plugin-jest": "^28.11.0",
"jest": "^29.7.0",
"jose": "^5.9.6",
"jose": "^6.0.10",
"markdownlint-cli": "^0.44.0",
"nock": "^14.0.1",
"prettier": "^3.5.3",
@ -48,6 +48,15 @@
"jose": "^5.2.3"
}
},
"node_modules/@actions/attest/node_modules/jose": {
"version": "5.10.0",
"resolved": "https://registry.npmjs.org/jose/-/jose-5.10.0.tgz",
"integrity": "sha512-s+3Al/p9g32Iq+oqXxkW//7jk2Vig6FF1CFqzVXoTUXt2qz89YWbL+OwS17NFYEvxC35n0FKeGO2LGYSxeM2Gg==",
"license": "MIT",
"funding": {
"url": "https://github.com/sponsors/panva"
}
},
"node_modules/@actions/core": {
"version": "1.11.1",
"resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
@ -5532,9 +5541,11 @@
}
},
"node_modules/jose": {
"version": "5.9.6",
"resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz",
"integrity": "sha512-AMlnetc9+CV9asI19zHmrgS/WYsWUwCn2R7RzlbJWD7F9eWYUTGyBmU9o6PxngtLGOiDGPRu+Uc4fhKzbpteZQ==",
"version": "6.0.10",
"resolved": "https://registry.npmjs.org/jose/-/jose-6.0.10.tgz",
"integrity": "sha512-skIAxZqcMkOrSwjJvplIPYrlXGpxTPnro2/QWTDCxAdWQrSTV5/KqspMWmi5WAx5+ULswASJiZ0a+1B/Lxt9cw==",
"dev": true,
"license": "MIT",
"funding": {
"url": "https://github.com/sponsors/panva"
}

2
package.json
View File

@ -82,7 +82,7 @@
"eslint-plugin-import": "^2.31.0",
"eslint-plugin-jest": "^28.11.0",
"jest": "^29.7.0",
"jose": "^5.9.6",
"jose": "^6.0.10",
"markdownlint-cli": "^0.44.0",
"nock": "^14.0.1",
"prettier": "^3.5.3",