actions/docker-attest-build-provenance
1
0
Fork 0
mirror of https://github.com/actions/attest-build-provenance.git synced 2025-12-15 20:03:28 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

reference @actions/attest package (#10)

Browse Source 
Signed-off-by: Brian DeHamer <bdehamer@github.com>
This commit is contained in:
Brian DeHamer 2024-02-26 14:49:08 -08:00 committed by GitHub
parent 96a4c7ef30
commit d6e451253f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
27 changed files with 858 additions and 2811 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.eslintignore
View File

@ -2,4 +2,3 @@ lib/
dist/ dist/
node_modules/ node_modules/
coverage/ coverage/
packages/

3
.github/workflows/check-dist.yml vendored
View File

@ -41,9 +41,6 @@ jobs:
id: install id: install
run: npm ci run: npm ci
- name: Build @actions/attest
run: npm run build --workspace packages/attest
- name: Build dist/ Directory - name: Build dist/ Directory
id: build id: build
run: npm run bundle run: npm run bundle

3
.github/workflows/ci.yml vendored
View File

@ -34,9 +34,6 @@ jobs:
id: npm-ci id: npm-ci
run: npm ci run: npm ci
- name: Build @actions/attest
run: npm run build --workspace packages/attest
- name: Check Format - name: Check Format
id: npm-format-check id: npm-format-check
run: npm run format:check run: npm run format:check

3
.github/workflows/linter.yml vendored
View File

@ -36,9 +36,6 @@ jobs:
id: install id: install
run: npm ci run: npm ci
- name: Build @actions/attest
run: npm run build --workspace packages/attest
- name: Lint Codebase - name: Lint Codebase
id: super-linter id: super-linter
uses: super-linter/super-linter/slim@v6 uses: super-linter/super-linter/slim@v6

2
.gitignore vendored
View File

@ -101,5 +101,3 @@ __tests__/runner/*
.idea .idea
.vscode .vscode
*.code-workspace *.code-workspace
packages/attest/dist

BIN
dist/index.js generated vendored
View File

Binary file not shown.

BIN
dist/licenses.txt generated vendored
View File

Binary file not shown.

2821
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

7
package.json
View File

@ -25,7 +25,6 @@
}, },
"scripts": { "scripts": {
"bundle": "npm run format:write && npm run package", "bundle": "npm run format:write && npm run package",
"prepackage": "npm run build --workspace packages/attest",
"ci-test": "jest", "ci-test": "jest",
"coverage": "make-coverage-badge --output-path ./badges/coverage.svg", "coverage": "make-coverage-badge --output-path ./badges/coverage.svg",
"format:write": "prettier --write **/*.ts", "format:write": "prettier --write **/*.ts",
@ -67,6 +66,7 @@
] ]
}, },
"dependencies": { "dependencies": {
"@actions/attest": "^1.0.0",
"@actions/core": "^1.10.1" "@actions/core": "^1.10.1"
}, },
"devDependencies": { "devDependencies": {
@ -86,8 +86,5 @@
"prettier-eslint": "^16.3.0", "prettier-eslint": "^16.3.0",
"ts-jest": "^29.1.2", "ts-jest": "^29.1.2",
"typescript": "^5.3.3" "typescript": "^5.3.3"
}, }
"workspaces": [
"./packages/*"
]
} }

5
packages/attest/jest.config.js
View File

@ -1,5 +0,0 @@
module.exports = {
preset: 'ts-jest',
testEnvironment: 'node',
testMatch: ['**/__tests__/*.test.ts'],
};

44
packages/attest/package.json
View File

@ -1,44 +0,0 @@
{
"name": "@actions/attest",
"version": "0.0.0",
"description": "Base library for Sigstore",
"main": "dist/index.js",
"types": "dist/index.d.ts",
"scripts": {
"clean": "shx rm -rf dist *.tsbuildinfo",
"build": "tsc --build",
"test": "jest"
},
"files": [
"dist"
],
"author": "bdehamer@github.com",
"license": "Apache-2.0",
"repository": {
"type": "git",
"url": "git+https://github.com/github/attest-js.git"
},
"bugs": {
"url": "https://github.com/github/attest-js/issues"
},
"homepage": "https://github.com/github/attest-js/tree/main/packages/core#readme",
"publishConfig": {
"provenance": true
},
"devDependencies": {
"@sigstore/mock": "^0.6.4",
"@total-typescript/shoehorn": "^0.1.1",
"@tsconfig/node18": "^18.2.2",
"@types/make-fetch-happen": "^10.0.4",
"nock": "^13.5.1"
},
"dependencies": {
"@actions/github": "^6.0.0",
"@sigstore/bundle": "^2.2.0",
"@sigstore/sign": "^2.2.3",
"make-fetch-happen": "^13.0.0"
},
"engines": {
"node": "^18.17.0 || >=20.5.0"
}
}

51
packages/attest/src/__tests__/__snapshots__/provenance.test.ts.snap
View File

@ -1,51 +0,0 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`generateProvenance returns a provenance hydrated from env vars 1`] = `
{
"_type": "https://in-toto.io/Statement/v1",
"predicate": {
"buildDefinition": {
"buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
"externalParameters": {
"workflow": {
"path": ".github/workflows/main.yml",
"ref": "main",
"repository": "https://github.com/owner/repo",
},
},
"internalParameters": {
"github": {
"event_name": "push",
"repository_id": "repo-id",
"repository_owner_id": "owner-id",
},
},
"resolvedDependencies": [
{
"digest": {
"gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
},
"uri": "git+https://github.com/owner/repo@refs/heads/main",
},
],
},
"runDetails": {
"builder": {
"id": "https://github.com/actions/runner/github-hosted",
},
"metadata": {
"invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
},
},
},
"predicateType": "https://slsa.dev/provenance/v1",
"subject": [
{
"digest": {
"sha256": "7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32",
},
"name": "subjecty",
},
],
}
`;

154
packages/attest/src/__tests__/attest.test.ts
View File

@ -1,154 +0,0 @@
import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
import nock from 'nock'
import { attestProvenance } from '../attest'
describe('attest functions', () => {
// Capture original environment variables and GitHub context so we can restore
// them after each test
const originalEnv = process.env
// Fake an OIDC token
const subject = 'foo@bar.com'
const oidcPayload = { sub: subject, iss: '' }
const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
'base64'
)}.}`
const tokenURL = 'https://token.url'
const fulcioURL = 'https://fulcio.url'
const rekorURL = 'https://rekor.url'
const tsaServerURL = 'https://tsa.url'
const attestationID = '1234567890'
beforeEach(async () => {
jest.clearAllMocks()
nock(tokenURL)
.get('/')
.query({ audience: 'sigstore' })
.reply(200, { value: oidcToken })
// Mock Fulcio endpoint
await mockFulcio({ baseURL: fulcioURL, strict: false })
// Set-up GHA environment variables
process.env = {
...originalEnv,
ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token'
}
})
afterEach(() => {
// Restore the original environment
process.env = originalEnv
})
describe('#attestProvenance', () => {
const env = {
GITHUB_REPOSITORY: 'owner/repo',
GITHUB_REF: 'refs/heads/main',
GITHUB_SHA: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
GITHUB_WORKFLOW_REF: 'owner/repo/.github/workflows/main.yml@main',
GITHUB_SERVER_URL: 'https://github.com',
GITHUB_EVENT_NAME: 'push',
GITHUB_REPOSITORY_ID: 'repo-id',
GITHUB_REPOSITORY_OWNER_ID: 'owner-id',
GITHUB_RUN_ID: 'run-id',
GITHUB_RUN_ATTEMPT: 'run-attempt',
RUNNER_ENVIRONMENT: 'github-hosted'
}
beforeEach(() => {
process.env = { ...process.env, ...env }
})
describe('when the timestamp authority URL is set', () => {
beforeEach(async () => {
await mockTSA({ baseURL: tsaServerURL })
// Mock GH attestations API
nock('https://api.github.com')
.post(/^\/repos\/.*\/.*\/attestations$/)
.reply(201, { id: attestationID })
})
it('attests provenance', async () => {
const attestation = await attestProvenance({
subjectName: 'subjective',
subjectDigest: {
sha256:
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
},
token: 'token',
fulcioURL,
tsaServerURL
})
expect(attestation).toBeDefined()
expect(attestation.bundle).toBeDefined()
expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
expect(attestation.tlogID).toBeUndefined()
expect(attestation.attestationID).toBe(attestationID)
})
})
describe('when the transparency log URL is set', () => {
beforeEach(async () => {
await mockRekor({ baseURL: rekorURL })
// Mock GH attestations API
nock('https://api.github.com')
.post(/^\/repos\/.*\/.*\/attestations$/)
.reply(201, { id: attestationID })
})
it('attests provenance', async () => {
const attestation = await attestProvenance({
subjectName: 'subjective',
subjectDigest: {
sha256:
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
},
token: 'token',
fulcioURL,
rekorURL
})
expect(attestation).toBeDefined()
expect(attestation.bundle).toBeDefined()
expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
expect(attestation.tlogID).toBeDefined()
expect(attestation.attestationID).toBe(attestationID)
})
})
describe('when skipWrite is set to true', () => {
beforeEach(async () => {
await mockRekor({ baseURL: rekorURL })
await mockTSA({ baseURL: tsaServerURL })
})
it('attests provenance', async () => {
const attestation = await attestProvenance({
subjectName: 'subjective',
subjectDigest: {
sha256:
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
},
token: 'token',
fulcioURL,
rekorURL,
tsaServerURL,
skipWrite: true
})
expect(attestation).toBeDefined()
expect(attestation.bundle).toBeDefined()
expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
expect(attestation.tlogID).toBeDefined()
expect(attestation.attestationID).toBeUndefined()
})
})
})
})

32
packages/attest/src/__tests__/index.test.ts
View File

@ -1,32 +0,0 @@
import { fromPartial } from '@total-typescript/shoehorn'
import {
AttestOptions,
AttestProvenanceOptions,
Attestation,
Predicate,
Subject,
attest,
attestProvenance
} from '..'
it('exports functions', () => {
expect(attestProvenance).toBeInstanceOf(Function)
expect(attest).toBeInstanceOf(Function)
})
it('exports types', async () => {
const attestation: Attestation = fromPartial({})
expect(attestation).toBeDefined()
const attestOptions: AttestOptions = fromPartial({})
expect(attestOptions).toBeDefined()
const attestProvenanceOptions: AttestProvenanceOptions = fromPartial({})
expect(attestProvenanceOptions).toBeDefined()
const subject: Subject = fromPartial({})
expect(subject).toBeDefined()
const predicate: Predicate = fromPartial({})
expect(predicate).toBeDefined()
})

30
packages/attest/src/__tests__/provenance.test.ts
View File

@ -1,30 +0,0 @@
import { generateProvenance } from '../provenance'
import type { Subject } from '../shared.types'
describe('generateProvenance', () => {
const subject: Subject = {
name: 'subjecty',
digest: {
sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
}
const env = {
GITHUB_REPOSITORY: 'owner/repo',
GITHUB_REF: 'refs/heads/main',
GITHUB_SHA: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
GITHUB_WORKFLOW_REF: 'owner/repo/.github/workflows/main.yml@main',
GITHUB_SERVER_URL: 'https://github.com',
GITHUB_EVENT_NAME: 'push',
GITHUB_REPOSITORY_ID: 'repo-id',
GITHUB_REPOSITORY_OWNER_ID: 'owner-id',
GITHUB_RUN_ID: 'run-id',
GITHUB_RUN_ATTEMPT: 'run-attempt',
RUNNER_ENVIRONMENT: 'github-hosted'
}
it('returns a provenance hydrated from env vars', () => {
const provenance = generateProvenance(subject, env)
expect(provenance).toMatchSnapshot()
})
})

105
packages/attest/src/__tests__/sign.test.ts
View File

@ -1,105 +0,0 @@
import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
import nock from 'nock'
import { Payload, signPayload } from '../sign'
describe('signProvenance', () => {
const originalEnv = process.env
// Fake an OIDC token
const subject = 'foo@bar.com'
const oidcPayload = { sub: subject, iss: '' }
const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
'base64'
)}.}`
// Dummy provenance to be signed
const provenance = {
_type: 'https://in-toto.io/Statement/v1',
subject: {
name: 'subjective',
digest: {
sha256:
'7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
}
}
}
const payload: Payload = {
body: Buffer.from(JSON.stringify(provenance)),
type: 'application/vnd.in-toto+json'
}
const fulcioURL = 'https://fulcio.url'
const rekorURL = 'https://rekor.url'
const tsaServerURL = 'https://tsa.url'
beforeEach(() => {
// Mock OIDC token endpoint
const tokenURL = 'https://token.url'
process.env = {
...originalEnv,
ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token'
}
nock(tokenURL)
.get('/')
.query({ audience: 'sigstore' })
.reply(200, { value: oidcToken })
})
afterEach(() => {
process.env = originalEnv
})
describe('when visibility is public', () => {
beforeEach(async () => {
await mockFulcio({ baseURL: fulcioURL, strict: false })
await mockRekor({ baseURL: rekorURL })
})
it('returns a bundle', async () => {
const att = await signPayload(payload, { fulcioURL, rekorURL })
expect(att).toBeDefined()
expect(att.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
)
expect(att.content.$case).toEqual('dsseEnvelope')
expect(att.verificationMaterial.content.$case).toEqual(
'x509CertificateChain'
)
expect(att.verificationMaterial.tlogEntries).toHaveLength(1)
expect(
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
).toHaveLength(0)
})
})
describe('when visibility is private', () => {
beforeEach(async () => {
await mockFulcio({ baseURL: fulcioURL, strict: false })
await mockTSA({ baseURL: tsaServerURL })
})
it('returns a bundle', async () => {
const att = await signPayload(payload, { fulcioURL, tsaServerURL })
expect(att).toBeDefined()
expect(att.mediaType).toEqual(
'application/vnd.dev.sigstore.bundle+json;version=0.2'
)
expect(att.content.$case).toEqual('dsseEnvelope')
expect(att.verificationMaterial.content.$case).toEqual(
'x509CertificateChain'
)
expect(att.verificationMaterial.tlogEntries).toHaveLength(0)
expect(
att.verificationMaterial.timestampVerificationData?.rfc3161Timestamps
).toHaveLength(1)
})
})
})

45
packages/attest/src/__tests__/store.test.ts
View File

@ -1,45 +0,0 @@
import nock from 'nock'
import { writeAttestation } from '../store'
describe('writeAttestation', () => {
const originalEnv = process.env
const attestation = { foo: 'bar ' }
const token = 'token'
beforeEach(() => {
process.env = {
...originalEnv,
GITHUB_REPOSITORY: 'foo/bar'
}
})
afterEach(() => {
process.env = originalEnv
})
describe('when the api call is successful', () => {
beforeEach(() => {
nock('https://api.github.com')
.matchHeader('authorization', `token ${token}`)
.post('/repos/foo/bar/attestations', { bundle: attestation })
.reply(201, { id: '123' })
})
it('persists the attestation', async () => {
await expect(writeAttestation(attestation, token)).resolves.toEqual('123')
})
})
describe('when the api call fails', () => {
beforeEach(() => {
nock('https://api.github.com')
.matchHeader('authorization', `token ${token}`)
.post('/repos/foo/bar/attestations', { bundle: attestation })
.reply(500, 'oops')
})
it('persists the attestation', async () => {
await expect(writeAttestation(attestation, token)).rejects.toThrow(/oops/)
})
})
})

88
packages/attest/src/attest.ts
View File

@ -1,88 +0,0 @@
import { Bundle, bundleToJSON } from '@sigstore/bundle'
import { generateProvenancePredicate } from './provenance'
import { Payload, SignOptions, signPayload } from './sign'
import { writeAttestation } from './store'
import assert from 'assert'
import { X509Certificate } from 'crypto'
import type { Attestation, Subject } from './shared.types'
const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
const INTOTO_STATEMENT_V1_TYPE = 'https://in-toto.io/Statement/v1'
type AttestBaseOptions = SignOptions & {
subjectName: string
subjectDigest: Record<string, string>
token: string
skipWrite?: boolean
}
export type AttestOptions = AttestBaseOptions & {
predicateType: string
predicate: object
}
export type AttestProvenanceOptions = AttestBaseOptions
export async function attest(options: AttestOptions): Promise<Attestation> {
const subject: Subject = {
name: options.subjectName,
digest: options.subjectDigest
}
const statement = {
_type: INTOTO_STATEMENT_V1_TYPE,
subject: [subject],
predicateType: options.predicateType,
predicate: options.predicate
}
// Sign the provenance statement
const payload: Payload = {
body: Buffer.from(JSON.stringify(statement)),
type: INTOTO_PAYLOAD_TYPE
}
const bundle = await signPayload(payload, options)
// Store the attestation
let attestationID: string | undefined
if (options.skipWrite !== true) {
attestationID = await writeAttestation(bundleToJSON(bundle), options.token)
}
return toAttestation(bundle, attestationID)
}
export async function attestProvenance(
options: AttestProvenanceOptions
): Promise<Attestation> {
const predicate = generateProvenancePredicate(process.env)
return attest({
...options,
predicateType: predicate.type,
predicate: predicate.params
})
}
function toAttestation(bundle: Bundle, attestationID?: string): Attestation {
// Extract the signing certificate from the bundle
assert(
bundle.verificationMaterial.content.$case === 'x509CertificateChain',
'Bundle must contain an x509 certificate chain'
)
const signingCert = new X509Certificate(
bundle.verificationMaterial.content.x509CertificateChain.certificates[0].rawBytes
)
// Determine if we can provide a link to the transparency log
const tlogEntries = bundle.verificationMaterial.tlogEntries
const tlogID = tlogEntries.length > 0 ? tlogEntries[0].logIndex : undefined
return {
bundle: bundleToJSON(bundle),
certificate: signingCert.toString(),
tlogID,
attestationID
}
}

10
packages/attest/src/index.ts
View File

@ -1,10 +0,0 @@
export {
AttestOptions,
AttestProvenanceOptions,
attest,
attestProvenance
} from './attest'
export { generateProvenancePredicate } from './provenance'
export { generateSBOMPredicate } from './sbom'
export type { Attestation, Predicate, Subject, SBOM } from './shared.types'

72
packages/attest/src/provenance.ts
View File

@ -1,72 +0,0 @@
import type { Predicate, Subject } from './shared.types'
const INTOTO_STATEMENT_V1_TYPE = 'https://in-toto.io/Statement/v1'
export const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner'
const GITHUB_BUILD_TYPE =
'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'
export const generateProvenancePredicate = (
env: NodeJS.ProcessEnv
): Predicate => {
const workflow = env.GITHUB_WORKFLOW_REF || /* istanbul ignore next */ ''
// Split just the path and ref from the workflow string.
// owner/repo/.github/workflows/main.yml@main =>
// .github/workflows/main.yml, main
const [workflowPath, workflowRef] = workflow
.replace(`${env.GITHUB_REPOSITORY}/`, '')
.split('@')
return {
type: SLSA_PREDICATE_V1_TYPE,
params: {
buildDefinition: {
buildType: GITHUB_BUILD_TYPE,
externalParameters: {
workflow: {
ref: workflowRef,
repository: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`,
path: workflowPath
}
},
internalParameters: {
github: {
event_name: env.GITHUB_EVENT_NAME,
repository_id: env.GITHUB_REPOSITORY_ID,
repository_owner_id: env.GITHUB_REPOSITORY_OWNER_ID
}
},
resolvedDependencies: [
{
uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
digest: {
gitCommit: env.GITHUB_SHA
}
}
]
},
runDetails: {
builder: {
id: `${GITHUB_BUILDER_ID_PREFIX}/${env.RUNNER_ENVIRONMENT}`
},
metadata: {
invocationId: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}/actions/runs/${env.GITHUB_RUN_ID}/attempts/${env.GITHUB_RUN_ATTEMPT}`
}
}
}
}
}
export const generateProvenance = (
subject: Subject,
env: NodeJS.ProcessEnv
): object => {
const predicate = generateProvenancePredicate(env)
return {
_type: INTOTO_STATEMENT_V1_TYPE,
subject: [subject],
predicateType: predicate.type,
predicate: predicate.params
}
}

34
packages/attest/src/sbom.ts
View File

@ -1,34 +0,0 @@
import type { SBOM, Predicate } from './shared.types'
export const generateSBOMPredicate = (sbom: SBOM): Predicate => {
if (sbom.type === 'spdx') {
return generateSPDXIntoto(sbom.object)
}
if (sbom.type === 'cyclonedx') {
return generateCycloneDXIntoto(sbom.object)
}
throw new Error('Unsupported SBOM format')
}
// ref: https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md
const generateSPDXIntoto = (sbom: object): Predicate => {
const spdxVersion = (sbom as { spdxVersion?: string })?.['spdxVersion']
if (!spdxVersion) {
throw new Error('Cannot find spdxVersion in the SBOM')
}
const version = spdxVersion.split('-')[1]
return {
type: `https://spdx.dev/Document/v${version}`,
params: sbom
}
}
// ref: https://github.com/in-toto/attestation/blob/main/spec/predicates/cyclonedx.md
const generateCycloneDXIntoto = (sbom: object): Predicate => {
return {
type: 'https://cyclonedx.org/bom',
params: sbom
}
}

22
packages/attest/src/shared.types.ts
View File

@ -1,22 +0,0 @@
import type { SerializedBundle } from '@sigstore/bundle'
export type Subject = {
name: string
digest: Record<string, string>
}
export type Predicate = {
type: string
params: object
}
export type Attestation = {
bundle: SerializedBundle
certificate: string
tlogID?: string
attestationID?: string
}
export type SBOM = {
type: 'spdx' | 'cyclonedx'
object: object
}

82
packages/attest/src/sign.ts
View File

@ -1,82 +0,0 @@
import { Bundle } from '@sigstore/bundle'
import {
BundleBuilder,
CIContextProvider,
DSSEBundleBuilder,
FulcioSigner,
IdentityProvider,
RekorWitness,
TSAWitness,
Witness
} from '@sigstore/sign'
const OIDC_AUDIENCE = 'sigstore'
const DEFAULT_TIMEOUT = 10000
const DEFAULT_RETRIES = 3
export type Payload = {
body: Buffer
type: string
}
export type SignOptions = {
fulcioURL: string
rekorURL?: string
tsaServerURL?: string
identityProvider?: IdentityProvider
timeout?: number
retry?: number
}
// Signs the provided payload with Sigstore.
export const signPayload = async (
payload: Payload,
options: SignOptions
): Promise<Bundle> => {
const artifact = {
data: payload.body,
type: payload.type
}
// Sign the artifact and build the bundle
return initBundleBuilder(options).create(artifact)
}
// Assembles the Sigstore bundle builder with the appropriate options
const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
const identityProvider =
opts.identityProvider || new CIContextProvider(OIDC_AUDIENCE)
const timeout = opts.timeout || DEFAULT_TIMEOUT
const retry = opts.retry || DEFAULT_RETRIES
const witnesses: Witness[] = []
const signer = new FulcioSigner({
identityProvider: identityProvider,
fulcioBaseURL: opts.fulcioURL,
timeout: timeout,
retry: retry
})
if (opts.rekorURL) {
witnesses.push(
new RekorWitness({
rekorBaseURL: opts.rekorURL,
entryType: 'dsse',
timeout: timeout,
retry: retry
})
)
}
if (opts.tsaServerURL) {
witnesses.push(
new TSAWitness({
tsaBaseURL: opts.tsaServerURL,
timeout: timeout,
retry: retry
})
)
}
return new DSSEBundleBuilder({ signer, witnesses })
}

27
packages/attest/src/store.ts
View File

@ -1,27 +0,0 @@
import * as github from '@actions/github'
import fetch from 'make-fetch-happen'
const CREATE_ATTESTATION_REQUEST = 'POST /repos/{owner}/{repo}/attestations'
// Upload the attestation to the repository's attestations endpoint. Returns the
// ID of the uploaded attestation.
export const writeAttestation = async (
attestation: unknown,
token: string
): Promise<string> => {
const octokit = github.getOctokit(token, { request: { fetch } })
try {
const response = await octokit.request(CREATE_ATTESTATION_REQUEST, {
owner: github.context.repo.owner,
repo: github.context.repo.repo,
data: { bundle: attestation }
})
return response.data?.id
} catch (err) {
/* istanbul ignore next */
const message = err instanceof Error ? err.message : err
throw new Error(`Failed to persist attestation: ${message}`)
}
}

18
packages/attest/tsconfig.json
View File

@ -1,18 +0,0 @@
{
"extends": "@tsconfig/node18/tsconfig.json",
"compilerOptions": {
"composite": true,
"rootDir": "src",
"outDir": "dist",
"declaration": true,
"noFallthroughCasesInSwitch": true,
"noImplicitOverride": true,
"allowUnreachableCode": false,
"noImplicitReturns": true,
"noUnusedParameters": true
},
"exclude": [
"./dist",
"**/__tests__"
]
}

4
src/main.ts
View File

@ -1,4 +1,4 @@
import { generateProvenancePredicate } from '@actions/attest' import { buildSLSAProvenancePredicate } from '@actions/attest'
import * as core from '@actions/core' import * as core from '@actions/core'
/** /**
@ -8,7 +8,7 @@ import * as core from '@actions/core'
export async function run(): Promise<void> { export async function run(): Promise<void> {
try { try {
// Calculate subject from inputs and generate provenance // Calculate subject from inputs and generate provenance
const predicate = generateProvenancePredicate(process.env) const predicate = buildSLSAProvenancePredicate(process.env)
core.setOutput('predicate', predicate.params) core.setOutput('predicate', predicate.params)
core.setOutput('predicate-type', predicate.type) core.setOutput('predicate-type', predicate.type)

6
tsconfig.json
View File

@ -15,9 +15,5 @@
"skipLibCheck": true, "skipLibCheck": true,
"newLine": "lf" "newLine": "lf"
}, },
"include": [ "/src/*" ], "exclude": ["./dist", "./node_modules", "./__tests__", "./coverage"]
"exclude": ["./dist", "./node_modules", "./__tests__", "./coverage"],
"references": [
{ "path": "./packages/attest" }
]
} }