From ff19f402b6e212671813b2ebe231d8a7c81ec049 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Mon, 25 Aug 2025 13:52:01 -0700 Subject: [PATCH 1/7] custom node max-http-header-size (#687) Signed-off-by: Brian DeHamer --- action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/action.yml b/action.yml index 7cbc82a..fa6a9a7 100644 --- a/action.yml +++ b/action.yml @@ -66,6 +66,8 @@ runs: id: generate-build-provenance-predicate - uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 id: attest + env: + NODE_OPTIONS: "--max-http-header-size=32768" with: subject-path: ${{ inputs.subject-path }} subject-digest: ${{ inputs.subject-digest }} From 91ca1c25673125472e7081bed0d584ac6696d4de Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 16:21:27 -0700 Subject: [PATCH 2/7] Bump actions/checkout from 4.1.1 to 5.0.0 (#684) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4.1.1...08c6903cd8c0fde910a37f88322edcfb5dd907a8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0684c9f..c8b6453 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
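Review bot: The step-level `NODE_OPTIONS` added to the `attest` step in action.yml takes precedence over any `NODE_OPTIONS` the calling workflow or job sets. A caller that relies on it for CA, proxy or memory flags would silently lose them for this step. If that matters, the value could extend the inherited one, `NODE_OPTIONS: "${{ env.NODE_OPTIONS }} --max-http-header-size=32768"`, though how composite steps resolve the `env` context needs checking first. The hunk also gives no reason for 32768, which doubles Node's 16 KB default; a comment such as `# responses to the attest step can exceed Node's default header limit` would record the intent, reworded to match the actual cause in #687.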
@@ -21,7 +21,7 @@ jobs: steps: - name: Checkout id: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup Node.js id: setup-node @@ -57,7 +57,7 @@ jobs: steps: - name: Checkout id: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Run attest-provenance id: attest-provenance uses: ./ From 8ee716368b9238b22c2d8d9579a01cb8630ee506 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Tue, 26 Aug 2025 16:57:28 -0700 Subject: [PATCH 3/7] refactor eslint config (#690) Signed-off-by: Brian DeHamer --- .github/linters/.yaml-lint.yml | 10 ---- .github/linters/tsconfig.json | 9 --- .github/workflows/linter.yml | 55 ------------------- .../.markdown-lint.yml => .markdown-lint.yml | 0 .../eslint.config.mjs => eslint.config.mjs | 4 +- package.json | 4 +- tsconfig.lint.json | 9 +++ 7 files changed, 13 insertions(+), 78 deletions(-) delete mode 100644 .github/linters/.yaml-lint.yml delete mode 100644 .github/linters/tsconfig.json delete mode 100644 .github/workflows/linter.yml rename .github/linters/.markdown-lint.yml => .markdown-lint.yml (100%) rename .github/linters/eslint.config.mjs => eslint.config.mjs (97%) create mode 100644 tsconfig.lint.json diff --git a/.github/linters/.yaml-lint.yml b/.github/linters/.yaml-lint.yml deleted file mode 100644 index c975a33..0000000 --- a/.github/linters/.yaml-lint.yml +++ /dev/null @@ -1,10 +0,0 @@ -rules: - document-end: disable - document-start: - level: warning - present: false - line-length: - level: warning - max: 80 - allow-non-breakable-words: true - allow-non-breakable-inline-mappings: true diff --git a/.github/linters/tsconfig.json b/.github/linters/tsconfig.json deleted file mode 100644 index a34cf90..0000000 --- a/.github/linters/tsconfig.json +++ /dev/null 
@@ -1,9 +0,0 @@ -{ - "$schema": "https://json.schemastore.org/tsconfig", - "extends": "../../tsconfig.json", - "compilerOptions": { - "noEmit": true - }, - "include": ["../../__tests__/**/*", "../../src/**/*"], - "exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"] -} diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml deleted file mode 100644 index 5451fa6..0000000 --- a/.github/workflows/linter.yml +++ /dev/null @@ -1,55 +0,0 @@ -name: Lint Codebase - -on: - pull_request: - branches: - - main - push: - branches: - - main - -permissions: - contents: read - packages: read - statuses: write - -jobs: - lint: - name: Lint Codebase - runs-on: ubuntu-latest - - steps: - - name: Checkout - id: checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - fetch-depth: 0 - - - name: Setup Node.js - id: setup-node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 - with: - node-version-file: .node-version - cache: npm - - - name: Install Dependencies - id: install - run: npm ci - - - name: Lint Codebase - id: super-linter - uses: super-linter/super-linter/slim@v8.0.0 - env: - DEFAULT_BRANCH: main - FILTER_REGEX_EXCLUDE: dist/**/* - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - TYPESCRIPT_DEFAULT_STYLE: prettier - VALIDATE_ALL_CODEBASE: true - VALIDATE_JAVASCRIPT_STANDARD: false - VALIDATE_TYPESCRIPT_ES: false - VALIDATE_TYPESCRIPT_STANDARD: false - VALIDATE_JSCPD: false - VALIDATE_YAML_PRETTIER: false - - - name: Run eslint - run: npm run lint:eslint diff --git a/.github/linters/.markdown-lint.yml b/.markdown-lint.yml similarity index 100% rename from .github/linters/.markdown-lint.yml rename to .markdown-lint.yml diff --git a/.github/linters/eslint.config.mjs b/eslint.config.mjs similarity index 97% rename from .github/linters/eslint.config.mjs rename to eslint.config.mjs index d09dad5..9020108 100644 --- a/.github/linters/eslint.config.mjs +++ b/eslint.config.mjs 
@@ -7,7 +7,7 @@ export default tseslint.config( // Ignore non-project files { name: 'ignore', - ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js'] + ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs'] }, // Use recommended rules from ESLint, TypeScript, and other plugins eslint.configs.recommended, @@ -21,7 +21,7 @@ export default tseslint.config( languageOptions: { ecmaVersion: 2023, parserOptions: { - project: ['./.github/linters/tsconfig.json'] + project: ['./tsconfig.lint.json'] } }, rules: { diff --git a/package.json b/package.json index 3ed1139..97ed777 100644 --- a/package.json +++ b/package.json @@ -28,8 +28,8 @@ "ci-test": "jest", "format:write": "prettier --write **/*.ts", "format:check": "prettier --check **/*.ts", - "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs", - "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"", + "lint:eslint": "npx eslint", + "lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"", "lint": "npm run lint:eslint && npm run lint:markdown", "package": "ncc build src/index.ts --license licenses.txt", "package:watch": "npm run package -- --watch", diff --git a/tsconfig.lint.json b/tsconfig.lint.json new file mode 100644 index 0000000..a08b563 --- /dev/null +++ b/tsconfig.lint.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://json.schemastore.org/tsconfig", + "extends": "./tsconfig.json", + "compilerOptions": { + "noEmit": true + }, + "include": ["./__tests__/**/*", "./src/**/*"], + "exclude": ["./dist", "./node_modules", "./coverage", "*.json"] +} From 57aa2b0928860f17511d3a8828161ffc4d0cc940 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Tue, 26 Aug 2025 16:57:36 -0700 Subject: [PATCH 4/7] bump actions/attest from v2.4.0 to v3.0.0 (#691) Signed-off-by: Brian DeHamer --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index fa6a9a7..0743687 100644 
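Review bot: Nothing in this patch runs the `lint` script once `.github/workflows/linter.yml` is deleted, so the rewritten `lint:eslint` and `lint:markdown` entries in package.json are only enforced if another workflow calls them. ci.yml is not touched by this commit, so that cannot be confirmed from here. The deleted job also ran super-linter over the whole repository, which by default checks more than TypeScript and Markdown (workflow YAML among others), and those checks go away without a visible replacement. If ci.yml does not already do it, a step such as `- run: npm run lint` would keep the ESLint and markdownlint gates on pull requests. `npx eslint` with no path relies on the flat-config default of linting the current directory, which holds for ESLint 9 and later; the ESLint version is not visible in this hunk.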
--- a/action.yml +++ b/action.yml @@ -64,7 +64,7 @@ runs: steps: - uses: actions/attest-build-provenance/predicate@1176ef556905f349f669722abf30bce1a6e16e01 # predicate@1.1.5 id: generate-build-provenance-predicate - - uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 + - uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0 id: attest env: NODE_OPTIONS: "--max-http-header-size=32768" From 864457a58d4733d7f1574bd8821fa24e02cf7538 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Tue, 26 Aug 2025 20:53:13 -0700 Subject: [PATCH 5/7] Bump to node24 runtime (#692) Signed-off-by: Brian DeHamer Co-authored-by: Salman Muin Kayser Chishti --- .node-version | 2 +- package-lock.json | 6 +++--- package.json | 4 ++-- predicate/action.yml | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.node-version b/.node-version index 1cc433a..341cb50 100644 --- a/.node-version +++ b/.node-version @@ -1 +1 @@ -20.6.0 +24.5.0 diff --git a/package-lock.json b/package-lock.json index 7e642aa..7a1fe3d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "actions/attest-build-provenance", - "version": "1.1.5", + "version": "2.0.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "actions/attest-build-provenance", - "version": "1.1.5", + "version": "2.0.0", "license": "MIT", "dependencies": { "@actions/attest": "^1.6.0", @@ -30,7 +30,7 @@ "typescript-eslint": "^8.39.0" }, "engines": { - "node": ">=20" + "node": ">=24" } }, "node_modules/@actions/attest": { diff --git a/package.json b/package.json index 97ed777..9debc65 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "actions/attest-build-provenance", "description": "Generate signed build provenance attestations", - "version": "1.1.5", + "version": "2.0.0", "author": "", "private": true, "homepage": "https://github.com/actions/attest-build-provenance", 
@@ -21,7 +21,7 @@ ".": "./dist/index.js" }, "engines": { - "node": ">=20" + "node": ">=24" }, "scripts": { "bundle": "npm run format:write && npm run package", diff --git a/predicate/action.yml b/predicate/action.yml index b36a954..c2dbb84 100644 --- a/predicate/action.yml +++ b/predicate/action.yml @@ -10,5 +10,5 @@ outputs: description: > URI identifying the type of the predicate. runs: - using: node20 + using: node24 main: ../dist/index.js From 977bb373ede98d70efdf65b84cb5f73e068dcc2a Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Thu, 28 Aug 2025 14:03:13 -0700 Subject: [PATCH 6/7] bump attest-build-provenance/predicate to v2.0.0 (#693) Signed-off-by: Brian DeHamer --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 0743687..be9f4c1 100644 --- a/action.yml +++ b/action.yml @@ -62,7 +62,7 @@ outputs: runs: using: 'composite' steps: - - uses: actions/attest-build-provenance/predicate@1176ef556905f349f669722abf30bce1a6e16e01 # predicate@1.1.5 + - uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0 id: generate-build-provenance-predicate - uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0 id: attest From 0b6e9809265278d02c58acf52849a95818a5a306 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Thu, 28 Aug 2025 14:23:03 -0700 Subject: [PATCH 7/7] update doc references to v3 release (#697) Signed-off-by: Brian DeHamer --- .github/workflows/prober.yml | 2 +- README.md | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/prober.yml b/.github/workflows/prober.yml index 3705b57..7b4ecfb 100644 --- a/.github/workflows/prober.yml +++ b/.github/workflows/prober.yml 
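Review bot: `using: node24` in predicate/action.yml will stop the predicate action from loading on runners that do not ship a Node 24 runtime. That mainly affects self-hosted runners and GitHub Enterprise Server installs that lag behind hosted runners. The series bumps the package to 2.0.0 and the docs to v3, but none of the visible hunks states a minimum runner version. A README line such as `Requires a runner version with node24 support`, with the exact version filled in, would warn users before the action fails to load. The `engines` change to `>=24` in package.json is consistent with this hunk.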
@@ -29,7 +29,7 @@ jobs: date > artifact - name: Attest build provenance - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@v3 env: INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }} with: diff --git a/README.md b/README.md index 6c8975f..609acc0 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ attest: 1. Add the following to your workflow after your artifact has been built: ```yaml - - uses: actions/attest-build-provenance@v2 + - uses: actions/attest-build-provenance@v3 with: subject-path: '' ``` @@ -68,7 +68,7 @@ attest: See [action.yml](action.yml) ```yaml -- uses: actions/attest-build-provenance@v2 +- uses: actions/attest-build-provenance@v3 with: # Path to the artifact serving as the subject of the attestation. Must # specify exactly one of "subject-path", "subject-digest", or @@ -159,7 +159,7 @@ jobs: - name: Build artifact run: make my-app - name: Attest - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@v3 with: subject-path: '${{ github.workspace }}/my-app' ``` @@ -170,7 +170,7 @@ If you are generating multiple artifacts, you can attest all of them at the same time by using a wildcard in the `subject-path` input. ```yaml -- uses: actions/attest-build-provenance@v2 +- uses: actions/attest-build-provenance@v3 with: subject-path: 'dist/**/my-bin-*' ``` @@ -182,13 +182,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or newline delimited list: ```yaml -- uses: actions/attest-build-provenance@v2 +- uses: actions/attest-build-provenance@v3 with: subject-path: 'dist/foo, dist/bar' ``` ```yaml -- uses: actions/attest-build-provenance@v2 +- uses: actions/attest-build-provenance@v3 with: subject-path: | dist/foo 
@@ -209,7 +209,7 @@ attestation. - name: Calculate artifact digests run: | shasum -a 256 foo_0.0.1_* > subject.checksums.txt -- uses: actions/attest-build-provenance@v2 +- uses: actions/attest-build-provenance@v3 with: subject-checksums: subject.checksums.txt ``` @@ -282,7 +282,7 @@ jobs: push: true tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest - name: Attest - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@v3 id: attest with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -304,7 +304,7 @@ artifact directly into the `subject-digest` input of the attestation action. path: dist/* name: artifact.zip -- uses: actions/attest-build-provenance@v2 +- uses: actions/attest-build-provenance@v3 with: subject-name: artifact.zip subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}