mirror of
https://github.com/actions/attest-build-provenance.git
synced 2026-05-13 08:20:57 +00:00
* Bump the npm-development group with 4 updates (#471) Bumps the npm-development group with 4 updates: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint), [prettier](https://github.com/prettier/prettier) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `@types/node` from 22.13.1 to 22.13.4 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.20.0 to 9.20.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/compare/v9.20.0...v9.20.1) Updates `prettier` from 3.5.0 to 3.5.1 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.5.0...3.5.1) Updates `typescript-eslint` from 8.23.0 to 8.24.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.24.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: typescript-eslint dependency-type: direct:development 
update-type: version-update:semver-minor dependency-group: npm-development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump @octokit/request-error from 5.0.1 to 5.1.1 (#469) * Bump @octokit/request-error from 5.0.1 to 5.1.1 Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 5.0.1 to 5.1.1. - [Release notes](https://github.com/octokit/request-error.js/releases) - [Commits](https://github.com/octokit/request-error.js/compare/v5.0.1...v5.1.1) --- updated-dependencies: - dependency-name: "@octokit/request-error" dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * build the bundle * update dist --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugene <108841108+ejahnGithub@users.noreply.github.com> Co-authored-by: ejahnGithub <ejahngithub@github.com> * Bump the npm-development group with 6 updates (#476) * Bump the npm-development group with 6 updates Bumps the npm-development group with 6 updates: | Package | From | To | | --- | --- | --- | | [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.20.0` | `9.21.0` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `22.13.4` | `22.13.5` | | [eslint](https://github.com/eslint/eslint) | `9.20.1` | `9.21.0` | | [prettier](https://github.com/prettier/prettier) | `3.5.1` | `3.5.2` | | [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.2.6` | | [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.0` | `8.24.1` | Updates `@eslint/js` from 9.20.0 to 9.21.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - 
[Commits](https://github.com/eslint/eslint/commits/v9.21.0/packages/js) Updates `@types/node` from 22.13.4 to 22.13.5 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.20.1 to 9.21.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/compare/v9.20.1...v9.21.0) Updates `prettier` from 3.5.1 to 3.5.2 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.5.1...3.5.2) Updates `ts-jest` from 29.2.5 to 29.2.6 - [Release notes](https://github.com/kulshekhar/ts-jest/releases) - [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md) - [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.2.6) Updates `typescript-eslint` from 8.24.0 to 8.24.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.24.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-development - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-development - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - 
dependency-name: ts-jest dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: typescript-eslint dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development ... Signed-off-by: dependabot[bot] <support@github.com> * generate dist --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugene <108841108+ejahnGithub@users.noreply.github.com> Co-authored-by: ejahnGithub <ejahngithub@github.com> * Bump @octokit/request from 8.2.0 to 8.4.1 (#478) * Bump @octokit/request from 8.2.0 to 8.4.1 Bumps [@octokit/request](https://github.com/octokit/request.js) from 8.2.0 to 8.4.1. - [Release notes](https://github.com/octokit/request.js/releases) - [Commits](https://github.com/octokit/request.js/compare/v8.2.0...v8.4.1) --- updated-dependencies: - dependency-name: "@octokit/request" dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <support@github.com> * generate dist --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugene <108841108+ejahnGithub@users.noreply.github.com> Co-authored-by: ejahnGithub <ejahngithub@github.com> * Bump actions/attest from 2.2.0 to 2.2.1 (#481) * bump actions/attest from v2.2.0 to v2.2.1 Signed-off-by: Brian DeHamer <bdehamer@github.com> * pin super-linter action to v7.2.1 Signed-off-by: Brian DeHamer <bdehamer@github.com> --------- Signed-off-by: Brian DeHamer <bdehamer@github.com> * bump @actions/attest from 1.5.0 to 1.6.0 (#484) Signed-off-by: Brian DeHamer <bdehamer@github.com> * bump predicate from 1.1.4 to 1.1.5 (#485) Signed-off-by: Brian DeHamer <bdehamer@github.com> * pin actions/attest reference by commit sha (#493) Signed-off-by: Brian DeHamer <bdehamer@github.com> * Bump the npm-development group across 1 directory with 6 updates (#506) Bumps the npm-development group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.21.0` | `9.22.0` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `22.13.5` | `22.13.10` | | [eslint](https://github.com/eslint/eslint) | `9.21.0` | `9.22.0` | | [prettier](https://github.com/prettier/prettier) | `3.5.2` | `3.5.3` | | [typescript](https://github.com/microsoft/TypeScript) | `5.7.3` | `5.8.2` | | [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.1` | `8.26.0` | Updates `@eslint/js` from 9.21.0 to 9.22.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/commits/v9.22.0/packages/js) Updates `@types/node` from 22.13.5 to 22.13.10 - [Release 
notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 9.21.0 to 9.22.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/compare/v9.21.0...v9.22.0) Updates `prettier` from 3.5.2 to 3.5.3 - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.5.2...3.5.3) Updates `typescript` from 5.7.3 to 5.8.2 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml) - [Commits](https://github.com/microsoft/TypeScript/compare/v5.7.3...v5.8.2) Updates `typescript-eslint` from 8.24.1 to 8.26.0 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.26.0/packages/typescript-eslint) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-development - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: eslint dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-development - dependency-name: prettier dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-development - dependency-name: typescript dependency-type: direct:development update-type: version-update:semver-minor 
dependency-group: npm-development - dependency-name: typescript-eslint dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Create devcontainer.json * wip (#1) Signed-off-by: Brian DeHamer <bdehamer@github.com> Co-authored-by: Brian DeHamer <bdehamer@github.com> * Create SECURITY.md * Update LICENSE (#2) https://github.com/actions/attest-build-provenance/pull/516#issue-2923532422 Tr4200812 * Update dependabot.yml --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Brian DeHamer <bdehamer@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eugene <108841108+ejahnGithub@users.noreply.github.com> Co-authored-by: ejahnGithub <ejahngithub@github.com> Co-authored-by: Brian DeHamer <bdehamer@github.com> Co-authored-by: Whatisthis-dot <tr4200812@vk.com> Co-authored-by: Whatisthis-dot <202803114+whatisthis-dot@users.noreply.github.com>
# Reusable prober workflow (triggered only through `workflow_call`).
# It creates a throwaway artifact, attests it with
# actions/attest-build-provenance, verifies that attestation with
# `gh attestation verify`, and reports the outcome to Datadog as a
# service check.
name: Prober Workflow

on:
  workflow_call:
    inputs:
      # Only the value 'github' switches the attest step to private signing
      # (see INPUT_PRIVATE-SIGNING below); any other value yields 'false'.
      sigstore:
        description: 'Which Sigstore instance to use for signing'
        default: 'public-good'
        required: false
        type: string
    # These three secrets are used only as Datadog tag values.
    # NOTE(review): secrets.DATADOG_API_KEY is read by the report steps but
    # is not declared here; presumably callers pass it via `secrets: inherit`
    # -- confirm against the calling workflows.
    # NOTE(review): the documented keys for workflow_call secrets are
    # `description` and `required`; confirm that `type` is accepted here.
    secrets:
      trust-domain:
        description: 'Trust domain in which the test is executed'
        required: true
        type: string
      service:
        description: 'Service against which status should be reported'
        required: true
        type: string
      team:
        description: 'Team associated with status report'
        required: true
        type: string

jobs:
  probe:
    runs-on: ubuntu-latest
    # Only the two scopes needed for attesting are granted. Because a
    # permissions block is present, every scope not listed is set to none.
    # Every step in this job, including third-party actions, can request an
    # OIDC token while `id-token: write` is granted.
    permissions:
      attestations: write
      id-token: write

    steps:
      # NOTE(review): third-party action referenced by a mutable tag in a job
      # that holds `id-token: write`. The Datadog action below is pinned to a
      # full commit SHA; pinning this one the same way would keep the code
      # that runs with these permissions fixed.
      - uses: hmarr/debug-action@v2

      # Diagnostic step: requests an ID token for the audience `nobody` and
      # prints the decoded first two dot-separated segments of the token
      # (header and payload). The third segment (signature) is not printed.
      # No `shell:` is set, so GitHub's default bash invocation runs without
      # pipefail: only the last jq decides the step result, and a failed
      # token request does not fail the step.
      - name: Request OIDC Token
        run: |
          curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            -H "Accept: application/json; api-version=2.0" \
            -H "Content-Type: application/json" \
            --silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'

      # The artifact is just the current date, so each run attests new
      # content.
      - name: Create artifact
        run: |
          date > artifact

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          path: artifact

      # The private-signing switch is passed as an INPUT_* environment
      # variable rather than through `with:`.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        env:
          INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
        with:
          subject-path: artifact

      # Verification is scoped to the repository owner only, so an
      # attestation for this digest from any repository under that owner
      # satisfies it. That is enough for a liveness probe; when verifying
      # artifacts that will actually be consumed, narrow the check with
      # `--repo` and/or `--signer-workflow`.
      - name: Verify build artifact
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"

      # Exactly one of the two report steps runs, depending on whether any
      # earlier step failed. Datadog service-check status 0 is OK and 2 is
      # CRITICAL. The two payloads carry the same tags; keep them in sync.
      - name: Report attestation prober success
        if: ${{ success() }}
        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
            - check: "attestation-integration.actions.prober"
              status: 0
              host_name: github.com
              tags:
                - "catalog_service:${{ secrets.service }}"
                - "service:${{ secrets.service }}"
                - "stamp:${{ secrets.trust-domain }}"
                - "env:production"
                - "repo:${{ github.repository }}"
                - "team:${{ secrets.team }}"
                - "sigstore:${{ inputs.sigstore }}"

      - name: Report attestation prober failure
        if: ${{ failure() }}
        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
            - check: "attestation-integration.actions.prober"
              message: "${{ github.repository_owner }} failed prober check"
              status: 2
              host_name: github.com
              tags:
                - "catalog_service:${{ secrets.service }}"
                - "service:${{ secrets.service }}"
                - "stamp:${{ secrets.trust-domain }}"
                - "env:production"
                - "repo:${{ github.repository }}"
                - "team:${{ secrets.team }}"
                - "sigstore:${{ inputs.sigstore }}"