mirror of https://github.com/actions/toolkit.git synced 2025-06-09 09:35:06 +09:00
Commit graph

34 commits

Author SHA1 Message Date
dependabot[bot]
41b3ce3141
Bump undici from 5.28.5 to 5.29.0 in /packages/attest
Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-15 16:30:57 +00:00
Brian DeHamer
36db4d62ad
Merge pull request #2045 from actions/dependabot/npm_and_yarn/packages/attest/octokit/endpoint-9.0.6
Bump @octokit/endpoint from 9.0.5 to 9.0.6 in /packages/attest
2025-05-08 10:47:59 -07:00
dependabot[bot]
957610a37a
Bump @octokit/request-error from 5.1.0 to 5.1.1 in /packages/attest
Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 5.1.0 to 5.1.1.
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](https://github.com/octokit/request-error.js/compare/v5.1.0...v5.1.1)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-version: 5.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-08 11:19:50 +00:00
dependabot[bot]
6ed621e7d1
Bump @octokit/endpoint from 9.0.5 to 9.0.6 in /packages/attest
Bumps [@octokit/endpoint](https://github.com/octokit/endpoint.js) from 9.0.5 to 9.0.6.
- [Release notes](https://github.com/octokit/endpoint.js/releases)
- [Commits](https://github.com/octokit/endpoint.js/compare/v9.0.5...v9.0.6)

---
updated-dependencies:
- dependency-name: "@octokit/endpoint"
  dependency-version: 9.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-08 11:19:48 +00:00
Brian DeHamer
0bc338adab
set workflow.ref provenance field from ref claim
Updates the `buildSLSAProvenancePredicate` function to populate the
`workflow.ref` field from the `ref` claim in the OIDC token.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2025-02-26 08:47:27 -08:00
Brian DeHamer
95e747361e
bump undici to 5.28.5
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2025-02-14 08:02:10 -08:00
Brian DeHamer
7e54468896
update release notes for @actions/attest v1.5.0
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-11-01 09:45:11 -07:00
Brian DeHamer
339447c5d3
Merge pull request #1863 from meriadec/attest-provenance-tags
Handle tags containing "@" character in `buildSLSAProvenancePredicate`
2024-11-01 09:35:13 -07:00
Brian DeHamer
265a5be8bc
support multi-subject attestations
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-11-01 09:08:19 -07:00
Meriadec Pillet
717ba9d9a4
Handle tags containing "@" character in buildSLSAProvenancePredicate
When using some monorepo-related tools (like [changesets](https://github.com/changesets/changesets)),
the produced tags have a special format that includes `@` character.

For example, a `foo` package on a monorepo will produce Git tags looking
like `foo@1.0.0` if using changesets.

When used in combination with `actions/attest-build-provenance`, the
action was not properly re-crafting the tag in `buildSLSAProvenancePredicate` because
it was always splitting the workflow ref by `@` and taking the second
element.

This results in this error on CI:

```
Error: Error: Failed to persist attestation: Invalid Argument - values do not match: refs/tags/foo != refs/tags/foo@1.0.0 - https://docs.github.com/rest/repos/repos#create-an-attestation
```

This PR slightly updates the logic there, and rather takes "everything
located after the first '@'". This shouldn't introduce any breaking
change, while giving support for custom tags.

I've added the corresponding test case, it passes, however I couldn't
successfully run the full test suite (neither on `main`). Looking
forward to the CI outcome.

Thanks in advance for the review 🙏.
2024-10-30 14:29:42 +01:00
Brian DeHamer
29d342f176
Merge pull request #1848 from actions/bdehamer/attest-prep-1-5
`@actions/attest`: prep release of @actions/attest v1.5.0
2024-10-14 12:49:33 -07:00
Brian DeHamer
72113fe791
Merge pull request #1847 from actions/bdehamer/attest-update-core
`@actions/attest`: bump @actions/core from 1.10.1 to 1.11.1
2024-10-14 12:49:15 -07:00
Brian DeHamer
26c752f562
prep release of @actions/attest v1.5.0
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-10-14 12:33:10 -07:00
Brian DeHamer
ac1332a8e2
bump @actions/core from 1.10.1 to 1.11.1
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-10-14 12:16:09 -07:00
Brian DeHamer
c6c5ef6b8e
bump @sigstore/sign from 2.3.2 to 3.0.0
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-10-14 12:06:26 -07:00
Brian DeHamer
2a07de1333
fix bug with customized oidc issuer
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-09-04 10:24:28 -07:00
Brian DeHamer
1e69bffbba
bump @actions/http-client from 2.2.1 to 2.2.3
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-08-22 07:52:03 -07:00
Brian DeHamer
ac3a063583
improve release notes for @actions/attest
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-08-16 12:43:39 -07:00
Brian DeHamer
fa6cc53297
derive default OIDC issuer from current tenant
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-08-16 12:07:23 -07:00
Brian DeHamer
340a1033a5
support for headers param in attest functions
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-08-15 15:35:32 -07:00
Brian DeHamer
b28406bd1f
fix proxy support for jwks retrieval
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-07-26 15:03:40 -07:00
Brian DeHamer
dddc440d56
config rekor to fetch on conflict
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-06-12 11:57:18 -07:00
Brian DeHamer
73100a7f85
new GHA build provenance
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-06-05 14:54:34 -07:00
Brian DeHamer
8735a7e2da
prep 1.3.0 release of @actions/attest
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-05-21 13:11:37 -07:00
Fredrik Skogman
d3d7736bae
Fixed a spelling error
2024-05-20 07:57:44 +02:00
Fredrik Skogman
7d18e7aa0d
PR feedback. Use more JS idiomatic code
2024-05-20 07:52:36 +02:00
Fredrik Skogman
e60694077d
Read the server url from the environment variable.
Instead of having the urls hardcoded, read them from the environment.
I opted to read from the environment variable instead of the github context
because it would be easier to test.
2024-05-16 17:00:35 +02:00
Brian DeHamer
abb586d71e
add doc link in @actions/attest readme
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-05-01 11:30:45 -07:00
Brian DeHamer
0e8fe8af62
retry request on failure to save attestation
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-04-24 15:07:39 -07:00
Brian DeHamer
2961d73391
remove dep on make-fetch-happen
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-04-23 09:39:17 -07:00
Brian DeHamer
f8d95a85df
generate v0.3 bundles in attest package
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-04-03 12:12:26 -07:00
Brian DeHamer
a0e6af1e53
build provenance stmt from OIDC claims
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-03-22 12:34:42 -07:00
Brian DeHamer
37a562b194
bump @actions/attest to 1.0.0
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-02-26 10:21:47 -08:00
Brian DeHamer
6079dea4c4
add new @actions/attest package
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-02-26 08:52:20 -08:00