From 65e3b8bbb5e42355dfbd47602fcb08a993094def Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Wed, 12 Jun 2024 11:27:41 -0700
Subject: [PATCH] bump @sigstore/oci to 0.3.6 (#88)
Signed-off-by: Brian DeHamer
---
 dist/index.js | 23 ++++++++++++++++++-----
 package-lock.json | 18 +++++++++---------
 package.json | 4 ++--
 3 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/dist/index.js b/dist/index.js
index 2bb0532c..bd865ee7 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -11744,13 +11744,20 @@ class OCIImage {
 });
 // Upload artifact manifest
 artifactDescriptor = await __classPrivateFieldGet(this, _OCIImage_client, "f").uploadManifest(JSON.stringify(manifest));
+ // Check to see if registry supports the referrers API. For most
+ // registries the presence of a subjectDigest response header when
+ // uploading the artifact manifest indicates that the referrers API IS
+ // supported -- however, this is not a guarantee (AWS ECR does NOT support
+ // the referrers API but still reports a subjectDigest).
+ const referrersSupported = await __classPrivateFieldGet(this, _OCIImage_client, "f").pingReferrers();
 // Manually update the referrers list if the referrers API is not supported.
- // The lack of a subjectDigest indicates that the referrers API is not
- // supported.
- if (artifactDescriptor.subjectDigest === undefined) {
+ if (!referrersSupported) {
+ // Strip subjectDigest from the artifact descriptor (in case it was returned)
+ /* eslint-disable-next-line @typescript-eslint/no-unused-vars */
+ const { subjectDigest, ...descriptor } = artifactDescriptor;
 await __classPrivateFieldGet(this, _OCIImage_instances, "m", _OCIImage_createReferrersIndexByTag).call(this, {
 artifact: {
- ...artifactDescriptor,
+ ...descriptor,
 artifactType: opts.mediaType,
 annotations,
 },
@@ -11953,7 +11960,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 var _RegistryClient_instances, _RegistryClient_baseURL, _RegistryClient_repository, _RegistryClient_fetch, _RegistryClient_fetchDistributionToken, _RegistryClient_fetchOAuth2Token;
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.RegistryClient = void 0;
+exports.RegistryClient = exports.ZERO_DIGEST = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
@@ -11980,6 +11987,7 @@ const ALL_MANIFEST_MEDIA_TYPES = [
 constants_1.CONTENT_TYPE_DOCKER_MANIFEST,
 constants_1.CONTENT_TYPE_DOCKER_MANIFEST_LIST,
 ].join(',');
+exports.ZERO_DIGEST = 'sha256:0000000000000000000000000000000000000000000000000000000000000000';
 class RegistryClient {
 constructor(registry, repository, opts) {
 _RegistryClient_instances.add(this);
@@ -12115,6 +12123,11 @@ class RegistryClient {
 subjectDigest,
 };
 }
+ // Returns true if the registry supports the referrers API
+ async pingReferrers() {
+ const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/referrers/${exports.ZERO_DIGEST}`);
+ return response.status === 200;
+ }
 static digest(blob) {
 const hash = node_crypto_1.default.createHash('sha256');
 hash.update(blob);
diff --git a/package-lock.json b/package-lock.json
index 033e6e65..55c8ec85 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,18 +1,18 @@
 {
 "name": "actions/attest",
- "version": "1.2.0",
+ "version": "1.2.1",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "actions/attest",
- "version": "1.2.0",
+ "version": "1.2.1",
 "license": "MIT",
 "dependencies": {
 "@actions/attest": "^1.2.1",
 "@actions/core": "^1.10.1",
 "@actions/glob": "^0.4.0",
- "@sigstore/oci": "^0.3.4",
+ "@sigstore/oci": "^0.3.6",
 "csv-parse": "^5.5.6"
 },
 "devDependencies": {
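Review bot: `pingReferrers()` in the `@@ -12115,6 +12123,11 @@` hunk collapses every non-200 status into "referrers API not supported", so a 401/403 from an expired or under-scoped token, a 429, or a transient 5xx on a registry that does support referrers silently sends the caller in the first hunk of this file down the tag-based fallback path, and the probe result cannot be told apart from a real negative answer; only a 404 is the signal the OCI distribution spec gives for an absent endpoint. Unless the private fetch helper already throws on error statuses (not visible in this hunk), I would make the outcome explicit: `if (response.status === 200) return true;` / `if (response.status === 404) return false;` / `throw new Error(\`unexpected status ${response.status} probing referrers API\`);`. The response body is also never consumed or discarded here, which for a keep-alive fetch client can pin the underlying socket — worth confirming against the helper's behaviour. Since dist/index.js is the bundled copy of @sigstore/oci, the fix belongs upstream in that package rather than in this vendored output.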
@@ -1729,9 +1729,9 @@
 }
 },
 "node_modules/@sigstore/oci": {
- "version": "0.3.4",
- "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.4.tgz",
- "integrity": "sha512-ydRTsvHOmLWnlR2BTtG1pHYvLkHG/oaqVyd2WDkfLU7B3dIWfqavE80VCzidNWuZpXN7m8+uBNatus2Qva1ktA==",
+ "version": "0.3.6",
+ "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.6.tgz",
+ "integrity": "sha512-nv/uHEHj6AbzGcBg1Cs7EsetB0M+N8GW1wYA26KQT6ymirv5UWUtqx9L1hbJjClpQ6/8R0vYXCpunvic2O1jfg==",
 "dependencies": {
 "make-fetch-happen": "^13.0.1",
 "proc-log": "^4.2.0"
@@ -9838,9 +9838,9 @@
 }
 },
 "@sigstore/oci": {
- "version": "0.3.4",
- "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.4.tgz",
- "integrity": "sha512-ydRTsvHOmLWnlR2BTtG1pHYvLkHG/oaqVyd2WDkfLU7B3dIWfqavE80VCzidNWuZpXN7m8+uBNatus2Qva1ktA==",
+ "version": "0.3.6",
+ "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.6.tgz",
+ "integrity": "sha512-nv/uHEHj6AbzGcBg1Cs7EsetB0M+N8GW1wYA26KQT6ymirv5UWUtqx9L1hbJjClpQ6/8R0vYXCpunvic2O1jfg==",
 "requires": {
 "make-fetch-happen": "^13.0.1",
 "proc-log": "^4.2.0"
diff --git a/package.json b/package.json
index fe3efa15..4fe14eb2 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "actions/attest",
 "description": "Generate signed attestations for workflow artifacts",
- "version": "1.2.0",
+ "version": "1.2.1",
 "author": "",
 "private": true,
 "homepage": "https://github.com/actions/attest",
@@ -72,7 +72,7 @@
 "@actions/attest": "^1.2.1",
 "@actions/core": "^1.10.1",
 "@actions/glob": "^0.4.0",
- "@sigstore/oci": "^0.3.4",
+ "@sigstore/oci": "^0.3.6",
 "csv-parse": "^5.5.6"
 },
 "devDependencies": {