add new @actions/attest package

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2026-05-05 07:58:05 +08:00 · 2024-02-17 19:14:10 -08:00
parent 415c42d27c
commit 6079dea4c4
24 changed files with 4224 additions and 3 deletions
--- a/packages/attest/src/endpoints.ts
+++ b/packages/attest/src/endpoints.ts
@@ -0,0 +1,50 @@
+import * as github from '@actions/github'
+
+const PUBLIC_GOOD_ID = 'public-good'
+const GITHUB_ID = 'github'
+
+const FULCIO_PUBLIC_GOOD_URL = 'https://fulcio.sigstore.dev'
+const REKOR_PUBLIC_GOOD_URL = 'https://rekor.sigstore.dev'
+
+const FULCIO_INTERNAL_URL = 'https://fulcio.githubapp.com'
+const TSA_INTERNAL_URL = 'https://timestamp.githubapp.com'
+
+export type SigstoreInstance = typeof PUBLIC_GOOD_ID | typeof GITHUB_ID
+
+export type Endpoints = {
+  fulcioURL: string
+  rekorURL?: string
+  tsaServerURL?: string
+}
+
+export const SIGSTORE_PUBLIC_GOOD: Endpoints = {
+  fulcioURL: FULCIO_PUBLIC_GOOD_URL,
+  rekorURL: REKOR_PUBLIC_GOOD_URL
+}
+
+export const SIGSTORE_GITHUB: Endpoints = {
+  fulcioURL: FULCIO_INTERNAL_URL,
+  tsaServerURL: TSA_INTERNAL_URL
+}
+
+export const signingEndpoints = (sigstore?: SigstoreInstance): Endpoints => {
+  let instance: SigstoreInstance
+
+  // An explicitly set instance type takes precedence, but if not set, use the
+  // repository's visibility to determine the instance type.
+  if (sigstore && [PUBLIC_GOOD_ID, GITHUB_ID].includes(sigstore)) {
+    instance = sigstore
+  } else {
+    instance =
+      github.context.payload.repository?.visibility === 'public'
+        ? PUBLIC_GOOD_ID
+        : GITHUB_ID
+  }
+
+  switch (instance) {
+    case PUBLIC_GOOD_ID:
+      return SIGSTORE_PUBLIC_GOOD
+    case GITHUB_ID:
+      return SIGSTORE_GITHUB
+  }
+}