Merge branch 'main' into neo-cache-service

2026-04-07 12:23:18 +08:00 · 2024-09-24 02:36:02 -07:00
parent 4902d3a118 6dd369c0e6
commit 70e5684b1f
39 changed files with 811 additions and 1218 deletions
--- a/packages/attest/README.md
+++ b/packages/attest/README.md
@@ -63,6 +63,8 @@ export type AttestOptions = {
  // Sigstore instance to use for signing. Must be one of "public-good" or
  // "github".
  sigstore?: 'public-good' | 'github'
+  // HTTP headers to include in request to attestations API.
+  headers?: {[header: string]: string | number | undefined}
  // Whether to skip writing the attestation to the GH attestations API.
  skipWrite?: boolean
 }
@@ -113,6 +115,8 @@ export type AttestProvenanceOptions = {
  // Sigstore instance to use for signing. Must be one of "public-good" or
  // "github".
  sigstore?: 'public-good' | 'github'
+  // HTTP headers to include in request to attestations API.
+  headers?: {[header: string]: string | number | undefined}
  // Whether to skip writing the attestation to the GH attestations API.
  skipWrite?: boolean
  // Issuer URL responsible for minting the OIDC token from which the
--- a/packages/attest/RELEASES.md
+++ b/packages/attest/RELEASES.md
@@ -1,19 +1,42 @@
 # @actions/attest Releases

+### 1.4.2
+
+- Fix bug in `buildSLSAProvenancePredicate`/`attestProvenance` when generating provenance statement for enterprise account using customized OIDC issuer value [#1823](https://github.com/actions/toolkit/pull/1823)
+### 1.4.1
+
+- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805)
+
+### 1.4.0
+
+- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
+- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796)
+### 1.3.1
+
+- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776)
+
+### 1.3.0
+
+- Dynamic construction of Sigstore API URLs [#1735](https://github.com/actions/toolkit/pull/1735)
+- Switch to new GH provenance build type [#1745](https://github.com/actions/toolkit/pull/1745)
+- Fetch existing Rekor entry on 409 conflict error [#1759](https://github.com/actions/toolkit/pull/1759)
+- Bump @sigstore/bundle from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
+- Bump @sigstore/sign from 2.3.0 to 2.3.2 [#1738](https://github.com/actions/toolkit/pull/1738)
+
 ### 1.2.1

- Retry request on attestation persistence failure
+- Retry request on attestation persistence failure [#1725](https://github.com/actions/toolkit/pull/1725)

 ### 1.2.0

- Generate attestations using the v0.3 Sigstore bundle format.
- Bump @sigstore/bundle from 2.2.0 to 2.3.0.
- Bump @sigstore/sign from 2.2.3 to 2.3.0.
- Remove dependency on make-fetch-happen
+- Generate attestations using the v0.3 Sigstore bundle format [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/bundle from 2.2.0 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Bump @sigstore/sign from 2.2.3 to 2.3.0 [#1701](https://github.com/actions/toolkit/pull/1701)
+- Remove dependency on make-fetch-happen [#1714](https://github.com/actions/toolkit/pull/1714)

 ### 1.1.0

- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement.
+- Updates the `attestProvenance` function to retrieve a token from the GitHub OIDC provider and use the token claims to populate the provenance statement [#1693](https://github.com/actions/toolkit/pull/1693)

 ### 1.0.0

--- a/packages/attest/tests/snapshots/provenance.test.ts.snap
+++ b/packages/attest/tests/snapshots/provenance.test.ts.snap
@@ -4,12 +4,12 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
 {
  "params": {
    "buildDefinition": {
-      "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+      "buildType": "https://actions.github.io/buildtypes/workflow/v1",
      "externalParameters": {
        "workflow": {
          "path": ".github/workflows/main.yml",
          "ref": "main",
-          "repository": "https://github.com/owner/repo",
+          "repository": "https://foo.ghe.com/owner/repo",
        },
      },
      "internalParameters": {
@@ -17,6 +17,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
          "event_name": "push",
          "repository_id": "repo-id",
          "repository_owner_id": "owner-id",
+          "runner_environment": "github-hosted",
        },
      },
      "resolvedDependencies": [
@@ -24,16 +25,16 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
          "digest": {
            "gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
          },
-          "uri": "git+https://github.com/owner/repo@refs/heads/main",
+          "uri": "git+https://foo.ghe.com/owner/repo@refs/heads/main",
        },
      ],
    },
    "runDetails": {
      "builder": {
-        "id": "https://github.com/actions/runner/github-hosted",
+        "id": "https://foo.ghe.com/owner/workflows/.github/workflows/publish.yml@main",
      },
      "metadata": {
-        "invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
+        "invocationId": "https://foo.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
      },
    },
  },
--- a/packages/attest/tests/oidc.test.ts
+++ b/packages/attest/tests/oidc.test.ts
@@ -45,7 +45,8 @@ describe('getIDTokenClaims', () => {
      sha: 'sha',
      repository: 'repo',
      event_name: 'push',
-      workflow_ref: 'main',
+      job_workflow_ref: 'job_workflow_ref',
+      workflow_ref: 'workflow',
      repository_id: '1',
      repository_owner_id: '1',
      runner_environment: 'github-hosted',
@@ -67,6 +68,55 @@ describe('getIDTokenClaims', () => {
    })
  })

+  describe('when ID token is valid (w/ enterprise slug)', () => {
+    const claims = {
+      iss: `${issuer}/foo-bar`,
+      aud: audience,
+      ref: 'ref',
+      sha: 'sha',
+      repository: 'repo',
+      event_name: 'push',
+      job_workflow_ref: 'job_workflow_ref',
+      workflow_ref: 'workflow',
+      repository_id: '1',
+      repository_owner_id: '1',
+      runner_environment: 'github-hosted',
+      run_id: '1',
+      run_attempt: '1'
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('returns the ID token claims', async () => {
+      const result = await getIDTokenClaims(issuer)
+      expect(result).toEqual(claims)
+    })
+  })
+
+  describe('when ID token is missing the "iss" claim', () => {
+    const claims = {
+      aud: audience
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing "iss"/i)
+    })
+  })
+
  describe('when ID token is missing required claims', () => {
    const claims = {
      iss: issuer,
@@ -98,7 +148,9 @@ describe('getIDTokenClaims', () => {
    })

    it('throws an error', async () => {
-      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/issuer invalid/)
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(
+        /unexpected "iss"/i
+      )
    })
  })

@@ -114,7 +166,7 @@ describe('getIDTokenClaims', () => {
    })

    it('throw an error', async () => {
-      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/audience invalid/)
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "aud"/)
    })
  })

--- a/packages/attest/tests/provenance.test.ts
+++ b/packages/attest/tests/provenance.test.ts
@@ -8,7 +8,7 @@ import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'

 describe('provenance functions', () => {
  const originalEnv = process.env
-  const issuer = 'https://example.com'
+  const issuer = 'https://token.actions.foo.ghe.com'
  const audience = 'nobody'
  const jwksPath = '/.well-known/jwks.json'
  const tokenPath = '/token'
@@ -23,6 +23,7 @@ describe('provenance functions', () => {
    repository: 'owner/repo',
    ref: 'refs/heads/main',
    sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+    job_workflow_ref: 'owner/workflows/.github/workflows/publish.yml@main',
    workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
    event_name: 'push',
    repository_id: 'repo-id',
@@ -37,7 +38,7 @@ describe('provenance functions', () => {
      ...originalEnv,
      ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
      ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
-      GITHUB_SERVER_URL: 'https://github.com',
+      GITHUB_SERVER_URL: 'https://foo.ghe.com',
      GITHUB_REPOSITORY: claims.repository
    }

@@ -67,7 +68,7 @@ describe('provenance functions', () => {

  describe('buildSLSAProvenancePredicate', () => {
    it('returns a provenance hydrated from an OIDC token', async () => {
-      const predicate = await buildSLSAProvenancePredicate(issuer)
+      const predicate = await buildSLSAProvenancePredicate()
      expect(predicate).toMatchSnapshot()
    })
  })
@@ -95,9 +96,9 @@ describe('provenance functions', () => {
    })

    describe('when using the github Sigstore instance', () => {
-      const {fulcioURL, tsaServerURL} = signingEndpoints('github')
-
      beforeEach(async () => {
+        const {fulcioURL, tsaServerURL} = signingEndpoints('github')
+
        // Mock Sigstore
        await mockFulcio({baseURL: fulcioURL, strict: false})
        await mockTSA({baseURL: tsaServerURL})
@@ -117,8 +118,7 @@ describe('provenance functions', () => {
            subjectName,
            subjectDigest,
            token: 'token',
-            sigstore: 'github',
-            issuer
+            sigstore: 'github'
          })

          expect(attestation).toBeDefined()
@@ -145,8 +145,7 @@ describe('provenance functions', () => {
          const attestation = await attestProvenance({
            subjectName,
            subjectDigest,
-            token: 'token',
-            issuer
+            token: 'token'
          })

          expect(attestation).toBeDefined()
@@ -182,8 +181,7 @@ describe('provenance functions', () => {
            subjectName,
            subjectDigest,
            token: 'token',
-            sigstore: 'public-good',
-            issuer
+            sigstore: 'public-good'
          })

          expect(attestation).toBeDefined()
@@ -210,8 +208,7 @@ describe('provenance functions', () => {
          const attestation = await attestProvenance({
            subjectName,
            subjectDigest,
-            token: 'token',
-            issuer
+            token: 'token'
          })

          expect(attestation).toBeDefined()
@@ -237,8 +234,7 @@ describe('provenance functions', () => {
          subjectDigest,
          token: 'token',
          sigstore: 'public-good',
-          skipWrite: true,
-          issuer
+          skipWrite: true
        })

        expect(attestation).toBeDefined()
--- a/packages/attest/tests/store.test.ts
+++ b/packages/attest/tests/store.test.ts
@@ -5,6 +5,7 @@ describe('writeAttestation', () => {
  const originalEnv = process.env
  const attestation = {foo: 'bar '}
  const token = 'token'
+  const headers = {'X-GitHub-Foo': 'true'}

  const mockAgent = new MockAgent()
  setGlobalDispatcher(mockAgent)
@@ -27,14 +28,16 @@ describe('writeAttestation', () => {
        .intercept({
          path: '/repos/foo/bar/attestations',
          method: 'POST',
-          headers: {authorization: `token ${token}`},
+          headers: {authorization: `token ${token}`, ...headers},
          body: JSON.stringify({bundle: attestation})
        })
        .reply(201, {id: '123'})
    })

    it('persists the attestation', async () => {
-      await expect(writeAttestation(attestation, token)).resolves.toEqual('123')
+      await expect(
+        writeAttestation(attestation, token, {headers})
+      ).resolves.toEqual('123')
    })
  })

--- a/packages/attest/package-lock.json
+++ b/packages/attest/package-lock.json
--- a/packages/attest/package.json
+++ b/packages/attest/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@actions/attest",
-  "version": "1.2.1",
+  "version": "1.4.2",
  "description": "Actions attestation lib",
  "keywords": [
    "github",
@@ -35,22 +35,20 @@
    "url": "https://github.com/actions/toolkit/issues"
  },
  "devDependencies": {
-    "@sigstore/mock": "^0.6.5",
+    "@sigstore/mock": "^0.7.4",
    "@sigstore/rekor-types": "^2.0.0",
    "@types/jsonwebtoken": "^9.0.6",
-    "jose": "^5.2.3",
    "nock": "^13.5.1",
    "undici": "^5.28.4"
  },
  "dependencies": {
    "@actions/core": "^1.10.1",
    "@actions/github": "^6.0.0",
-    "@actions/http-client": "^2.2.1",
+    "@actions/http-client": "^2.2.3",
    "@octokit/plugin-retry": "^6.0.1",
-    "@sigstore/bundle": "^2.3.0",
-    "@sigstore/sign": "^2.3.0",
-    "jsonwebtoken": "^9.0.2",
-    "jwks-rsa": "^3.1.0"
+    "@sigstore/bundle": "^2.3.2",
+    "@sigstore/sign": "^2.3.2",
+    "jose": "^5.2.3"
  },
  "overrides": {
    "@octokit/plugin-retry": {
--- a/packages/attest/src/attest.ts
+++ b/packages/attest/src/attest.ts
@@ -28,6 +28,8 @@ export type AttestOptions = {
  // Sigstore instance to use for signing. Must be one of "public-good" or
  // "github".
  sigstore?: SigstoreInstance
+  // HTTP headers to include in request to attestations API.
+  headers?: {[header: string]: string | number | undefined}
  // Whether to skip writing the attestation to the GH attestations API.
  skipWrite?: boolean
 }
@@ -61,7 +63,11 @@ export async function attest(options: AttestOptions): Promise<Attestation> {
  // Store the attestation
  let attestationID: string | undefined
  if (options.skipWrite !== true) {
-    attestationID = await writeAttestation(bundleToJSON(bundle), options.token)
+    attestationID = await writeAttestation(
+      bundleToJSON(bundle),
+      options.token,
+      {headers: options.headers}
+    )
  }

  return toAttestation(bundle, attestationID)
--- a/packages/attest/src/oidc.ts
+++ b/packages/attest/src/oidc.ts
@@ -1,16 +1,21 @@
 import {getIDToken} from '@actions/core'
 import {HttpClient} from '@actions/http-client'
-import * as jwt from 'jsonwebtoken'
-import jwks from 'jwks-rsa'
+import * as jose from 'jose'

 const OIDC_AUDIENCE = 'nobody'

+const VALID_SERVER_URLS = [
+  'https://github.com',
+  new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
+] as const
+
 const REQUIRED_CLAIMS = [
  'iss',
  'ref',
  'sha',
  'repository',
  'event_name',
+  'job_workflow_ref',
  'workflow_ref',
  'repository_id',
  'repository_owner_id',
@@ -25,7 +30,8 @@ type OIDCConfig = {
  jwks_uri: string
 }

-export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
+export const getIDTokenClaims = async (issuer?: string): Promise<ClaimSet> => {
+  issuer = issuer || getIssuer()
  try {
    const token = await getIDToken(OIDC_AUDIENCE)
    const claims = await decodeOIDCToken(token, issuer)
@@ -39,55 +45,46 @@ export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
 const decodeOIDCToken = async (
  token: string,
  issuer: string
-): Promise<jwt.JwtPayload> => {
+): Promise<jose.JWTPayload> => {
  // Verify and decode token
-  return new Promise((resolve, reject) => {
-    jwt.verify(
-      token,
-      getPublicKey(issuer),
-      {audience: OIDC_AUDIENCE, issuer},
-      (err, decoded) => {
-        if (err) {
-          reject(err)
-        } else if (!decoded || typeof decoded === 'string') {
-          reject(new Error('No decoded token'))
-        } else {
-          resolve(decoded)
-        }
-      }
-    )
+  const jwks = jose.createLocalJWKSet(await getJWKS(issuer))
+  const {payload} = await jose.jwtVerify(token, jwks, {
+    audience: OIDC_AUDIENCE
  })
-}

-// Returns a callback to locate the public key for the given JWT header. This
-// involves two calls:
-// 1. Fetch the OpenID configuration to get the JWKS URI.
-// 2. Fetch the public key from the JWKS URI.
-const getPublicKey =
-  (issuer: string): jwt.GetPublicKeyOrSecret =>
-  (header: jwt.JwtHeader, callback: jwt.SigningKeyCallback) => {
-    // Look up the JWKS URI from the issuer's OpenID configuration
-    new HttpClient('actions/attest')
-      .getJson<OIDCConfig>(`${issuer}/.well-known/openid-configuration`)
-      .then(data => {
-        if (!data.result) {
-          callback(new Error('No OpenID configuration found'))
-        } else {
-          // Fetch the public key from the JWKS URI
-          jwks({jwksUri: data.result.jwks_uri}).getSigningKey(
-            header.kid,
-            (err, key) => {
-              callback(err, key?.getPublicKey())
-            }
-          )
-        }
-      })
-      .catch(err => {
-        callback(err)
-      })
+  if (!payload.iss) {
+    throw new Error('Missing "iss" claim')
  }

-function assertClaimSet(claims: jwt.JwtPayload): asserts claims is ClaimSet {
+  // Check that the issuer STARTS WITH the expected issuer URL to account for
+  // the fact that the value may include an enterprise-specific slug
+  if (!payload.iss.startsWith(issuer)) {
+    throw new Error(`Unexpected "iss" claim: ${payload.iss}`)
+  }
+
+  return payload
+}
+
+const getJWKS = async (issuer: string): Promise<jose.JSONWebKeySet> => {
+  const client = new HttpClient('@actions/attest')
+  const config = await client.getJson<OIDCConfig>(
+    `${issuer}/.well-known/openid-configuration`
+  )
+
+  if (!config.result) {
+    throw new Error('No OpenID configuration found')
+  }
+
+  const jwks = await client.getJson<jose.JSONWebKeySet>(config.result.jwks_uri)
+
+  if (!jwks.result) {
+    throw new Error('No JWKS found for issuer')
+  }
+
+  return jwks.result
+}
+
+function assertClaimSet(claims: jose.JWTPayload): asserts claims is ClaimSet {
  const missingClaims: string[] = []

  for (const claim of REQUIRED_CLAIMS) {
@@ -100,3 +97,21 @@ function assertClaimSet(claims: jwt.JwtPayload): asserts claims is ClaimSet {
    throw new Error(`Missing claims: ${missingClaims.join(', ')}`)
  }
 }
+
+// Derive the current OIDC issuer based on the server URL
+function getIssuer(): string {
+  const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
+
+  // Ensure the server URL is a valid GitHub server URL
+  if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
+    throw new Error(`Invalid server URL: ${serverURL}`)
+  }
+
+  let host = new URL(serverURL).hostname
+
+  if (host === 'github.com') {
+    host = 'githubusercontent.com'
+  }
+
+  return `https://token.actions.${host}`
+}
--- a/packages/attest/src/provenance.ts
+++ b/packages/attest/src/provenance.ts
@@ -3,12 +3,7 @@ import {getIDTokenClaims} from './oidc'
 import type {Attestation, Predicate} from './shared.types'

 const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
-
-const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner'
-const GITHUB_BUILD_TYPE =
-  'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'
-
-const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
+const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'

 export type AttestProvenanceOptions = Omit<
  AttestOptions,
@@ -27,7 +22,7 @@ export type AttestProvenanceOptions = Omit<
 * @returns The SLSA provenance predicate.
 */
 export const buildSLSAProvenancePredicate = async (
-  issuer: string = DEFAULT_ISSUER
+  issuer?: string
 ): Promise<Predicate> => {
  const serverURL = process.env.GITHUB_SERVER_URL
  const claims = await getIDTokenClaims(issuer)
@@ -55,7 +50,8 @@ export const buildSLSAProvenancePredicate = async (
          github: {
            event_name: claims.event_name,
            repository_id: claims.repository_id,
-            repository_owner_id: claims.repository_owner_id
+            repository_owner_id: claims.repository_owner_id,
+            runner_environment: claims.runner_environment
          }
        },
        resolvedDependencies: [
@@ -69,7 +65,7 @@ export const buildSLSAProvenancePredicate = async (
      },
      runDetails: {
        builder: {
-          id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}`
+          id: `${serverURL}/${claims.job_workflow_ref}`
        },
        metadata: {
          invocationId: `${serverURL}/${claims.repository}/actions/runs/${claims.run_id}/attempts/${claims.run_attempt}`
--- a/packages/attest/src/sign.ts
+++ b/packages/attest/src/sign.ts
@@ -87,6 +87,7 @@ const initBundleBuilder = (opts: SignOptions): BundleBuilder => {
      new RekorWitness({
        rekorBaseURL: opts.rekorURL,
        entryType: 'dsse',
+        fetchOnConflict: true,
        timeout,
        retry
      })
--- a/packages/attest/src/store.ts
+++ b/packages/attest/src/store.ts
@@ -1,11 +1,13 @@
 import * as github from '@actions/github'
 import {retry} from '@octokit/plugin-retry'
+import {RequestHeaders} from '@octokit/types'

 const CREATE_ATTESTATION_REQUEST = 'POST /repos/{owner}/{repo}/attestations'
 const DEFAULT_RETRY_COUNT = 5

 export type WriteOptions = {
  retry?: number
+  headers?: RequestHeaders
 }
 /**
 * Writes an attestation to the repository's attestations endpoint.
@@ -26,6 +28,7 @@ export const writeAttestation = async (
    const response = await octokit.request(CREATE_ATTESTATION_REQUEST, {
      owner: github.context.repo.owner,
      repo: github.context.repo.repo,
+      headers: options.headers,
      data: {bundle: attestation}
    })