bump @actions/attest from 1.0.0 to 1.1.0 (#33)

Signed-off-by: Brian DeHamer <[email protected]>
actions · Mar 29, 2024 · 810042e · 810042e
1 parent 5096d30
commit 810042e
Show file tree

Hide file tree

Showing 6 changed files with 15,578 additions and 1,769 deletions.
diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
@@ -1,8 +1,9 @@
 import * as core from '@actions/core'
+import * as jose from 'jose'
+import nock from 'nock'
 import * as main from '../src/main'
 
-// Mock the GitHub Actions core library
-jest.mock('@actions/core')
+// Mock the GitHub Actions core library functions
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
 
@@ -11,50 +12,76 @@ setFailedMock.mockImplementation(() => {})
 
 describe('main', () => {
   let outputs = {} as Record<string, string>
+  const originalEnv = process.env
+  const issuer = 'https://token.actions.githubusercontent.com'
+  const audience = 'nobody'
+  const jwksPath = '/.well-known/jwks.json'
+  const tokenPath = '/token'
 
-  beforeEach(() => {
+  const claims = {
+    iss: issuer,
+    aud: 'nobody',
+    repository: 'owner/repo',
+    ref: 'refs/heads/main',
+    sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+    workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
+    event_name: 'push',
+    repository_id: 'repo-id',
+    repository_owner_id: 'owner-id',
+    run_id: 'run-id',
+    run_attempt: 'run-attempt',
+    runner_environment: 'github-hosted'
+  }
+
+  beforeEach(async () => {
     jest.resetAllMocks()
+
     setOutputMock.mockImplementation((key, value) => {
       outputs[key] = value
     })
+
+    process.env = {
+      ...originalEnv,
+      ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+      ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
+      GITHUB_SERVER_URL: 'https://github.com',
+      GITHUB_REPOSITORY: claims.repository
+    }
+
+    // Generate JWT signing key
+    const key = await jose.generateKeyPair('PS256')
+
+    // Create JWK, JWKS, and JWT
+    const kid = '12345'
+    const jwk = await jose.exportJWK(key.publicKey)
+    const jwks = { keys: [{ ...jwk, kid }] }
+    const jwt = await new jose.SignJWT(claims)
+      .setProtectedHeader({ alg: 'PS256', kid })
+      .sign(key.privateKey)
+
+    // Mock OpenID configuration and JWKS endpoints
+    nock(issuer)
+      .get('/.well-known/openid-configuration')
+      .reply(200, { jwks_uri: `${issuer}${jwksPath}` })
+    nock(issuer).get(jwksPath).reply(200, jwks)
+
+    // Mock OIDC token endpoint for populating the provenance
+    nock(issuer).get(tokenPath).query({ audience }).reply(200, { value: jwt })
   })
 
   afterEach(() => {
     outputs = {}
+    process.env = originalEnv
   })
 
   it('successfully run main', async () => {
-    const originalEnv = process.env
-    process.env = {
-      ...originalEnv,
-      GITHUB_REPOSITORY: 'owner/repo',
-      GITHUB_REF: 'refs/heads/main',
-      GITHUB_SHA: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
-      GITHUB_WORKFLOW_REF: 'owner/repo/.github/workflows/main.yml@main',
-      GITHUB_SERVER_URL: 'https://github.com',
-      GITHUB_EVENT_NAME: 'push',
-      GITHUB_REPOSITORY_ID: 'repo-id',
-      GITHUB_REPOSITORY_OWNER_ID: 'owner-id',
-      GITHUB_RUN_ID: 'run-id',
-      GITHUB_RUN_ATTEMPT: 'run-attempt',
-      RUNNER_ENVIRONMENT: 'github-hosted'
-    }
-
     // Run the main function
     await main.run()
 
     // Verify that outputs were set correctly
     expect(setOutputMock).toHaveBeenCalledTimes(2)
 
-    // Use the expected object in the test assertion
     expect(outputs['predicate']).toMatchSnapshot()
-
-    expect(setOutputMock).toHaveBeenNthCalledWith(
-      2,
-      'predicate-type',
-      'https://slsa.dev/provenance/v1'
-    )
-
-    process.env = originalEnv
+    expect(outputs['predicate-type']).toBe('https://slsa.dev/provenance/v1')
   })
 })