diff --git a/dist/index.js b/dist/index.js
index 6d1cf4d4..72119d86 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -284,9 +284,16 @@ const decodeOIDCToken = (token, issuer) => __awaiter(void 0, void 0, void 0, fun
 // Verify and decode token
 const jwks = jose.createLocalJWKSet(yield getJWKS(issuer));
 const { payload } = yield jose.jwtVerify(token, jwks, {
- audience: OIDC_AUDIENCE,
- issuer
+ audience: OIDC_AUDIENCE
 });
+ if (!payload.iss) {
+ throw new Error('Missing "iss" claim');
+ }
+ // Check that the issuer STARTS WITH the expected issuer URL to account for
+ // the fact that the value may include an enterprise-specific slug
+ if (!payload.iss.startsWith(issuer)) {
+ throw new Error(`Unexpected "iss" claim: ${payload.iss}`);
+ }
 return payload;
 });
 const getJWKS = (issuer) => __awaiter(void 0, void 0, void 0, function* () {
@@ -68177,19 +68184,14 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.run = run;
 const attest_1 = __nccwpck_require__(74113);
 const core = __importStar(__nccwpck_require__(42186));
-const VALID_SERVER_URLS = [
- 'https://github.com',
- new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
-];
 /**
 * The main function for the action.
 * @returns {Promise} Resolves when the action is complete.
 */
 async function run() {
 try {
- const issuer = getIssuer();
 // Calculate subject from inputs and generate provenance
- const predicate = await (0, attest_1.buildSLSAProvenancePredicate)(issuer);
+ const predicate = await (0, attest_1.buildSLSAProvenancePredicate)();
 core.setOutput('predicate', predicate.params);
 core.setOutput('predicate-type', predicate.type);
 }
@@ -68199,19 +68201,6 @@ async function run() {
 core.setFailed(error.message);
 }
 }
-// Derive the current OIDC issuer based on the server URL
-function getIssuer() {
- const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com';
- // Ensure the server URL is a valid GitHub server URL
- if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
- throw new Error(`Invalid server URL: ${serverURL}`);
- }
- let host = new URL(serverURL).hostname;
- if (host === 'github.com') {
- host = 'githubusercontent.com';
- }
- return `https://token.actions.${host}`;
-}
 /***/ }),
diff --git a/package-lock.json b/package-lock.json
index 3ec3b466..ec69cc8b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,15 +1,15 @@
 {
 "name": "actions/attest-build-provenance",
- "version": "1.1.2",
+ "version": "1.1.3",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "actions/attest-build-provenance",
- "version": "1.1.2",
+ "version": "1.1.3",
 "license": "MIT",
 "dependencies": {
- "@actions/attest": "^1.4.1",
+ "@actions/attest": "^1.4.2",
 "@actions/core": "^1.10.1"
 },
 "devDependencies": {
@@ -45,9 +45,9 @@
 }
 },
 "node_modules/@actions/attest": {
- "version": "1.4.1",
- "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.4.1.tgz",
- "integrity": "sha512-IEwE9SxHUGZUogp7s9nb8KCcj+83VQ62TR7r6J/HUh94KN+nU+V9AvqnEg1sGCKmFo9BUVX8lV7D+M2tdfVxaw==",
+ "version": "1.4.2",
+ "resolved": "https://registry.npmjs.org/@actions/attest/-/attest-1.4.2.tgz",
+ "integrity": "sha512-VCE5xFPexHc/iBD77b5Rip1ClYFF5j6vE7HxNxFga4OUnRwM6gXdObcz4cDRJsyp6ud4BgEqFUJYNinMnpPYMQ==",
 "dependencies": {
 "@actions/core": "^1.10.1",
 "@actions/github": "^6.0.0",
diff --git a/package.json b/package.json
index a9723052..f62d1484 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "actions/attest-build-provenance",
 "description": "Generate signed build provenance attestations",
- "version": "1.1.2",
+ "version": "1.1.3",
 "author": "",
 "private": true,
 "homepage": "https://github.com/actions/attest-build-provenance",
@@ -70,7 +70,7 @@
 ]
 },
 "dependencies": {
- "@actions/attest": "^1.4.1",
+ "@actions/attest": "^1.4.2",
 "@actions/core": "^1.10.1"
 },
 "devDependencies": {
diff --git a/src/main.ts b/src/main.ts
index f623157e..0b1f21ae 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -1,21 +1,14 @@
 import { buildSLSAProvenancePredicate } from '@actions/attest'
 import * as core from '@actions/core'
-const VALID_SERVER_URLS = [
- 'https://github.com',
- new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
-] as const
-
 /**
 * The main function for the action.
 * @returns {Promise} Resolves when the action is complete.
 */
 export async function run(): Promise {
 try {
- const issuer = getIssuer()
-
 // Calculate subject from inputs and generate provenance
- const predicate = await buildSLSAProvenancePredicate(issuer)
+ const predicate = await buildSLSAProvenancePredicate()
 core.setOutput('predicate', predicate.params)
 core.setOutput('predicate-type', predicate.type)
@@ -25,21 +18,3 @@ export async function run(): Promise {
 core.setFailed(error.message)
 }
 }
-
-// Derive the current OIDC issuer based on the server URL
-function getIssuer(): string {
- const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
-
- // Ensure the server URL is a valid GitHub server URL
- if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
- throw new Error(`Invalid server URL: ${serverURL}`)
- }
-
- let host = new URL(serverURL).hostname
-
- if (host === 'github.com') {
- host = 'githubusercontent.com'
- }
-
- return `https://token.actions.${host}`
-}
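Review bot: Dropping VALID_SERVER_URLS and getIssuer() leaves run() with no visible check that GITHUB_SERVER_URL is a github.com or *.ghe.com host; the hunk relies on @actions/attest ^1.4.2 to derive and validate the OIDC issuer, but nothing in this file records that, so the next reader may either re-add a local check or assume none exists. A one-line comment at the call, `// Issuer derivation and GITHUB_SERVER_URL validation now live in @actions/attest (>=1.4.2)`, would make the ownership of that check explicit. The bundled dist/index.js in this same change shows the replacement check in decodeOIDCToken matching `payload.iss` with `startsWith(issuer)`; because the JWKS is fetched for the expected issuer, a token from an unrelated issuer would still fail signature verification, but an exact match or a `${issuer}/` prefix would be the tighter form and is worth raising upstream rather than in this generated file. run()'s body continues outside the hunk.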