feat: VerifyNpmPackage API with supplied tuf client #768

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Add a new Post-Commit workflow, to make these renovate-bot updates a bit easier. Previously, we had to clone the PR locally, run `make package`, and then push to the PR. Now we would just need to use the github UI to invoke this new workflow against the PR number. We could also copy this over to the slsa-github-generator repo. > A workflow to run against renovate-bot's PRs, > such as `make package` after it updates the package.json and package-lock.json files. > The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact. > Then a higher-privilege Job applies the diff and pushes the changes to the PR. > It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes! ## Testing. Tested in my own private fork, where when applicable, it pushed a commit of changes to `dist/` folders - https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483 - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits - https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353 - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

…#717) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@actions/core](https://github.com/actions/toolkit/tree/main/packages/core) ([source](https://github.com/actions/toolkit/tree/HEAD/packages/core)) | [`1.10.0` -> `1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/toolkit (@actions/core)</summary> ### [`v1.10.1`](https://github.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101) - Fix error message reference in oidc utils [#1511](https://github.com/actions/toolkit/pull/1511) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).  --------- Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: github-actions <github-actions@github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

This reverts commit e855e4f. Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version comment. Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

# Summary Updates renovate config to use the [`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices) preset rather than the `config:base` preset since `config:base` seems to be deprecated. Also updates the `schedule` config to use the [`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly) preset. Also adds a pre-submit to run the [`renovate-config-validator`](https://docs.renovatebot.com/config-validation/) to ensure that renovate config is valid. This pre-submit will need to be made required in the repository branch protection rule for `main` in the repository settings after this PR is merged. --------- Signed-off-by: Ian Lewis <ianmlewis@gmail.com> Signed-off-by: Ian Lewis <ianlewis@google.com> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

changing the update-dist workflow to use the `pr_number` input as an env variable to avoid [script injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks). Our workflows are only invokable by our trusted maintainers so we should be okay. This is just an extra hardening measure. Open issue actions/runner#1070 (comment) ## Testing I confirmed the issue by invoking the workflow with `650 && echo SCRIPT INJECTION`, and it did also do the extra `echo` command. - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36 after invoking the workflow again with this PR's version, the problem is mitigated. - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8 - https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7 Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Followup to slsa-framework#760 Fix the .github/workflows/update-actions-dist-post-commit.yml workflow to also signoff commit # Testing - [x] Invoked this PR's branch copy of the workflow against slsa-framework#717, and it did signoff the commit. - slsa-framework@9670f76 Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: VerifyNpmPackage API with supplied tuf client #768

feat: VerifyNpmPackage API with supplied tuf client #768

Commits on May 8, 2024

Commits on Jun 10, 2024

Commits on Jun 11, 2024

Commits on Jul 1, 2024

Commits on Jul 2, 2024

Commits on Aug 7, 2024

Commits on Aug 28, 2024

feat: VerifyNpmPackage API with supplied tuf client #768

Are you sure you want to change the base?

feat: VerifyNpmPackage API with supplied tuf client #768

Commits on May 8, 2024

Commits on Jun 10, 2024

Commits on Jun 11, 2024

Commits on Jul 1, 2024

Commits on Jul 2, 2024

Commits on Aug 7, 2024

Commits on Aug 28, 2024