@@ -40,24 +40,9 @@ async function run() {
4040 // Step 2: First download Witness binary
4141 await downloadWitness ( witnessVersion , witnessInstallDir ) ;
4242
43- // Check if we have a direct command or if we're wrapping an action
44- const directCommand = core . getInput ( "command" ) ;
43+ // Step 3: Now handle the GitHub Action wrapping
4544 const actionRef = core . getInput ( "action-ref" ) ;
46-
47- // If both are specified, action-ref takes precedence
48- let downloadedActionDir = null ;
49- let commandToRun = null ;
50-
51- if ( actionRef ) {
52- // Step 3a: Handle the GitHub Action wrapping
53- downloadedActionDir = await downloadAndExtractAction ( actionRef ) ;
54- } else if ( directCommand ) {
55- // Step 3b: Use the direct command (for backward compatibility)
56- commandToRun = directCommand ;
57- core . info ( `Using direct command mode: ${ commandToRun } ` ) ;
58- } else {
59- throw new Error ( "Either 'action-ref' or 'command' input must be provided" ) ;
60- }
45+ const downloadedActionDir = await downloadAndExtractAction ( actionRef ) ;
6146
6247 // Step 4: Prepare witness command
6348 const step = core . getInput ( "step" ) ;
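Review bot: With the fallback branch removed, `actionRef` read at the `action-ref` line is used unchecked: an empty input now flows into `downloadAndExtractAction` instead of hitting the removed "Either 'action-ref' or 'command' input must be provided" error, so a misconfigured workflow fails somewhere inside the download with a less useful message, or possibly not at all depending on how that helper treats an empty ref. Mark the input required so @actions/core fails fast with a clear message: `const actionRef = core.getInput("action-ref", { required: true });`. If the `command` input is still declared in action.yml, it is now silently ignored; consider either removing it there or failing when it is set, so workflows that relied on direct-command mode do not keep running without wrapping their command. The enclosing run() function starts before and continues past this hunk.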
@@ -88,67 +73,34 @@ async function run() {
8873 const exportSLSA = core . getInput ( "attestor-slsa-export" ) === "true" ;
8974 const mavenPOM = core . getInput ( "attestor-maven-pom-path" ) ;
9075
91- // Step 5: Run with Witness (either action or direct command)
92- let witnessOutput ;
93- if ( downloadedActionDir ) {
94- // Run the downloaded action with Witness
95- witnessOutput = await runActionWithWitness (
96- downloadedActionDir ,
97- {
98- step,
99- archivistaServer,
100- attestations,
101- certificate,
102- enableArchivista,
103- fulcio,
104- fulcioOidcClientId,
105- fulcioOidcIssuer,
106- fulcioToken,
107- intermediates,
108- key,
109- outfile,
110- productExcludeGlob,
111- productIncludeGlob,
112- spiffeSocket,
113- timestampServers,
114- trace,
115- enableSigstore,
116- exportLink,
117- exportSBOM,
118- exportSLSA,
119- mavenPOM,
120- }
121- ) ;
122- } else {
123- // Run direct command with Witness
124- witnessOutput = await runDirectCommandWithWitness (
125- commandToRun ,
126- {
127- step,
128- archivistaServer,
129- attestations,
130- certificate,
131- enableArchivista,
132- fulcio,
133- fulcioOidcClientId,
134- fulcioOidcIssuer,
135- fulcioToken,
136- intermediates,
137- key,
138- outfile,
139- productExcludeGlob,
140- productIncludeGlob,
141- spiffeSocket,
142- timestampServers,
143- trace,
144- enableSigstore,
145- exportLink,
146- exportSBOM,
147- exportSLSA,
148- mavenPOM,
149- }
150- ) ;
151- }
76+ // Step 5: Run the downloaded action with Witness
77+ const witnessOutput = await runActionWithWitness (
78+ downloadedActionDir ,
79+ {
80+ step,
81+ archivistaServer,
82+ attestations,
83+ certificate,
84+ enableArchivista,
85+ fulcio,
86+ fulcioOidcClientId,
87+ fulcioOidcIssuer,
88+ fulcioToken,
89+ intermediates,
90+ key,
91+ outfile,
92+ productExcludeGlob,
93+ productIncludeGlob,
94+ spiffeSocket,
95+ timestampServers,
96+ trace,
97+ enableSigstore,
98+ exportLink,
99+ exportSBOM,
100+ exportSLSA,
101+ mavenPOM,
102+ }
103+ ) ;
152104
153105 // Step 6: Process the output
154106 const gitOIDs = extractDesiredGitOIDs ( witnessOutput ) ;
@@ -570,140 +522,6 @@ function extractDesiredGitOIDs(output) {
570522 return matchArray ;
571523}
572524
573- // Run a direct command with Witness
574- async function runDirectCommandWithWitness ( command , witnessOptions ) {
575- const {
576- step,
577- archivistaServer,
578- attestations,
579- certificate,
580- enableArchivista,
581- fulcio,
582- fulcioOidcClientId,
583- fulcioOidcIssuer,
584- fulcioToken,
585- intermediates,
586- key,
587- outfile,
588- productExcludeGlob,
589- productIncludeGlob,
590- spiffeSocket,
591- timestampServers,
592- trace,
593- enableSigstore,
594- exportLink,
595- exportSBOM,
596- exportSLSA,
597- mavenPOM,
598- } = witnessOptions ;
599-
600- // Build the witness run command
601- const cmd = [ "run" ] ;
602-
603- if ( enableSigstore ) {
604- fulcio = fulcio || "https://fulcio.sigstore.dev" ;
605- fulcioOidcClientId = fulcioOidcClientId || "sigstore" ;
606- fulcioOidcIssuer = fulcioOidcIssuer || "https://oauth2.sigstore.dev/auth" ;
607- timestampServers = "https://freetsa.org/tsr " + timestampServers ;
608- }
609-
610- if ( attestations . length ) {
611- attestations . forEach ( ( attestation ) => {
612- attestation = attestation . trim ( ) ;
613- if ( attestation . length > 0 ) {
614- cmd . push ( `-a=${ attestation } ` ) ;
615- }
616- } ) ;
617- }
618-
619- if ( exportLink ) cmd . push ( `--attestor-link-export` ) ;
620- if ( exportSBOM ) cmd . push ( `--attestor-sbom-export` ) ;
621- if ( exportSLSA ) cmd . push ( `--attestor-slsa-export` ) ;
622-
623- if ( mavenPOM ) cmd . push ( `--attestor-maven-pom-path=${ mavenPOM } ` ) ;
624-
625- if ( certificate ) cmd . push ( `--certificate=${ certificate } ` ) ;
626- if ( enableArchivista ) cmd . push ( `--enable-archivista=${ enableArchivista } ` ) ;
627- if ( archivistaServer ) cmd . push ( `--archivista-server=${ archivistaServer } ` ) ;
628- if ( fulcio ) cmd . push ( `--signer-fulcio-url=${ fulcio } ` ) ;
629- if ( fulcioOidcClientId ) cmd . push ( `--signer-fulcio-oidc-client-id=${ fulcioOidcClientId } ` ) ;
630- if ( fulcioOidcIssuer ) cmd . push ( `--signer-fulcio-oidc-issuer=${ fulcioOidcIssuer } ` ) ;
631- if ( fulcioToken ) cmd . push ( `--signer-fulcio-token=${ fulcioToken } ` ) ;
632-
633- if ( intermediates . length ) {
634- intermediates . forEach ( ( intermediate ) => {
635- intermediate = intermediate . trim ( ) ;
636- if ( intermediate . length > 0 ) {
637- cmd . push ( `-i=${ intermediate } ` ) ;
638- }
639- } ) ;
640- }
641-
642- if ( key ) cmd . push ( `--key=${ key } ` ) ;
643- if ( productExcludeGlob ) cmd . push ( `--attestor-product-exclude-glob=${ productExcludeGlob } ` ) ;
644- if ( productIncludeGlob ) cmd . push ( `--attestor-product-include-glob=${ productIncludeGlob } ` ) ;
645- if ( spiffeSocket ) cmd . push ( `--spiffe-socket=${ spiffeSocket } ` ) ;
646- if ( step ) cmd . push ( `-s=${ step } ` ) ;
647-
648- if ( timestampServers ) {
649- const timestampServerValues = timestampServers . split ( " " ) ;
650- timestampServerValues . forEach ( ( timestampServer ) => {
651- timestampServer = timestampServer . trim ( ) ;
652- if ( timestampServer . length > 0 ) {
653- cmd . push ( `--timestamp-servers=${ timestampServer } ` ) ;
654- }
655- } ) ;
656- }
657-
658- if ( trace ) cmd . push ( `--trace=${ trace } ` ) ;
659- if ( outfile ) cmd . push ( `--outfile=${ outfile } ` ) ;
660-
661- // Parse the command into an array if it's not already
662- const commandArray = command . match ( / (?: [ ^ \s " ] + | " [ ^ " ] * " ) + / g) || [ command ] ;
663-
664- // Execute the command and capture its output
665- const runArray = [ "witness" , ...cmd , "--" , ...commandArray ] ;
666- const commandString = runArray . join ( " " ) ;
667-
668- core . info ( `Running witness command: ${ commandString } ` ) ;
669-
670- // Set up options for execution
671- const execOptions = {
672- cwd : process . env . GITHUB_WORKSPACE || process . cwd ( ) ,
673- env : process . env ,
674- listeners : {
675- stdout : ( data ) => {
676- process . stdout . write ( data . toString ( ) ) ;
677- } ,
678- stderr : ( data ) => {
679- process . stderr . write ( data . toString ( ) ) ;
680- }
681- }
682- } ;
683-
684- // Execute and capture output
685- let output = '' ;
686-
687- await exec . exec ( 'sh' , [ '-c' , commandString ] , {
688- ...execOptions ,
689- listeners : {
690- ...execOptions . listeners ,
691- stdout : ( data ) => {
692- const str = data . toString ( ) ;
693- output += str ;
694- process . stdout . write ( str ) ;
695- } ,
696- stderr : ( data ) => {
697- const str = data . toString ( ) ;
698- output += str ;
699- process . stderr . write ( str ) ;
700- }
701- }
702- } ) ;
703-
704- return output ;
705- }
706-
707525function parseActionRef ( refString ) {
708526 const parts = refString . split ( "@" ) ;
709527 if ( parts . length !== 2 ) {