fix(deps): Update Sigstore Dep to Sigstore 2.2.2

[enteraga6]

Summary

Updates sigstore version from 1.8 -> 2.2.2 for the root dependency version and for the Github Action sign-attestation, verify-token, and setup-generic.

Per 1.9, signing options needed to be removed. More information on it here on this Sigstore Issue. This fixes revert from #2913

The actions were refactored to make use of to explicitly use Sigstore's individual functions/types on imports from this v2.0.0 change

Testing Process

Testing Removal of Signing Options
After updating sign-attestation on a personal workflow pointing to the branch. Check it out here
After updating verify-token and setup-generic to 1.9, I tested using this workflow.

Testing 2.2.2
After updating the actions to Sigstore 2.2.2, I tested using this workflow. Note: it says Sigstore 1.9 on workflow title, but it was used to test 2.2.2. I used the same workflow.

Final Test
This workflow test shows successful functionality after all the changes.

Checklist

• Review the contributing guidelines
• Add a reference to related issues in the PR description.
• Update documentation if applicable.
• Add unit tests if applicable.
• Add changes to the CHANGELOG if applicable.

[ramonpetgrave64]

Are these now default params in v1.9?

[enteraga6]

Yes, in v1.9 it defaults to CI provider when no other strategy has been configured, instead of defaulting as the first strategy like before in v1.8. Removing signOptions, lets it fallback to CI provider to get OIDC token for GHA.

You can see that change here: https://github.com/sigstore/sigstore-js/blob/sigstore%401.9.0/packages/client/src/config.ts#L130-L139

[enteraga6]

I also just updated verify-token and setup-generic because they also had Sigstore v1.8. I think that is all the actions that were running v1.8. Test that confirms functionality is in the edited PR description and here

[kpk47]

Thanks for the contribution!

[enteraga6]

@kpk47 I bumped to Sigstore 2.2.2 to make it the latest since it seemed to be a simple change following this commit from Sigstore 2.0.0 where they had some major changes.

I seem to be failing check-dist-matrix pre-submit tests for the sign-attestations and setup-generic, both of which I bumped. Is this because I pushed another commit after you approved the code? Or is there another reason I should look into?

The functionality is correct on my personal workflow test here

Thanks!

[ramonpetgrave64]

I'm not sure, but I think the pre-submit problems you're having might be around node version.

The tests all use node18, but we still have some actions using node 16.

slsa-github-generator/.github/workflows/pre-submit.actions.yml

Lines 67 to 83 in 2512315

	matrix:
	action:
	- .github/actions/compute-sha256
	- .github/actions/privacy-check
	- .github/actions/generate-attestations
	- .github/actions/sign-attestations
	- .github/actions/create-container_based-predicate
	- ./actions/delegator/setup-generic
	- .github/actions/verify-token
	- .github/actions/detect-workflow-js
	steps:
	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Set Node.js 18
	uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
	with:
	node-version: 18

[ramonpetgrave64]

Did you mean for this to be 2.2.2?

[laurentsimon]

The package seems to exist at this verison, iiuc https://github.com/sigstore/sigstore-js/releases/tag/sigstore%402.2.2

[ramonpetgrave64]

I ask because your PR description says you mean to upgrade to "1.9", so I thought you might have meant 1.9.0.
https://github.com/sigstore/sigstore-js/releases/tag/sigstore%401.9.0

[enteraga6]

Yes! I should have updated the title and description. Will do that now. Perhaps, I should have done 2.2.2 in a separate pr. My thinking was that since 2.2.2 was the latest and required only a small change that it would be best to do that here.

[laurentsimon]

I'm not sure, but I think the pre-submit problems you're having might be around node version.

The tests all use node18, but we still have some actions using node 16.

slsa-github-generator/.github/workflows/pre-submit.actions.yml

Lines 67 to 83 in 2512315

	matrix:
	action:
	- .github/actions/compute-sha256
	- .github/actions/privacy-check
	- .github/actions/generate-attestations
	- .github/actions/sign-attestations
	- .github/actions/create-container_based-predicate
	- ./actions/delegator/setup-generic
	- .github/actions/verify-token
	- .github/actions/detect-workflow-js
	steps:
	- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Set Node.js 18
	uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
	with:
	node-version: 18

You need to recompile the code from typescript (TS) to javascript. In each of these projects, run something like npm run all (check the Makefile and package.json where these commands are defined). The reason we have this check is because the compiled code is not human-readable so we can't review it. But we want to ensure that what's being pushed and eventually run by the Action is the same as the TS code that we review.

Version change post-review.

[kpk47]

I'm removing my approval for now. Please recompile the TypeScript and request review again when the tests pass.

Also, please update the PR description when you re-send it.

[enteraga6]

@laurentsimon It is recompiled in each using npm run all. I went ahead to double check did npm run all again, then cleared the node_modules in case there was a local cache issue, did npm install then npm run all. I refactored the code to explicitly use Sigstore's individual functions/types on imports from this 2.0.0 change. No luck.

Honestly, I am not sure what the problem is. I think it might be best to reset to last v1.9 commit, draft a pr to continue exploring this issue for 2.2.2.

It seems that the tests fail because of this git diff (same for other fail as well):

diff --git a/actions/delegator/setup-generic/dist/public-good-instance-root.json b/actions/delegator/setup-generic/dist/public-good-instance-root.json
deleted file mode 100644
index e95c7e8..0000000
--- a/actions/delegator/setup-generic/dist/public-good-instance-root.json

What is public-good-instance-root.json? What do you think?

[laurentsimon]

@laurentsimon It is recompiled in each using npm run all. I went ahead to double check did npm run all again, then cleared the node_modules in case there was a local cache issue, did npm install then npm run all. I refactored the code to explicitly use Sigstore's individual functions/types on imports from this 2.0.0 change. No luck.

Honestly, I am not sure what the problem is. I think it might be best to reset to last v1.9 commit, draft a pr to continue exploring this issue for 2.2.2.

It seems that the tests fail because of this git diff (same for other fail as well):

diff --git a/actions/delegator/setup-generic/dist/public-good-instance-root.json b/actions/delegator/setup-generic/dist/public-good-instance-root.json
deleted file mode 100644
index e95c7e8..0000000
--- a/actions/delegator/setup-generic/dist/public-good-instance-root.json

What is public-good-instance-root.json? What do you think?

Looks like tests are passing now?

[laurentsimon]

LGTM. Wdut @ianlewis @ramonpetgrave64 ?

[enteraga6]

@laurentsimon Yes! Tests are passing now. It seems that npm run all created public-good-instance-root.json which the tests did not want. Looking over the the matrix dist tests, they run make clean package. Doing that removed public-good-instance-root.json which is what the tests needed to pass. I am still unsure what public-good-instance-root.json was or why it was generated with npm run all but not make clean package.

[ianlewis]

@laurentsimon Yes! Tests are passing now. It seems that npm run all created public-good-instance-root.json which the tests did not want. Looking over the the matrix dist tests, they run make clean package. Doing that removed public-good-instance-root.json which is what the tests needed to pass. I am still unsure what public-good-instance-root.json was or why it was generated with npm run all but not make clean package.

The sigstore-js packages (or underlying TUF packages) have likely changed how they build the TUF root info into the package and public-good-instance-root.json was just hanging around from a previous build. Running make clean cleaned out the lib and dist directories and cleared things up.

[ianlewis]

LGTM