From 12c083815ed46d5d78222e3824f4a26c42c234d3 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Thu, 16 May 2024 11:25:01 -0700 Subject: [PATCH] Bump @sigstore/oci from 0.3.2 to 0.3.3 (#66) Signed-off-by: Brian DeHamer --- README.md | 2 +- dist/index.js | 28 ++++++++++++++++++++-------- package-lock.json | 18 +++++++++--------- package.json | 4 ++-- 4 files changed, 32 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index b51cf9f7..fb0cfd83 100644 --- a/README.md +++ b/README.md @@ -175,7 +175,7 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name -- the specific image being attested is identified by the supplied digest. -> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the +> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the > registry portion of the image name. ```yaml diff --git a/dist/index.js b/dist/index.js index 8f61d172..051634bb 100644 --- a/dist/index.js +++ b/dist/index.js 
@@ -11433,7 +11433,7 @@ exports.SignedCertificateTimestamp = SignedCertificateTimestamp; "use strict"; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.HEADER_OCI_SUBJECT = exports.HEADER_LOCATION = exports.HEADER_IF_MATCH = exports.HEADER_ETAG = exports.HEADER_DIGEST = exports.HEADER_CONTENT_TYPE = exports.HEADER_CONTENT_LENGTH = exports.HEADER_AUTHORIZATION = exports.HEADER_AUTHENTICATE = exports.HEADER_API_VERSION = exports.HEADER_ACCEPT = exports.CONTENT_TYPE_EMPTY_DESCRIPTOR = exports.CONTENT_TYPE_OCTET_STREAM = exports.CONTENT_TYPE_OCI_MANIFEST = exports.CONTENT_TYPE_OCI_INDEX = void 0; +exports.HEADER_OCI_SUBJECT = exports.HEADER_LOCATION = exports.HEADER_IF_MATCH = exports.HEADER_ETAG = exports.HEADER_DIGEST = exports.HEADER_CONTENT_TYPE = exports.HEADER_CONTENT_LENGTH = exports.HEADER_AUTHORIZATION = exports.HEADER_AUTHENTICATE = exports.HEADER_API_VERSION = exports.HEADER_ACCEPT = exports.CONTENT_TYPE_EMPTY_DESCRIPTOR = exports.CONTENT_TYPE_OCTET_STREAM = exports.CONTENT_TYPE_DOCKER_MANIFEST_LIST = exports.CONTENT_TYPE_DOCKER_MANIFEST = exports.CONTENT_TYPE_OCI_MANIFEST = exports.CONTENT_TYPE_OCI_INDEX = void 0; /* Copyright 2023 The Sigstore Authors. @@ -11451,6 +11451,8 @@ limitations under the License. */ exports.CONTENT_TYPE_OCI_INDEX = 'application/vnd.oci.image.index.v1+json'; exports.CONTENT_TYPE_OCI_MANIFEST = 'application/vnd.oci.image.manifest.v1+json'; +exports.CONTENT_TYPE_DOCKER_MANIFEST = 'application/vnd.docker.distribution.manifest.v2+json'; +exports.CONTENT_TYPE_DOCKER_MANIFEST_LIST = 'application/vnd.docker.distribution.manifest.list.v2+json'; exports.CONTENT_TYPE_OCTET_STREAM = 'application/octet-stream'; exports.CONTENT_TYPE_EMPTY_DESCRIPTOR = 'application/vnd.oci.empty.v1+json'; exports.HEADER_ACCEPT = 'Accept'; 
@@ -11704,13 +11706,14 @@ limitations under the License. const constants_1 = __nccwpck_require__(61319); const error_1 = __nccwpck_require__(60064); const registry_1 = __nccwpck_require__(27464); +const DOCKER_DEFAULT_REGISTRY = 'registry-1.docker.io'; const EMPTY_BLOB = Buffer.from('{}'); class OCIImage { constructor(image, creds, opts) { _OCIImage_instances.add(this); _OCIImage_client.set(this, void 0); _OCIImage_credentials.set(this, void 0); - __classPrivateFieldSet(this, _OCIImage_client, new registry_1.RegistryClient(image.registry, image.path, opts), "f"); + __classPrivateFieldSet(this, _OCIImage_client, new registry_1.RegistryClient(canonicalizeRegistryName(image.registry), image.path, opts), "f"); __classPrivateFieldSet(this, _OCIImage_credentials, creds, "f"); } async addArtifact(opts) { @@ -11840,6 +11843,13 @@ const newIndex = () => ({ const digestToTag = (digest) => { return digest.replace(':', '-'); }; +// Canonicalize the registry name to match the format used by the registry +// client. This is used primarily to handle the special case of the Docker Hub +// registry. +// https://github.com/moby/moby/blob/v24.0.2/registry/config.go#L25-L48 +const canonicalizeRegistryName = (registry) => { + return registry.endsWith('docker.io') ? DOCKER_DEFAULT_REGISTRY : registry; +}; /***/ }), @@ -11964,6 +11974,12 @@ const constants_1 = __nccwpck_require__(61319); const credentials_1 = __nccwpck_require__(95475); const error_1 = __nccwpck_require__(60064); const fetch_1 = __importDefault(__nccwpck_require__(437)); +const ALL_MANIFEST_MEDIA_TYPES = [ + constants_1.CONTENT_TYPE_OCI_INDEX, + constants_1.CONTENT_TYPE_OCI_MANIFEST, + constants_1.CONTENT_TYPE_DOCKER_MANIFEST, + constants_1.CONTENT_TYPE_DOCKER_MANIFEST_LIST, +].join(','); class RegistryClient { constructor(registry, repository, opts) { _RegistryClient_instances.add(this); 
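Review bot: `registry.endsWith('docker.io')` in `canonicalizeRegistryName` is a bare suffix test with no label boundary, so any registry host that merely ends in those characters (constructed example: `registry.notdocker.io`) is silently rewritten to `registry-1.docker.io`. The `RegistryClient` built in the `OCIImage` constructor would then talk to Docker Hub rather than the registry the caller named, and the credentials stored alongside it were presumably issued for that other registry. An exact-match allowlist of the Docker Hub aliases closes this: `const DOCKER_HUB_HOSTS = new Set(['docker.io', 'index.docker.io', 'registry-1.docker.io']);` and `return DOCKER_HUB_HOSTS.has(registry) ? DOCKER_DEFAULT_REGISTRY : registry;`. Since `dist/index.js` is bundled output, the change belongs upstream in `@sigstore/oci`, and the comment above the helper should state which host names are treated as Docker Hub.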
@@ -12058,9 +12074,7 @@ class RegistryClient { async checkManifest(reference) { const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { method: 'HEAD', - headers: { - [constants_1.HEADER_ACCEPT]: `${constants_1.CONTENT_TYPE_OCI_MANIFEST},${constants_1.CONTENT_TYPE_OCI_INDEX}`, - }, + headers: { [constants_1.HEADER_ACCEPT]: ALL_MANIFEST_MEDIA_TYPES }, }).then((0, error_1.ensureStatus)(200)); const mediaType = response.headers.get(constants_1.HEADER_CONTENT_TYPE) || /* istanbul ignore next */ ''; @@ -12072,9 +12086,7 @@ class RegistryClient { // Retrieves a manifest by reference async getManifest(reference) { const response = await __classPrivateFieldGet(this, _RegistryClient_fetch, "f").call(this, `${__classPrivateFieldGet(this, _RegistryClient_baseURL, "f")}/v2/${__classPrivateFieldGet(this, _RegistryClient_repository, "f")}/manifests/${reference}`, { - headers: { - [constants_1.HEADER_ACCEPT]: `${constants_1.CONTENT_TYPE_OCI_MANIFEST},${constants_1.CONTENT_TYPE_OCI_INDEX}`, - }, + headers: { [constants_1.HEADER_ACCEPT]: ALL_MANIFEST_MEDIA_TYPES }, }).then((0, error_1.ensureStatus)(200)); const body = await response.json(); const mediaType = response.headers.get(constants_1.HEADER_CONTENT_TYPE) || diff --git a/package-lock.json b/package-lock.json index b5774017..cbdb60d2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,18 +1,18 @@ { "name": "actions/attest", - "version": "1.1.1", + "version": "1.1.2", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "actions/attest", - "version": "1.1.1", + "version": "1.1.2", "license": "MIT", "dependencies": { "@actions/attest": "^1.2.1", "@actions/core": "^1.10.1", "@actions/glob": "^0.4.0", - "@sigstore/oci": "^0.3.2", + "@sigstore/oci": "^0.3.3", "csv-parse": "^5.5.5" }, "devDependencies": { 
@@ -1729,9 +1729,9 @@ } }, "node_modules/@sigstore/oci": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.2.tgz", - "integrity": "sha512-3UJC2SV+A4HuILse/jvodDI+0QIN13fErxu3roX5HU9wOeP31UHH/WMQBlN3l5DVewXTufNs3Q85DzOI1tQNLQ==", + "version": "0.3.3", + "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.3.tgz", + "integrity": "sha512-GFNS7BVC0YvZnajj/ZtboH98A8T0rApkkI3988BzkuIJ5f3Z+mTXr/b5K7OekfHv7LvLzSziXXRRnsb6Cx8zXg==", "dependencies": { "make-fetch-happen": "^13.0.1", "proc-log": "^4.2.0" @@ -9805,9 +9805,9 @@ } }, "@sigstore/oci": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.2.tgz", - "integrity": "sha512-3UJC2SV+A4HuILse/jvodDI+0QIN13fErxu3roX5HU9wOeP31UHH/WMQBlN3l5DVewXTufNs3Q85DzOI1tQNLQ==", + "version": "0.3.3", + "resolved": "https://registry.npmjs.org/@sigstore/oci/-/oci-0.3.3.tgz", + "integrity": "sha512-GFNS7BVC0YvZnajj/ZtboH98A8T0rApkkI3988BzkuIJ5f3Z+mTXr/b5K7OekfHv7LvLzSziXXRRnsb6Cx8zXg==", "requires": { "make-fetch-happen": "^13.0.1", "proc-log": "^4.2.0" diff --git a/package.json b/package.json index fcfc8e66..9388d72d 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "actions/attest", "description": "Generate signed attestations for workflow artifacts", - "version": "1.1.1", + "version": "1.1.2", "author": "", "private": true, "homepage": "https://github.com/actions/attest", @@ -72,7 +72,7 @@ "@actions/attest": "^1.2.1", "@actions/core": "^1.10.1", "@actions/glob": "^0.4.0", - "@sigstore/oci": "^0.3.2", + "@sigstore/oci": "^0.3.3", "csv-parse": "^5.5.5" }, "devDependencies": {