Add support for creating artifact metadata storage records (#779)
* use latest version of attest action Signed-off-by: Meredith Lancaster <malancas@github.com> * include docs on create-storage-record Signed-off-by: Meredith Lancaster <malancas@github.com> * install most recent version of actions/attest Signed-off-by: Meredith Lancaster <malancas@github.com> * update attest action to latest version Signed-off-by: Meredith Lancaster <malancas@github.com> * add artifact-metadata permission docs Signed-off-by: Meredith Lancaster <malancas@github.com> * restore original package version Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
This commit is contained in:
parent
8835c60c52
commit
00014ed6ed
14
README.md
14
README.md
@ -46,11 +46,15 @@ attest:
|
||||
permissions:
|
||||
id-token: write
|
||||
attestations: write
|
||||
artifact-metadata: write
|
||||
```
|
||||
|
||||
The `id-token` permission gives the action the ability to mint the OIDC token
|
||||
necessary to request a Sigstore signing certificate. The `attestations`
|
||||
permission is necessary to persist the attestation.
|
||||
The `artifact-metadata` permission is required to generate artifact
|
||||
metadata storage records. If this permission is not included, the action
|
||||
will continue without creating the record.
|
||||
|
||||
1. Add the following to your workflow after your artifact has been built:
|
||||
|
||||
@ -95,6 +99,12 @@ See [action.yml](action.yml)
|
||||
# the "subject-digest" parameter be specified. Defaults to false.
|
||||
push-to-registry:
|
||||
|
||||
# Whether to create a storage record for the artifact.
|
||||
# Requires that push-to-registry is set to true.
|
||||
# Requires that the "subject-name" parameter specify the fully-qualified
|
||||
# image name. Defaults to true.
|
||||
create-storage-record:
|
||||
|
||||
# Whether to attach a list of generated attestations to the workflow run
|
||||
# summary page. Defaults to true.
|
||||
show-summary:
|
||||
@ -243,6 +253,10 @@ the specific image being attested is identified by the supplied digest.
|
||||
Attestation bundles are stored in the OCI registry according to the [Cosign
|
||||
Bundle Specification][10].
|
||||
|
||||
If the `push-to-registry` option is set to true, the Action will also
|
||||
emit an Artifact Metadata Storage Record. If you do not want to emit a
|
||||
storage record, set `create-storage-record` to `false`.
|
||||
|
||||
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
|
||||
> registry portion of the image name.
|
||||
|
||||
|
||||
@ -36,6 +36,12 @@ inputs:
|
||||
and that the "subject-digest" parameter be specified. Defaults to false.
|
||||
default: false
|
||||
required: false
|
||||
create-storage-record:
|
||||
description: >
|
||||
Whether to create a storage record for the artifact.
|
||||
Requires that push-to-registry is set to true. Defaults to true.
|
||||
default: true
|
||||
required: false
|
||||
show-summary:
|
||||
description: >
|
||||
Whether to attach a list of generated attestations to the workflow run
|
||||
@ -64,7 +70,7 @@ runs:
|
||||
steps:
|
||||
- uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
|
||||
id: generate-build-provenance-predicate
|
||||
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
|
||||
- uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
|
||||
id: attest
|
||||
env:
|
||||
NODE_OPTIONS: "--max-http-header-size=32768"
|
||||
@ -76,5 +82,6 @@ runs:
|
||||
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
|
||||
predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
|
||||
push-to-registry: ${{ inputs.push-to-registry }}
|
||||
create-storage-record: ${{ inputs.create-storage-record }}
|
||||
show-summary: ${{ inputs.show-summary }}
|
||||
github-token: ${{ inputs.github-token }}
|
||||
|
||||
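Review bot: The `create-storage-record` input description in the `inputs:` hunk omits two preconditions that the README hunks in this same commit document — that `subject-name` must be a fully-qualified image name, and that the step needs the `artifact-metadata: write` permission and otherwise continues without creating the record — so a user reading action.yml alone sees `default: true` with no hint that the record can be silently skipped. Because the default is `true` while `push-to-registry` defaults to `false`, the description should also say what happens when the registry push is off; the README wording suggests no record is produced, but that is inferred rather than visible here. I would replace the folded description body with `Whether to create an artifact metadata storage record for the subject.` / `Requires push-to-registry to be true, "subject-name" to be a fully-qualified image name, and the "artifact-metadata: write" permission; without the permission the record is skipped. Defaults to true.` The `inputs:` mapping this hunk belongs to starts and ends outside the hunk.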
4
package-lock.json
generated
4
package-lock.json
generated
@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "actions/attest-build-provenance",
|
||||
"version": "2.0.0",
|
||||
"version": "3.1.0",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "actions/attest-build-provenance",
|
||||
"version": "2.0.0",
|
||||
"version": "3.1.0",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/attest": "^2.1.0",
|
||||
|
||||