actions/docker-attest-build-provenance
1
0
Fork 0
mirror of https://github.com/actions/attest-build-provenance.git synced 2026-03-15 19:58:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add support for creating artifact metadata storage records (#779)
Some checks failed
Check Transpiled JavaScript / Check dist/ (push) Failing after 4s
Details
Continuous Integration / TypeScript Tests (push) Failing after 2s
Details
Continuous Integration / Test attest-provenance action (push) Failing after 2s
Details
CodeQL / Analyze (TypeScript) (push) Failing after 31s
Details
Public-Good Sigstore Prober / prober (push) Failing after 2s
Details
GitHub Sigstore Prober / prober (push) Failing after 1s
Details

Browse Source 
* use latest version of attest action

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include docs on create-storage-record

Signed-off-by: Meredith Lancaster <malancas@github.com>

* install most recent version of actions/attest

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update attest action to latest version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add artifact-metadata permission docs

Signed-off-by: Meredith Lancaster <malancas@github.com>

* restore original package version

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
This commit is contained in:
Meredith Lancaster 2025-12-18 16:09:53 -08:00 committed by GitHub
parent 8835c60c52
commit 00014ed6ed
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -46,11 +46,15 @@ attest:
permissions: permissions:
id-token: write id-token: write
attestations: write attestations: write
artifact-metadata: write
``` ```
The `id-token` permission gives the action the ability to mint the OIDC token The `id-token` permission gives the action the ability to mint the OIDC token
necessary to request a Sigstore signing certificate. The `attestations` necessary to request a Sigstore signing certificate. The `attestations`
permission is necessary to persist the attestation. permission is necessary to persist the attestation.
The `artifact-metadata` permission is required to generate artifact
metadata storage records. If this permission is not included, the action
will continue without creating the record.
1. Add the following to your workflow after your artifact has been built: 1. Add the following to your workflow after your artifact has been built:
@ -95,6 +99,12 @@ See [action.yml](action.yml)
# the "subject-digest" parameter be specified. Defaults to false. # the "subject-digest" parameter be specified. Defaults to false.
push-to-registry: push-to-registry:
# Whether to create a storage record for the artifact.
# Requires that push-to-registry is set to true.
# Requires that the "subject-name" parameter specify the fully-qualified
# image name. Defaults to true.
create-storage-record:
# Whether to attach a list of generated attestations to the workflow run # Whether to attach a list of generated attestations to the workflow run
# summary page. Defaults to true. # summary page. Defaults to true.
show-summary: show-summary:
@ -243,6 +253,10 @@ the specific image being attested is identified by the supplied digest.
Attestation bundles are stored in the OCI registry according to the [Cosign Attestation bundles are stored in the OCI registry according to the [Cosign
Bundle Specification][10]. Bundle Specification][10].
If the `push-to-registry` option is set to true, the Action will also
emit an Artifact Metadata Storage Record. If you do not want to emit a
storage record, set `create-storage-record` to `false`.
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
> registry portion of the image name. > registry portion of the image name.

9
action.yml
View File

@ -36,6 +36,12 @@ inputs:
and that the "subject-digest" parameter be specified. Defaults to false. and that the "subject-digest" parameter be specified. Defaults to false.
default: false default: false
required: false required: false
create-storage-record:
description: >
Whether to create a storage record for the artifact.
Requires that push-to-registry is set to true. Defaults to true.
default: true
required: false
show-summary: show-summary:
description: > description: >
Whether to attach a list of generated attestations to the workflow run Whether to attach a list of generated attestations to the workflow run
@ -64,7 +70,7 @@ runs:
steps: steps:
- uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0 - uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
id: generate-build-provenance-predicate id: generate-build-provenance-predicate
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0 - uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
id: attest id: attest
env: env:
NODE_OPTIONS: "--max-http-header-size=32768" NODE_OPTIONS: "--max-http-header-size=32768"
@ -76,5 +82,6 @@ runs:
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }} predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }} predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
push-to-registry: ${{ inputs.push-to-registry }} push-to-registry: ${{ inputs.push-to-registry }}
create-storage-record: ${{ inputs.create-storage-record }}
show-summary: ${{ inputs.show-summary }} show-summary: ${{ inputs.show-summary }}
github-token: ${{ inputs.github-token }} github-token: ${{ inputs.github-token }}

4
package-lock.json generated
View File

@ -1,12 +1,12 @@
{ {
"name": "actions/attest-build-provenance", "name": "actions/attest-build-provenance",
"version": "2.0.0", "version": "3.1.0",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "actions/attest-build-provenance", "name": "actions/attest-build-provenance",
"version": "2.0.0", "version": "3.1.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/attest": "^2.1.0", "@actions/attest": "^2.1.0",