actions/docker-attest-build-provenance
1
0
Fork 0
mirror of https://github.com/actions/attest-build-provenance.git synced 2026-06-13 18:19:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #5 from ETEnterprises1/ETEnterprises1-patch-1

Browse Source 
Update .gitattributes
This commit is contained in:
Chais Fitzwater 2024-12-31 00:38:58 -06:00 committed by GitHub
commit 1d38832261
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 916 additions and 440 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.gitattributes vendored
View File

@ -1,3 +1,19 @@
* text=auto eol=lf
dist/** -diff linguist-generated=true
$0/** -add paymentmethod-
All
Products
Homework
Visual matches
About this image
wc:2f31846a089906e83e36196a50250ea5092ac69ad2783fd307dc7c0e9952575c@2?expiryTimestamp=1735625463&relay-protocol=irn&symKey=e793ea123eb2822da2855501b8f19ea525641ab883bc66fbbfad10168ce1e586
Search
Copy text
Translate
Spanish Lake, Missouri - Based on your places (Home)
Update location
Terms=true

2
.github/workflows/prober.yml vendored
View File

@ -29,7 +29,7 @@ jobs:
date > artifact
- name: Attest build provenance
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@v2
env:
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
with:

2
.github/workflows/publish-immutable-actions.yml vendored
View File

@ -19,4 +19,4 @@ jobs:
uses: actions/checkout@v4
- name: Publish
id: publish
uses: actions/publish-immutable-action@0.0.3
uses: actions/publish-immutable-action@v0.0.4

8
.prettierrc.json
View File

@ -1,12 +1,12 @@
{
"printWidth": 80,
"tabWidth": 2,
"useTabs": false,
"semi": false,
"useTabs": true,
"semi": true,
"singleQuote": true,
"quoteProps": "as-needed",
"jsxSingleQuote": false,
"trailingComma": "none",
"jsxSingleQuote": true,
"trailingComma": "as needed",
"bracketSpacing": true,
"bracketSameLine": true,
"arrowParens": "avoid",

50
README.md
View File

@ -25,6 +25,16 @@ CLI][5].
See [Using artifact attestations to establish provenance for builds][9] for more
information on artifact attestations.
<!-- prettier-ignore-start -->
> [!NOTE]
> Artifact attestations are available in public repositories for all
> current GitHub plans. They are not available on legacy plans, such as Bronze,
> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
> artifact attestations are only available for public repositories. To use
> artifact attestations in private or internal repositories, you must be on a
> GitHub Enterprise Cloud plan.
<!-- prettier-ignore-end -->
## Usage
Within the GitHub Actions workflow which builds some artifact you would like to
@ -45,7 +55,7 @@ attest:
1. Add the following to your workflow after your artifact has been built:
```yaml
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@v2
with:
subject-path: '<PATH TO ARTIFACT>'
```
@ -58,11 +68,11 @@ attest:
See [action.yml](action.yml)
```yaml
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@v2
with:
# Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest". May contain a
# glob pattern or list of paths (total subject count cannot exceed 2500).
# glob pattern or list of paths (total subject count cannot exceed 1024).
subject-path:
# SHA256 digest of the subject for the attestation. Must be in the form
@ -93,26 +103,24 @@ See [action.yml](action.yml)
<!-- markdownlint-disable MD013 -->
| Name | Description | Example |
| ------------- | -------------------------------------------------------------- | ------------------------ |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.jsonl` |
| Name | Description | Example |
| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
| `attestation-id` | GitHub ID for the attestation | `123456` |
| `attestation-url` | URL for the attestation summary | `https://github.com/foo/bar/attestations/123456` |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
<!-- markdownlint-enable MD013 -->
Attestations are saved in the JSON-serialized [Sigstore bundle][6] format.
If multiple subjects are being attested at the same time, each attestation will
be written to the output file on a separate line (using the [JSON Lines][7]
format).
If multiple subjects are being attested at the same time, a single attestation
will be created with references to each of the supplied subjects.
## Attestation Limits
### Subject Limits
No more than 2500 subjects can be attested at the same time. Subjects will be
processed in batches 50. After the initial group of 50, each subsequent batch
will incur an exponentially increasing amount of delay (capped at 1 minute of
delay per batch) to avoid overwhelming the attestation API.
No more than 1024 subjects can be attested at the same time.
## Examples
@ -130,6 +138,7 @@ on:
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
@ -141,18 +150,18 @@ jobs:
- name: Build artifact
run: make my-app
- name: Attest
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@v2
with:
subject-path: '${{ github.workspace }}/my-app'
```
### Identify Multiple Subjects
If you are generating multiple artifacts, you can generate a provenance
attestation for each by using a wildcard in the `subject-path` input.
If you are generating multiple artifacts, you can attest all of them at the same
time by using a wildcard in the `subject-path` input.
```yaml
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@v2
with:
subject-path: 'dist/**/my-bin-*'
```
@ -164,13 +173,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
newline delimited list:
```yaml
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@v2
with:
subject-path: 'dist/foo, dist/bar'
```
```yaml
- uses: actions/attest-build-provenance@v1
- uses: actions/attest-build-provenance@v2
with:
subject-path: |
dist/foo
@ -230,7 +239,7 @@ jobs:
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Attest
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@v2
id: attest
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@ -245,7 +254,6 @@ jobs:
[5]: https://cli.github.com/manual/gh_attestation_verify
[6]:
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[7]: https://jsonlines.org/
[8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
[9]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

14
action.yml
View File

@ -10,7 +10,7 @@ inputs:
description: >
Path to the artifact serving as the subject of the attestation. Must
specify exactly one of "subject-path" or "subject-digest". May contain a
glob pattern or list of paths (total subject count cannot exceed 2500).
glob pattern or list of paths (total subject count cannot exceed 1024).
required: false
subject-digest:
description: >
@ -44,15 +44,21 @@ inputs:
outputs:
bundle-path:
description: 'The path to the file containing the attestation bundle(s).'
description: 'The path to the file containing the attestation bundle.'
value: ${{ steps.attest.outputs.bundle-path }}
attestation-id:
description: 'The ID of the attestation.'
value: ${{ steps.attest.outputs.attestation-id }}
attestation-url:
description: 'The URL for the attestation summary.'
value: ${{ steps.attest.outputs.attestation-url }}
runs:
using: 'composite'
steps:
- uses: actions/attest-build-provenance/predicate@f1185f1959cdaeda41a7f5a7b43cbe6b58a7a793 # predicate@1.1.3
- uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4
id: generate-build-provenance-predicate
- uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1
- uses: actions/attest@v2.1.0
id: attest
with:
subject-path: ${{ inputs.subject-path }}

BIN
dist/606.index.js generated vendored Normal file
View File

Binary file not shown.

BIN
dist/index.js generated vendored
View File

Binary file not shown.

BIN
dist/licenses.txt generated vendored
View File

Binary file not shown.

1238
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

26
package.json
View File

@ -1,7 +1,7 @@
{
"name": "actions/attest-build-provenance",
"description": "Generate signed build provenance attestations",
"version": "1.1.3",
"version": "1.1.4",
"author": "",
"private": true,
"homepage": "https://github.com/actions/attest-build-provenance",
@ -70,27 +70,27 @@
]
},
"dependencies": {
"@actions/attest": "^1.4.2",
"@actions/attest": "^1.5.0",
"@actions/core": "^1.11.1"
},
"devDependencies": {
"@types/jest": "^29.5.13",
"@types/node": "^22.7.5",
"@types/jest": "^29.5.14",
"@types/node": "^22.10.1",
"@typescript-eslint/eslint-plugin": "^7.17.0",
"@typescript-eslint/parser": "^7.18.0",
"@vercel/ncc": "^0.38.2",
"@vercel/ncc": "^0.38.3",
"eslint": "^8.57.1",
"eslint-plugin-github": "^5.0.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-jsonc": "^2.16.0",
"eslint-plugin-github": "^5.1.4",
"eslint-plugin-jest": "^28.9.0",
"eslint-plugin-jsonc": "^2.18.2",
"eslint-plugin-prettier": "^5.2.1",
"jest": "^29.7.0",
"jose": "^5.9.4",
"markdownlint-cli": "^0.42.0",
"nock": "^13.5.5",
"prettier": "^3.3.3",
"jose": "^5.9.6",
"markdownlint-cli": "^0.43.0",
"nock": "^13.5.6",
"prettier": "^3.4.2",
"prettier-eslint": "^16.3.0",
"ts-jest": "^29.2.5",
"typescript": "^5.6.3"
"typescript": "^5.7.2"
}
}