Merge branch 'main' into patch-1

This commit is contained in:
Juan Torrente 2025-12-23 09:32:32 +01:00 committed by GitHub
commit 2ef05cf121
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 783 additions and 884 deletions


@ -28,11 +28,11 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Setup Node.js - name: Setup Node.js
id: setup-node id: setup-node
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with: with:
node-version-file: .node-version node-version-file: .node-version
cache: npm cache: npm
@ -60,7 +60,7 @@ jobs:
- if: ${{ failure() && steps.diff.outcome == 'failure' }} - if: ${{ failure() && steps.diff.outcome == 'failure' }}
name: Upload Artifact name: Upload Artifact
id: upload id: upload
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v6.0.0
with: with:
name: dist name: dist
path: dist/ path: dist/
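Review bot: The upload step's new reference `actions/upload-artifact@v6.0.0` is a mutable tag, while every other action in this hunk and in the other workflow sections of this commit is pinned to a full commit SHA with the version kept in a trailing comment (for example `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1`). A tag can be moved to point at different code, so this is the one step whose resolved action is not fixed by the commit. The same bump in the attestation prober workflow section below already pins it, so the line can simply be aligned: `uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0`. The enclosing job continues outside the hunk.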


@ -21,11 +21,11 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Setup Node.js - name: Setup Node.js
id: setup-node id: setup-node
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with: with:
node-version-file: .node-version node-version-file: .node-version
cache: npm cache: npm
@ -57,7 +57,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Run attest-provenance - name: Run attest-provenance
id: attest-provenance id: attest-provenance
uses: ./ uses: ./


@ -32,19 +32,19 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Initialize CodeQL - name: Initialize CodeQL
id: initialize id: initialize
uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
source-root: src source-root: src
- name: Autobuild - name: Autobuild
id: autobuild id: autobuild
uses: github/codeql-action/autobuild@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 uses: github/codeql-action/autobuild@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
id: analyze id: analyze
uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8


@ -42,13 +42,13 @@ jobs:
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER" gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
- name: Upload build artifact - name: Upload build artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with: with:
path: "artifact" path: "artifact"
- name: Report attestation prober success - name: Report attestation prober success
if: ${{ success() }} if: ${{ success() }}
uses: masci/datadog@f0cad7cba58a34e65535732564c9bf174ee89006 # v1.9.2 uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
with: with:
api-key: "${{ secrets.DATADOG_API_KEY }}" api-key: "${{ secrets.DATADOG_API_KEY }}"
service-checks: | service-checks: |
@ -66,7 +66,7 @@ jobs:
- name: Report attestation prober failure - name: Report attestation prober failure
if: ${{ failure() }} if: ${{ failure() }}
uses: masci/datadog@f0cad7cba58a34e65535732564c9bf174ee89006 # v1.9.2 uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
with: with:
api-key: "${{ secrets.DATADOG_API_KEY }}" api-key: "${{ secrets.DATADOG_API_KEY }}"
service-checks: | service-checks: |


@ -46,11 +46,15 @@ attest:
permissions: permissions:
id-token: write id-token: write
attestations: write attestations: write
artifact-metadata: write
``` ```
The `id-token` permission gives the action the ability to mint the OIDC token The `id-token` permission gives the action the ability to mint the OIDC token
necessary to request a Sigstore signing certificate. The `attestations` necessary to request a Sigstore signing certificate. The `attestations`
permission is necessary to persist the attestation. permission is necessary to persist the attestation.
The `artifact-metadata` permission is required to generate artifact
metadata storage records. If this permission is not included, the action
will continue without creating the record.
1. Add the following to your workflow after your artifact has been built: 1. Add the following to your workflow after your artifact has been built:
@ -95,6 +99,12 @@ See [action.yml](action.yml)
# the "subject-digest" parameter be specified. Defaults to false. # the "subject-digest" parameter be specified. Defaults to false.
push-to-registry: push-to-registry:
# Whether to create a storage record for the artifact.
# Requires that push-to-registry is set to true.
# Requires that the "subject-name" parameter specify the fully-qualified
# image name. Defaults to true.
create-storage-record:
# Whether to attach a list of generated attestations to the workflow run # Whether to attach a list of generated attestations to the workflow run
# summary page. Defaults to true. # summary page. Defaults to true.
show-summary: show-summary:
@ -243,6 +253,10 @@ the specific image being attested is identified by the supplied digest.
Attestation bundles are stored in the OCI registry according to the [Cosign Attestation bundles are stored in the OCI registry according to the [Cosign
Bundle Specification][10]. Bundle Specification][10].
If the `push-to-registry` option is set to true, the Action will also
emit an Artifact Metadata Storage Record. If you do not want to emit a
storage record, set `create-storage-record` to `false`.
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
> registry portion of the image name. > registry portion of the image name.


@ -1,4 +1,4 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP // Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
exports[`main when a non-default OIDC issuer is used successfully run main 1`] = ` exports[`main when a non-default OIDC issuer is used successfully run main 1`] = `
{ {


@ -36,6 +36,12 @@ inputs:
and that the "subject-digest" parameter be specified. Defaults to false. and that the "subject-digest" parameter be specified. Defaults to false.
default: false default: false
required: false required: false
create-storage-record:
description: >
Whether to create a storage record for the artifact.
Requires that push-to-registry is set to true. Defaults to true.
default: true
required: false
show-summary: show-summary:
description: > description: >
Whether to attach a list of generated attestations to the workflow run Whether to attach a list of generated attestations to the workflow run
@ -64,7 +70,7 @@ runs:
steps: steps:
- uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0 - uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
id: generate-build-provenance-predicate id: generate-build-provenance-predicate
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0 - uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
id: attest id: attest
env: env:
NODE_OPTIONS: "--max-http-header-size=32768" NODE_OPTIONS: "--max-http-header-size=32768"
@ -76,5 +82,6 @@ runs:
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }} predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }} predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
push-to-registry: ${{ inputs.push-to-registry }} push-to-registry: ${{ inputs.push-to-registry }}
create-storage-record: ${{ inputs.create-storage-record }}
show-summary: ${{ inputs.show-summary }} show-summary: ${{ inputs.show-summary }}
github-token: ${{ inputs.github-token }} github-token: ${{ inputs.github-token }}
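Review bot: The description of the new `create-storage-record` input (first hunk of this section) omits two conditions that the README section of this same commit documents: the record is only produced when the workflow grants `artifact-metadata: write`, and the README additionally requires `subject-name` to be the fully-qualified image name. Since the README also states that the action continues without creating the record when the permission is missing, a caller who reads only action.yml sees a `true` default and gets no hint that the record may quietly not exist. I would extend the folded description with a line such as `Requires the "artifact-metadata: write" permission; without it no record is created.` and mirror the subject-name requirement from the README. The forwarding line `create-storage-record: ${{ inputs.create-storage-record }}` in the last hunk looks consistent with the neighbouring inputs; the enclosing `inputs:` and `runs:` mappings start outside the hunks.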

BIN
dist/606.index.js generated vendored


BIN
dist/index.js generated vendored


1590
package-lock.json generated



@ -70,24 +70,24 @@
] ]
}, },
"dependencies": { "dependencies": {
"@actions/attest": "^1.6.0", "@actions/attest": "^2.1.0",
"@actions/core": "^1.11.1" "@actions/core": "^1.11.1"
}, },
"devDependencies": { "devDependencies": {
"@eslint/js": "^9.33.0", "@eslint/js": "^9.39.2",
"@types/jest": "^30.0.0", "@types/jest": "^30.0.0",
"@types/node": "^24.2.1", "@types/node": "^25.0.2",
"@vercel/ncc": "^0.38.3", "@vercel/ncc": "^0.38.4",
"eslint": "^9.33.0", "eslint": "^9.39.2",
"eslint-plugin-import": "^2.32.0", "eslint-plugin-import": "^2.32.0",
"eslint-plugin-jest": "^29.0.1", "eslint-plugin-jest": "^29.5.0",
"jest": "^30.0.5", "jest": "^30.2.0",
"jose": "^5.9.6", "jose": "^5.9.6",
"markdownlint-cli": "^0.45.0", "markdownlint-cli": "^0.47.0",
"nock": "^14.0.9", "nock": "^14.0.10",
"prettier": "^3.6.2", "prettier": "^3.7.4",
"ts-jest": "^29.4.1", "ts-jest": "^29.4.6",
"typescript": "^5.9.2", "typescript": "^5.9.3",
"typescript-eslint": "^8.39.0" "typescript-eslint": "^8.49.0"
} }
} }