Merge branch 'main' into main

This commit is contained in:
BMO Financial Group 2025-02-04 11:52:52 -06:00 committed by GitHub
commit 34392f6995
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 1070 additions and 218 deletions


@ -71,20 +71,25 @@ See [action.yml](action.yml)
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v2
with: with:
# Path to the artifact serving as the subject of the attestation. Must # Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest". May contain a # specify exactly one of "subject-path", "subject-digest", or
# glob pattern or list of paths (total subject count cannot exceed 1024). # "subject-checksums". May contain a glob pattern or list of paths
# (total subject count cannot exceed 1024).
subject-path: subject-path:
# SHA256 digest of the subject for the attestation. Must be in the form # SHA256 digest of the subject for the attestation. Must be in the form
# "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
# of "subject-path" or "subject-digest". # of "subject-path", "subject-digest", or "subject-checksums".
subject-digest: subject-digest:
# Subject name as it should appear in the attestation. Required unless # Subject name as it should appear in the attestation. Required when
# "subject-path" is specified, in which case it will be inferred from the # identifying the subject with the "subject-digest" input.
# path.
subject-name: subject-name:
# Path to checksums file containing digest and name of subjects for
# attestation. Must specify exactly one of "subject-path", "subject-digest",
# or "subject-checksums".
subject-checksums:
# Whether to push the attestation to the image registry. Requires that the # Whether to push the attestation to the image registry. Requires that the
# "subject-name" parameter specify the fully-qualified image name and that # "subject-name" parameter specify the fully-qualified image name and that
# the "subject-digest" parameter be specified. Defaults to false. # the "subject-digest" parameter be specified. Defaults to false.
@ -186,6 +191,40 @@ newline delimited list:
dist/bar dist/bar
``` ```
### Identify Subjects with Checksums File
If you are using tools like
[goreleaser](https://goreleaser.com/customization/checksum/) or
[jreleaser](https://jreleaser.org/guide/latest/reference/checksum.html) which
generate a checksums file you can identify the attestation subjects by passing
the path of the checksums file to the `subject-checksums` input. Each of the
artifacts identified in the checksums file will be listed as a subject for the
attestation.
```yaml
- name: Calculate artifact digests
run: |
shasum -a 256 foo_0.0.1_* > subject.checksums.txt
- uses: actions/attest-build-provenance@v2
with:
subject-checksums: subject.checksums.txt
```
<!-- markdownlint-disable MD038 -->
The file referenced by the `subject-checksums` input must conform to the same
format used by the shasum tools. Each subject should be listed on a separate
line including the hex-encoded digest (either SHA256 or SHA512), a space, a
single character flag indicating either binary (`*`) or text (` `) input mode,
and the filename.
<!-- markdownlint-enable MD038 -->
```text
b569bf992b287f55d78bf8ee476497e9b7e9d2bf1c338860bfb905016218c740 foo_0.0.1_darwin_amd64
a54fc515e616cac7fcf11a49d5c5ec9ec315948a5935c1e11dd610b834b14dde foo_0.0.1_darwin_arm64
```
### Container Image ### Container Image
When working with container images you can invoke the action with the When working with container images you can invoke the action with the
@ -247,6 +286,26 @@ jobs:
push-to-registry: true push-to-registry: true
``` ```
### Integration with `actions/upload-artifact`
If you'd like to create an attestation for an archive created with the
[actions/upload-artifact][11] action you can feed the digest of the generated
artifact directly into the `subject-digest` input of the attestation action.
```yaml
- name: Upload build artifact
id: upload
uses: actions/upload-artifact@v4
with:
path: dist/*
name: artifact.zip
- uses: actions/attest-build-provenance@v2
with:
subject-name: artifact.zip
subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
```
[1]: https://github.com/actions/toolkit/tree/main/packages/attest [1]: https://github.com/actions/toolkit/tree/main/packages/attest
[2]: https://github.com/in-toto/attestation/tree/main/spec/v1 [2]: https://github.com/in-toto/attestation/tree/main/spec/v1
[3]: https://slsa.dev/spec/v1.0/provenance [3]: https://slsa.dev/spec/v1.0/provenance
@ -258,3 +317,4 @@ jobs:
[9]: [9]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
[10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md [10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md
[11]: https://github.com/actions/upload-artifact


@ -9,20 +9,26 @@ inputs:
subject-path: subject-path:
description: > description: >
Path to the artifact serving as the subject of the attestation. Must Path to the artifact serving as the subject of the attestation. Must
specify exactly one of "subject-path" or "subject-digest". May contain a specify exactly one of "subject-path", "subject-digest", or
glob pattern or list of paths (total subject count cannot exceed 1024). "subject-checksums". May contain a glob pattern or list of paths
(total subject count cannot exceed 1024).
required: false required: false
subject-digest: subject-digest:
description: > description: >
Digest of the subject for which provenance will be generated. Must be in Digest of the subject for which provenance will be generated. Must be in
the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
exactly one of "subject-path" or "subject-digest". exactly one of "subject-path", "subject-digest", or "subject-checksums".
required: false required: false
subject-name: subject-name:
description: > description: >
Subject name as it should appear in the provenance statement. Required Subject name as it should appear in the attestation. Required when
unless "subject-path" is specified, in which case it will be inferred from identifying the subject with the "subject-digest" input.
the path. subject-checksums:
description: >
Path to checksums file containing digest and name of subjects for
attestation. Must specify exactly one of "subject-path", "subject-digest",
or "subject-checksums".
required: false
push-to-registry: push-to-registry:
description: > description: >
Whether to push the provenance statement to the image registry. Requires Whether to push the provenance statement to the image registry. Requires
@ -58,12 +64,13 @@ runs:
steps: steps:
- uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4 - uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4
id: generate-build-provenance-predicate id: generate-build-provenance-predicate
- uses: actions/attest@v2.1.0 - uses: actions/attest@v2.2.0
id: attest id: attest
with: with:
subject-path: ${{ inputs.subject-path }} subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }} subject-digest: ${{ inputs.subject-digest }}
subject-name: ${{ inputs.subject-name }} subject-name: ${{ inputs.subject-name }}
subject-checksums: ${{ inputs.subject-checksums }}
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }} predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }} predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
push-to-registry: ${{ inputs.push-to-registry }} push-to-registry: ${{ inputs.push-to-registry }}
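Review bot: The `- uses: actions/attest@v2.2.0` line in the `runs:` hunk pins the attest step to a mutable tag, while the predicate step two lines above it is pinned to a full commit SHA with the version kept in a trailing comment; a tag can be moved after this review, so the step that actually signs the attestation is the one with the weaker pin. Pin it the same way as the predicate step: `- uses: actions/attest@<FULL_COMMIT_SHA> # v2.2.0` (placeholder, take the SHA from the upstream v2.2.0 release). The new `subject-checksums` description in the inputs hunk above says nothing about the accepted file format, although the README hunk on this page does; consider appending `The file must use the shasum format: a hex-encoded SHA256 or SHA512 digest, a space, a binary/text mode character, and the filename.` to that description so callers do not learn the constraint only at runtime. The `runs:` mapping starts before this hunk.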

dist/index.js generated vendored


package-lock.json generated



@ -74,20 +74,20 @@
"@actions/core": "^1.11.1" "@actions/core": "^1.11.1"
}, },
"devDependencies": { "devDependencies": {
"@eslint/js": "^9.17.0", "@eslint/js": "^9.19.0",
"@types/jest": "^29.5.14", "@types/jest": "^29.5.14",
"@types/node": "^22.10.2", "@types/node": "^22.13.0",
"@vercel/ncc": "^0.38.3", "@vercel/ncc": "^0.38.3",
"eslint": "^9.17.0", "eslint": "^9.19.0",
"eslint-plugin-import": "^2.31.0", "eslint-plugin-import": "^2.31.0",
"eslint-plugin-jest": "^28.10.0", "eslint-plugin-jest": "^28.11.0",
"jest": "^29.7.0", "jest": "^29.7.0",
"jose": "^5.9.6", "jose": "^5.9.6",
"markdownlint-cli": "^0.43.0", "markdownlint-cli": "^0.44.0",
"nock": "^13.5.6", "nock": "^14.0.0",
"prettier": "^3.4.2", "prettier": "^3.4.2",
"ts-jest": "^29.2.5", "ts-jest": "^29.2.5",
"typescript": "^5.7.2", "typescript": "^5.7.3",
"typescript-eslint": "^8.18.2" "typescript-eslint": "^8.22.0"
} }
} }