actions/docker-attest-build-provenance
1
0
Fork 0
mirror of https://github.com/actions/attest-build-provenance.git synced 2026-05-13 16:30:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'actions:main' into main

Browse Source
This commit is contained in:
GO-NFT-GO 2024-12-25 09:48:09 +00:00 committed by GitHub
commit 398d297db4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 1208 additions and 1899 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.eslintignore
View File

@ -1,4 +0,0 @@
lib/
dist/
node_modules/
coverage/

83
.github/linters/.eslintrc.yml vendored
View File

@ -1,83 +0,0 @@
env:
node: true
es6: true
jest: true
globals:
Atomics: readonly
SharedArrayBuffer: readonly
ignorePatterns:
- '!.*'
- '**/node_modules/.*'
- '**/dist/.*'
- '**/coverage/.*'
- '*.json'
parser: '@typescript-eslint/parser'
parserOptions:
ecmaVersion: 2023
sourceType: module
project:
- './.github/linters/tsconfig.json'
- './tsconfig.json'
plugins:
- jest
- '@typescript-eslint'
extends:
- eslint:recommended
- plugin:@typescript-eslint/eslint-recommended
- plugin:@typescript-eslint/recommended
- plugin:github/recommended
- plugin:jest/recommended
rules:
{
'camelcase': 'off',
'eslint-comments/no-use': 'off',
'eslint-comments/no-unused-disable': 'off',
'i18n-text/no-en': 'off',
'import/no-namespace': 'off',
'no-console': 'off',
'no-unused-vars': 'off',
'prettier/prettier': 'error',
'semi': 'off',
'@typescript-eslint/array-type': 'error',
'@typescript-eslint/await-thenable': 'error',
'@typescript-eslint/ban-ts-comment': 'error',
'@typescript-eslint/consistent-type-assertions': 'error',
'@typescript-eslint/explicit-member-accessibility':
['error', { 'accessibility': 'no-public' }],
'@typescript-eslint/explicit-function-return-type':
['error', { 'allowExpressions': true }],
'@typescript-eslint/func-call-spacing': ['error', 'never'],
'@typescript-eslint/no-array-constructor': 'error',
'@typescript-eslint/no-empty-interface': 'error',
'@typescript-eslint/no-explicit-any': 'error',
'@typescript-eslint/no-extraneous-class': 'error',
'@typescript-eslint/no-for-in-array': 'error',
'@typescript-eslint/no-inferrable-types': 'error',
'@typescript-eslint/no-misused-new': 'error',
'@typescript-eslint/no-namespace': 'error',
'@typescript-eslint/no-non-null-assertion': 'warn',
'@typescript-eslint/no-require-imports': 'error',
'@typescript-eslint/no-unnecessary-qualifier': 'error',
'@typescript-eslint/no-unnecessary-type-assertion': 'error',
'@typescript-eslint/no-unused-vars': 'error',
'@typescript-eslint/no-useless-constructor': 'error',
'@typescript-eslint/no-var-requires': 'error',
'@typescript-eslint/prefer-for-of': 'warn',
'@typescript-eslint/prefer-function-type': 'warn',
'@typescript-eslint/prefer-includes': 'error',
'@typescript-eslint/prefer-string-starts-ends-with': 'error',
'@typescript-eslint/promise-function-async': 'error',
'@typescript-eslint/require-array-sort-compare': 'error',
'@typescript-eslint/restrict-plus-operands': 'error',
'@typescript-eslint/semi': ['error', 'never'],
'@typescript-eslint/space-before-function-paren': 'off',
'@typescript-eslint/type-annotation-spacing': 'error',
'@typescript-eslint/unbound-method': 'error'
}

92
.github/linters/eslint.config.mjs vendored Normal file
View File

@ -0,0 +1,92 @@
import eslint from '@eslint/js'
import importplugin from 'eslint-plugin-import'
import jestplugin from 'eslint-plugin-jest'
import tseslint from 'typescript-eslint'
export default tseslint.config(
// Ignore non-project files
{
name: 'ignore',
ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
},
// Use recommended rules from ESLint, TypeScript, and other plugins
eslint.configs.recommended,
tseslint.configs.recommendedTypeChecked,
jestplugin.configs['flat/recommended'],
importplugin.flatConfigs.recommended,
importplugin.flatConfigs.typescript,
// Override some rules
{
name: 'project-settings',
languageOptions: {
ecmaVersion: 2023,
parserOptions: {
project: ['./.github/linters/tsconfig.json', './tsconfig.json']
}
},
rules: {
// eslint rules
eqeqeq: ['error', 'smart'],
'func-style': ['error', 'declaration', { allowArrowFunctions: true }],
'no-console': 'off',
'no-implicit-globals': 'error',
'no-inner-declarations': 'error',
'no-invalid-this': 'error',
'no-return-assign': 'error',
'no-sequences': 'error',
'no-shadow': 'error',
'no-useless-concat': 'error',
'object-shorthand': ['error', 'always', { avoidQuotes: true }],
'one-var': ['error', 'never'],
'prefer-template': 'error',
// typescript-eslint rules
'@typescript-eslint/array-type': 'error',
'@typescript-eslint/consistent-type-assertions': 'error',
'@typescript-eslint/explicit-function-return-type': [
'error',
{ allowExpressions: true }
],
'@typescript-eslint/explicit-member-accessibility': [
'error',
{ accessibility: 'no-public' }
],
'@typescript-eslint/no-extraneous-class': 'error',
'@typescript-eslint/no-inferrable-types': 'error',
'@typescript-eslint/no-non-null-assertion': 'warn',
'@typescript-eslint/no-unnecessary-qualifier': 'error',
'@typescript-eslint/no-unsafe-assignment': 'off',
'@typescript-eslint/no-useless-constructor': 'error',
'@typescript-eslint/prefer-for-of': 'warn',
'@typescript-eslint/prefer-function-type': 'warn',
'@typescript-eslint/prefer-includes': 'error',
'@typescript-eslint/prefer-string-starts-ends-with': 'error',
'@typescript-eslint/promise-function-async': 'error',
'@typescript-eslint/require-array-sort-compare': 'error',
'@typescript-eslint/restrict-template-expressions': 'off',
// eslint-plugin-import rules
'import/extensions': 'error',
'import/first': 'error',
'import/no-absolute-path': 'error',
'import/no-commonjs': 'error',
'import/no-deprecated': 'warn',
'import/no-dynamic-require': 'error',
'import/no-extraneous-dependencies': 'error',
'import/no-mutable-exports': 'error',
'import/no-namespace': 'off',
'import/no-unresolved': ['error', { ignore: ['csv-parse/sync'] }],
'import/no-anonymous-default-export': [
'error',
{
allowAnonymousClass: false,
allowAnonymousFunction: false,
allowArray: true,
allowArrowFunction: false,
allowLiteral: true,
allowObject: true
}
]
}
}
)

2
.github/workflows/prober.yml vendored
View File

@ -29,7 +29,7 @@ jobs:
date > artifact date > artifact
- name: Attest build provenance - name: Attest build provenance
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@v2
env: env:
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }} INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
with: with:

48
README.md
View File

@ -25,6 +25,16 @@ CLI][5].
See [Using artifact attestations to establish provenance for builds][9] for more See [Using artifact attestations to establish provenance for builds][9] for more
information on artifact attestations. information on artifact attestations.
<!-- prettier-ignore-start -->
> [!NOTE]
> Artifact attestations are available in public repositories for all
> current GitHub plans. They are not available on legacy plans, such as Bronze,
> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
> artifact attestations are only available for public repositories. To use
> artifact attestations in private or internal repositories, you must be on a
> GitHub Enterprise Cloud plan.
<!-- prettier-ignore-end -->
## Usage ## Usage
Within the GitHub Actions workflow which builds some artifact you would like to Within the GitHub Actions workflow which builds some artifact you would like to
@ -45,7 +55,7 @@ attest:
1. Add the following to your workflow after your artifact has been built: 1. Add the following to your workflow after your artifact has been built:
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: '<PATH TO ARTIFACT>' subject-path: '<PATH TO ARTIFACT>'
``` ```
@ -58,11 +68,11 @@ attest:
See [action.yml](action.yml) See [action.yml](action.yml)
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
# Path to the artifact serving as the subject of the attestation. Must # Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest". May contain a # specify exactly one of "subject-path" or "subject-digest". May contain a
# glob pattern or list of paths (total subject count cannot exceed 2500). # glob pattern or list of paths (total subject count cannot exceed 1024).
subject-path: subject-path:
# SHA256 digest of the subject for the attestation. Must be in the form # SHA256 digest of the subject for the attestation. Must be in the form
@ -94,25 +104,23 @@ See [action.yml](action.yml)
<!-- markdownlint-disable MD013 --> <!-- markdownlint-disable MD013 -->
| Name | Description | Example | | Name | Description | Example |
| ------------- | -------------------------------------------------------------- | ------------------------ | | ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.jsonl` | | `attestation-id` | GitHub ID for the attestation | `123456` |
| `attestation-url` | URL for the attestation summary | `https://github.com/foo/bar/attestations/123456` |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
<!-- markdownlint-enable MD013 --> <!-- markdownlint-enable MD013 -->
Attestations are saved in the JSON-serialized [Sigstore bundle][6] format. Attestations are saved in the JSON-serialized [Sigstore bundle][6] format.
If multiple subjects are being attested at the same time, each attestation will If multiple subjects are being attested at the same time, a single attestation
be written to the output file on a separate line (using the [JSON Lines][7] will be created with references to each of the supplied subjects.
format).
## Attestation Limits ## Attestation Limits
### Subject Limits ### Subject Limits
No more than 2500 subjects can be attested at the same time. Subjects will be No more than 1024 subjects can be attested at the same time.
processed in batches 50. After the initial group of 50, each subsequent batch
will incur an exponentially increasing amount of delay (capped at 1 minute of
delay per batch) to avoid overwhelming the attestation API.
## Examples ## Examples
@ -130,6 +138,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest
permissions: permissions:
id-token: write id-token: write
contents: read contents: read
@ -141,18 +150,18 @@ jobs:
- name: Build artifact - name: Build artifact
run: make my-app run: make my-app
- name: Attest - name: Attest
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@v2
with: with:
subject-path: '${{ github.workspace }}/my-app' subject-path: '${{ github.workspace }}/my-app'
``` ```
### Identify Multiple Subjects ### Identify Multiple Subjects
If you are generating multiple artifacts, you can generate a provenance If you are generating multiple artifacts, you can attest all of them at the same
attestation for each by using a wildcard in the `subject-path` input. time by using a wildcard in the `subject-path` input.
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: 'dist/**/my-bin-*' subject-path: 'dist/**/my-bin-*'
``` ```
@ -164,13 +173,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
newline delimited list: newline delimited list:
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: 'dist/foo, dist/bar' subject-path: 'dist/foo, dist/bar'
``` ```
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: | subject-path: |
dist/foo dist/foo
@ -230,7 +239,7 @@ jobs:
push: true push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Attest - name: Attest
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@v2
id: attest id: attest
with: with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@ -245,7 +254,6 @@ jobs:
[5]: https://cli.github.com/manual/gh_attestation_verify [5]: https://cli.github.com/manual/gh_attestation_verify
[6]: [6]:
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[7]: https://jsonlines.org/
[8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
[9]: [9]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

2
__tests__/index.test.ts
View File

@ -8,7 +8,7 @@ import * as main from '../src/main'
const runMock = jest.spyOn(main, 'run').mockImplementation() const runMock = jest.spyOn(main, 'run').mockImplementation()
describe('index', () => { describe('index', () => {
it('calls run when imported', async () => { it('calls run when imported', () => {
// eslint-disable-next-line @typescript-eslint/no-require-imports // eslint-disable-next-line @typescript-eslint/no-require-imports
require('../src/index') require('../src/index')

12
action.yml
View File

@ -10,7 +10,7 @@ inputs:
description: > description: >
Path to the artifact serving as the subject of the attestation. Must Path to the artifact serving as the subject of the attestation. Must
specify exactly one of "subject-path" or "subject-digest". May contain a specify exactly one of "subject-path" or "subject-digest". May contain a
glob pattern or list of paths (total subject count cannot exceed 2500). glob pattern or list of paths (total subject count cannot exceed 1024).
required: false required: false
subject-digest: subject-digest:
description: > description: >
@ -44,15 +44,21 @@ inputs:
outputs: outputs:
bundle-path: bundle-path:
description: 'The path to the file containing the attestation bundle(s).' description: 'The path to the file containing the attestation bundle.'
value: ${{ steps.attest.outputs.bundle-path }} value: ${{ steps.attest.outputs.bundle-path }}
attestation-id:
description: 'The ID of the attestation.'
value: ${{ steps.attest.outputs.attestation-id }}
attestation-url:
description: 'The URL for the attestation summary.'
value: ${{ steps.attest.outputs.attestation-url }}
runs: runs:
using: 'composite' using: 'composite'
steps: steps:
- uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4 - uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4
id: generate-build-provenance-predicate id: generate-build-provenance-predicate
- uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1 - uses: actions/attest@v2.1.0
id: attest id: attest
with: with:
subject-path: ${{ inputs.subject-path }} subject-path: ${{ inputs.subject-path }}

BIN
dist/index.js generated vendored
View File

Binary file not shown.

2835
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

27
package.json
View File

@ -28,7 +28,7 @@
"ci-test": "jest", "ci-test": "jest",
"format:write": "prettier --write **/*.ts", "format:write": "prettier --write **/*.ts",
"format:check": "prettier --check **/*.ts", "format:check": "prettier --check **/*.ts",
"lint:eslint": "npx eslint . -c ./.github/linters/.eslintrc.yml", "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
"lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"", "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
"lint": "npm run lint:eslint && npm run lint:markdown", "lint": "npm run lint:eslint && npm run lint:markdown",
"package": "ncc build src/index.ts --license licenses.txt", "package": "ncc build src/index.ts --license licenses.txt",
@ -74,23 +74,20 @@
"@actions/core": "^1.11.1" "@actions/core": "^1.11.1"
}, },
"devDependencies": { "devDependencies": {
"@eslint/js": "^9.17.0",
"@types/jest": "^29.5.14", "@types/jest": "^29.5.14",
"@types/node": "^22.8.7", "@types/node": "^22.10.2",
"@typescript-eslint/eslint-plugin": "^7.17.0", "@vercel/ncc": "^0.38.3",
"@typescript-eslint/parser": "^7.18.0", "eslint": "^9.17.0",
"@vercel/ncc": "^0.38.2", "eslint-plugin-import": "^2.31.0",
"eslint": "^8.57.1", "eslint-plugin-jest": "^28.10.0",
"eslint-plugin-github": "^5.0.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-jsonc": "^2.16.0",
"eslint-plugin-prettier": "^5.2.1",
"jest": "^29.7.0", "jest": "^29.7.0",
"jose": "^5.9.6", "jose": "^5.9.6",
"markdownlint-cli": "^0.42.0", "markdownlint-cli": "^0.43.0",
"nock": "^13.5.5", "nock": "^13.5.6",
"prettier": "^3.3.3", "prettier": "^3.4.2",
"prettier-eslint": "^16.3.0",
"ts-jest": "^29.2.5", "ts-jest": "^29.2.5",
"typescript": "^5.6.3" "typescript": "^5.7.2",
"typescript-eslint": "^8.18.1"
} }
} }