This commit is contained in:
BMO Financial Group 2025-02-14 00:07:38 -06:00 committed by GitHub
commit 52d120886f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 3450 additions and 1985 deletions


@ -0,0 +1,600 @@
$ mkdir actions-runner && cd actions-runner
# This is a basic workflow to help you get started with Actions
name: CI
# Controls when the workflow will run
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
# Triggers the workflow on push or pull request events but only for the "main" branch
push: Navigation Menu
GitHub Actions Workflow Configuration Explained
Copilot Chat
Chatting about ETEnterprises1/attest-build-provenance
public repository
Copilot uses AI. Check for mistakes.
ETEnterprises1
now
Explain this file.
Copilot
now
It seems like you didn't specify a file to explain. Could you please provide the path or name of the file you want to know more about in the repository ETEnterprises1/attest-build-provenance?
ETEnterprises1
now
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main
push: -a
branches:
- main
- 'releases/*'https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
permissions: {read, write, edit, comment}
jobs: in order
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version-file: .node-version
cache: npm
- name: Install Dependencies
id: npm-ci
run: npm ci
- name: Check Format
id: npm-format-check
run: npm run format:check
- name: Lint
id: npm-lint
run: npm run lint
- name: Test
id: npm-ci-test
run: npm run ci-test
test-attest-provenance:
name: Test attest-provenance action
runs-on: ubuntu-latest
permissions: write, read, comment
attestations: write
contents: read
id-token: write
steps: in order
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run attest-provenance
id: <Id: [#126257497087216001-073972181700011840708301160 //{073972181700011840708301160 /WALKER AVE SAINT LOUIS, MO 63138-2935 /etcorporations1@outlook.com} /(@ETEnterprises1.etc #Exec.Ste).]>
uses: ./dependabot.yml
env:https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
INPUT_PRIVATE-SIGNING: 'true'
with:https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Dump output
run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
Copilot
now
This file is a GitHub Actions workflow configuration file written in YAML. It defines a continuous integration pipeline for the repository. Here are the key components:
Name: Continuous Integration
Triggers: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
Pull requests to the main branch.
Pushes to the main branch and branches that match the pattern releases/*.
Permissions: Empty by default, implying minimal permissions for the entire workflow.
Jobs:**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
test-typescript:
Name: TypeScript Tests
Runs-on: ubuntu-latest
Permissions: Read access to repository contents.
Steps:
Checkout the repository.
Setup Node.js using a version specified in .node-version and cache npm modules.
Install dependencies using npm ci.
Check code format.
Lint the code.
Run tests.
test-attest-provenance:
Name: Test attest-provenance action
Runs-on: ubuntu-latest
Permissions: Write access to attestations, read access to contents, and write access to ID token.
Steps:
Checkout the repository.
Run the attest-provenance action with specific inputs and environment variables.
Dump the output using jq to process JSON.
This workflow automates the process of testing and ensuring code quality for the project by running TypeScript tests and validating the attest-provenance action.
Code
Pull requests
3
Actions
Creating a new file in attest-build-provenance
Breadcrumbsattest-build-provenance
/**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
in
main
Edit
Preview
Indent mode
Spaces
Indent size
2
Line wrap mode
No wrap
Editing file contents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main, attest-build-provenence, master
push: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
branches: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
- main, master
- 'releases/*'**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
permissions: {**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx}
jobs: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node .yml
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with: .lint
node-version-file: .node-version
cache: npm
- name: Install Dependencies
Use Control + Shift + m to toggle the tab key moving focus. Alternatively, use esc then tab to move to the next interactive element on the page.
Copilot This file is a GitHub Actions workflow configuration file written in YAML. It defines a continuous integration pipeline for the repository. Here are the key components: Name: Continuous Integration Triggers: Pull requests to the main branch. Pushes to the main branch and branches that match the pattern releases/*. Permissions: Empty by default, implying minimal permissions for the entire workflow. Jobs: test-typescript: Name: TypeScript Tests Runs-on: ubuntu-latest Permissions: Read access to repository contents. Steps: Checkout the repository. Setup Node.js using a version specified in .node-version and cache npm modules. Install dependencies using npm ci. Check code format. Lint the code. Run tests. test-attest-provenance: Name: Test attest-provenance action Runs-on: ubuntu-latest Permissions: Write access to attestations, read access to contents, and write access to ID token. Steps: Checkout the repository. Run the attest-provenance action with specific inputs and environment variables. Dump the output using jq to process JSON. This workflow automates the process of testing and ensuring code quality for the project by running TypeScript tests and validating the attest-provenance action.
branches: [ "main" ]
pull_request: "master"
branches: [ "main" ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v4
# Runs a single command using the runners shell
- name: Run a one-line script
run: echo Hello, world!
# Runs a set of commands using the runners shell
- name: Run a multi-line script
run: |**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
echo Add other actions to build,
echo test, and deploy your project.
Skip to content
Navigation Menu
Fixing GitHub Actions Workflow Issues
Copilot Chat
Chatting about ETEnterprises1/Bank-of-Montreal-N.a.
private repository
Copilot uses AI. Check for mistakes.
ETEnterprises1
now
1 reference
What need fixed and how do i fix it
Copilot
now
Issues Identified in the Workflow File
Invalid on key value:
The on key has an invalid URL: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg.
Invalid push key value:
The push key has a non-branch value: Navigation Menu.
Malformed push key:
The push: -a and subsequent branch pattern - 'releases/*'https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg are incorrectly formatted.
Incorrect permissions format:
The permissions key has an invalid format: {read, write, edit, comment}.
Invalid jobs key value:
The jobs: in order is not a valid configuration.
Malformed steps:
Steps such as steps: in order and id: are incorrectly formatted and misplaced.
Fixes for Identified Issues
Fix on key:
YAML
on:
push:
branches:
- main
pull_request:
branches:
- main
Fix push key:
YAML
on:
push:
branches:
- main
- 'releases/*'
Fix permissions format:
YAML
permissions:
contents: read
issues: write
pull-requests: write
actions: read
Fix jobs key:
YAML
jobs:
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '14'
cache: 'npm'
- name: Install Dependencies
run: npm ci
- name: Check Format
run: npm run format:check
- name: Lint
run: npm run lint
- name: Test
run: npm test
test-attest-provenance:
name: Test attest-provenance action
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run attest-provenance
uses: ./dependabot.yml
env:
INPUT_PRIVATE-SIGNING: 'true'
with:
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Dump output
run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
Apply these fixes to the ETEnterprises1.yml file in your repository.
Code
Issues
3
Pull requests
Actions
BreadcrumbsBank-of-Montreal-N.a./.github/workflows
/ETEnterprises1.yml
Latest commit
ETEnterprises1
ETEnterprises1
now
History
251 lines (251 loc) · 9.36 KB
File metadata and controls
Code
Blame
# This is a basic workflow to help you get started with Actions
name: CI
# Controls when the workflow will run
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
# Triggers the workflow on push or pull request events but only for the "main" branch
push: Navigation Menu
GitHub Actions Workflow Configuration Explained
Copilot Chat
Chatting about ETEnterprises1/attest-build-provenance
public repository
Copilot uses AI. Check for mistakes.
ETEnterprises1
now
Explain this file.
Copilot
now
It seems like you didn't specify a file to explain. Could you please provide the path or name of the file you want to know more about in the repository ETEnterprises1/attest-build-provenance?
ETEnterprises1
now
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main
push: -a
branches:
- main
- 'releases/*'https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
permissions: {read, write, edit, comment}
jobs: in order
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version-file: .node-version
cache: npm
- name: Install Dependencies
id: npm-ci
run: npm ci
- name: Check Format
id: npm-format-check
run: npm run format:check
- name: Lint
id: npm-lint
run: npm run lint
- name: Test
id: npm-ci-test
run: npm run ci-test
test-attest-provenance:
name: Test attest-provenance action
runs-on: ubuntu-latest
permissions: write, read, comment
attestations: write
contents: read
id-token: write
steps: in order
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run attest-provenance
id: <Id: [#126257497087216001-073972181700011840708301160 //{073972181700011840708301160 /WALKER AVE SAINT LOUIS, MO 63138-2935 /etcorporations1@outlook.com} /(@ETEnterprises1.etc #Exec.Ste).]>
uses: ./dependabot.yml
env:https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
INPUT_PRIVATE-SIGNING: 'true'
with:https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Dump output
run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
Copilot
now
This file is a GitHub Actions workflow configuration file written in YAML. It defines a continuous integration pipeline for the repository. Here are the key components:
Name: Continuous Integration
Triggers: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
Pull requests to the main branch.
Pushes to the main branch and branches that match the pattern releases/*.
Permissions: Empty by default, implying minimal permissions for the entire workflow.
Jobs:**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
test-typescript:
Name: TypeScript Tests
Runs-on: ubuntu-latest
Permissions: Read access to repository contents.
Steps:
Checkout the repository.
Setup Node.js using a version specified in .node-version and cache npm modules.
Install dependencies using npm ci.
Check code format.
Lint the code.
Run tests.
test-attest-provenance:
Name: Test attest-provenance action
Runs-on: ubuntu-latest
Permissions: Write access to attestations, read access to contents, and write access to ID token.
Steps:
Checkout the repository.
Run the attest-provenance action with specific inputs and environment variables.
Dump the output using jq to process JSON.
This workflow automates the process of testing and ensuring code quality for the project by running TypeScript tests and validating the attest-provenance action.
Code
Pull requests
3
Actions
Creating a new file in attest-build-provenance
Breadcrumbsattest-build-provenance
/**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
in
main
Edit
Preview
Indent mode
Spaces
Indent size
2
Line wrap mode
No wrap
Editing file contents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main, attest-build-provenence, master
push: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
branches: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
- main, master
- 'releases/*'**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
permissions: {**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx}
jobs: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node .yml
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with: .lint
node-version-file: .node-version
cache: npm
- name: Install Dependencies
Use Control + Shift + m to toggle the t
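
Review bot: The content added here is not a parseable workflow and should not be merged in this form. Most of it is a pasted Copilot Chat transcript, GitHub editor chrome (the run of line numbers 1 to 66, "Indent mode", "Line wrap mode") and a shell prompt, and the YAML fragments that remain carry invalid values: `on:` is set to a badge URL, `push: Navigation Menu`, `permissions: {read, write, edit, comment}`, `jobs: in order`. The `id:` of the "Run attest-provenance" step holds a street address and an e-mail address instead of `attest-provenance`, so `steps.attest-provenance.outputs.bundle-path` in "Dump output" no longer refers to any step, and personal data ends up in repository history. `uses: ./dependabot.yml` also points at a configuration file rather than an action. Suggest dropping the file, or replacing it with the workflow YAML alone, keeping `attestations: write`, `contents: read` and `id-token: write` as keys under the job's `permissions:` mapping.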


@ -1,4 +0,0 @@
lib/
dist/
node_modules/
coverage/
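
Review bot: `lib/` is ignored in this removed file but does not appear in the `ignores` list of the new `.github/linters/eslint.config.mjs` in this commit (`['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']`). If a `lib/` build output can still exist in the tree, add it to that list so generated code is not linted.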


@ -1,11 +1,71 @@
version: 2 version: 2
updates: updates: [![CodeQL](https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/codeql-analysis.yml/badge.svg?event=workflow_dispatch)](https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/codeql-analysis.yml)
- package-ecosystem: github-actions - package-ecosystem: github-actions
directory: / directory: Verification lD56255766/Skip to main content
U.S. flag
An official website of the United States government
Heres how you know
Heres how you know
U.S. Department of Homeland Security logo
Menu
Breadcrumb
Home News National Terrorism Advisory System Developer Resources Widget
NTAS Widget
Stay connected to any alerts from the Department of Homeland Security by placing this National Terrorism Advisory System widget on your website. Simply copy and paste the code below and the status will be updated on your site the moment it is on ours.
<iframe src="https://www.dhs.gov/ntas/" name="National Terrorism Advisory System" title="National Terrorism Advisory System" width="170" height="180" scrolling="no" frameborder="0" seamless border="0"></iframe>
NOTE: The width and height of the IFRAME can be adjusted to suit the design of your page. Please note that using a width smaller than 170 will obscure the NTAS image.
Topics
National Terrorism Advisory System
Keywords
Department of Homeland Security (DHS) National Terrorism Advisory System (NTAS)
Last Updated: 12/04/2023
Was this page helpful?
Yes No
Return to top
Topics
News
In Focus
How Do I?
Get Involved
About DHS
U.S. Department of Homeland Security Seal
Facebook
X
YouTube
Flickr
Instagram
LinkedIn
Email
U.S. Department of Homeland Security Seal
DHS.gov
An official website of the U.S. Department of Homeland Security
About DHS
Accessibility
Budget and Performance
DHS Components
FOIA Requests
No FEAR Act Data
Privacy Policy
Site Links
Vulnerability Disclosure Program
Office of Inspector General
The White House
USA.gov
schedule: schedule:
interval: weekly interval: weekly
groups: groups:
actions-minor: actions-minor: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/codeql-analysis.yml/badge.svg?event=workflow_dispatch
update-types: update-types:
- minor - minor
- patch - patch
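
Review bot: `directory:` for the `github-actions` ecosystem has to stay `/`; the new value is `Verification lD56255766/Skip to main content` followed by the text of a DHS web page, including an `<iframe>` snippet, and the `updates:` and `actions-minor:` keys each gain a badge link on the same line. None of that is Dependabot configuration and the pasted lines break the YAML, so update pull requests for the pinned actions would stop. Restore `directory: /`, leave `updates:` and `actions-minor:` bare, and remove the pasted page text.
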
@ -13,16 +73,16 @@ updates:
- dependency-name: 'actions/attest-build-provenance' - dependency-name: 'actions/attest-build-provenance'
- package-ecosystem: npm - package-ecosystem: npm
directory: / directory: /https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/codeql-analysis.yml
schedule: schedule:
interval: weekly interval: weekly.ci
groups: groups:
npm-development: npm-development:
dependency-type: development dependency-type: development
update-types: update-types:
- minor - minor
- patch - patch
npm-production: npm-production:https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/codeql-analysis.yml
dependency-type: production dependency-type: production
update-types: update-types:
- patch - patch
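
Review bot: `interval: weekly.ci` is not a schedule interval Dependabot accepts, and the URLs appended to `directory: /` and to `npm-production:` change the directory value and break the group key. Revert these three lines to `directory: /`, `interval: weekly` and `npm-production:` so npm dependency updates keep running.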


@ -1,83 +0,0 @@
env:
node: true
es6: true
jest: true
globals:
Atomics: readonly
SharedArrayBuffer: readonly
ignorePatterns:
- '!.*'
- '**/node_modules/.*'
- '**/dist/.*'
- '**/coverage/.*'
- '*.json'
parser: '@typescript-eslint/parser'
parserOptions:
ecmaVersion: 2023
sourceType: module
project:
- './.github/linters/tsconfig.json'
- './tsconfig.json'
plugins:
- jest
- '@typescript-eslint'
extends:
- eslint:recommended
- plugin:@typescript-eslint/eslint-recommended
- plugin:@typescript-eslint/recommended
- plugin:github/recommended
- plugin:jest/recommended
rules:
{
'camelcase': 'off',
'eslint-comments/no-use': 'off',
'eslint-comments/no-unused-disable': 'off',
'i18n-text/no-en': 'off',
'import/no-namespace': 'off',
'no-console': 'off',
'no-unused-vars': 'off',
'prettier/prettier': 'error',
'semi': 'off',
'@typescript-eslint/array-type': 'error',
'@typescript-eslint/await-thenable': 'error',
'@typescript-eslint/ban-ts-comment': 'error',
'@typescript-eslint/consistent-type-assertions': 'error',
'@typescript-eslint/explicit-member-accessibility':
['error', { 'accessibility': 'no-public' }],
'@typescript-eslint/explicit-function-return-type':
['error', { 'allowExpressions': true }],
'@typescript-eslint/func-call-spacing': ['error', 'never'],
'@typescript-eslint/no-array-constructor': 'error',
'@typescript-eslint/no-empty-interface': 'error',
'@typescript-eslint/no-explicit-any': 'error',
'@typescript-eslint/no-extraneous-class': 'error',
'@typescript-eslint/no-for-in-array': 'error',
'@typescript-eslint/no-inferrable-types': 'error',
'@typescript-eslint/no-misused-new': 'error',
'@typescript-eslint/no-namespace': 'error',
'@typescript-eslint/no-non-null-assertion': 'warn',
'@typescript-eslint/no-require-imports': 'error',
'@typescript-eslint/no-unnecessary-qualifier': 'error',
'@typescript-eslint/no-unnecessary-type-assertion': 'error',
'@typescript-eslint/no-unused-vars': 'error',
'@typescript-eslint/no-useless-constructor': 'error',
'@typescript-eslint/no-var-requires': 'error',
'@typescript-eslint/prefer-for-of': 'warn',
'@typescript-eslint/prefer-function-type': 'warn',
'@typescript-eslint/prefer-includes': 'error',
'@typescript-eslint/prefer-string-starts-ends-with': 'error',
'@typescript-eslint/promise-function-async': 'error',
'@typescript-eslint/require-array-sort-compare': 'error',
'@typescript-eslint/restrict-plus-operands': 'error',
'@typescript-eslint/semi': ['error', 'never'],
'@typescript-eslint/space-before-function-paren': 'off',
'@typescript-eslint/type-annotation-spacing': 'error',
'@typescript-eslint/unbound-method': 'error'
}
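
Review bot: Removing this config drops `'prettier/prettier': 'error'` and `plugin:github/recommended`, and neither has a counterpart in the `eslint.config.mjs` added by this commit. Confirm that formatting is still enforced by a separate step, and say in the commit message whether the GitHub plugin rules are being dropped on purpose.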

92
.github/linters/eslint.config.mjs vendored Normal file

@ -0,0 +1,92 @@
import eslint from '@eslint/js'
import importplugin from 'eslint-plugin-import'
import jestplugin from 'eslint-plugin-jest'
import tseslint from 'typescript-eslint'
export default tseslint.config(
// Ignore non-project files
{
name: 'ignore',
ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
},
// Use recommended rules from ESLint, TypeScript, and other plugins
eslint.configs.recommended,
tseslint.configs.recommendedTypeChecked,
jestplugin.configs['flat/recommended'],
importplugin.flatConfigs.recommended,
importplugin.flatConfigs.typescript,
// Override some rules
{
name: 'project-settings',
languageOptions: {
ecmaVersion: 2023,
parserOptions: {
project: ['./.github/linters/tsconfig.json', './tsconfig.json']
}
},
rules: {
// eslint rules
eqeqeq: ['error', 'smart'],
'func-style': ['error', 'declaration', { allowArrowFunctions: true }],
'no-console': 'off',
'no-implicit-globals': 'error',
'no-inner-declarations': 'error',
'no-invalid-this': 'error',
'no-return-assign': 'error',
'no-sequences': 'error',
'no-shadow': 'error',
'no-useless-concat': 'error',
'object-shorthand': ['error', 'always', { avoidQuotes: true }],
'one-var': ['error', 'never'],
'prefer-template': 'error',
// typescript-eslint rules
'@typescript-eslint/array-type': 'error',
'@typescript-eslint/consistent-type-assertions': 'error',
'@typescript-eslint/explicit-function-return-type': [
'error',
{ allowExpressions: true }
],
'@typescript-eslint/explicit-member-accessibility': [
'error',
{ accessibility: 'no-public' }
],
'@typescript-eslint/no-extraneous-class': 'error',
'@typescript-eslint/no-inferrable-types': 'error',
'@typescript-eslint/no-non-null-assertion': 'warn',
'@typescript-eslint/no-unnecessary-qualifier': 'error',
'@typescript-eslint/no-unsafe-assignment': 'off',
'@typescript-eslint/no-useless-constructor': 'error',
'@typescript-eslint/prefer-for-of': 'warn',
'@typescript-eslint/prefer-function-type': 'warn',
'@typescript-eslint/prefer-includes': 'error',
'@typescript-eslint/prefer-string-starts-ends-with': 'error',
'@typescript-eslint/promise-function-async': 'error',
'@typescript-eslint/require-array-sort-compare': 'error',
'@typescript-eslint/restrict-template-expressions': 'off',
// eslint-plugin-import rules
'import/extensions': 'error',
'import/first': 'error',
'import/no-absolute-path': 'error',
'import/no-commonjs': 'error',
'import/no-deprecated': 'warn',
'import/no-dynamic-require': 'error',
'import/no-extraneous-dependencies': 'error',
'import/no-mutable-exports': 'error',
'import/no-namespace': 'off',
'import/no-unresolved': ['error', { ignore: ['csv-parse/sync'] }],
'import/no-anonymous-default-export': [
'error',
{
allowAnonymousClass: false,
allowAnonymousFunction: false,
allowArray: true,
allowArrowFunction: false,
allowLiteral: true,
allowObject: true
}
]
}
}
)
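
Review bot: `'@typescript-eslint/no-unsafe-assignment': 'off'` and `'@typescript-eslint/restrict-template-expressions': 'off'` switch off two of the type-checked rules that `tseslint.configs.recommendedTypeChecked` enables, with no reason given, and `'import/no-unresolved'` carries an unexplained exception for `csv-parse/sync`. Add a one-line comment beside each override stating why it is needed, or scope the `off` settings to the files that require them instead of the whole project.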


@ -29,7 +29,7 @@ jobs:
date > artifact date > artifact
- name: Attest build provenance - name: Attest build provenance
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@v2
env: env:
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }} INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
with: with:
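
Review bot: `uses: actions/attest-build-provenance@v2` references a movable major tag, while the `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` lines elsewhere in this commit pin by commit SHA. If this workflow is meant to exercise whatever `v2` currently points to, say so in a comment above the step; otherwise pin to a commit SHA with the version in a trailing comment.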


@ -1,3 +0,0 @@
# Repository CODEOWNERS
* @actions/package-security

2
Codeowners Normal file

@ -0,0 +1,2 @@
# Repository CODEOWNERS
actions/package-security
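
Review bot: The rule line `actions/package-security` has lost both the `*` pattern and the `@` prefix of the removed `* @actions/package-security`, so it no longer assigns the team to any path, and the file is now named `Codeowners` where GitHub looks for `CODEOWNERS`. As written, the change silently removes code-owner review requests for the whole repository. Keep the original file name and the original line.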

120
README.md

@ -25,6 +25,16 @@ CLI][5].
See [Using artifact attestations to establish provenance for builds][9] for more See [Using artifact attestations to establish provenance for builds][9] for more
information on artifact attestations. information on artifact attestations.
<!-- prettier-ignore-start -->
> [!NOTE]
> Artifact attestations are available in public repositories for all
> current GitHub plans. They are not available on legacy plans, such as Bronze,
> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
> artifact attestations are only available for public repositories. To use
> artifact attestations in private or internal repositories, you must be on a
> GitHub Enterprise Cloud plan.
<!-- prettier-ignore-end -->
## Usage ## Usage
Within the GitHub Actions workflow which builds some artifact you would like to Within the GitHub Actions workflow which builds some artifact you would like to
@ -45,7 +55,7 @@ attest:
1. Add the following to your workflow after your artifact has been built: 1. Add the following to your workflow after your artifact has been built:
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: '<PATH TO ARTIFACT>' subject-path: '<PATH TO ARTIFACT>'
``` ```
@ -58,23 +68,28 @@ attest:
See [action.yml](action.yml) See [action.yml](action.yml)
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
# Path to the artifact serving as the subject of the attestation. Must # Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest". May contain a # specify exactly one of "subject-path", "subject-digest", or
# glob pattern or list of paths (total subject count cannot exceed 2500). # "subject-checksums". May contain a glob pattern or list of paths
# (total subject count cannot exceed 1024).
subject-path: subject-path:
# SHA256 digest of the subject for the attestation. Must be in the form # SHA256 digest of the subject for the attestation. Must be in the form
# "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
# of "subject-path" or "subject-digest". # of "subject-path", "subject-digest", or "subject-checksums".
subject-digest: subject-digest:
# Subject name as it should appear in the attestation. Required unless # Subject name as it should appear in the attestation. Required when
# "subject-path" is specified, in which case it will be inferred from the # identifying the subject with the "subject-digest" input.
# path.
subject-name: subject-name:
# Path to checksums file containing digest and name of subjects for
# attestation. Must specify exactly one of "subject-path", "subject-digest",
# or "subject-checksums".
subject-checksums:
# Whether to push the attestation to the image registry. Requires that the # Whether to push the attestation to the image registry. Requires that the
# "subject-name" parameter specify the fully-qualified image name and that # "subject-name" parameter specify the fully-qualified image name and that
# the "subject-digest" parameter be specified. Defaults to false. # the "subject-digest" parameter be specified. Defaults to false.
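
Review bot: The new `subject-checksums` comment does not say what format the checksums file must have, and the rewritten `subject-name` comment no longer states that the name is inferred when `subject-path` is used. Document the expected line format of the checksums file and keep a sentence on how the name is derived for `subject-path`. The drop of the subject limit from 2500 to 1024 changes behaviour for existing callers and deserves a line in the release notes.
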
@ -93,26 +108,24 @@ See [action.yml](action.yml)
<!-- markdownlint-disable MD013 --> <!-- markdownlint-disable MD013 -->
| Name | Description | Example | | Name | Description | Example |
| ------------- | -------------------------------------------------------------- | ------------------------ | | ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.jsonl` | | `attestation-id` | GitHub ID for the attestation | `123456` |
| `attestation-url` | URL for the attestation summary | `https://github.com/foo/bar/attestations/123456` |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
<!-- markdownlint-enable MD013 --> <!-- markdownlint-enable MD013 -->
Attestations are saved in the JSON-serialized [Sigstore bundle][6] format. Attestations are saved in the JSON-serialized [Sigstore bundle][6] format.
If multiple subjects are being attested at the same time, each attestation will If multiple subjects are being attested at the same time, a single attestation
be written to the output file on a separate line (using the [JSON Lines][7] will be created with references to each of the supplied subjects.
format).
## Attestation Limits ## Attestation Limits
### Subject Limits ### Subject Limits
No more than 2500 subjects can be attested at the same time. Subjects will be No more than 1024 subjects can be attested at the same time.
processed in batches 50. After the initial group of 50, each subsequent batch
will incur an exponentially increasing amount of delay (capped at 1 minute of
delay per batch) to avoid overwhelming the attestation API.
## Examples ## Examples
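Review bot: The outputs and limits text changes two things existing users depend on without flagging either as breaking: `bundle-path` moves from one bundle per line (`/tmp/attestation.jsonl`, JSON Lines) to a single bundle that references every subject (`/tmp/attestation.json`), and the subject limit drops from 2500 to 1024. A consumer written for the old layout (reading the file line by line, expecting one attestation per subject) needs updating, and a build that attests more than 1024 subjects now exceeds the limit. Suggest an upgrade note next to the outputs table that names both changes.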
@ -130,6 +143,7 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-latest
permissions: permissions:
id-token: write id-token: write
contents: read contents: read
@ -141,18 +155,18 @@ jobs:
- name: Build artifact - name: Build artifact
run: make my-app run: make my-app
- name: Attest - name: Attest
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@v2
with: with:
subject-path: '${{ github.workspace }}/my-app' subject-path: '${{ github.workspace }}/my-app'
``` ```
### Identify Multiple Subjects ### Identify Multiple Subjects
If you are generating multiple artifacts, you can generate a provenance If you are generating multiple artifacts, you can attest all of them at the same
attestation for each by using a wildcard in the `subject-path` input. time by using a wildcard in the `subject-path` input.
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: 'dist/**/my-bin-*' subject-path: 'dist/**/my-bin-*'
``` ```
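Review bot: The updated examples reference a mutable tag (`uses: actions/attest-build-provenance@v2`), while the predicate step in this repository's own `action.yml` is pinned to a full commit SHA with the version in a trailing comment. Since the output of this action is a supply-chain trust statement, suggest a sentence in the README telling users who need an immutable reference to pin to the release commit SHA in the same way.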
@ -164,19 +178,53 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
newline delimited list: newline delimited list:
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: 'dist/foo, dist/bar' subject-path: 'dist/foo, dist/bar'
``` ```
```yaml ```yaml
- uses: actions/attest-build-provenance@v1 - uses: actions/attest-build-provenance@v2
with: with:
subject-path: | subject-path: |
dist/foo dist/foo
dist/bar dist/bar
``` ```
### Identify Subjects with Checksums File
If you are using tools like
[goreleaser](https://goreleaser.com/customization/checksum/) or
[jreleaser](https://jreleaser.org/guide/latest/reference/checksum.html) which
generate a checksums file you can identify the attestation subjects by passing
the path of the checksums file to the `subject-checksums` input. Each of the
artifacts identified in the checksums file will be listed as a subject for the
attestation.
```yaml
- name: Calculate artifact digests
run: |
shasum -a 256 foo_0.0.1_* > subject.checksums.txt
- uses: actions/attest-build-provenance@v2
with:
subject-checksums: subject.checksums.txt
```
<!-- markdownlint-disable MD038 -->
The file referenced by the `subject-checksums` input must conform to the same
format used by the shasum tools. Each subject should be listed on a separate
line including the hex-encoded digest (either SHA256 or SHA512), a space, a
single character flag indicating either binary (`*`) or text (` `) input mode,
and the filename.
<!-- markdownlint-enable MD038 -->
```text
b569bf992b287f55d78bf8ee476497e9b7e9d2bf1c338860bfb905016218c740 foo_0.0.1_darwin_amd64
a54fc515e616cac7fcf11a49d5c5ec9ec315948a5935c1e11dd610b834b14dde foo_0.0.1_darwin_arm64
```
### Container Image ### Container Image
When working with container images you can invoke the action with the When working with container images you can invoke the action with the
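Review bot: The `subject-checksums` section documents the line format but not the trust it implies: every digest and name in the file is listed as a subject, so whatever writes `subject.checksums.txt` decides what gets attested. Suggest stating that the file should be produced in the same job from the artifacts just built (as the `shasum -a 256 foo_0.0.1_* > subject.checksums.txt` step does) and not carried over from an earlier job or downloaded. It would also help to say how SHA256 and SHA512 lines are told apart and what happens to a line that matches neither format.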
@ -230,7 +278,7 @@ jobs:
push: true push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Attest - name: Attest
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@v2
id: attest id: attest
with: with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@ -238,6 +286,26 @@ jobs:
push-to-registry: true push-to-registry: true
``` ```
### Integration with `actions/upload-artifact`
If you'd like to create an attestation for an archive created with the
[actions/upload-artifact][11] action you can feed the digest of the generated
artifact directly into the `subject-digest` input of the attestation action.
```yaml
- name: Upload build artifact
id: upload
uses: actions/upload-artifact@v4
with:
path: dist/*
name: artifact.zip
- uses: actions/attest-build-provenance@v2
with:
subject-name: artifact.zip
subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
```
[1]: https://github.com/actions/toolkit/tree/main/packages/attest [1]: https://github.com/actions/toolkit/tree/main/packages/attest
[2]: https://github.com/in-toto/attestation/tree/main/spec/v1 [2]: https://github.com/in-toto/attestation/tree/main/spec/v1
[3]: https://slsa.dev/spec/v1.0/provenance [3]: https://slsa.dev/spec/v1.0/provenance
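Review bot: In the `actions/upload-artifact` example, `subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}` is the digest of the uploaded archive, not of the individual files under `dist/*`, and the text does not say so. Anyone verifying later has to check the downloaded archive itself; the extracted files will not match the attested subject. Suggest one sentence making that explicit.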
@ -245,8 +313,8 @@ jobs:
[5]: https://cli.github.com/manual/gh_attestation_verify [5]: https://cli.github.com/manual/gh_attestation_verify
[6]: [6]:
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[7]: https://jsonlines.org/
[8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
[9]: [9]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
[10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md [10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md
[11]: https://github.com/actions/upload-artifact

View File

@ -8,7 +8,7 @@ import * as main from '../src/main'
const runMock = jest.spyOn(main, 'run').mockImplementation() const runMock = jest.spyOn(main, 'run').mockImplementation()
describe('index', () => { describe('index', () => {
it('calls run when imported', async () => { it('calls run when imported', () => {
// eslint-disable-next-line @typescript-eslint/no-require-imports // eslint-disable-next-line @typescript-eslint/no-require-imports
require('../src/index') require('../src/index')

View File

@ -9,20 +9,26 @@ inputs:
subject-path: subject-path:
description: > description: >
Path to the artifact serving as the subject of the attestation. Must Path to the artifact serving as the subject of the attestation. Must
specify exactly one of "subject-path" or "subject-digest". May contain a specify exactly one of "subject-path", "subject-digest", or
glob pattern or list of paths (total subject count cannot exceed 2500). "subject-checksums". May contain a glob pattern or list of paths
(total subject count cannot exceed 1024).
required: false required: false
subject-digest: subject-digest:
description: > description: >
Digest of the subject for which provenance will be generated. Must be in Digest of the subject for which provenance will be generated. Must be in
the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
exactly one of "subject-path" or "subject-digest". exactly one of "subject-path", "subject-digest", or "subject-checksums".
required: false required: false
subject-name: subject-name:
description: > description: >
Subject name as it should appear in the provenance statement. Required Subject name as it should appear in the attestation. Required when
unless "subject-path" is specified, in which case it will be inferred from identifying the subject with the "subject-digest" input.
the path. subject-checksums:
description: >
Path to checksums file containing digest and name of subjects for
attestation. Must specify exactly one of "subject-path", "subject-digest",
or "subject-checksums".
required: false
push-to-registry: push-to-registry:
description: > description: >
Whether to push the provenance statement to the image registry. Requires Whether to push the provenance statement to the image registry. Requires
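Review bot: The new `subject-name` description drops the old statement that the name is inferred from the path and does not say what happens when `subject-name` is supplied together with `subject-path` or `subject-checksums`. Suggest stating whether it is ignored or rejected in those cases. Also, this description now says "attestation" while the unchanged `push-to-registry` text just below still says "provenance statement"; pick one term for both.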
@ -44,20 +50,31 @@ inputs:
outputs: outputs:
bundle-path: bundle-path:
description: 'The path to the file containing the attestation bundle(s).' description: 'The path to the file containing the attestation bundle.'
value: ${{ steps.attest.outputs.bundle-path }} value: ${{ steps.attest.outputs.bundle-path }}
attestation-id:
description: 'The ID of the attestation.'
value: ${{ steps.attest.outputs.attestation-id }}
attestation-url:
description: 'The URL for the attestation summary.'
value: ${{ steps.attest.outputs.attestation-url }}
runs: runs:
using: 'composite' using: 'composite'
steps: steps:
- uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4 - uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4
id: generate-build-provenance-predicate id: generate-build-provenance-predicate
main
- uses: actions/attest@v2.2.0
- uses: actions/attest@main - uses: actions/attest@main
bdehamer/demo
id: attest id: attest
with: with:
subject-path: ${{ inputs.subject-path }} subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }} subject-digest: ${{ inputs.subject-digest }}
subject-name: ${{ inputs.subject-name }} subject-name: ${{ inputs.subject-name }}
subject-checksums: ${{ inputs.subject-checksums }}
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }} predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }} predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
push-to-registry: ${{ inputs.push-to-registry }} push-to-registry: ${{ inputs.push-to-registry }}
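Review bot: The `runs.steps` list on the new side contains what looks like the remains of an unresolved merge: a bare `main` line, two step entries (`- uses: actions/attest@v2.2.0` and `- uses: actions/attest@main`), and a bare `bdehamer/demo` line ahead of `id: attest`. As written this is not a valid step list, and `actions/attest@main` tracks a moving branch while the predicate step directly above is pinned to a commit SHA. Suggest resolving to a single `uses:` line pinned to a release, by SHA with the version in a comment as the predicate step is, and deleting the two stray lines.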

BIN
dist/index.js generated vendored

Binary file not shown.

3769
package-lock.json generated

File diff suppressed because it is too large Load Diff

View File

@ -28,7 +28,7 @@
"ci-test": "jest", "ci-test": "jest",
"format:write": "prettier --write **/*.ts", "format:write": "prettier --write **/*.ts",
"format:check": "prettier --check **/*.ts", "format:check": "prettier --check **/*.ts",
"lint:eslint": "npx eslint . -c ./.github/linters/.eslintrc.yml", "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
"lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"", "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
"lint": "npm run lint:eslint && npm run lint:markdown", "lint": "npm run lint:eslint && npm run lint:markdown",
"package": "ncc build src/index.ts --license licenses.txt", "package": "ncc build src/index.ts --license licenses.txt",
@ -74,23 +74,20 @@
"@actions/core": "^1.11.1" "@actions/core": "^1.11.1"
}, },
"devDependencies": { "devDependencies": {
"@eslint/js": "^9.20.0",
"@types/jest": "^29.5.14", "@types/jest": "^29.5.14",
"@types/node": "^22.8.7", "@types/node": "^22.13.1",
"@typescript-eslint/eslint-plugin": "^7.17.0", "@vercel/ncc": "^0.38.3",
"@typescript-eslint/parser": "^7.18.0", "eslint": "^9.20.0",
"@vercel/ncc": "^0.38.2", "eslint-plugin-import": "^2.31.0",
"eslint": "^8.57.1", "eslint-plugin-jest": "^28.11.0",
"eslint-plugin-github": "^5.0.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-jsonc": "^2.16.0",
"eslint-plugin-prettier": "^5.2.1",
"jest": "^29.7.0", "jest": "^29.7.0",
"jose": "^5.9.6", "jose": "^5.9.6",
"markdownlint-cli": "^0.42.0", "markdownlint-cli": "^0.44.0",
"nock": "^13.5.5", "nock": "^14.0.1",
"prettier": "^3.3.3", "prettier": "^3.5.0",
"prettier-eslint": "^16.3.0",
"ts-jest": "^29.2.5", "ts-jest": "^29.2.5",
"typescript": "^5.6.3" "typescript": "^5.7.3",
"typescript-eslint": "^8.23.0"
} }
} }
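Review bot: The `devDependencies` block takes several major-version jumps at once (`eslint` ^8.57.1 to ^9.20.0, `nock` ^13.5.5 to ^14.0.1, the `@typescript-eslint/*` pair replaced by `typescript-eslint` ^8.23.0) in the same commit as the action's behaviour change, and the accompanying `package-lock.json` and `dist/index.js` diffs are not shown on this page. Suggest splitting the tooling upgrade into its own commit so the lockfile and the rebuilt `dist/index.js` can be reviewed against a small source change.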

626
workflow file/ .runner Normal file
View File

@ -0,0 +1,626 @@
# This is a basic workflow to help you get started with Actions
name: CI
# Controls when the workflow will run
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
# Triggers the workflow on push or pull request events but only for the "main" branch
push: Navigation Menu
GitHub Actions Workflow Configuration Explained
Copilot Chat
Chatting about ETEnterprises1/attest-build-provenance
public repository
Copilot uses AI. Check for mistakes.
ETEnterprises1
now
Explain this file.
Copilot
now
It seems like you didn't specify a file to explain. Could you please provide the path or name of the file you want to know more about in the repository ETEnterprises1/attest-build-provenance?
ETEnterprises1
now
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main
push: -a
branches:
- main
- 'releases/*'https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
permissions: {read, write, edit, comment}
jobs: in order
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version-file: .node-version
cache: npm
- name: Install Dependencies
id: npm-ci
run: npm ci
- name: Check Format
id: npm-format-check
run: npm run format:check
- name: Lint
id: npm-lint
run: npm run lint
- name: Test
id: npm-ci-test
run: npm run ci-test
test-attest-provenance:
name: Test attest-provenance action
runs-on: ubuntu-latest
permissions: write, read, comment
attestations: write
contents: read
id-token: write
steps: in order
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run attest-provenance
id: <Id: [#126257497087216001-073972181700011840708301160 //{073972181700011840708301160 /WALKER AVE SAINT LOUIS, MO 63138-2935 /etcorporations1@outlook.com} /(@ETEnterprises1.etc #Exec.Ste).]>
uses: ./dependabot.yml
env:https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
INPUT_PRIVATE-SIGNING: 'true'
with:https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Dump output
run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
Copilot
now
This file is a GitHub Actions workflow configuration file written in YAML. It defines a continuous integration pipeline for the repository. Here are the key components:
Name: Continuous Integration
Triggers: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
Pull requests to the main branch.
Pushes to the main branch and branches that match the pattern releases/*.
Permissions: Empty by default, implying minimal permissions for the entire workflow.
Jobs:**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
test-typescript:
Name: TypeScript Tests
Runs-on: ubuntu-latest
Permissions: Read access to repository contents.
Steps:
Checkout the repository.
Setup Node.js using a version specified in .node-version and cache npm modules.
Install dependencies using npm ci.
Check code format.
Lint the code.
Run tests.
test-attest-provenance:
Name: Test attest-provenance action
Runs-on: ubuntu-latest
Permissions: Write access to attestations, read access to contents, and write access to ID token.
Steps:
Checkout the repository.
Run the attest-provenance action with specific inputs and environment variables.
Dump the output using jq to process JSON.
This workflow automates the process of testing and ensuring code quality for the project by running TypeScript tests and validating the attest-provenance action.
Code
Pull requests
3
Actions
Creating a new file in attest-build-provenance
Breadcrumbsattest-build-provenance
/**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
in
main
Edit
Preview
Indent mode
Spaces
Indent size
2
Line wrap mode
No wrap
Editing file contents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main, attest-build-provenence, master
push: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
branches: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
- main, master
- 'releases/*'**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
permissions: {**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx}
jobs: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node .yml
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with: .lint
node-version-file: .node-version
cache: npm
- name: Install Dependencies
Use Control + Shift + m to toggle the tab key moving focus. Alternatively, use esc then tab to move to the next interactive element on the page.
Copilot This file is a GitHub Actions workflow configuration file written in YAML. It defines a continuous integration pipeline for the repository. Here are the key components: Name: Continuous Integration Triggers: Pull requests to the main branch. Pushes to the main branch and branches that match the pattern releases/*. Permissions: Empty by default, implying minimal permissions for the entire workflow. Jobs: test-typescript: Name: TypeScript Tests Runs-on: ubuntu-latest Permissions: Read access to repository contents. Steps: Checkout the repository. Setup Node.js using a version specified in .node-version and cache npm modules. Install dependencies using npm ci. Check code format. Lint the code. Run tests. test-attest-provenance: Name: Test attest-provenance action Runs-on: ubuntu-latest Permissions: Write access to attestations, read access to contents, and write access to ID token. Steps: Checkout the repository. Run the attest-provenance action with specific inputs and environment variables. Dump the output using jq to process JSON. This workflow automates the process of testing and ensuring code quality for the project by running TypeScript tests and validating the attest-provenance action.
branches: [ "main" ]
pull_request: "master"
branches: [ "main" ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v4
# Runs a single command using the runners shell
- name: Run a one-line script
run: echo Hello, world!
# Runs a set of commands using the runners shell
- name: Run a multi-line script
run: |**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
echo Add other actions to build,
echo test, and deploy your project.
Skip to content
Navigation Menu
Fixing GitHub Actions Workflow Issues
Copilot Chat
Chatting about ETEnterprises1/Bank-of-Montreal-N.a.
private repository
Copilot uses AI. Check for mistakes.
ETEnterprises1
now
1 reference
What need fixed and how do i fix it
Copilot
now
Issues Identified in the Workflow File
Invalid on key value:
The on key has an invalid URL: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg.
Invalid push key value:
The push key has a non-branch value: Navigation Menu.
Malformed push key:
The push: -a and subsequent branch pattern - 'releases/*'https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg are incorrectly formatted.
Incorrect permissions format:
The permissions key has an invalid format: {read, write, edit, comment}.
Invalid jobs key value:
The jobs: in order is not a valid configuration.
Malformed steps:
Steps such as steps: in order and id: are incorrectly formatted and misplaced.
Fixes for Identified Issues
Fix on key:
YAML
on:
push:
branches:
- main
pull_request:
branches:
- main
Fix push key:
YAML
on:
push:
branches:
- main
- 'releases/*'
Fix permissions format:
YAML
permissions:
contents: read
issues: write
pull-requests: write
actions: read
Fix jobs key:
YAML
jobs:
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '14'
cache: 'npm'
- name: Install Dependencies
run: npm ci
- name: Check Format
run: npm run format:check
- name: Lint
run: npm run lint
- name: Test
run: npm test
test-attest-provenance:
name: Test attest-provenance action
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run attest-provenance
uses: ./dependabot.yml
env:
INPUT_PRIVATE-SIGNING: 'true'
with:
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Dump output
run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
Apply these fixes to the ETEnterprises1.yml file in your repository.
Code
Issues
3
Pull requests
Actions
BreadcrumbsBank-of-Montreal-N.a./.github/workflows
/ETEnterprises1.yml
Latest commit
ETEnterprises1
ETEnterprises1
now
History
251 lines (251 loc) · 9.36 KB
File metadata and controls
Code
Blame
# This is a basic workflow to help you get started with Actions
name: CI
# Controls when the workflow will run
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
# Triggers the workflow on push or pull request events but only for the "main" branch
push: Navigation Menu
GitHub Actions Workflow Configuration Explained
Copilot Chat
Chatting about ETEnterprises1/attest-build-provenance
public repository
Copilot uses AI. Check for mistakes.
ETEnterprises1
now
Explain this file.
Copilot
now
It seems like you didn't specify a file to explain. Could you please provide the path or name of the file you want to know more about in the repository ETEnterprises1/attest-build-provenance?
ETEnterprises1
now
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main
push: -a
branches:
- main
- 'releases/*'https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
permissions: {read, write, edit, comment}
jobs: in order
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version-file: .node-version
cache: npm
- name: Install Dependencies
id: npm-ci
run: npm ci
- name: Check Format
id: npm-format-check
run: npm run format:check
- name: Lint
id: npm-lint
run: npm run lint
- name: Test
id: npm-ci-test
run: npm run ci-test
test-attest-provenance:
name: Test attest-provenance action
runs-on: ubuntu-latest
permissions: write, read, comment
attestations: write
contents: read
id-token: write
steps: in order
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run attest-provenance
id: <Id: [#126257497087216001-073972181700011840708301160 //{073972181700011840708301160 /WALKER AVE SAINT LOUIS, MO 63138-2935 /etcorporations1@outlook.com} /(@ETEnterprises1.etc #Exec.Ste).]>
uses: ./dependabot.yml
env:https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
INPUT_PRIVATE-SIGNING: 'true'
with:https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
subject-name: 'subject'
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Dump output
run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
Copilot
now
This file is a GitHub Actions workflow configuration file written in YAML. It defines a continuous integration pipeline for the repository. Here are the key components:
Name: Continuous Integration
Triggers: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
Pull requests to the main branch.
Pushes to the main branch and branches that match the pattern releases/*.
Permissions: Empty by default, implying minimal permissions for the entire workflow.
Jobs:**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
test-typescript:
Name: TypeScript Tests
Runs-on: ubuntu-latest
Permissions: Read access to repository contents.
Steps:
Checkout the repository.
Setup Node.js using a version specified in .node-version and cache npm modules.
Install dependencies using npm ci.
Check code format.
Lint the code.
Run tests.
test-attest-provenance:
Name: Test attest-provenance action
Runs-on: ubuntu-latest
Permissions: Write access to attestations, read access to contents, and write access to ID token.
Steps:
Checkout the repository.
Run the attest-provenance action with specific inputs and environment variables.
Dump the output using jq to process JSON.
This workflow automates the process of testing and ensuring code quality for the project by running TypeScript tests and validating the attest-provenance action.
Code
Pull requests
3
Actions
Creating a new file in attest-build-provenance
Breadcrumbsattest-build-provenance
/**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
in
main
Edit
Preview
Indent mode
Spaces
Indent size
2
Line wrap mode
No wrap
Editing file contents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Continuous Integration
on: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
pull_request:
branches:
- main, attest-build-provenence, master
push: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg
branches: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
- main, master
- 'releases/*'**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
permissions: {**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx}
jobs: **Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node .yml
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with: .lint
node-version-file: .node-version
cache: npm
- name: Install Dependencies
Use Control + Shift + m to toggle the tab key moving focus. Alternatively, use esc then tab to move to the next interactive element on the page.
Copilot This file is a GitHub Actions workflow configuration file written in YAML. It defines a continuous integration pipeline for the repository. Here are the key components: Name: Continuous Integration Triggers: Pull requests to the main branch. Pushes to the main branch and branches that match the pattern releases/*. Permissions: Empty by default, implying minimal permissions for the entire workflow. Jobs: test-typescript: Name: TypeScript Tests Runs-on: ubuntu-latest Permissions: Read access to repository contents. Steps: Checkout the repository. Setup Node.js using a version specified in .node-version and cache npm modules. Install dependencies using npm ci. Check code format. Lint the code. Run tests. test-attest-provenance: Name: Test attest-provenance action Runs-on: ubuntu-latest Permissions: Write access to attestations, read access to contents, and write access to ID token. Steps: Checkout the repository. Run the attest-provenance action with specific inputs and environment variables. Dump the output using jq to process JSON. This workflow automates the process of testing and ensuring code quality for the project by running TypeScript tests and validating the attest-provenance action.
branches: [ "main" ]
pull_request: "master"
branches: [ "main" ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v4
# Runs a single command using the runners shell
- name: Run a one-line script
run: echo Hello, world!
# Runs a set of commands using the runners shell
- name: Run a multi-line script
run: |**Full Changelog**: https://github.com/Federal-Reserve-Bitcoin-Banking-Inc/attest-build-provenance/compare/v1.4.3...v1.4.4
[html..etcorps.com.yaml.docx](https://github.com/user-attachments/files/18306677/html.etcorps.com.yaml.docx
echo Add other actions to build,
echo test, and deploy your project.
Copilot Issues Identified in the Workflow File Invalid on key value: The on key has an invalid URL: https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg. Invalid push key value: The push key has a non-branch value: Navigation Menu. Malformed push key: The push: -a and subsequent branch pattern - 'releases/*'https://github.com/ETEnterprises1/attest-build-provenance/actions/workflows/ci.yml/badge.svg are incorrectly formatted. Incorrect permissions format: The permissions key has an invalid format: {read, write, edit, comment}. Invalid jobs key value: The jobs: in order is not a valid configuration. Malformed steps: Steps such as steps: in order and id: are incorrectly formatted and misplaced. Fixes for Identified Issues Fix on key: on: push: branches: - main pull_request: branches: - main Fix push key: on: push: branches: - main - 'releases/*' Fix permissions format: permissions: contents: read issues: write pull-requests: write actions: read Fix jobs key: jobs: test-typescript: name: TypeScript Tests runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Node.js uses: actions/setup-node@v4 with: node-version: '14' cache: 'npm' - name: Install Dependencies run: npm ci - name: Check Format run: npm run format:check - name: Lint run: npm run lint - name: Test run: npm test test-attest-provenance: name: Test attest-provenance action runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Run attest-provenance uses: ./dependabot.yml env: INPUT_PRIVATE-SIGNING: 'true' with: subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' subject-name: 'subject' github-token: ${{ secrets.GITHUB_TOKEN }} - name: Dump output run: jq < ${{ steps.attest-provenance.outputs.bundle-path }} Apply these fixes to the ETEnterprises1.yml file in your repository.
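Review bot: This region of the added file is not a parseable workflow: the lines beginning "Use Control + Shift + m" and "Copilot This file is a GitHub Actions workflow", and the closing "Copilot Issues Identified in the Workflow File" line, are pasted chat and editor text sitting between the `push:` trigger and the `jobs:` definition, and `run: |**Full Changelog**: ...` fuses a release-notes line and a user-attachments .docx link into the block-scalar header of the multi-line script step. Remove all of that so the step is `run: |` followed only by the two `echo` lines. `pull_request: "master"` gives the trigger a scalar value, so the `branches: [ "main" ]` line after it has nothing to attach to; make `pull_request:` a mapping with `branches` under it. `actions/checkout@v4` is a mutable tag and should be pinned to a full commit SHA. The fix text embedded in the last pasted line should not be applied as written either: it grants `issues: write` and `pull-requests: write` at workflow level to jobs whose listed steps only check out, lint and test, and `uses: ./dependabot.yml` points a local action reference at a YAML file rather than at an action directory.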