From fec1f1e733c9ac2c6823992c50d2236d09969569 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Thu, 29 Feb 2024 11:57:49 -0800
Subject: [PATCH 1/3] refactor action inputs (#14)

Signed-off-by: Brian DeHamer
---
 action.yml | 14 ++----
 .../action.yml | 14 ++++++
 .../action.yml | 43 -------------------
 3 files changed, 18 insertions(+), 53 deletions(-)
 create mode 100644 generate-build-provenance-predicate/action.yml
 delete mode 100644 generate-build-provenance-statement/action.yml

diff --git a/action.yml b/action.yml
index 6e0bb6f..68750d9 100644
--- a/action.yml
+++ b/action.yml
@@ -39,14 +39,8 @@ outputs:
 runs:
 using: 'composite'
 steps:
- - uses: actions/attest-build-provenance/generate-build-provenance-statement@main
- id: generate-build-provenance-statement
- with:
- github-token: ${{ inputs.github-token }}
- subject-path: ${{ inputs.subject-path }}
- subject-digest: ${{ inputs.subject-digest }}
- subject-name: ${{ inputs.subject-name }}
- push-to-registry: ${{ inputs.push-to-registry }}
+ - uses: actions/attest-build-provenance/generate-build-provenance-predicate@input-refactor
+ id: generate-build-provenance-predicate
 - uses: actions/attest@main
 id: attest
 with:
@@ -55,5 +49,5 @@ runs:
 subject-digest: ${{ inputs.subject-digest }}
 subject-name: ${{ inputs.subject-name }}
 push-to-registry: ${{ inputs.push-to-registry }}
- predicate-type: ${{ steps.generate-build-provenance-statement.outputs.predicate-type }}
- predicate: ${{ steps.generate-build-provenance-statement.outputs.predicate }}
+ predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
+ predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
diff --git a/generate-build-provenance-predicate/action.yml b/generate-build-provenance-predicate/action.yml
new file mode 100644
index 0000000..ae5b0bd
--- /dev/null
+++ b/generate-build-provenance-predicate/action.yml
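Review bot: The rewritten step at `- uses: actions/attest-build-provenance/generate-build-provenance-predicate@input-refactor` drops the entire `with:` block, so `github-token`, the `subject-*` values and `push-to-registry` are no longer forwarded to the predicate generator, and nothing in this hunk says where that step now takes its configuration from. The sub-action deleted later in this patch documented `github-token` as the credential for authenticated API requests, so if the node entrypoint still makes such calls it is presumably relying on the job environment rather than a declared input, and that should be stated at the call site. Suggested comment above the step: `# No inputs are forwarded: the predicate generator reads its configuration from the job environment (TODO confirm which variables it consumes)`. The second hunk of this file only updates the step-id references in the `actions/attest@main` step to the new id.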
@@ -0,0 +1,14 @@
+name: 'Generate Build Provenance Statement'
+description: 'Generate provenance statement for build artifacts'
+author: 'GitHub'
+
+outputs:
+ predicate:
+ description: >
+ The JSON-serialized of the attestation predicate.
+ predicate-type:
+ description: >
+ URI identifying the type of the predicate.
+runs:
+ using: node20
+ main: ../dist/index.js
diff --git a/generate-build-provenance-statement/action.yml b/generate-build-provenance-statement/action.yml
deleted file mode 100644
index ef42c75..0000000
--- a/generate-build-provenance-statement/action.yml
+++ /dev/null
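Review bot: The new `generate-build-provenance-predicate/action.yml` keeps `name: 'Generate Build Provenance Statement'` and `description: 'Generate provenance statement for build artifacts'` from the deleted statement action, so the metadata shown in run logs contradicts what the action now emits; suggest `name: 'Generate Build Provenance Predicate'` and `description: 'Generate the build provenance predicate for build artifacts'`. The `predicate` output description `The JSON-serialized of the attestation predicate.` is missing its noun; `The JSON-serialized attestation predicate.` reads correctly. The action declares no `inputs:` at all, yet the CI change later in this series sets `INPUT_PRIVATE-SIGNING` in the environment, which suggests the node entrypoint reads undeclared `INPUT_*` variables — if so, the runner can neither validate nor document them, and a comment above `runs:` naming the variables the entrypoint expects would help reviewers and consumers.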
@@ -1,43 +0,0 @@
-name: 'Generate Build Provenance Statement'
-description: 'Generate provenance statement for build artifacts'
-author: 'GitHub'
-
-inputs:
- github-token:
- description: >
- The GitHub token used to make authenticated API requests.
- default: ${{ github.token }}
- required: false
- subject-path:
- description: >
- Path to the artifact for which provenance will be generated. Must specify
- exactly one of "subject-path" or "subject-digest".
- required: false
- subject-digest:
- description: >
- Digest of the subject for which provenance will be generated. Must be in
- the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
- exactly one of "subject-path" or "subject-digest".
- required: false
- subject-name:
- description: >
- Subject name as it should appear in the provenance statement. Required
- unless "subject-path" is specified, in which case it will be inferred from
- the path.
- push-to-registry:
- description: >
- Whether to push the provenance statement to the image registry. Requires
- that the "subject-name" parameter specify the fully-qualified image name
- and that the "subject-digest" parameter be specified. Defaults to false.
- default: false
- required: false
-outputs:
- predicate:
- description: >
- The JSON-serialized of the attestation predicate.
- predicate-type:
- description: >
- URI identifying the type of the predicate.
-runs:
- using: node20
- main: ../dist/index.js
\ No newline at end of file
From f47db5c9bcbc7a88996c73dc380f716c81be3987 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Thu, 29 Feb 2024 14:00:31 -0800
Subject: [PATCH 2/3] update ref to sub-action (#15)

Signed-off-by: Brian DeHamer
---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 68750d9..ae28288 100644
--- a/action.yml
+++ b/action.yml
@@ -39,7 +39,7 @@ outputs:
 runs:
 using: 'composite'
 steps:
- - uses: actions/attest-build-provenance/generate-build-provenance-predicate@input-refactor
+ - uses: actions/attest-build-provenance/generate-build-provenance-predicate@main
 id: generate-build-provenance-predicate
 - uses: actions/attest@main
 id: attest
From b6400165aadbed17e417d99bf3f37c2b6aa54131 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Thu, 29 Feb 2024 16:29:00 -0800
Subject: [PATCH 3/3] Force signing w/ private sigstore instance (#16)

Signed-off-by: Brian DeHamer
---
 .github/workflows/ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1ff0c9d..50a3b0c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,6 +59,8 @@ jobs:
 - name: Run attest-provenance
 id: attest-provenance
 uses: ./
+ env:
+ INPUT_PRIVATE-SIGNING: 'true'
 with:
 subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
 subject-name: 'subject'
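Review bot: `@main` on the replaced `uses:` line is still a floating ref: the composite action resolves its own sub-action from whatever `main` holds at run time, so a consumer who pins `actions/attest-build-provenance` to a tag or commit SHA still executes an unpinned predicate generator, and the same applies to the `actions/attest@main` step two lines below. Pinning the nested step to the ref that matches the published release (`@<release-tag-or-sha>`, placeholder) and updating it as part of the release process keeps the consumer's pin meaningful. Until that is automated, a comment on the step such as `# keep this ref in sync with the published release; a floating ref bypasses the caller's pin` would record the intent.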
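Review bot: The added `env:` block sets `INPUT_PRIVATE-SIGNING: 'true'` on a step that runs the composite action through `uses: ./`, which drives behaviour via the runner's `INPUT_*` naming convention rather than a declared `with:` input, and the hunk does not show whether `./` declares a `private-signing` input at all. As far as I can tell step-level `env` is inherited by the nested steps of a composite action, so the value would also reach the `actions/attest@main` step and not only the predicate generator; if that is intended it is worth saying so. Suggested comment above `env:`: `# Routes this CI run's signing to the private Sigstore instance; set as INPUT_* because the nested action reads it from the environment (confirm which step consumes it)`.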