add link to cosign bundle spec to readme (#63)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Brian DeHamer 2024-05-06 12:14:34 -07:00 committed by GitHub
parent 317e60695d
commit 799a179922
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -19,8 +19,8 @@ initiated.
Attestations can be verified using the [`attestation` command in the GitHub Attestations can be verified using the [`attestation` command in the GitHub
CLI][5]. CLI][5].
See [Using artifact attestations to establish provenance for builds][9] See [Using artifact attestations to establish provenance for builds][9] for more
for more information on artifact attestations. information on artifact attestations.
## Usage ## Usage
@ -36,8 +36,8 @@ attest:
``` ```
The `id-token` permission gives the action the ability to mint the OIDC token The `id-token` permission gives the action the ability to mint the OIDC token
permission is necessary to persist the attestation. The `attestations` permission permission is necessary to persist the attestation. The `attestations`
is necessary to persist the attestation. permission is necessary to persist the attestation.
1. Add the following to your workflow after your artifact has been built: 1. Add the following to your workflow after your artifact has been built:
@ -154,6 +154,9 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name -- "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
the specific image being attested is identified by the supplied digest. the specific image being attested is identified by the supplied digest.
Attestation bundles are stored in the OCI registry according to the [Cosign
Bundle Specification][10].
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
> registry portion of the image name. > registry portion of the image name.
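Review bot: the added sentence ("Attestation bundles are stored in the OCI registry according to the [Cosign Bundle Specification][10]") tells readers which format is used but not how the stored bundle relates to the image it attests; since the preceding paragraph says the image is identified by the supplied digest rather than a tag, consider one more clause stating that the bundle is associated with that same digest, so readers can tell which artifact a given bundle in the registry belongs to. Also worth noting here, rather than only in the link list, that this is what lets the `attestation` command in the GitHub CLI ([5]) locate the bundle for verification, if that is indeed the intended retrieval path.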
@ -210,4 +213,6 @@ jobs:
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[7]: https://jsonlines.org/ [7]: https://jsonlines.org/
[8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
[9]: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds [9]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
[10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md
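Review bot: the new reference `[10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md` points at the `main` branch, so the document the README cites can change or move underneath this link while the action keeps producing bundles in a particular layout; consider pinning it to a tagged release or commit of the cosign repository so the cited specification stays in step with what this action actually writes. The reflow of `[9]` onto two lines in the same hunk is fine for Markdown reference definitions as long as the URL itself stays on one line, which it does here.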