actions/docker-attest-build-provenance
1
0
Fork 0
mirror of https://github.com/actions/attest-build-provenance.git synced 2025-12-16 12:19:04 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'actions:main' into main-origin

Browse Source
This commit is contained in:
Devlynn Singley 2025-08-28 21:09:09 -07:00 committed by GitHub
commit f2a6401597
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 36 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.github/linters/.yaml-lint.yml vendored
View File

@ -1,10 +0,0 @@
rules:
document-end: disable
document-start:
level: warning
present: false
line-length:
level: warning
max: 80
allow-non-breakable-words: true
allow-non-breakable-inline-mappings: true

9
.github/linters/tsconfig.json vendored
View File

@ -1,9 +0,0 @@
{
"$schema": "https://json.schemastore.org/tsconfig",
"extends": "../../tsconfig.json",
"compilerOptions": {
"noEmit": true
},
"include": ["../../__tests__/**/*", "../../src/**/*"],
"exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"]
}

4
.github/workflows/ci.yml vendored
View File

@ -21,7 +21,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Setup Node.js - name: Setup Node.js
id: setup-node id: setup-node
@ -57,7 +57,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
id: checkout id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run attest-provenance - name: Run attest-provenance
id: attest-provenance id: attest-provenance
uses: ./ uses: ./

55
.github/workflows/linter.yml vendored
View File

@ -1,55 +0,0 @@
name: Lint Codebase
on:
pull_request:
branches:
- main
push:
branches:
- main
permissions:
contents: read
packages: read
statuses: write
jobs:
lint:
name: Lint Codebase
runs-on: ubuntu-latest
steps:
- name: Checkout
id: checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: .node-version
cache: npm
- name: Install Dependencies
id: install
run: npm ci
- name: Lint Codebase
id: super-linter
uses: super-linter/super-linter/slim@v8.0.0
env:
DEFAULT_BRANCH: main
FILTER_REGEX_EXCLUDE: dist/**/*
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TYPESCRIPT_DEFAULT_STYLE: prettier
VALIDATE_ALL_CODEBASE: true
VALIDATE_JAVASCRIPT_STANDARD: false
VALIDATE_TYPESCRIPT_ES: false
VALIDATE_TYPESCRIPT_STANDARD: false
VALIDATE_JSCPD: false
VALIDATE_YAML_PRETTIER: false
- name: Run eslint
run: npm run lint:eslint

2
.github/workflows/prober.yml vendored
View File

@ -29,7 +29,7 @@ jobs:
date > artifact date > artifact
- name: Attest build provenance - name: Attest build provenance
uses: actions/attest-build-provenance@v2 uses: actions/attest-build-provenance@v3
env: env:
INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }} INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
with: with:

0
.github/linters/.markdown-lint.yml → .markdown-lint.yml
View File

2
.node-version
View File

@ -1 +1 @@
20.6.0 24.5.0

18
README.md
View File

@ -55,7 +55,7 @@ attest:
1. Add the following to your workflow after your artifact has been built: 1. Add the following to your workflow after your artifact has been built:
```yaml ```yaml
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v3
with: with:
subject-path: '<PATH TO ARTIFACT>' subject-path: '<PATH TO ARTIFACT>'
``` ```
@ -68,7 +68,7 @@ attest:
See [action.yml](action.yml) See [action.yml](action.yml)
```yaml ```yaml
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v3
with: with:
# Path to the artifact serving as the subject of the attestation. Must # Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path", "subject-digest", or # specify exactly one of "subject-path", "subject-digest", or
@ -159,7 +159,7 @@ jobs:
- name: Build artifact - name: Build artifact
run: make my-app run: make my-app
- name: Attest - name: Attest
uses: actions/attest-build-provenance@v2 uses: actions/attest-build-provenance@v3
with: with:
subject-path: '${{ github.workspace }}/my-app' subject-path: '${{ github.workspace }}/my-app'
``` ```
@ -170,7 +170,7 @@ If you are generating multiple artifacts, you can attest all of them at the same
time by using a wildcard in the `subject-path` input. time by using a wildcard in the `subject-path` input.
```yaml ```yaml
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v3
with: with:
subject-path: 'dist/**/my-bin-*' subject-path: 'dist/**/my-bin-*'
``` ```
@ -182,13 +182,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
newline delimited list: newline delimited list:
```yaml ```yaml
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v3
with: with:
subject-path: 'dist/foo, dist/bar' subject-path: 'dist/foo, dist/bar'
``` ```
```yaml ```yaml
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v3
with: with:
subject-path: | subject-path: |
dist/foo dist/foo
@ -209,7 +209,7 @@ attestation.
- name: Calculate artifact digests - name: Calculate artifact digests
run: | run: |
shasum -a 256 foo_0.0.1_* > subject.checksums.txt shasum -a 256 foo_0.0.1_* > subject.checksums.txt
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v3
with: with:
subject-checksums: subject.checksums.txt subject-checksums: subject.checksums.txt
``` ```
@ -282,7 +282,7 @@ jobs:
push: true push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Attest - name: Attest
uses: actions/attest-build-provenance@v2 uses: actions/attest-build-provenance@v3
id: attest id: attest
with: with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@ -304,7 +304,7 @@ artifact directly into the `subject-digest` input of the attestation action.
path: dist/* path: dist/*
name: artifact.zip name: artifact.zip
- uses: actions/attest-build-provenance@v2 - uses: actions/attest-build-provenance@v3
with: with:
subject-name: artifact.zip subject-name: artifact.zip
subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }} subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}

6
action.yml
View File

@ -62,10 +62,12 @@ outputs:
runs: runs:
using: 'composite' using: 'composite'
steps: steps:
- uses: actions/attest-build-provenance/predicate@1176ef556905f349f669722abf30bce1a6e16e01 # predicate@1.1.5 - uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
id: generate-build-provenance-predicate id: generate-build-provenance-predicate
- uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 - uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
id: attest id: attest
env:
NODE_OPTIONS: "--max-http-header-size=32768"
with: with:
subject-path: ${{ inputs.subject-path }} subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }} subject-digest: ${{ inputs.subject-digest }}

4
.github/linters/eslint.config.mjs → eslint.config.mjs
View File

@ -7,7 +7,7 @@ export default tseslint.config(
// Ignore non-project files // Ignore non-project files
{ {
name: 'ignore', name: 'ignore',
ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js'] ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs']
}, },
// Use recommended rules from ESLint, TypeScript, and other plugins // Use recommended rules from ESLint, TypeScript, and other plugins
eslint.configs.recommended, eslint.configs.recommended,
@ -21,7 +21,7 @@ export default tseslint.config(
languageOptions: { languageOptions: {
ecmaVersion: 2023, ecmaVersion: 2023,
parserOptions: { parserOptions: {
project: ['./.github/linters/tsconfig.json'] project: ['./tsconfig.lint.json']
} }
}, },
rules: { rules: {

6
package-lock.json generated
View File

@ -1,12 +1,12 @@
{ {
"name": "actions/attest-build-provenance", "name": "actions/attest-build-provenance",
"version": "1.1.5", "version": "2.0.0",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "actions/attest-build-provenance", "name": "actions/attest-build-provenance",
"version": "1.1.5", "version": "2.0.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/attest": "^1.6.0", "@actions/attest": "^1.6.0",
@ -30,7 +30,7 @@
"typescript-eslint": "^8.39.1" "typescript-eslint": "^8.39.1"
}, },
"engines": { "engines": {
"node": ">=20" "node": ">=24"
} }
}, },
"node_modules/@actions/attest": { "node_modules/@actions/attest": {

8
package.json
View File

@ -1,7 +1,7 @@
{ {
"name": "actions/attest-build-provenance", "name": "actions/attest-build-provenance",
"description": "Generate signed build provenance attestations", "description": "Generate signed build provenance attestations",
"version": "1.1.5", "version": "2.0.0",
"author": "", "author": "",
"private": true, "private": true,
"homepage": "https://github.com/actions/attest-build-provenance", "homepage": "https://github.com/actions/attest-build-provenance",
@ -21,15 +21,15 @@
".": "./dist/index.js" ".": "./dist/index.js"
}, },
"engines": { "engines": {
"node": ">=20" "node": ">=24"
}, },
"scripts": { "scripts": {
"bundle": "npm run format:write && npm run package", "bundle": "npm run format:write && npm run package",
"ci-test": "jest", "ci-test": "jest",
"format:write": "prettier --write **/*.ts", "format:write": "prettier --write **/*.ts",
"format:check": "prettier --check **/*.ts", "format:check": "prettier --check **/*.ts",
"lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs", "lint:eslint": "npx eslint",
"lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"", "lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"",
"lint": "npm run lint:eslint && npm run lint:markdown", "lint": "npm run lint:eslint && npm run lint:markdown",
"package": "ncc build src/index.ts --license licenses.txt", "package": "ncc build src/index.ts --license licenses.txt",
"package:watch": "npm run package -- --watch", "package:watch": "npm run package -- --watch",

2
predicate/action.yml
View File

@ -10,5 +10,5 @@ outputs:
description: > description: >
URI identifying the type of the predicate. URI identifying the type of the predicate.
runs: runs:
using: node20 using: node24
main: ../dist/index.js main: ../dist/index.js

9
tsconfig.lint.json Normal file
View File

@ -0,0 +1,9 @@
{
"$schema": "https://json.schemastore.org/tsconfig",
"extends": "./tsconfig.json",
"compilerOptions": {
"noEmit": true
},
"include": ["./__tests__/**/*", "./src/**/*"],
"exclude": ["./dist", "./node_modules", "./coverage", "*.json"]
}