name: 'Attest Build Provenance'
description: 'Generate provenance attestations for build artifacts'
author: 'GitHub'
branding:
  color: 'blue'
  icon: 'lock'

inputs:
  subject-path:
    description: >
      Path to the artifact serving as the subject of the attestation. Must
      specify exactly one of "subject-path" or "subject-digest". May contain a
      glob pattern or list of paths (total subject count cannot exceed 2500).
    required: false
  subject-digest:
    description: >
      Digest of the subject for which provenance will be generated. Must be in
      the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
      exactly one of "subject-path" or "subject-digest".
    required: false
  subject-name:
    description: >
      Subject name as it should appear in the provenance statement. Required
      unless "subject-path" is specified, in which case it will be inferred from
      the path.
  push-to-registry:
    description: >
      Whether to push the provenance statement to the image registry. Requires
      that the "subject-name" parameter specify the fully-qualified image name
      and that the "subject-digest" parameter be specified. Defaults to false.
    default: false
    required: false
  github-token:
    description: >
      The GitHub token used to make authenticated API requests.
    default: ${{ github.token }}
    required: false

outputs:
  bundle-path:
    description: 'The path to the file containing the attestation bundle(s).'
    value: ${{ steps.attest.outputs.bundle-path }}

runs:
  using: 'composite'
  steps:
    - uses: actions/attest-build-provenance/predicate@46e4ff8b824dc6ae13c8f92c8ba69907e2d39b4e # predicate@1.1.0
      id: generate-build-provenance-predicate
    - uses: actions/attest@0fdba851bc306a96f085a0acd31cf892a7e14f2d # v1.3.1
      id: attest
      with:
        subject-path: ${{ inputs.subject-path }}
        subject-digest: ${{ inputs.subject-digest }}
        subject-name: ${{ inputs.subject-name }}
        predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
        predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
        push-to-registry: ${{ inputs.push-to-registry }}
        github-token: ${{ inputs.github-token }}