Bump actions/attest from 2.2.0 to 2.2.1 (#481)

* bump actions/attest from v2.2.0 to v2.2.1

Signed-off-by: Brian DeHamer <bdehamer@github.com>

* pin super-linter action to v7.2.1

Signed-off-by: Brian DeHamer <bdehamer@github.com>

---------

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.eslintignore

@@ -1,4 +0,0 @@
-lib/
-dist/
-node_modules/
-coverage/

.github/dependabot.yml

@@ -9,6 +9,8 @@ updates:
         update-types:
           - minor
           - patch
+    ignore:
+      - dependency-name: 'actions/attest-build-provenance'
 
   - package-ecosystem: npm
     directory: /

.github/linters/.eslintrc.yml

@@ -1,83 +0,0 @@
-env:
-  node: true
-  es6: true
-  jest: true
-
-globals:
-  Atomics: readonly
-  SharedArrayBuffer: readonly
-
-ignorePatterns:
-  - '!.*'
-  - '**/node_modules/.*'
-  - '**/dist/.*'
-  - '**/coverage/.*'
-  - '*.json'
-
-parser: '@typescript-eslint/parser'
-
-parserOptions:
-  ecmaVersion: 2023
-  sourceType: module
-  project:
-    - './.github/linters/tsconfig.json'
-    - './tsconfig.json'
-
-plugins:
-  - jest
-  - '@typescript-eslint'
-
-extends:
-  - eslint:recommended
-  - plugin:@typescript-eslint/eslint-recommended
-  - plugin:@typescript-eslint/recommended
-  - plugin:github/recommended
-  - plugin:jest/recommended
-
-rules:
-  {
-    'camelcase': 'off',
-    'eslint-comments/no-use': 'off',
-    'eslint-comments/no-unused-disable': 'off',
-    'i18n-text/no-en': 'off',
-    'import/no-namespace': 'off',
-    'no-console': 'off',
-    'no-unused-vars': 'off',
-    'prettier/prettier': 'error',
-    'semi': 'off',
-    '@typescript-eslint/array-type': 'error',
-    '@typescript-eslint/await-thenable': 'error',
-    '@typescript-eslint/ban-ts-comment': 'error',
-    '@typescript-eslint/consistent-type-assertions': 'error',
-    '@typescript-eslint/explicit-member-accessibility':
-      ['error', { 'accessibility': 'no-public' }],
-    '@typescript-eslint/explicit-function-return-type':
-      ['error', { 'allowExpressions': true }],
-    '@typescript-eslint/func-call-spacing': ['error', 'never'],
-    '@typescript-eslint/no-array-constructor': 'error',
-    '@typescript-eslint/no-empty-interface': 'error',
-    '@typescript-eslint/no-explicit-any': 'error',
-    '@typescript-eslint/no-extraneous-class': 'error',
-    '@typescript-eslint/no-for-in-array': 'error',
-    '@typescript-eslint/no-inferrable-types': 'error',
-    '@typescript-eslint/no-misused-new': 'error',
-    '@typescript-eslint/no-namespace': 'error',
-    '@typescript-eslint/no-non-null-assertion': 'warn',
-    '@typescript-eslint/no-require-imports': 'error',
-    '@typescript-eslint/no-unnecessary-qualifier': 'error',
-    '@typescript-eslint/no-unnecessary-type-assertion': 'error',
-    '@typescript-eslint/no-unused-vars': 'error',
-    '@typescript-eslint/no-useless-constructor': 'error',
-    '@typescript-eslint/no-var-requires': 'error',
-    '@typescript-eslint/prefer-for-of': 'warn',
-    '@typescript-eslint/prefer-function-type': 'warn',
-    '@typescript-eslint/prefer-includes': 'error',
-    '@typescript-eslint/prefer-string-starts-ends-with': 'error',
-    '@typescript-eslint/promise-function-async': 'error',
-    '@typescript-eslint/require-array-sort-compare': 'error',
-    '@typescript-eslint/restrict-plus-operands': 'error',
-    '@typescript-eslint/semi': ['error', 'never'],
-    '@typescript-eslint/space-before-function-paren': 'off',
-    '@typescript-eslint/type-annotation-spacing': 'error',
-    '@typescript-eslint/unbound-method': 'error'
-  }

.github/linters/eslint.config.mjs

@@ -0,0 +1,92 @@
+import eslint from '@eslint/js'
+import importplugin from 'eslint-plugin-import'
+import jestplugin from 'eslint-plugin-jest'
+import tseslint from 'typescript-eslint'
+
+export default tseslint.config(
+  // Ignore non-project files
+  {
+    name: 'ignore',
+    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
+  },
+  // Use recommended rules from ESLint, TypeScript, and other plugins
+  eslint.configs.recommended,
+  tseslint.configs.recommendedTypeChecked,
+  jestplugin.configs['flat/recommended'],
+  importplugin.flatConfigs.recommended,
+  importplugin.flatConfigs.typescript,
+  // Override some rules
+  {
+    name: 'project-settings',
+    languageOptions: {
+      ecmaVersion: 2023,
+      parserOptions: {
+        project: ['./.github/linters/tsconfig.json', './tsconfig.json']
+      }
+    },
+    rules: {
+      // eslint rules
+      eqeqeq: ['error', 'smart'],
+      'func-style': ['error', 'declaration', { allowArrowFunctions: true }],
+      'no-console': 'off',
+      'no-implicit-globals': 'error',
+      'no-inner-declarations': 'error',
+      'no-invalid-this': 'error',
+      'no-return-assign': 'error',
+      'no-sequences': 'error',
+      'no-shadow': 'error',
+      'no-useless-concat': 'error',
+      'object-shorthand': ['error', 'always', { avoidQuotes: true }],
+      'one-var': ['error', 'never'],
+      'prefer-template': 'error',
+
+      // typescript-eslint rules
+      '@typescript-eslint/array-type': 'error',
+      '@typescript-eslint/consistent-type-assertions': 'error',
+      '@typescript-eslint/explicit-function-return-type': [
+        'error',
+        { allowExpressions: true }
+      ],
+      '@typescript-eslint/explicit-member-accessibility': [
+        'error',
+        { accessibility: 'no-public' }
+      ],
+      '@typescript-eslint/no-extraneous-class': 'error',
+      '@typescript-eslint/no-inferrable-types': 'error',
+      '@typescript-eslint/no-non-null-assertion': 'warn',
+      '@typescript-eslint/no-unnecessary-qualifier': 'error',
+      '@typescript-eslint/no-unsafe-assignment': 'off',
+      '@typescript-eslint/no-useless-constructor': 'error',
+      '@typescript-eslint/prefer-for-of': 'warn',
+      '@typescript-eslint/prefer-function-type': 'warn',
+      '@typescript-eslint/prefer-includes': 'error',
+      '@typescript-eslint/prefer-string-starts-ends-with': 'error',
+      '@typescript-eslint/promise-function-async': 'error',
+      '@typescript-eslint/require-array-sort-compare': 'error',
+      '@typescript-eslint/restrict-template-expressions': 'off',
+
+      // eslint-plugin-import rules
+      'import/extensions': 'error',
+      'import/first': 'error',
+      'import/no-absolute-path': 'error',
+      'import/no-commonjs': 'error',
+      'import/no-deprecated': 'warn',
+      'import/no-dynamic-require': 'error',
+      'import/no-extraneous-dependencies': 'error',
+      'import/no-mutable-exports': 'error',
+      'import/no-namespace': 'off',
+      'import/no-unresolved': ['error', { ignore: ['csv-parse/sync'] }],
+      'import/no-anonymous-default-export': [
+        'error',
+        {
+          allowAnonymousClass: false,
+          allowAnonymousFunction: false,
+          allowArray: true,
+          allowArrowFunction: false,
+          allowLiteral: true,
+          allowObject: true
+        }
+      ]
+    }
+  }
+)

.github/workflows/ci.yml

@@ -50,7 +50,8 @@ jobs:
     name: Test attest-provenance action
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      attestations: write
+      contents: read
       id-token: write
 
     steps:
@@ -68,4 +69,3 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Dump output
         run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
-

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7.2.1
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -46,4 +46,6 @@ jobs:
           TYPESCRIPT_DEFAULT_STYLE: prettier
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
+          VALIDATE_TYPESCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
+          VALIDATE_YAML_PRETTIER: false

.github/workflows/prober-github.yml

@@ -0,0 +1,18 @@
+name: GitHub Sigstore Prober
+
+on:
+  workflow_dispatch:
+  schedule:
+    # run every 5 minutes, as often as Github Actions allows
+    - cron: '*/5 * * * *'
+
+jobs:
+  prober:
+    if: github.repository_owner == 'actions'
+    permissions:
+      attestations: write
+      id-token: write
+    secrets: inherit
+    uses: ./.github/workflows/prober.yml
+    with:
+      sigstore: github

.github/workflows/prober-public-good.yml

@@ -0,0 +1,18 @@
+name: Public-Good Sigstore Prober
+
+on:
+  workflow_dispatch:
+  schedule:
+    # run every 5 minutes, as often as Github Actions allows
+    - cron: '*/5 * * * *'
+
+jobs:
+  prober:
+    if: github.repository_owner == 'actions'
+    permissions:
+      attestations: write
+      id-token: write
+    secrets: inherit
+    uses: ./.github/workflows/prober.yml
+    with:
+      sigstore: public-good

.github/workflows/prober.yml

@@ -0,0 +1,84 @@
+name: Prober Workflow
+
+on:
+  workflow_call:
+    inputs:
+      sigstore:
+        description: 'Which Sigstore instance to use for signing'
+        required: true
+        type: string
+
+jobs:
+  probe:
+    runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Request OIDC Token
+        run: |
+          curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
+            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
+            -H "Accept: application/json; api-version=2.0" \
+            -H "Content-Type: application/json" \
+            --silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'
+
+      - name: Create artifact
+        run: |
+          date > artifact
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        env:
+          INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
+        with:
+          subject-path: artifact
+
+      - name: Verify build artifact
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: "artifact"
+
+      - name: Report attestation prober success
+        if: ${{ success() }}
+        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
+        with:
+          api-key: "${{ secrets.DATADOG_API_KEY }}"
+          service-checks: |
+            - check: "attestation-integration.actions.prober"
+              status: 0
+              host_name: github.com
+              tags:
+                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
+                - "service:${{ secrets.CATALOG_SERVICE }}"
+                - "stamp:${{ secrets.STAMP }}"
+                - "env:production"
+                - "repo:${{ github.repository }}"
+                - "team:${{ secrets.TEAM }}"
+                - "sigstore:${{ inputs.sigstore }}"
+
+      - name: Report attestation prober failure
+        if: ${{ failure() }}
+        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
+        with:
+          api-key: "${{ secrets.DATADOG_API_KEY }}"
+          service-checks: |
+            - check: "attestation-integration.actions.prober"
+              message: "${{ github.repository_owner }} failed prober check"
+              status: 2
+              host_name: github.com
+              tags:
+                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
+                - "service:${{ secrets.CATALOG_SERVICE }}"
+                - "stamp:${{ secrets.STAMP }}"
+                - "env:production"
+                - "repo:${{ github.repository }}"
+                - "team:${{ secrets.TEAM }}"
+                - "sigstore:${{ inputs.sigstore }}"

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,22 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@v0.0.4

README.md

@@ -1,6 +1,9 @@
 # `actions/attest-build-provenance`
 
-Generate signed build provenace attestations for workflow artifacts. Internally
+[![Public-Good Sigstore Prober](https://github.com/actions/attest-build-provenance/actions/workflows/prober-public-good.yml/badge.svg)](https://github.com/actions/attest-build-provenance/actions/workflows/prober-public-good.yml)
+[![GitHub Sigstore Prober](https://github.com/actions/attest-build-provenance/actions/workflows/prober-github.yml/badge.svg)](https://github.com/actions/attest-build-provenance/actions/workflows/prober-github.yml)
+
+Generate signed build provenance attestations for workflow artifacts. Internally
 powered by the [@actions/attest][1] package.
 
 Attestations bind some subject (a named artifact along with its digest) to a
@@ -16,9 +19,22 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
-Attestations can be verified using the `attestation` command in the [GitHub
+Attestations can be verified using the [`attestation` command in the GitHub
 CLI][5].
 
+See [Using artifact attestations to establish provenance for builds][9] for more
+information on artifact attestations.
+
+<!-- prettier-ignore-start -->
+> [!NOTE]
+> Artifact attestations are available in public repositories for all
+> current GitHub plans. They are not available on legacy plans, such as Bronze,
+> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
+> artifact attestations are only available for public repositories. To use
+> artifact attestations in private or internal repositories, you must be on a
+> GitHub Enterprise Cloud plan.
+<!-- prettier-ignore-end -->
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -29,22 +45,22 @@ attest:
    ```yaml
    permissions:
      id-token: write
-     contents: write # TODO: Update this
+     attestations: write
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
-   permission is necessary to persist the attestation. The `contents` permission
+   necessary to request a Sigstore signing certificate. The `attestations`
-   is necessary to persist the attestation.
+   permission is necessary to persist the attestation.
 
 1. Add the following to your workflow after your artifact has been built:
 
    ```yaml
-   - uses: actions/attest-build-provenance@v1
+   - uses: actions/attest-build-provenance@v2
      with:
        subject-path: '<PATH TO ARTIFACT>'
    ```
 
-   The `subject-path` parameter should identity the artifact for which you want
+   The `subject-path` parameter should identify the artifact for which you want
    to generate an attestation.
 
 ### Inputs
@@ -52,27 +68,37 @@ attest:
 See [action.yml](action.yml)
 
 ```yaml
-- uses: actions/attest-build-provenance@v1
+- uses: actions/attest-build-provenance@v2
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest".
+    # specify exactly one of "subject-path", "subject-digest", or
+    # "subject-checksums". May contain a glob pattern or list of paths
+    # (total subject count cannot exceed 1024).
     subject-path:
 
-    # SHA256 digest of the subject for for the attestation. Must be in the form
+    # SHA256 digest of the subject for the attestation. Must be in the form
     # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
-    # of "subject-path" or "subject-digest".
+    # of "subject-path", "subject-digest", or "subject-checksums".
     subject-digest:
 
-    # Subject name as it should appear in the attestation. Required unless
+    # Subject name as it should appear in the attestation. Required when
-    # "subject-path" is specified, in which case it will be inferred from the
+    # identifying the subject with the "subject-digest" input.
-    # path.
     subject-name:
 
+    # Path to checksums file containing digest and name of subjects for
+    # attestation. Must specify exactly one of "subject-path", "subject-digest",
+    # or "subject-checksums".
+    subject-checksums:
+
     # Whether to push the attestation to the image registry. Requires that the
     # "subject-name" parameter specify the fully-qualified image name and that
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -82,17 +108,24 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name          | Description                                                    | Example                  |
+| Name              | Description                                                    | Example                                          |
-| ------------- | -------------------------------------------------------------- | ------------------------ |
+| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
-| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.jsonl` |
+| `attestation-id`  | GitHub ID for the attestation                                  | `123456`                                         |
+| `attestation-url` | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
+| `bundle-path`     | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
 
 <!-- markdownlint-enable MD013 -->
 
 Attestations are saved in the JSON-serialized [Sigstore bundle][6] format.
 
-If multiple subjects are being attested at the same time, each attestation will
+If multiple subjects are being attested at the same time, a single attestation
-be written to the output file on a separate line (using the [JSON Lines][7]
+will be created with references to each of the supplied subjects.
-format).
+
+## Attestation Limits
+
+### Subject Limits
+
+No more than 1024 subjects can be attested at the same time.
 
 ## Examples
 
@@ -110,9 +143,11 @@ on:
 
 jobs:
   build:
+    runs-on: ubuntu-latest
     permissions:
       id-token: write
-      contents: write
+      contents: read
+      attestations: write
 
     steps:
       - name: Checkout
@@ -120,18 +155,18 @@ jobs:
       - name: Build artifact
         run: make my-app
       - name: Attest
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@v2
         with:
           subject-path: '${{ github.workspace }}/my-app'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
-If you are generating multiple artifacts, you can generate a provenance
+If you are generating multiple artifacts, you can attest all of them at the same
-attestation for each by using a wildcard in the `subject-path` input.
+time by using a wildcard in the `subject-path` input.
 
 ```yaml
-- uses: actions/attest-build-provenance@v1
+- uses: actions/attest-build-provenance@v2
   with:
     subject-path: 'dist/**/my-bin-*'
 ```
@@ -139,6 +174,57 @@ attestation for each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][8] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest-build-provenance@v2
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest-build-provenance@v2
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
+### Identify Subjects with Checksums File
+
+If you are using tools like
+[goreleaser](https://goreleaser.com/customization/checksum/) or
+[jreleaser](https://jreleaser.org/guide/latest/reference/checksum.html) which
+generate a checksums file you can identify the attestation subjects by passing
+the path of the checksums file to the `subject-checksums` input. Each of the
+artifacts identified in the checksums file will be listed as a subject for the
+attestation.
+
+```yaml
+- name: Calculate artifact digests
+  run: |
+    shasum -a 256 foo_0.0.1_* > subject.checksums.txt
+- uses: actions/attest-build-provenance@v2
+  with:
+    subject-checksums: subject.checksums.txt
+```
+
+<!-- markdownlint-disable MD038 -->
+
+The file referenced by the `subject-checksums` input must conform to the same
+format used by the shasum tools. Each subject should be listed on a separate
+line including the hex-encoded digest (either SHA256 or SHA512), a space, a
+single character flag indicating either binary (`*`) or text (` `) input mode,
+and the filename.
+
+<!-- markdownlint-enable MD038 -->
+
+```text
+b569bf992b287f55d78bf8ee476497e9b7e9d2bf1c338860bfb905016218c740  foo_0.0.1_darwin_amd64
+a54fc515e616cac7fcf11a49d5c5ec9ec315948a5935c1e11dd610b834b14dde  foo_0.0.1_darwin_arm64
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -150,6 +236,9 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
+Attestation bundles are stored in the OCI registry according to the [Cosign
+Bundle Specification][10].
+
 > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
 > registry portion of the image name.
 
@@ -166,7 +255,8 @@ jobs:
     permissions:
       id-token: write
       packages: write
-      contents: write
+      contents: read
+      attestations: write
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
@@ -188,7 +278,7 @@ jobs:
           push: true
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
       - name: Attest
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@v2
         id: attest
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -196,12 +286,35 @@ jobs:
           push-to-registry: true
 ```
 
+### Integration with `actions/upload-artifact`
+
+If you'd like to create an attestation for an archive created with the
+[actions/upload-artifact][11] action you can feed the digest of the generated
+artifact directly into the `subject-digest` input of the attestation action.
+
+```yaml
+- name: Upload build artifact
+  id: upload
+  uses: actions/upload-artifact@v4
+  with:
+    path: dist/*
+    name: artifact.zip
+
+- uses: actions/attest-build-provenance@v2
+  with:
+    subject-name: artifact.zip
+    subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
+```
+
 [1]: https://github.com/actions/toolkit/tree/main/packages/attest
 [2]: https://github.com/in-toto/attestation/tree/main/spec/v1
 [3]: https://slsa.dev/spec/v1.0/provenance
 [4]: https://www.sigstore.dev/
-[5]: https://cli.github.com/
+[5]: https://cli.github.com/manual/gh_attestation_verify
 [6]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
-[7]: https://jsonlines.org/
 [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
+[9]:
+  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
+[10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md
+[11]: https://github.com/actions/upload-artifact

RELEASE.md

@@ -0,0 +1,38 @@
+# Release Instructions
+
+Follow the steps below to tag a new release for the
+`actions/attest-build-provenance` action.
+
+If changes were made to the internal `actions/attest-build-provenance/predicate`
+action (any updates to [`./predicate/action.yaml`](./predicate/action.yml) or
+any of the code in the [`./src`](./src) directory), start with step #1;
+otherwise, skip directly to step #5.
+
+1. Merge the latest changes to the `main` branch.
+1. Create and push a new predicate tag of the form `predicate@X.X.X` following
+   SemVer conventions:
+
+   ```shell
+   git tag -a "predicate@X.X.X" -m "predicate@X.X.X Release"
+   git push --tags
+   ```
+
+1. Update the reference to the `actions/attest-build-provenance/predicate`
+   action in [`action.yml`](./action.yml) to point to the SHA of the newly
+   created tag.
+1. Push the `action.yml` change and open a PR. Once it has been reviewed, merge
+   the PR and proceed with the release instructions.
+1. Create a new release for the top-level action using a tag of the form
+   `vX.X.X` following SemVer conventions:
+
+   ```shell
+   gh release create vX.X.X
+   ```
+
+1. Move (or create) the major version tag to point to the same commit tagged
+   above:
+
+   ```shell
+   git tag -fa vX -m "vX"
+   git push origin vX --force
+   ```

__tests__/__snapshots__/main.test.ts.snap

@@ -1,9 +1,48 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`main successfully run main 1`] = `
+exports[`main when a non-default OIDC issuer is used successfully run main 1`] = `
 {
   "buildDefinition": {
-    "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
+    "buildType": "https://actions.github.io/buildtypes/workflow/v1",
+    "externalParameters": {
+      "workflow": {
+        "path": ".github/workflows/main.yml",
+        "ref": "main",
+        "repository": "https://example-01.ghe.com/owner/repo",
+      },
+    },
+    "internalParameters": {
+      "github": {
+        "event_name": "push",
+        "repository_id": "repo-id",
+        "repository_owner_id": "owner-id",
+        "runner_environment": "github-hosted",
+      },
+    },
+    "resolvedDependencies": [
+      {
+        "digest": {
+          "gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
+        },
+        "uri": "git+https://example-01.ghe.com/owner/repo@refs/heads/main",
+      },
+    ],
+  },
+  "runDetails": {
+    "builder": {
+      "id": "https://example-01.ghe.com/owner/shared/.github/workflows/build.yml@main",
+    },
+    "metadata": {
+      "invocationId": "https://example-01.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
+    },
+  },
+}
+`;
+
+exports[`main when the default OIDC issuer is used successfully run main 1`] = `
+{
+  "buildDefinition": {
+    "buildType": "https://actions.github.io/buildtypes/workflow/v1",
     "externalParameters": {
       "workflow": {
         "path": ".github/workflows/main.yml",
@@ -16,6 +55,7 @@ exports[`main successfully run main 1`] = `
         "event_name": "push",
         "repository_id": "repo-id",
         "repository_owner_id": "owner-id",
+        "runner_environment": "github-hosted",
       },
     },
     "resolvedDependencies": [
@@ -29,7 +69,7 @@ exports[`main successfully run main 1`] = `
   },
   "runDetails": {
     "builder": {
-      "id": "https://github.com/actions/runner/github-hosted",
+      "id": "https://github.com/owner/shared/.github/workflows/build.yml@main",
     },
     "metadata": {
       "invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",

__tests__/index.test.ts

@@ -8,7 +8,7 @@ import * as main from '../src/main'
 const runMock = jest.spyOn(main, 'run').mockImplementation()
 
 describe('index', () => {
-  it('calls run when imported', async () => {
+  it('calls run when imported', () => {
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     require('../src/index')
 

__tests__/main.test.ts

@@ -1,8 +1,9 @@
 import * as core from '@actions/core'
+import * as jose from 'jose'
+import nock from 'nock'
 import * as main from '../src/main'
 
-// Mock the GitHub Actions core library
+// Mock the GitHub Actions core library functions
-jest.mock('@actions/core')
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
 
@@ -11,9 +12,11 @@ setFailedMock.mockImplementation(() => {})
 
 describe('main', () => {
   let outputs = {} as Record<string, string>
+  const originalEnv = process.env
 
   beforeEach(() => {
     jest.resetAllMocks()
+
     setOutputMock.mockImplementation((key, value) => {
       outputs[key] = value
     })
@@ -21,40 +24,134 @@ describe('main', () => {
 
   afterEach(() => {
     outputs = {}
-  })
-
-  it('successfully run main', async () => {
-    const originalEnv = process.env
-    process.env = {
-      ...originalEnv,
-      GITHUB_REPOSITORY: 'owner/repo',
-      GITHUB_REF: 'refs/heads/main',
-      GITHUB_SHA: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
-      GITHUB_WORKFLOW_REF: 'owner/repo/.github/workflows/main.yml@main',
-      GITHUB_SERVER_URL: 'https://github.com',
-      GITHUB_EVENT_NAME: 'push',
-      GITHUB_REPOSITORY_ID: 'repo-id',
-      GITHUB_REPOSITORY_OWNER_ID: 'owner-id',
-      GITHUB_RUN_ID: 'run-id',
-      GITHUB_RUN_ATTEMPT: 'run-attempt',
-      RUNNER_ENVIRONMENT: 'github-hosted'
-    }
-
-    // Run the main function
-    await main.run()
-
-    // Verify that outputs were set correctly
-    expect(setOutputMock).toHaveBeenCalledTimes(2)
-
-    // Use the expected object in the test assertion
-    expect(outputs['predicate']).toMatchSnapshot()
-
-    expect(setOutputMock).toHaveBeenNthCalledWith(
-      2,
-      'predicate-type',
-      'https://slsa.dev/provenance/v1'
-    )
-
     process.env = originalEnv
   })
+
+  describe('when the default OIDC issuer is used', () => {
+    const issuer = 'https://token.actions.githubusercontent.com'
+    const audience = 'nobody'
+    const jwksPath = '/.well-known/jwks.json'
+    const tokenPath = '/token'
+
+    const claims = {
+      iss: issuer,
+      aud: 'nobody',
+      repository: 'owner/repo',
+      ref: 'refs/heads/main',
+      sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+      workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
+      job_workflow_ref: 'owner/shared/.github/workflows/build.yml@main',
+      event_name: 'push',
+      repository_id: 'repo-id',
+      repository_owner_id: 'owner-id',
+      run_id: 'run-id',
+      run_attempt: 'run-attempt',
+      runner_environment: 'github-hosted'
+    }
+
+    beforeEach(async () => {
+      process.env = {
+        ...originalEnv,
+        ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
+        GITHUB_SERVER_URL: 'https://github.com',
+        GITHUB_REPOSITORY: claims.repository
+      }
+
+      // Generate JWT signing key
+      const key = await jose.generateKeyPair('PS256')
+
+      // Create JWK, JWKS, and JWT
+      const kid = '12345'
+      const jwk = await jose.exportJWK(key.publicKey)
+      const jwks = { keys: [{ ...jwk, kid }] }
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({ alg: 'PS256', kid })
+        .sign(key.privateKey)
+
+      // Mock OpenID configuration and JWKS endpoints
+      nock(issuer)
+        .get('/.well-known/openid-configuration')
+        .reply(200, { jwks_uri: `${issuer}${jwksPath}` })
+      nock(issuer).get(jwksPath).reply(200, jwks)
+
+      // Mock OIDC token endpoint for populating the provenance
+      nock(issuer).get(tokenPath).query({ audience }).reply(200, { value: jwt })
+    })
+
+    it('successfully run main', async () => {
+      // Run the main function
+      await main.run()
+
+      // Verify that outputs were set correctly
+      expect(setOutputMock).toHaveBeenCalledTimes(2)
+
+      expect(outputs['predicate']).toMatchSnapshot()
+      expect(outputs['predicate-type']).toBe('https://slsa.dev/provenance/v1')
+    })
+  })
+
+  describe('when a non-default OIDC issuer is used', () => {
+    const issuer = 'https://token.actions.example-01.ghe.com'
+    const audience = 'nobody'
+    const jwksPath = '/.well-known/jwks.json'
+    const tokenPath = '/token'
+
+    const claims = {
+      iss: issuer,
+      aud: 'nobody',
+      repository: 'owner/repo',
+      ref: 'refs/heads/main',
+      sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+      workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
+      job_workflow_ref: 'owner/shared/.github/workflows/build.yml@main',
+      event_name: 'push',
+      repository_id: 'repo-id',
+      repository_owner_id: 'owner-id',
+      run_id: 'run-id',
+      run_attempt: 'run-attempt',
+      runner_environment: 'github-hosted'
+    }
+
+    beforeEach(async () => {
+      process.env = {
+        ...originalEnv,
+        ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
+        GITHUB_SERVER_URL: 'https://example-01.ghe.com',
+        GITHUB_REPOSITORY: claims.repository
+      }
+
+      // Generate JWT signing key
+      const key = await jose.generateKeyPair('PS256')
+
+      // Create JWK, JWKS, and JWT
+      const kid = '12345'
+      const jwk = await jose.exportJWK(key.publicKey)
+      const jwks = { keys: [{ ...jwk, kid }] }
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({ alg: 'PS256', kid })
+        .sign(key.privateKey)
+
+      // Mock OpenID configuration and JWKS endpoints
+      nock(issuer)
+        .get('/.well-known/openid-configuration')
+        .reply(200, { jwks_uri: `${issuer}${jwksPath}` })
+      nock(issuer).get(jwksPath).reply(200, jwks)
+
+      // Mock OIDC token endpoint for populating the provenance
+      nock(issuer).get(tokenPath).query({ audience }).reply(200, { value: jwt })
+    })
+
+    it('successfully run main', async () => {
+      // Run the main function
+      await main.run()
+
+      // Verify that outputs were set correctly
+      expect(setOutputMock).toHaveBeenCalledTimes(2)
+
+      expect(outputs['predicate']).toMatchSnapshot()
+      expect(outputs['predicate-type']).toBe('https://slsa.dev/provenance/v1')
+    })
+  })
 })

action.yml

@@ -1,24 +1,34 @@
 name: 'Attest Build Provenance'
 description: 'Generate provenance attestations for build artifacts'
 author: 'GitHub'
+branding:
+  color: 'blue'
+  icon: 'lock'
 
 inputs:
   subject-path:
     description: >
-      Path to the artifact for which provenance will be generated. Must specify
+      Path to the artifact serving as the subject of the attestation. Must
-      exactly one of "subject-path" or "subject-digest".
+      specify exactly one of "subject-path", "subject-digest", or
+      "subject-checksums". May contain a glob pattern or list of paths
+      (total subject count cannot exceed 1024).
     required: false
   subject-digest:
     description: >
       Digest of the subject for which provenance will be generated. Must be in
       the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
-      exactly one of "subject-path" or "subject-digest".
+      exactly one of "subject-path", "subject-digest", or "subject-checksums".
     required: false
   subject-name:
     description: >
-      Subject name as it should appear in the provenance statement. Required
+      Subject name as it should appear in the attestation. Required when
-      unless "subject-path" is specified, in which case it will be inferred from
+      identifying the subject with the "subject-digest" input.
-      the path.
+  subject-checksums:
+    description: >
+      Path to checksums file containing digest and name of subjects for
+      attestation. Must specify exactly one of "subject-path", "subject-digest",
+      or "subject-checksums".
+    required: false
   push-to-registry:
     description: >
       Whether to push the provenance statement to the image registry. Requires
@@ -26,28 +36,43 @@ inputs:
       and that the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
     default: ${{ github.token }}
     required: false
+
 outputs:
   bundle-path:
-    description: 'The path to the file containing the attestation bundle(s).'
+    description: 'The path to the file containing the attestation bundle.'
     value: ${{ steps.attest.outputs.bundle-path }}
+  attestation-id:
+    description: 'The ID of the attestation.'
+    value: ${{ steps.attest.outputs.attestation-id }}
+  attestation-url:
+    description: 'The URL for the attestation summary.'
+    value: ${{ steps.attest.outputs.attestation-url }}
 
 runs:
   using: 'composite'
   steps:
-    - uses: actions/attest-build-provenance/predicate@main
+    - uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4
       id: generate-build-provenance-predicate
-    - uses: actions/attest@main
+    - uses: actions/attest@v2.2.1
       id: attest
       with:
-        github-token: ${{ inputs.github-token }}
         subject-path: ${{ inputs.subject-path }}
         subject-digest: ${{ inputs.subject-digest }}
         subject-name: ${{ inputs.subject-name }}
-        push-to-registry: ${{ inputs.push-to-registry }}
+        subject-checksums: ${{ inputs.subject-checksums }}
         predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
         predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
+        push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: ${{ inputs.show-summary }}
+        github-token: ${{ inputs.github-token }}

dist/606.index.js

@@ -0,0 +1,287 @@
+"use strict";
+exports.id = 606;
+exports.ids = [606];
+exports.modules = {
+
+/***/ 606:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   "default": () => (/* binding */ pMap)
+/* harmony export */ });
+/* unused harmony exports pMapIterable, pMapSkip */
+async function pMap(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		stopOnError = true,
+		signal,
+	} = {},
+) {
+	return new Promise((resolve, reject_) => {
+		if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+			throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+		}
+
+		if (typeof mapper !== 'function') {
+			throw new TypeError('Mapper function is required');
+		}
+
+		if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+			throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+		}
+
+		const result = [];
+		const errors = [];
+		const skippedIndexesMap = new Map();
+		let isRejected = false;
+		let isResolved = false;
+		let isIterableDone = false;
+		let resolvingCount = 0;
+		let currentIndex = 0;
+		const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
+
+		const reject = reason => {
+			isRejected = true;
+			isResolved = true;
+			reject_(reason);
+		};
+
+		if (signal) {
+			if (signal.aborted) {
+				reject(signal.reason);
+			}
+
+			signal.addEventListener('abort', () => {
+				reject(signal.reason);
+			});
+		}
+
+		const next = async () => {
+			if (isResolved) {
+				return;
+			}
+
+			const nextItem = await iterator.next();
+
+			const index = currentIndex;
+			currentIndex++;
+
+			// Note: `iterator.next()` can be called many times in parallel.
+			// This can cause multiple calls to this `next()` function to
+			// receive a `nextItem` with `done === true`.
+			// The shutdown logic that rejects/resolves must be protected
+			// so it runs only one time as the `skippedIndex` logic is
+			// non-idempotent.
+			if (nextItem.done) {
+				isIterableDone = true;
+
+				if (resolvingCount === 0 && !isResolved) {
+					if (!stopOnError && errors.length > 0) {
+						reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
+						return;
+					}
+
+					isResolved = true;
+
+					if (skippedIndexesMap.size === 0) {
+						resolve(result);
+						return;
+					}
+
+					const pureResult = [];
+
+					// Support multiple `pMapSkip`'s.
+					for (const [index, value] of result.entries()) {
+						if (skippedIndexesMap.get(index) === pMapSkip) {
+							continue;
+						}
+
+						pureResult.push(value);
+					}
+
+					resolve(pureResult);
+				}
+
+				return;
+			}
+
+			resolvingCount++;
+
+			// Intentionally detached
+			(async () => {
+				try {
+					const element = await nextItem.value;
+
+					if (isResolved) {
+						return;
+					}
+
+					const value = await mapper(element, index);
+
+					// Use Map to stage the index of the element.
+					if (value === pMapSkip) {
+						skippedIndexesMap.set(index, value);
+					}
+
+					result[index] = value;
+
+					resolvingCount--;
+					await next();
+				} catch (error) {
+					if (stopOnError) {
+						reject(error);
+					} else {
+						errors.push(error);
+						resolvingCount--;
+
+						// In that case we can't really continue regardless of `stopOnError` state
+						// since an iterable is likely to continue throwing after it throws once.
+						// If we continue calling `next()` indefinitely we will likely end up
+						// in an infinite loop of failed iteration.
+						try {
+							await next();
+						} catch (error) {
+							reject(error);
+						}
+					}
+				}
+			})();
+		};
+
+		// Create the concurrent runners in a detached (non-awaited)
+		// promise. We need this so we can await the `next()` calls
+		// to stop creating runners before hitting the concurrency limit
+		// if the iterable has already been marked as done.
+		// NOTE: We *must* do this for async iterators otherwise we'll spin up
+		// infinite `next()` calls by default and never start the event loop.
+		(async () => {
+			for (let index = 0; index < concurrency; index++) {
+				try {
+					// eslint-disable-next-line no-await-in-loop
+					await next();
+				} catch (error) {
+					reject(error);
+					break;
+				}
+
+				if (isIterableDone || isRejected) {
+					break;
+				}
+			}
+		})();
+	});
+}
+
+function pMapIterable(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		backpressure = concurrency,
+	} = {},
+) {
+	if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+		throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+	}
+
+	if (typeof mapper !== 'function') {
+		throw new TypeError('Mapper function is required');
+	}
+
+	if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+	}
+
+	if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
+	}
+
+	return {
+		async * [Symbol.asyncIterator]() {
+			const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
+
+			const promises = [];
+			let runningMappersCount = 0;
+			let isDone = false;
+			let index = 0;
+
+			function trySpawn() {
+				if (isDone || !(runningMappersCount < concurrency && promises.length < backpressure)) {
+					return;
+				}
+
+				const promise = (async () => {
+					const {done, value} = await iterator.next();
+
+					if (done) {
+						return {done: true};
+					}
+
+					runningMappersCount++;
+
+					// Spawn if still below concurrency and backpressure limit
+					trySpawn();
+
+					try {
+						const returnValue = await mapper(await value, index++);
+
+						runningMappersCount--;
+
+						if (returnValue === pMapSkip) {
+							const index = promises.indexOf(promise);
+
+							if (index > 0) {
+								promises.splice(index, 1);
+							}
+						}
+
+						// Spawn if still below backpressure limit and just dropped below concurrency limit
+						trySpawn();
+
+						return {done: false, value: returnValue};
+					} catch (error) {
+						isDone = true;
+						return {error};
+					}
+				})();
+
+				promises.push(promise);
+			}
+
+			trySpawn();
+
+			while (promises.length > 0) {
+				const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
+
+				promises.shift();
+
+				if (error) {
+					throw error;
+				}
+
+				if (done) {
+					return;
+				}
+
+				// Spawn if just dropped below backpressure limit and below the concurrency limit
+				trySpawn();
+
+				if (value === pMapSkip) {
+					continue;
+				}
+
+				yield value;
+			}
+		},
+	};
+}
+
+const pMapSkip = Symbol('skip');
+
+
+/***/ })
+
+};
+;

package.json

@@ -1,21 +1,21 @@
 {
-  "name": "typescript-action",
+  "name": "actions/attest-build-provenance",
-  "description": "GitHub Actions TypeScript template",
+  "description": "Generate signed build provenance attestations",
-  "version": "0.0.0",
+  "version": "1.1.4",
   "author": "",
   "private": true,
-  "homepage": "https://github.com/actions/typescript-action",
+  "homepage": "https://github.com/actions/attest-build-provenance",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/actions/typescript-action.git"
+    "url": "git+https://github.com/actions/attest-build-provenance.git"
   },
   "bugs": {
-    "url": "https://github.com/actions/typescript-action/issues"
+    "url": "https://github.com/actions/attest-build-provenance/issues"
   },
   "keywords": [
     "actions",
-    "node",
+    "attestation",
-    "setup"
+    "provenance"
   ],
   "exports": {
     ".": "./dist/index.js"
@@ -28,9 +28,9 @@
     "ci-test": "jest",
     "format:write": "prettier --write **/*.ts",
     "format:check": "prettier --check **/*.ts",
-    "lint:eslint": "npx eslint . -c ./.github/linters/.eslintrc.yml",
+    "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
     "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
-    "lint": "npm run lint:eslint && npm run lint:markdown", 
+    "lint": "npm run lint:eslint && npm run lint:markdown",
     "package": "ncc build src/index.ts --license licenses.txt",
     "package:watch": "npm run package -- --watch",
     "test": "jest",
@@ -70,25 +70,24 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.0.0",
+    "@actions/attest": "^1.5.0",
-    "@actions/core": "^1.10.1"
+    "@actions/core": "^1.11.1"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.12",
+    "@eslint/js": "^9.21.0",
-    "@types/node": "^20.11.24",
+    "@types/jest": "^29.5.14",
-    "@typescript-eslint/eslint-plugin": "^7.0.0",
+    "@types/node": "^22.13.5",
-    "@typescript-eslint/parser": "^6.21.0",
+    "@vercel/ncc": "^0.38.3",
-    "@vercel/ncc": "^0.38.1",
+    "eslint": "^9.21.0",
-    "eslint": "^8.57.0",
+    "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-github": "^4.10.2",
+    "eslint-plugin-jest": "^28.11.0",
-    "eslint-plugin-jest": "^27.9.0",
-    "eslint-plugin-jsonc": "^2.13.0",
-    "eslint-plugin-prettier": "^5.1.3",
     "jest": "^29.7.0",
-    "markdownlint-cli": "^0.39.0",
+    "jose": "^5.9.6",
-    "prettier": "^3.2.5",
+    "markdownlint-cli": "^0.44.0",
-    "prettier-eslint": "^16.3.0",
+    "nock": "^14.0.1",
-    "ts-jest": "^29.1.2",
+    "prettier": "^3.5.2",
-    "typescript": "^5.3.3"
+    "ts-jest": "^29.2.6",
+    "typescript": "^5.7.3",
+    "typescript-eslint": "^8.24.1"
   }
 }

script/release

@@ -1,59 +0,0 @@
-#!/bin/bash
-
-# About:
-#
-# This is a helper script to tag and push a new release. GitHub Actions use
-# release tags to allow users to select a specific version of the action to use.
-#
-# See: https://github.com/actions/typescript-action#publishing-a-new-release
-#
-# This script will do the following:
-#
-# 1. Get the latest release tag
-# 2. Prompt the user for a new release tag
-# 3. Tag the new release
-# 4. Push the new tag to the remote
-#
-# Usage:
-#
-# script/release
-
-# Terminal colors
-OFF='\033[0m'
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BLUE='\033[0;34m'
-
-# Get the latest release tag
-latest_tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
-
-if [[ -z "$latest_tag" ]]; then
-	# There are no existing release tags
-	echo -e "No tags found (yet) - Continue to create and push your first tag"
-	latest_tag="[unknown]"
-fi
-
-# Display the latest release tag
-echo -e "The latest release tag is: ${BLUE}${latest_tag}${OFF}"
-
-# Prompt the user for the new release tag
-read -r -p 'Enter a new release tag (vX.X.X format): ' new_tag
-
-# Validate the new release tag
-tag_regex='v[0-9]+\.[0-9]+\.[0-9]+$'
-if echo "$new_tag" | grep -q -E "$tag_regex"; then
-	echo -e "Tag: ${BLUE}$new_tag${OFF} is valid"
-else
-	# Release tag is not `vX.X.X` format
-	echo -e "Tag: ${BLUE}$new_tag${OFF} is ${RED}not valid${OFF} (must be in vX.X.X format)"
-	exit 1
-fi
-
-# Tag the new release
-git tag -a "$new_tag" -m "$new_tag Release"
-echo -e "${GREEN}Tagged: $new_tag${OFF}"
-
-# Push the new tag to the remote
-git push --tags
-echo -e "${GREEN}Release tag pushed to remote${OFF}"
-echo -e "${GREEN}Done!${OFF}"

src/main.ts

@@ -8,7 +8,7 @@ import * as core from '@actions/core'
 export async function run(): Promise<void> {
   try {
     // Calculate subject from inputs and generate provenance
-    const predicate = buildSLSAProvenancePredicate(process.env)
+    const predicate = await buildSLSAProvenancePredicate()
 
     core.setOutput('predicate', predicate.params)
     core.setOutput('predicate-type', predicate.type)