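name: 'Attest SBOM'
description: 'Generate SBOM attestations for build artifacts'
author: 'GitHub'

# Composite action with no logic of its own: it feeds an SBOM file to
# actions/attest-sbom/predicate (which emits a predicate type and a
# predicate file) and hands the result, together with the subject inputs,
# to actions/attest, which produces the attestation bundle. Every input
# below is passed straight through to one of those two steps.

inputs:
  subject-path:
    description: >
      Path to the artifact serving as the subject of the attestation. Must
      specify exactly one of "subject-path" or "subject-digest".
    required: false
  subject-digest:
    description: >
      SHA256 digest of the subject for the attestation. Must be in the form
      "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of
      "subject-path" or "subject-digest".
    required: false
  subject-name:
    description: >
      Subject name as it should appear in the attestation. Required unless
      "subject-path" is specified, in which case it will be inferred from the
      path.
    required: false
  sbom-path:
    description: >
      Path to the JSON-formatted SBOM file to attest.
    # This action contains no SBOM generation step (see `runs` below), so the
    # caller must always supply the SBOM file; there is nothing to fall
    # back to when it is omitted.
    required: true
  push-to-registry:
    description: >
      Whether to push the SBOM attestation to the image registry. Requires
      that the "subject-name" parameter specify the fully-qualified image name
      and that the "subject-digest" parameter be specified. Defaults to false.
    default: false
    required: false
  github-token:
    description: >
      The GitHub token used to make authenticated API requests.
    # Defaults to the workflow's GITHUB_TOKEN and is forwarded unchanged to
    # actions/attest. NOTE(review): the permissions that token needs are
    # granted by the calling workflow, not here -- confirm the required
    # scopes against the actions/attest documentation before use.
    default: ${{ github.token }}
    required: false

outputs:
  bundle-path:
    description: 'The path to the file containing the attestation bundle(s).'
    value: ${{ steps.attest.outputs.bundle-path }}

runs:
  using: 'composite'
  steps:
    # Both nested actions are pinned to a full commit SHA rather than a
    # mutable tag (supply-chain hygiene); the trailing comment records the
    # tag the SHA was taken from. Bump the SHA and the comment together.
    - uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0
      id: generate-sbom-predicate
      with:
        # Passed through directly. The former `|| steps.sbom-output.outputs.path`
        # fallback referenced a step id that does not exist in this action,
        # so it could only ever resolve to an empty string.
        sbom-path: ${{ inputs.sbom-path }}
    - uses: actions/attest@14e407ca15f1b08f4869fc058b059f7f1e434df6 # v0.1.0
      id: attest
      with:
        subject-path: ${{ inputs.subject-path }}
        subject-digest: ${{ inputs.subject-digest }}
        subject-name: ${{ inputs.subject-name }}
        # Predicate type and file come from the step above; nothing else in
        # this action decides what is attested.
        predicate-type:
          ${{ steps.generate-sbom-predicate.outputs.predicate-type }}
        predicate-path:
          ${{ steps.generate-sbom-predicate.outputs.predicate-path }}
        push-to-registry: ${{ inputs.push-to-registry }}
        github-token: ${{ inputs.github-token }}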