for signing w/ private Sigstore instance (#16)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-02-29 16:30:33 -08:00
parent e6b5225a37
commit 5a5a50bfea
2 changed files with 6 additions and 1 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,6 +60,8 @@ jobs:
      - name: Run attest-sbom
        id: attest-sbom
        uses: ./
+        env:
+          INPUT_PRIVATE-SIGNING: 'true'
        with:
          subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
          subject-name: 'subject'
@@ -86,7 +88,10 @@ jobs:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          sbom-format: 'spdx'
      - name: Run attest-sbom with cyclonedx format
+        id: attest-sbom
        uses: ./
+        env:
+          INPUT_PRIVATE-SIGNING: 'true'
        with:
          subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
          subject-name: 'subject'
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # `actions/attest-sbom`

 Generate signed SBOM attestations for workflow artifacts. Internally powered by
-the [@actions/attest-sbom][1] package.
+the [@actions/attest][1] package.

 Attestations bind some subject (a named artifact along with its digest) to a a
 Software Bill of Materials (SBOM) using the [in-toto][2] format. The action