3 Commits

Brian DeHamer
c168f2354d fix reference to actions/attest (#49)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-04-26 13:35:58 -07:00
Brian DeHamer
5448b22ebd update readme with SBOM generation example (#48)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-04-25 16:41:57 -07:00
Brian DeHamer
b125530ffd update action references (#47)
Bump actions/attest-sbom/predicate from 0.1.0 to 1.0.0
Bump actions/attest from 0.1.0 to 1.0.0

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-04-25 12:50:52 -07:00
2 changed files with 15 additions and 7 deletions


@@ -38,7 +38,8 @@ attest:
necessary to request a Sigstore signing certificate. The `attestations`
permission is necessary to persist the attestation.
1. Add the following to your workflow after your artifact has been built:
1. Add the following to your workflow after your artifact has been built and
your SBOM has been generated:
```yaml
- uses: actions/attest-sbom@v1
@@ -56,7 +57,7 @@ attest:
See [action.yml](action.yml)
```yaml
- uses: actions/attest@v1
- uses: actions/attest-sbom@v1
with:
# Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest".
@@ -129,12 +130,15 @@ jobs:
- name: Build artifact
run: make my-app
- name: Generate SBOM
run: make sbom
uses: anchore/sbom-action@v0
with:
format: 'spdx-json'
output-file: 'sbom.spdx.json'
- name: Attest
uses: actions/attest-sbom@v1
with:
subject-path: '${{ github.workspace }}/my-app'
sbom-path: '${{ github.workspace }}/my-app.sbom.spdx.json'
sbom-path: 'sbom.spdx.json'
```
### Identify Subjects by Wildcard
@@ -202,7 +206,11 @@ jobs:
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Generate SBOM
run: make sbom
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'cyclonedx-json'
output-file: 'sbom.cyclonedx.json'
- name: Attest
uses: actions/attest-sbom@v1
id: attest


@@ -45,11 +45,11 @@ outputs:
runs:
using: 'composite'
steps:
- uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0
- uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
id: generate-sbom-predicate
with:
sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}
- uses: actions/attest@14e407ca15f1b08f4869fc058b059f7f1e434df6 # v0.1.0
- uses: actions/attest@495f094150e54d72538674c944ca4daf13e7c67d # v1.0.0
id: attest
with:
subject-path: ${{ inputs.subject-path }}