bump actions/attest from 1.3.3 to 1.4.0 (#85)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

README.md

@@ -18,9 +18,12 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
-Attestations can be verified using the `attestation` command in the [GitHub
+Attestations can be verified using the [`attestation` command in the GitHub
 CLI][7].
 
+See [Using artifact attestations to establish provenance for builds][11] for
+more information on artifact attestations.
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -38,7 +41,8 @@ attest:
    necessary to request a Sigstore signing certificate. The `attestations`
    permission is necessary to persist the attestation.
 
-1. Add the following to your workflow after your artifact has been built:
+1. Add the following to your workflow after your artifact has been built and
+   your SBOM has been generated:
 
    ```yaml
    - uses: actions/attest-sbom@v1
@@ -47,7 +51,7 @@ attest:
        sbom-path: '<PATH TO SBOM>'
    ```
 
-   The `subject-path` parameter should identity the artifact for which you want
+   The `subject-path` parameter should identify the artifact for which you want
    to generate an SBOM attestation. The `sbom-path` parameter should identify
    the SBOM document to be associated with the subject.
 
@@ -56,13 +60,14 @@ attest:
 See [action.yml](action.yml)
 
 ```yaml
-- uses: actions/attest@v1
+- uses: actions/attest-sbom@v1
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest".
+    # specify exactly one of "subject-path" or "subject-digest". May contain a
+    # glob pattern or list of paths (total subject count cannot exceed 2500).
     subject-path:
 
-    # SHA256 digest of the subject for for the attestation. Must be in the form
+    # SHA256 digest of the subject for the attestation. Must be in the form
     # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
     # of "subject-path" or "subject-digest".
     subject-digest:
@@ -72,8 +77,8 @@ See [action.yml](action.yml)
     # path.
     subject-name:
 
-    # Path to the JSON-formatted SBOM file to attest. When specified, the
-    # "scan-path" and "sbom-format" inputs are ignored.
+    # Path to the JSON-formatted SBOM file to attest. File size cannot exceed
+    # 16MB.
     sbom-path:
 
     # Whether to push the attestation to the image registry. Requires that the
@@ -81,6 +86,10 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -102,6 +111,19 @@ If multiple subjects are being attested at the same time, each attestation will
 be written to the output file on a separate line (using the [JSON Lines][9]
 format).
 
+## Attestation Limits
+
+### Subject Limits
+
+No more than 2500 subjects can be attested at the same time. Subjects will be
+processed in batches 50. After the initial group of 50, each subsequent batch
+will incur an exponentially increasing amount of delay (capped at 1 minute of
+delay per batch) to avoid overwhelming the attestation API.
+
+### SBOM Limits
+
+The SBOM supplied via the `sbom-path` input cannot exceed 16MB.
+
 ## Examples
 
 ### Identify Subject and SBOM by Path
@@ -129,15 +151,18 @@ jobs:
       - name: Build artifact
         run: make my-app
       - name: Generate SBOM
-        run: make sbom
+        uses: anchore/sbom-action@v0
+        with:
+          format: 'spdx-json'
+          output-file: 'sbom.spdx.json'
       - name: Attest
         uses: actions/attest-sbom@v1
         with:
           subject-path: '${{ github.workspace }}/my-app'
-          sbom-path: '${{ github.workspace }}/my-app.sbom.spdx.json'
+          sbom-path: 'sbom.spdx.json'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
 If you are generating multiple artifacts, you can generate an attestation for
 each by using a wildcard in the `subject-path` input.
@@ -152,6 +177,23 @@ each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][10] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest-sbom@v1
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest-sbom@v1
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -202,7 +244,11 @@ jobs:
           push: true
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
       - name: Generate SBOM
-        run: make sbom
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          format: 'cyclonedx-json'
+          output-file: 'sbom.cyclonedx.json'
       - name: Attest
         uses: actions/attest-sbom@v1
         id: attest
@@ -218,8 +264,10 @@ jobs:
 [4]: https://spdx.dev/
 [5]: https://cyclonedx.org/
 [6]: https://www.sigstore.dev/
-[7]: https://cli.github.com/
+[7]: https://cli.github.com/manual/gh_attestation_verify
 [8]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
 [9]: https://jsonlines.org/
 [10]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
+[11]:
+  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

RELEASE.md

@@ -28,3 +28,11 @@ otherwise, skip directly to step #5.
    ```shell
    gh release create vX.X.X
    ```
+
+1. Move (or create) the major version tag to point to the same commit tagged
+   above:
+
+   ```shell
+   git tag -fa vX -m "vX"
+   git push origin vX --force
+   ```

action.yml

@@ -1,16 +1,20 @@
 name: 'Attest SBOM'
 description: 'Generate SBOM attestations for build artifacts'
 author: 'GitHub'
+branding:
+  color: 'blue'
+  icon: 'paperclip'
 
 inputs:
   subject-path:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
-      specify exactly one of "subject-path" or "subject-digest".
+      specify exactly one of "subject-path" or "subject-digest". May contain a
+      glob pattern or list of paths (total subject count cannot exceed 2500).
     required: false
   subject-digest:
     description: >
-      SHA256 digest of the subject for for the attestation. Must be in the form
+      SHA256 digest of the subject for the attestation. Must be in the form
       "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of
       "subject-path" or "subject-digest".
     required: false
@@ -21,9 +25,9 @@ inputs:
       path.
   sbom-path:
     description: >
-      Path to the JSON-formatted SBOM file to attest. When specified, the
-      "scan-path" and "sbom-format" inputs are ignored.
-    required: false
+      Path to the JSON-formatted SBOM file to attest. File size cannot exceed
+      16MB.
+    required: true
   push-to-registry:
     description: >
       Whether to push the provenance statement to the image registry. Requires
@@ -31,6 +35,12 @@ inputs:
       and that the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
@@ -45,11 +55,11 @@ outputs:
 runs:
   using: 'composite'
   steps:
-    - uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0
+    - uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
       id: generate-sbom-predicate
       with:
-        sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}
-    - uses: actions/attest@14e407ca15f1b08f4869fc058b059f7f1e434df6 # v0.1.0
+        sbom-path: ${{ inputs.sbom-path }}
+    - uses: actions/attest@2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d # v1.4.0
       id: attest
       with:
         subject-path: ${{ inputs.subject-path }}
@@ -60,4 +70,5 @@ runs:
         predicate-path:
           ${{ steps.generate-sbom-predicate.outputs.predicate-path }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: ${{ inputs.show-summary }}
         github-token: ${{ inputs.github-token }}

dist/index.js

@@ -24945,7 +24945,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.run = void 0;
+exports.run = run;
 const core = __importStar(__nccwpck_require__(2186));
 const sbom_1 = __nccwpck_require__(6210);
 /**
@@ -24969,7 +24969,6 @@ async function run() {
         core.setFailed(error.message);
     }
 }
-exports.run = run;
 
 
 /***/ }),
@@ -25006,7 +25005,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.generateSBOMPredicate = exports.storePredicate = exports.parseSBOMFromPath = void 0;
+exports.generateSBOMPredicate = exports.storePredicate = void 0;
+exports.parseSBOMFromPath = parseSBOMFromPath;
 const fs_1 = __importDefault(__nccwpck_require__(7147));
 const path = __importStar(__nccwpck_require__(1017));
 async function parseSBOMFromPath(filePath) {
@@ -25021,7 +25021,6 @@ async function parseSBOMFromPath(filePath) {
     }
     throw new Error('Unsupported SBOM format');
 }
-exports.parseSBOMFromPath = parseSBOMFromPath;
 function checkIsSPDX(sbomObject) {
     if (sbomObject?.spdxVersion && sbomObject?.SPDXID) {
         return true;

package.json

@@ -73,22 +73,22 @@
     "@actions/core": "^1.10.1"
   },
   "devDependencies": {
-    "@actions/attest": "^1.1.0",
+    "@actions/attest": "^1.3.0",
     "@types/jest": "^29.5.12",
-    "@types/node": "^20.12.7",
-    "@typescript-eslint/eslint-plugin": "^7.7.0",
-    "@typescript-eslint/parser": "^7.7.0",
+    "@types/node": "^22.0.0",
+    "@typescript-eslint/eslint-plugin": "^7.17.0",
+    "@typescript-eslint/parser": "^7.17.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^28.2.0",
-    "eslint-plugin-jsonc": "^2.15.1",
-    "eslint-plugin-prettier": "^5.1.3",
+    "eslint-plugin-github": "^5.0.1",
+    "eslint-plugin-jest": "^28.6.0",
+    "eslint-plugin-jsonc": "^2.16.0",
+    "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
-    "markdownlint-cli": "^0.39.0",
-    "prettier": "^3.2.5",
+    "markdownlint-cli": "^0.41.0",
+    "prettier": "^3.3.3",
     "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.4.5"
+    "ts-jest": "^29.2.3",
+    "typescript": "^5.5.4"
   }
 }