bump actions/attest to v2.0.0 (#126)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.github/dependabot.yml

@@ -10,7 +10,7 @@ updates:
           - minor
           - patch
     ignore:
-      - dependency-name: "actions/attest-sbom"
+      - dependency-name: 'actions/attest-sbom'
 
   - package-ecosystem: npm
     directory: /

.github/workflows/ci.yml

@@ -47,7 +47,7 @@ jobs:
         run: npm run ci-test
 
   test-attest-sbom:
-    name: Test attest-sbom action with local sbom file 
+    name: Test attest-sbom action with local sbom file
     runs-on: ubuntu-latest
     permissions:
       attestations: write

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -46,4 +46,5 @@ jobs:
           TYPESCRIPT_DEFAULT_STYLE: prettier
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
-          VALIDATE_JSCPD: false
+          VALIDATE_TYPESCRIPT_STANDARD: false
+          VALIDATE_JSCPD: false

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,22 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@v0.0.4

README.md

@@ -18,9 +18,12 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
-Attestations can be verified using the `attestation` command in the [GitHub
+Attestations can be verified using the [`attestation` command in the GitHub
 CLI][7].
 
+See [Using artifact attestations to establish provenance for builds][11] for
+more information on artifact attestations.
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -38,7 +41,8 @@ attest:
    necessary to request a Sigstore signing certificate. The `attestations`
    permission is necessary to persist the attestation.
 
-1. Add the following to your workflow after your artifact has been built:
+1. Add the following to your workflow after your artifact has been built and
+   your SBOM has been generated:
 
    ```yaml
    - uses: actions/attest-sbom@v1
@@ -47,7 +51,7 @@ attest:
        sbom-path: '<PATH TO SBOM>'
    ```
 
-   The `subject-path` parameter should identity the artifact for which you want
+   The `subject-path` parameter should identify the artifact for which you want
    to generate an SBOM attestation. The `sbom-path` parameter should identify
    the SBOM document to be associated with the subject.
 
@@ -56,13 +60,14 @@ attest:
 See [action.yml](action.yml)
 
 ```yaml
-- uses: actions/attest@v1
+- uses: actions/attest-sbom@v1
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest".
+    # specify exactly one of "subject-path" or "subject-digest". May contain a
+    # glob pattern or list of paths (total subject count cannot exceed 1024).
     subject-path:
 
-    # SHA256 digest of the subject for for the attestation. Must be in the form
+    # SHA256 digest of the subject for the attestation. Must be in the form
     # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
     # of "subject-path" or "subject-digest".
     subject-digest:
@@ -72,8 +77,8 @@ See [action.yml](action.yml)
     # path.
     subject-name:
 
-    # Path to the JSON-formatted SBOM file to attest. When specified, the
+    # Path to the JSON-formatted SBOM file to attest. File size cannot exceed
-    # "scan-path" and "sbom-format" inputs are ignored.
+    # 16MB.
     sbom-path:
 
     # Whether to push the attestation to the image registry. Requires that the
@@ -81,6 +86,10 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -90,17 +99,26 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name          | Description                                                    | Example                 |
+| Name          | Description                                                    | Example                |
-| ------------- | -------------------------------------------------------------- | ----------------------- |
+| ------------- | -------------------------------------------------------------- | ---------------------- |
-| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestaion.jsonl` |
+| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestaion.json` |
 
 <!-- markdownlint-enable MD013 -->
 
 Attestations are saved in the JSON-serialized [Sigstore bundle][8] format.
 
-If multiple subjects are being attested at the same time, each attestation will
+If multiple subjects are being attested at the same time, a single attestation
-be written to the output file on a separate line (using the [JSON Lines][9]
+will be created with references to each of the supplied subjects.
-format).
+
+## Attestation Limits
+
+### Subject Limits
+
+No more than 1024 subjects can be attested at the same time.
+
+### SBOM Limits
+
+The SBOM supplied via the `sbom-path` input cannot exceed 16MB.
 
 ## Examples
 
@@ -129,18 +147,21 @@ jobs:
       - name: Build artifact
         run: make my-app
       - name: Generate SBOM
-        run: make sbom
+        uses: anchore/sbom-action@v0
+        with:
+          format: 'spdx-json'
+          output-file: 'sbom.spdx.json'
       - name: Attest
         uses: actions/attest-sbom@v1
         with:
           subject-path: '${{ github.workspace }}/my-app'
-          sbom-path: '${{ github.workspace }}/my-app.sbom.spdx.json'
+          sbom-path: 'sbom.spdx.json'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
-If you are generating multiple artifacts, you can generate an attestation for
+If you are generating multiple artifacts, you can attest all of them at the same
-each by using a wildcard in the `subject-path` input.
+time by using a wildcard in the `subject-path` input.
 
 ```yaml
 - uses: actions/attest-sbom@v1
@@ -152,6 +173,23 @@ each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][10] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest-sbom@v1
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest-sbom@v1
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -202,7 +240,11 @@ jobs:
           push: true
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
       - name: Generate SBOM
-        run: make sbom
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          format: 'cyclonedx-json'
+          output-file: 'sbom.cyclonedx.json'
       - name: Attest
         uses: actions/attest-sbom@v1
         id: attest
@@ -218,8 +260,9 @@ jobs:
 [4]: https://spdx.dev/
 [5]: https://cyclonedx.org/
 [6]: https://www.sigstore.dev/
-[7]: https://cli.github.com/
+[7]: https://cli.github.com/manual/gh_attestation_verify
 [8]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
-[9]: https://jsonlines.org/
 [10]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
+[11]:
+  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

RELEASE.md

@@ -1,12 +1,12 @@
 # Release Instructions
 
-Follow the steps below to tag a new release for the
+Follow the steps below to tag a new release for the `actions/attest-sbom`
-`actions/attest-sbom` action.
+action.
 
-If changes were made to the internal `actions/attest-sbom/predicate`
+If changes were made to the internal `actions/attest-sbom/predicate` action (any
-action (any updates to [`./predicate/action.yaml`](./predicate/action.yml) or
+updates to [`./predicate/action.yaml`](./predicate/action.yml) or any of the
-any of the code in the [`./src`](./src) directory), start with step #1;
+code in the [`./src`](./src) directory), start with step #1; otherwise, skip
-otherwise, skip directly to step #5.
+directly to step #5.
 
 1. Merge the latest changes to the `main` branch.
 1. Create and push a new predicate tag of the form `predicate@X.X.X` following
@@ -17,9 +17,8 @@ otherwise, skip directly to step #5.
    git push --tags
    ```
 
-1. Update the reference to the `actions/attest-sbom/predicate`
+1. Update the reference to the `actions/attest-sbom/predicate` action in
-   action in [`action.yml`](./action.yml) to point to the SHA of the newly
+   [`action.yml`](./action.yml) to point to the SHA of the newly created tag.
-   created tag.
 1. Push the `action.yml` change and open a PR. Once it has been reviewed, merge
    the PR and proceed with the release instructions.
 1. Create a new release for the top-level action using a tag of the form
@@ -28,3 +27,11 @@ otherwise, skip directly to step #5.
    ```shell
    gh release create vX.X.X
    ```
+
+1. Move (or create) the major version tag to point to the same commit tagged
+   above:
+
+   ```shell
+   git tag -fa vX -m "vX"
+   git push origin vX --force
+   ```

__tests__/data/sbom.json

@@ -1,41 +1,38 @@
 {
-    "spdxVersion": "SPDX-2.3",
+  "spdxVersion": "SPDX-2.3",
-    "dataLicense": "CC0-1.0",
+  "dataLicense": "CC0-1.0",
-    "SPDXID": "SPDXRef-DOCUMENT",
+  "SPDXID": "SPDXRef-DOCUMENT",
-    "name": "./",
+  "name": "./",
-    "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
+  "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
-    "creationInfo": {
+  "creationInfo": {
-      "licenseListVersion": "3.22",
+    "licenseListVersion": "3.22",
-      "creators": [
+    "creators": ["Organization: Anchore, Inc", "Tool: syft-0.103.1"],
-        "Organization: Anchore, Inc",
+    "created": "2024-01-31T18:22:50Z"
-        "Tool: syft-0.103.1"
+  },
-      ],
+  "packages": [
-      "created": "2024-01-31T18:22:50Z"
+    {
-    },
+      "name": "@ampproject/remapping",
-    "packages": [
+      "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
-      {
+      "versionInfo": "2.2.1",
-        "name": "@ampproject/remapping",
+      "supplier": "NOASSERTION",
-        "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
+      "downloadLocation": "NOASSERTION",
-        "versionInfo": "2.2.1",
+      "filesAnalyzed": false,
-        "supplier": "NOASSERTION",
+      "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
-        "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
-        "filesAnalyzed": false,
+      "licenseDeclared": "Apache-2.0",
-        "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
+      "copyrightText": "NOASSERTION",
-        "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
-        "licenseDeclared": "Apache-2.0",
+        {
-        "copyrightText": "NOASSERTION",
+          "referenceCategory": "SECURITY",
-        "externalRefs": [
+          "referenceType": "cpe23Type",
-          {
+          "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
-            "referenceCategory": "SECURITY",
+        },
-            "referenceType": "cpe23Type",
+        {
-            "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
+          "referenceCategory": "PACKAGE-MANAGER",
-          },
+          "referenceType": "purl",
-          {
+          "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
-            "referenceCategory": "PACKAGE-MANAGER",
+        }
-            "referenceType": "purl",
+      ]
-            "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
+    }
-          }
+  ]
-        ]
+}
-      }
-    ]
-}

__tests__/main.test.ts

@@ -27,7 +27,7 @@ describe('SBOM Action', () => {
   })
 
   afterEach(() => {
-    fs.rmdirSync(tempDir, { recursive: true })
+    fs.rmSync(tempDir, { recursive: true })
     outputs = {}
   })
 

__tests__/sbom.test.ts

@@ -17,7 +17,7 @@ describe('parseSBOMFromPath', () => {
   })
 
   afterEach(() => {
-    fs.rmdirSync(tempDir, { recursive: true })
+    fs.rmSync(tempDir, { recursive: true })
   })
 
   it('correctly parses an SPDX file', async () => {

action.yml

@@ -1,16 +1,20 @@
 name: 'Attest SBOM'
 description: 'Generate SBOM attestations for build artifacts'
 author: 'GitHub'
+branding:
+  color: 'blue'
+  icon: 'paperclip'
 
 inputs:
   subject-path:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
-      specify exactly one of "subject-path" or "subject-digest".
+      specify exactly one of "subject-path" or "subject-digest". May contain a
+      glob pattern or list of paths (total subject count cannot exceed 1024).
     required: false
   subject-digest:
     description: >
-      SHA256 digest of the subject for for the attestation. Must be in the form
+      SHA256 digest of the subject for the attestation. Must be in the form
       "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of
       "subject-path" or "subject-digest".
     required: false
@@ -21,9 +25,9 @@ inputs:
       path.
   sbom-path:
     description: >
-      Path to the JSON-formatted SBOM file to attest. When specified, the
+      Path to the JSON-formatted SBOM file to attest. File size cannot exceed
-      "scan-path" and "sbom-format" inputs are ignored.
+      16MB.
-    required: false
+    required: true
   push-to-registry:
     description: >
       Whether to push the provenance statement to the image registry. Requires
@@ -31,6 +35,12 @@ inputs:
       and that the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
@@ -39,17 +49,17 @@ inputs:
 
 outputs:
   bundle-path:
-    description: 'The path to the file containing the attestation bundle(s).'
+    description: 'The path to the file containing the attestation bundle.'
     value: ${{ steps.attest.outputs.bundle-path }}
 
 runs:
   using: 'composite'
   steps:
-    - uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0
+    - uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
       id: generate-sbom-predicate
       with:
-        sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}
+        sbom-path: ${{ inputs.sbom-path }}
-    - uses: actions/attest@14e407ca15f1b08f4869fc058b059f7f1e434df6 # v0.1.0
+    - uses: actions/attest@v2.0.0
       id: attest
       with:
         subject-path: ${{ inputs.subject-path }}
@@ -60,4 +70,5 @@ runs:
         predicate-path:
           ${{ steps.generate-sbom-predicate.outputs.predicate-path }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: ${{ inputs.show-summary }}
         github-token: ${{ inputs.github-token }}

dist/licenses.txt

@@ -10,6 +10,18 @@ The above copyright notice and this permission notice shall be included in all c
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+@actions/exec
+MIT
+The MIT License (MIT)
+
+Copyright 2019 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
 @actions/http-client
 MIT
 Actions Http Client for Node.js
@@ -35,6 +47,18 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
+@actions/io
+MIT
+The MIT License (MIT)
+
+Copyright 2019 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
 @fastify/busboy
 MIT
 Copyright Brian White. All rights reserved.
@@ -105,16 +129,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
-
-
-uuid
-MIT
-The MIT License (MIT)
-
-Copyright (c) 2010-2020 Robert Kieffer and other contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package.json

@@ -70,25 +70,25 @@
     ]
   },
   "dependencies": {
-    "@actions/core": "^1.10.1"
+    "@actions/core": "^1.11.1"
   },
   "devDependencies": {
-    "@actions/attest": "^1.1.0",
+    "@actions/attest": "^1.5.0",
-    "@types/jest": "^29.5.12",
+    "@types/jest": "^29.5.14",
-    "@types/node": "^20.12.7",
+    "@types/node": "^22.10.1",
-    "@typescript-eslint/eslint-plugin": "^7.7.0",
+    "@typescript-eslint/eslint-plugin": "^7.17.0",
-    "@typescript-eslint/parser": "^7.7.0",
+    "@typescript-eslint/parser": "^7.18.0",
-    "@vercel/ncc": "^0.38.1",
+    "@vercel/ncc": "^0.38.3",
-    "eslint": "^8.57.0",
+    "eslint": "^8.57.1",
-    "eslint-plugin-github": "^4.10.2",
+    "eslint-plugin-github": "^5.1.3",
-    "eslint-plugin-jest": "^28.2.0",
+    "eslint-plugin-jest": "^28.9.0",
-    "eslint-plugin-jsonc": "^2.15.1",
+    "eslint-plugin-jsonc": "^2.18.2",
-    "eslint-plugin-prettier": "^5.1.3",
+    "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
-    "markdownlint-cli": "^0.39.0",
+    "markdownlint-cli": "^0.43.0",
-    "prettier": "^3.2.5",
+    "prettier": "^3.4.1",
     "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.2",
+    "ts-jest": "^29.2.5",
-    "typescript": "^5.4.5"
+    "typescript": "^5.7.2"
   }
 }