bump actions/attest from 1.4.0 to 1.4.1 (#98)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.github/dependabot.yml

@@ -10,7 +10,7 @@ updates:
           - minor
           - patch
     ignore:
-      - dependency-name: "actions/attest-sbom"
+      - dependency-name: 'actions/attest-sbom'
 
   - package-ecosystem: npm
     directory: /

.github/workflows/ci.yml

@@ -47,7 +47,7 @@ jobs:
         run: npm run ci-test
 
   test-attest-sbom:
-    name: Test attest-sbom action with local sbom file 
+    name: Test attest-sbom action with local sbom file
     runs-on: ubuntu-latest
     permissions:
       attestations: write

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -46,5 +46,5 @@ jobs:
           TYPESCRIPT_DEFAULT_STYLE: prettier
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
+          VALIDATE_TYPESCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
-          VALIDATE_GITHUB_ACTIONS: false

README.md

@@ -21,8 +21,8 @@ initiated.
 Attestations can be verified using the [`attestation` command in the GitHub
 CLI][7].
 
-See [Using artifact attestations to establish provenance for builds][11]
-for more information on artifact attestations.
+See [Using artifact attestations to establish provenance for builds][11] for
+more information on artifact attestations.
 
 ## Usage
 
@@ -63,7 +63,8 @@ See [action.yml](action.yml)
 - uses: actions/attest-sbom@v1
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest".
+    # specify exactly one of "subject-path" or "subject-digest". May contain a
+    # glob pattern or list of paths (total subject count cannot exceed 2500).
     subject-path:
 
     # SHA256 digest of the subject for the attestation. Must be in the form
@@ -76,8 +77,8 @@ See [action.yml](action.yml)
     # path.
     subject-name:
 
-    # Path to the JSON-formatted SBOM file to attest. When specified, the
-    # "scan-path" and "sbom-format" inputs are ignored.
+    # Path to the JSON-formatted SBOM file to attest. File size cannot exceed
+    # 16MB.
     sbom-path:
 
     # Whether to push the attestation to the image registry. Requires that the
@@ -85,6 +86,10 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -106,6 +111,19 @@ If multiple subjects are being attested at the same time, each attestation will
 be written to the output file on a separate line (using the [JSON Lines][9]
 format).
 
+## Attestation Limits
+
+### Subject Limits
+
+No more than 2500 subjects can be attested at the same time. Subjects will be
+processed in batches 50. After the initial group of 50, each subsequent batch
+will incur an exponentially increasing amount of delay (capped at 1 minute of
+delay per batch) to avoid overwhelming the attestation API.
+
+### SBOM Limits
+
+The SBOM supplied via the `sbom-path` input cannot exceed 16MB.
+
 ## Examples
 
 ### Identify Subject and SBOM by Path
@@ -144,7 +162,7 @@ jobs:
           sbom-path: 'sbom.spdx.json'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
 If you are generating multiple artifacts, you can generate an attestation for
 each by using a wildcard in the `subject-path` input.
@@ -159,6 +177,23 @@ each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][10] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest-sbom@v1
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest-sbom@v1
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -234,4 +269,5 @@ jobs:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
 [9]: https://jsonlines.org/
 [10]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
-[11]: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
+[11]:
+  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

RELEASE.md

@@ -1,12 +1,12 @@
 # Release Instructions
 
-Follow the steps below to tag a new release for the
-`actions/attest-sbom` action.
+Follow the steps below to tag a new release for the `actions/attest-sbom`
+action.
 
-If changes were made to the internal `actions/attest-sbom/predicate`
-action (any updates to [`./predicate/action.yaml`](./predicate/action.yml) or
-any of the code in the [`./src`](./src) directory), start with step #1;
-otherwise, skip directly to step #5.
+If changes were made to the internal `actions/attest-sbom/predicate` action (any
+updates to [`./predicate/action.yaml`](./predicate/action.yml) or any of the
+code in the [`./src`](./src) directory), start with step #1; otherwise, skip
+directly to step #5.
 
 1. Merge the latest changes to the `main` branch.
 1. Create and push a new predicate tag of the form `predicate@X.X.X` following
@@ -17,9 +17,8 @@ otherwise, skip directly to step #5.
    git push --tags
    ```
 
-1. Update the reference to the `actions/attest-sbom/predicate`
-   action in [`action.yml`](./action.yml) to point to the SHA of the newly
-   created tag.
+1. Update the reference to the `actions/attest-sbom/predicate` action in
+   [`action.yml`](./action.yml) to point to the SHA of the newly created tag.
 1. Push the `action.yml` change and open a PR. Once it has been reviewed, merge
    the PR and proceed with the release instructions.
 1. Create a new release for the top-level action using a tag of the form

__tests__/data/sbom.json

@@ -1,41 +1,38 @@
 {
-    "spdxVersion": "SPDX-2.3",
-    "dataLicense": "CC0-1.0",
-    "SPDXID": "SPDXRef-DOCUMENT",
-    "name": "./",
-    "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
-    "creationInfo": {
-      "licenseListVersion": "3.22",
-      "creators": [
-        "Organization: Anchore, Inc",
-        "Tool: syft-0.103.1"
-      ],
-      "created": "2024-01-31T18:22:50Z"
-    },
-    "packages": [
-      {
-        "name": "@ampproject/remapping",
-        "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
-        "versionInfo": "2.2.1",
-        "supplier": "NOASSERTION",
-        "downloadLocation": "NOASSERTION",
-        "filesAnalyzed": false,
-        "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
-        "licenseConcluded": "NOASSERTION",
-        "licenseDeclared": "Apache-2.0",
-        "copyrightText": "NOASSERTION",
-        "externalRefs": [
-          {
-            "referenceCategory": "SECURITY",
-            "referenceType": "cpe23Type",
-            "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
-          },
-          {
-            "referenceCategory": "PACKAGE-MANAGER",
-            "referenceType": "purl",
-            "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
-          }
-        ]
-      }
-    ]
-}
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "./",
+  "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
+  "creationInfo": {
+    "licenseListVersion": "3.22",
+    "creators": ["Organization: Anchore, Inc", "Tool: syft-0.103.1"],
+    "created": "2024-01-31T18:22:50Z"
+  },
+  "packages": [
+    {
+      "name": "@ampproject/remapping",
+      "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
+      "versionInfo": "2.2.1",
+      "supplier": "NOASSERTION",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "Apache-2.0",
+      "copyrightText": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceType": "cpe23Type",
+          "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
+        }
+      ]
+    }
+  ]
+}

action.yml

@@ -9,7 +9,8 @@ inputs:
   subject-path:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
-      specify exactly one of "subject-path" or "subject-digest".
+      specify exactly one of "subject-path" or "subject-digest". May contain a
+      glob pattern or list of paths (total subject count cannot exceed 2500).
     required: false
   subject-digest:
     description: >
@@ -24,9 +25,9 @@ inputs:
       path.
   sbom-path:
     description: >
-      Path to the JSON-formatted SBOM file to attest. When specified, the
-      "scan-path" and "sbom-format" inputs are ignored.
-    required: false
+      Path to the JSON-formatted SBOM file to attest. File size cannot exceed
+      16MB.
+    required: true
   push-to-registry:
     description: >
       Whether to push the provenance statement to the image registry. Requires
@@ -34,6 +35,12 @@ inputs:
       and that the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
@@ -51,8 +58,8 @@ runs:
     - uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
       id: generate-sbom-predicate
       with:
-        sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}
-    - uses: actions/attest@32f49af6653ef9b7d1a40182d53fc9ebd53447d8 # v1.1.1
+        sbom-path: ${{ inputs.sbom-path }}
+    - uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1
       id: attest
       with:
         subject-path: ${{ inputs.subject-path }}
@@ -63,4 +70,5 @@ runs:
         predicate-path:
           ${{ steps.generate-sbom-predicate.outputs.predicate-path }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: ${{ inputs.show-summary }}
         github-token: ${{ inputs.github-token }}

dist/index.js

@@ -24945,7 +24945,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.run = void 0;
+exports.run = run;
 const core = __importStar(__nccwpck_require__(2186));
 const sbom_1 = __nccwpck_require__(6210);
 /**
@@ -24969,7 +24969,6 @@ async function run() {
         core.setFailed(error.message);
     }
 }
-exports.run = run;
 
 
 /***/ }),
@@ -25006,7 +25005,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.generateSBOMPredicate = exports.storePredicate = exports.parseSBOMFromPath = void 0;
+exports.generateSBOMPredicate = exports.storePredicate = void 0;
+exports.parseSBOMFromPath = parseSBOMFromPath;
 const fs_1 = __importDefault(__nccwpck_require__(7147));
 const path = __importStar(__nccwpck_require__(1017));
 async function parseSBOMFromPath(filePath) {
@@ -25021,7 +25021,6 @@ async function parseSBOMFromPath(filePath) {
     }
     throw new Error('Unsupported SBOM format');
 }
-exports.parseSBOMFromPath = parseSBOMFromPath;
 function checkIsSPDX(sbomObject) {
     if (sbomObject?.spdxVersion && sbomObject?.SPDXID) {
         return true;

package.json

@@ -73,22 +73,22 @@
     "@actions/core": "^1.10.1"
   },
   "devDependencies": {
-    "@actions/attest": "^1.2.1",
+    "@actions/attest": "^1.4.0",
     "@types/jest": "^29.5.12",
-    "@types/node": "^20.12.8",
-    "@typescript-eslint/eslint-plugin": "^7.8.0",
-    "@typescript-eslint/parser": "^7.8.0",
+    "@types/node": "^22.4.1",
+    "@typescript-eslint/eslint-plugin": "^7.17.0",
+    "@typescript-eslint/parser": "^7.18.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^28.5.0",
-    "eslint-plugin-jsonc": "^2.15.1",
-    "eslint-plugin-prettier": "^5.1.3",
+    "eslint-plugin-github": "^5.0.1",
+    "eslint-plugin-jest": "^28.8.0",
+    "eslint-plugin-jsonc": "^2.16.0",
+    "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
-    "markdownlint-cli": "^0.40.0",
-    "prettier": "^3.2.5",
+    "markdownlint-cli": "^0.41.0",
+    "prettier": "^3.3.3",
     "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.4.5"
+    "ts-jest": "^29.2.4",
+    "typescript": "^5.5.4"
   }
 }