bump attest-sbom/predicate to v2.0.0 (#206)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.eslintignore

@@ -1,4 +0,0 @@
-lib/
-dist/
-node_modules/
-coverage/

.github/dependabot.yml

@@ -10,7 +10,7 @@ updates:
           - minor
           - patch
     ignore:
-      - dependency-name: "actions/attest-sbom"
+      - dependency-name: 'actions/attest-sbom'
 
   - package-ecosystem: npm
     directory: /

.github/linters/.eslintrc.yml

@@ -1,83 +0,0 @@
-env:
-  node: true
-  es6: true
-  jest: true
-
-globals:
-  Atomics: readonly
-  SharedArrayBuffer: readonly
-
-ignorePatterns:
-  - '!.*'
-  - '**/node_modules/.*'
-  - '**/dist/.*'
-  - '**/coverage/.*'
-  - '*.json'
-
-parser: '@typescript-eslint/parser'
-
-parserOptions:
-  ecmaVersion: 2023
-  sourceType: module
-  project:
-    - './.github/linters/tsconfig.json'
-    - './tsconfig.json'
-
-plugins:
-  - jest
-  - '@typescript-eslint'
-
-extends:
-  - eslint:recommended
-  - plugin:@typescript-eslint/eslint-recommended
-  - plugin:@typescript-eslint/recommended
-  - plugin:github/recommended
-  - plugin:jest/recommended
-
-rules:
-  {
-    'camelcase': 'off',
-    'eslint-comments/no-use': 'off',
-    'eslint-comments/no-unused-disable': 'off',
-    'i18n-text/no-en': 'off',
-    'import/no-namespace': 'off',
-    'no-console': 'off',
-    'no-unused-vars': 'off',
-    'prettier/prettier': 'error',
-    'semi': 'off',
-    '@typescript-eslint/array-type': 'error',
-    '@typescript-eslint/await-thenable': 'error',
-    '@typescript-eslint/ban-ts-comment': 'error',
-    '@typescript-eslint/consistent-type-assertions': 'error',
-    '@typescript-eslint/explicit-member-accessibility':
-      ['error', { 'accessibility': 'no-public' }],
-    '@typescript-eslint/explicit-function-return-type':
-      ['error', { 'allowExpressions': true }],
-    '@typescript-eslint/func-call-spacing': ['error', 'never'],
-    '@typescript-eslint/no-array-constructor': 'error',
-    '@typescript-eslint/no-empty-interface': 'error',
-    '@typescript-eslint/no-explicit-any': 'error',
-    '@typescript-eslint/no-extraneous-class': 'error',
-    '@typescript-eslint/no-for-in-array': 'error',
-    '@typescript-eslint/no-inferrable-types': 'error',
-    '@typescript-eslint/no-misused-new': 'error',
-    '@typescript-eslint/no-namespace': 'error',
-    '@typescript-eslint/no-non-null-assertion': 'warn',
-    '@typescript-eslint/no-require-imports': 'error',
-    '@typescript-eslint/no-unnecessary-qualifier': 'error',
-    '@typescript-eslint/no-unnecessary-type-assertion': 'error',
-    '@typescript-eslint/no-unused-vars': 'error',
-    '@typescript-eslint/no-useless-constructor': 'error',
-    '@typescript-eslint/no-var-requires': 'error',
-    '@typescript-eslint/prefer-for-of': 'warn',
-    '@typescript-eslint/prefer-function-type': 'warn',
-    '@typescript-eslint/prefer-includes': 'error',
-    '@typescript-eslint/prefer-string-starts-ends-with': 'error',
-    '@typescript-eslint/promise-function-async': 'error',
-    '@typescript-eslint/require-array-sort-compare': 'error',
-    '@typescript-eslint/restrict-plus-operands': 'error',
-    '@typescript-eslint/semi': ['error', 'never'],
-    '@typescript-eslint/space-before-function-paren': 'off',
-    '@typescript-eslint/type-annotation-spacing': 'error',
-    '@typescript-eslint/unbound-method': 'error'
-  }

.github/linters/.yaml-lint.yml

@@ -1,10 +0,0 @@
-rules:
-  document-end: disable
-  document-start:
-    level: warning
-    present: false
-  line-length:
-    level: warning
-    max: 80
-    allow-non-breakable-words: true
-    allow-non-breakable-inline-mappings: true

.github/linters/tsconfig.json

@@ -1,9 +0,0 @@
-{
-  "$schema": "https://json.schemastore.org/tsconfig",
-  "extends": "../../tsconfig.json",
-  "compilerOptions": {
-    "noEmit": true
-  },
-  "include": ["../../__tests__/**/*", "../../src/**/*"],
-  "exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"]
-}

.github/workflows/check-dist.yml

@@ -28,11 +28,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -60,7 +60,7 @@ jobs:
       - if: ${{ failure() && steps.diff.outcome == 'failure' }}
         name: Upload Artifact
         id: upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: dist
           path: dist/

.github/workflows/ci.yml

@@ -21,11 +21,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -47,7 +47,7 @@ jobs:
         run: npm run ci-test
 
   test-attest-sbom:
-    name: Test attest-sbom action with local sbom file 
+    name: Test attest-sbom action with local sbom file
     runs-on: ubuntu-latest
     permissions:
       attestations: write
@@ -57,7 +57,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run attest-sbom
         id: attest-sbom
         uses: ./

.github/workflows/codeql-analysis.yml

@@ -32,19 +32,19 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
         id: initialize
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
         with:
           languages: ${{ matrix.language }}
           source-root: src
 
       - name: Autobuild
         id: autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
 
       - name: Perform CodeQL Analysis
         id: analyze
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9

.github/workflows/linter.yml

@@ -1,49 +0,0 @@
-name: Lint Codebase
-
-on:
-  pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-  packages: read
-  statuses: write
-
-jobs:
-  lint:
-    name: Lint Codebase
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        id: setup-node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: .node-version
-          cache: npm
-
-      - name: Install Dependencies
-        id: install
-        run: npm ci
-
-      - name: Lint Codebase
-        id: super-linter
-        uses: super-linter/super-linter/slim@v6
-        env:
-          DEFAULT_BRANCH: main
-          FILTER_REGEX_EXCLUDE: dist/**/*
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TYPESCRIPT_DEFAULT_STYLE: prettier
-          VALIDATE_ALL_CODEBASE: true
-          VALIDATE_JAVASCRIPT_STANDARD: false
-          VALIDATE_JSCPD: false

.node-version

@@ -1 +1 @@
-20.6.0
+24.5.0

README.md

@@ -24,6 +24,16 @@ CLI][7].
 See [Using artifact attestations to establish provenance for builds][11] for
 more information on artifact attestations.
 
+<!-- prettier-ignore-start -->
+> [!NOTE]
+> Artifact attestations are available in public repositories for all
+> current GitHub plans. They are not available on legacy plans, such as Bronze,
+> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
+> artifact attestations are only available for public repositories. To use
+> artifact attestations in private or internal repositories, you must be on a
+> GitHub Enterprise Cloud plan.
+<!-- prettier-ignore-end -->
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -45,7 +55,7 @@ attest:
    your SBOM has been generated:
 
    ```yaml
-   - uses: actions/attest-sbom@v1
+   - uses: actions/attest-sbom@v2
      with:
        subject-path: '<PATH TO ARTIFACT>'
        sbom-path: '<PATH TO SBOM>'
@@ -60,23 +70,28 @@ attest:
 See [action.yml](action.yml)
 
 ```yaml
-- uses: actions/attest-sbom@v1
+- uses: actions/attest-sbom@v2
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest". May contain a
-    # glob pattern or list of paths (total subject count cannot exceed 2500).
+    # specify exactly one of "subject-path", "subject-digest", or
+    # "subject-checksums". May contain a glob pattern or list of paths
+    # (total subject count cannot exceed 1024).
     subject-path:
 
     # SHA256 digest of the subject for the attestation. Must be in the form
     # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
-    # of "subject-path" or "subject-digest".
+    # of "subject-path", "subject-digest", or "subject-checksums".
     subject-digest:
 
-    # Subject name as it should appear in the attestation. Required unless
-    # "subject-path" is specified, in which case it will be inferred from the
-    # path.
+    # Subject name as it should appear in the attestation. Required when
+    # identifying the subject with the "subject-digest" input.
     subject-name:
 
+    # Path to checksums file containing digest and name of subjects for
+    # attestation. Must specify exactly one of "subject-path", "subject-digest",
+    # or "subject-checksums".
+    subject-checksums:
+
     # Path to the JSON-formatted SBOM file to attest. File size cannot exceed
     # 16MB.
     sbom-path:
@@ -86,6 +101,10 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -95,26 +114,28 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name          | Description                                                    | Example                 |
-| ------------- | -------------------------------------------------------------- | ----------------------- |
-| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestaion.jsonl` |
+| Name              | Description                                                    | Example                                          |
+| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
+| `attestation-id`  | GitHub ID for the attestation                                  | `123456`                                         |
+| `attestation-url` | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
+| `bundle-path`     | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
 
 <!-- markdownlint-enable MD013 -->
 
 Attestations are saved in the JSON-serialized [Sigstore bundle][8] format.
 
-If multiple subjects are being attested at the same time, each attestation will
-be written to the output file on a separate line (using the [JSON Lines][9]
-format).
+If multiple subjects are being attested at the same time, a single attestation
+will be created with references to each of the supplied subjects.
+
+The absolute path to the generated attestation is appended to the file
+`${RUNNER_TEMP}/created_attestation_paths.txt`. This file will accumulate the
+paths to all attestations created over the course of a single workflow.
 
 ## Attestation Limits
 
 ### Subject Limits
 
-No more than 2500 subjects can be attested at the same time. Subjects will be
-processed in batches 50. After the initial group of 50, each subsequent batch
-will incur an exponentially increasing amount of delay (capped at 1 minute of
-delay per batch) to avoid overwhelming the attestation API.
+No more than 1024 subjects can be attested at the same time.
 
 ### SBOM Limits
 
@@ -136,6 +157,7 @@ on:
 
 jobs:
   build:
+    runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
@@ -152,19 +174,19 @@ jobs:
           format: 'spdx-json'
           output-file: 'sbom.spdx.json'
       - name: Attest
-        uses: actions/attest-sbom@v1
+        uses: actions/attest-sbom@v2
         with:
           subject-path: '${{ github.workspace }}/my-app'
           sbom-path: 'sbom.spdx.json'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
-If you are generating multiple artifacts, you can generate an attestation for
-each by using a wildcard in the `subject-path` input.
+If you are generating multiple artifacts, you can attest all of them at the same
+time by using a wildcard in the `subject-path` input.
 
 ```yaml
-- uses: actions/attest-sbom@v1
+- uses: actions/attest-sbom@v2
   with:
     subject-path: 'dist/**/my-bin-*'
     sbom-path: '${{ github.workspace }}/my-bin.sbom.spdx.json'
@@ -173,6 +195,58 @@ each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][10] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest-sbom@v2
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest-sbom@v2
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
+### Identify Subjects with Checksums File
+
+If you are using tools like
+[goreleaser](https://goreleaser.com/customization/checksum/) or
+[jreleaser](https://jreleaser.org/guide/latest/reference/checksum.html) which
+generate a checksums file you can identify the attestation subjects by passing
+the path of the checksums file to the `subject-checksums` input. Each of the
+artifacts identified in the checksums file will be listed as a subject for the
+attestation.
+
+```yaml
+- name: Calculate artifact digests
+  run: |
+    shasum -a 256 foo_0.0.1_* > subject.checksums.txt
+- uses: actions/attest-sbom@v2
+  with:
+    subject-checksums: subject.checksums.txt
+    sbom-path: sbom.spdx.json
+```
+
+<!-- markdownlint-disable MD038 -->
+
+The file referenced by the `subject-checksums` input must conform to the same
+format used by the shasum tools. Each subject should be listed on a separate
+line including the hex-encoded digest (either SHA256 or SHA512), a space, a
+single character flag indicating either binary (`*`) or text (` `) input mode,
+and the filename.
+
+<!-- markdownlint-enable MD038 -->
+
+```text
+b569bf992b287f55d78bf8ee476497e9b7e9d2bf1c338860bfb905016218c740  foo_0.0.1_darwin_amd64
+a54fc515e616cac7fcf11a49d5c5ec9ec315948a5935c1e11dd610b834b14dde  foo_0.0.1_darwin_arm64
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -229,7 +303,7 @@ jobs:
           format: 'cyclonedx-json'
           output-file: 'sbom.cyclonedx.json'
       - name: Attest
-        uses: actions/attest-sbom@v1
+        uses: actions/attest-sbom@v2
         id: attest
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -246,7 +320,6 @@ jobs:
 [7]: https://cli.github.com/manual/gh_attestation_verify
 [8]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
-[9]: https://jsonlines.org/
 [10]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
 [11]:
   https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

RELEASE.md

@@ -1,12 +1,12 @@
 # Release Instructions
 
-Follow the steps below to tag a new release for the
-`actions/attest-sbom` action.
+Follow the steps below to tag a new release for the `actions/attest-sbom`
+action.
 
-If changes were made to the internal `actions/attest-sbom/predicate`
-action (any updates to [`./predicate/action.yaml`](./predicate/action.yml) or
-any of the code in the [`./src`](./src) directory), start with step #1;
-otherwise, skip directly to step #5.
+If changes were made to the internal `actions/attest-sbom/predicate` action (any
+updates to [`./predicate/action.yaml`](./predicate/action.yml) or any of the
+code in the [`./src`](./src) directory), start with step #1; otherwise, skip
+directly to step #5.
 
 1. Merge the latest changes to the `main` branch.
 1. Create and push a new predicate tag of the form `predicate@X.X.X` following
@@ -17,9 +17,8 @@ otherwise, skip directly to step #5.
    git push --tags
    ```
 
-1. Update the reference to the `actions/attest-sbom/predicate`
-   action in [`action.yml`](./action.yml) to point to the SHA of the newly
-   created tag.
+1. Update the reference to the `actions/attest-sbom/predicate` action in
+   [`action.yml`](./action.yml) to point to the SHA of the newly created tag.
 1. Push the `action.yml` change and open a PR. Once it has been reviewed, merge
    the PR and proceed with the release instructions.
 1. Create a new release for the top-level action using a tag of the form

__tests__/data/sbom.json

@@ -1,41 +1,38 @@
 {
-    "spdxVersion": "SPDX-2.3",
-    "dataLicense": "CC0-1.0",
-    "SPDXID": "SPDXRef-DOCUMENT",
-    "name": "./",
-    "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
-    "creationInfo": {
-      "licenseListVersion": "3.22",
-      "creators": [
-        "Organization: Anchore, Inc",
-        "Tool: syft-0.103.1"
-      ],
-      "created": "2024-01-31T18:22:50Z"
-    },
-    "packages": [
-      {
-        "name": "@ampproject/remapping",
-        "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
-        "versionInfo": "2.2.1",
-        "supplier": "NOASSERTION",
-        "downloadLocation": "NOASSERTION",
-        "filesAnalyzed": false,
-        "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
-        "licenseConcluded": "NOASSERTION",
-        "licenseDeclared": "Apache-2.0",
-        "copyrightText": "NOASSERTION",
-        "externalRefs": [
-          {
-            "referenceCategory": "SECURITY",
-            "referenceType": "cpe23Type",
-            "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
-          },
-          {
-            "referenceCategory": "PACKAGE-MANAGER",
-            "referenceType": "purl",
-            "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
-          }
-        ]
-      }
-    ]
-}
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "./",
+  "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
+  "creationInfo": {
+    "licenseListVersion": "3.22",
+    "creators": ["Organization: Anchore, Inc", "Tool: syft-0.103.1"],
+    "created": "2024-01-31T18:22:50Z"
+  },
+  "packages": [
+    {
+      "name": "@ampproject/remapping",
+      "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
+      "versionInfo": "2.2.1",
+      "supplier": "NOASSERTION",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "Apache-2.0",
+      "copyrightText": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceType": "cpe23Type",
+          "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
+        }
+      ]
+    }
+  ]
+}

__tests__/index.test.ts

@@ -8,7 +8,7 @@ import * as main from '../src/main'
 const runMock = jest.spyOn(main, 'run').mockImplementation()
 
 describe('index', () => {
-  it('calls run when imported', async () => {
+  it('calls run when imported', () => {
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     require('../src/index')
 

__tests__/main.test.ts

@@ -27,7 +27,7 @@ describe('SBOM Action', () => {
   })
 
   afterEach(() => {
-    fs.rmdirSync(tempDir, { recursive: true })
+    fs.rmSync(tempDir, { recursive: true })
     outputs = {}
   })
 

__tests__/sbom.test.ts

@@ -17,7 +17,7 @@ describe('parseSBOMFromPath', () => {
   })
 
   afterEach(() => {
-    fs.rmdirSync(tempDir, { recursive: true })
+    fs.rmSync(tempDir, { recursive: true })
   })
 
   it('correctly parses an SPDX file', async () => {
@@ -108,6 +108,13 @@ describe('generateSBOMPredicate', () => {
     expect(result.params).toEqual(sbom.object)
   })
 
+  it('throws an error for missing SPDX version', () => {
+    const sbom = { type: 'spdx' } as SBOM
+    expect(() => generateSBOMPredicate(sbom)).toThrow(
+      'Cannot find spdxVersion in the SBOM'
+    )
+  })
+
   it('generates CycloneDX predicate correctly', () => {
     const sbom = { type: 'cyclonedx', object: {} } as SBOM
     const result = generateSBOMPredicate(sbom)
@@ -116,10 +123,8 @@ describe('generateSBOMPredicate', () => {
   })
 
   it('throws error for unsupported SBOM formats', () => {
-    const sbom = { type: 'spdx', object: {} }
+    const sbom = { type: 'foo', object: {} }
     // @ts-expect-error test error case
-    expect(() => generateSBOMPredicate(sbom)).toThrow(
-      'Cannot find spdxVersion in the SBOM'
-    )
+    expect(() => generateSBOMPredicate(sbom)).toThrow('Unsupported SBOM format')
   })
 })

action.yml

@@ -9,20 +9,26 @@ inputs:
   subject-path:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
-      specify exactly one of "subject-path" or "subject-digest". May contain a
-      glob pattern or list of paths (total subject count cannot exceed 2500).
+      specify exactly one of "subject-path", "subject-digest", or
+      "subject-checksums". May contain a glob pattern or list of paths (total
+      subject count cannot exceed 1024).
     required: false
   subject-digest:
     description: >
       SHA256 digest of the subject for the attestation. Must be in the form
       "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of
-      "subject-path" or "subject-digest".
+      "subject-path", "subject-digest", or "subject-checksums".
     required: false
   subject-name:
     description: >
-      Subject name as it should appear in the attestation. Required unless
-      "subject-path" is specified, in which case it will be inferred from the
-      path.
+      Subject name as it should appear in the attestation. Required when
+      identifying the subject with the "subject-digest" input.
+  subject-checksums:
+    description: >
+      Path to checksums file containing digest and name of subjects for
+      attestation. Must specify exactly one of "subject-path", "subject-digest",
+      or "subject-checksums".
+    required: false
   sbom-path:
     description: >
       Path to the JSON-formatted SBOM file to attest. File size cannot exceed
@@ -35,6 +41,12 @@ inputs:
       and that the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
@@ -43,25 +55,35 @@ inputs:
 
 outputs:
   bundle-path:
-    description: 'The path to the file containing the attestation bundle(s).'
+    description: 'The path to the file containing the attestation bundle.'
     value: ${{ steps.attest.outputs.bundle-path }}
+  attestation-id:
+    description: 'The ID of the attestation.'
+    value: ${{ steps.attest.outputs.attestation-id }}
+  attestation-url:
+    description: 'The URL for the attestation summary.'
+    value: ${{ steps.attest.outputs.attestation-url }}
 
 runs:
   using: 'composite'
   steps:
-    - uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
+    - uses: actions/attest-sbom/predicate@55e972012fb8695c1b0049174547f1fcb4baa8a5 # predicate@2.0.0
       id: generate-sbom-predicate
       with:
         sbom-path: ${{ inputs.sbom-path }}
-    - uses: actions/attest@8afbcf6e5e31a04f9ef7ca7ee40a0d91e263da5a # v1.3.2
+    - uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
       id: attest
+      env:
+        NODE_OPTIONS: '--max-http-header-size=32768'
       with:
         subject-path: ${{ inputs.subject-path }}
         subject-digest: ${{ inputs.subject-digest }}
         subject-name: ${{ inputs.subject-name }}
+        subject-checksums: ${{ inputs.subject-checksums }}
         predicate-type:
           ${{ steps.generate-sbom-predicate.outputs.predicate-type }}
         predicate-path:
           ${{ steps.generate-sbom-predicate.outputs.predicate-path }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: ${{ inputs.show-summary }}
         github-token: ${{ inputs.github-token }}

dist/licenses.txt

@@ -10,6 +10,18 @@ The above copyright notice and this permission notice shall be included in all c
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+@actions/exec
+MIT
+The MIT License (MIT)
+
+Copyright 2019 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
 @actions/http-client
 MIT
 Actions Http Client for Node.js
@@ -35,6 +47,18 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 
+@actions/io
+MIT
+The MIT License (MIT)
+
+Copyright 2019 GitHub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
 @fastify/busboy
 MIT
 Copyright Brian White. All rights reserved.
@@ -105,16 +129,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
-
-
-uuid
-MIT
-The MIT License (MIT)
-
-Copyright (c) 2010-2020 Robert Kieffer and other contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

eslint.config.mjs

@@ -0,0 +1,92 @@
+import eslint from '@eslint/js'
+import importplugin from 'eslint-plugin-import'
+import jestplugin from 'eslint-plugin-jest'
+import tseslint from 'typescript-eslint'
+
+export default tseslint.config(
+  // Ignore non-project files
+  {
+    name: 'ignore',
+    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs']
+  },
+  // Use recommended rules from ESLint, TypeScript, and other plugins
+  eslint.configs.recommended,
+  tseslint.configs.recommendedTypeChecked,
+  jestplugin.configs['flat/recommended'],
+  importplugin.flatConfigs.recommended,
+  importplugin.flatConfigs.typescript,
+  // Override some rules
+  {
+    name: 'project-settings',
+    languageOptions: {
+      ecmaVersion: 2023,
+      parserOptions: {
+        project: ['./tsconfig.lint.json']
+      }
+    },
+    rules: {
+      // eslint rules
+      eqeqeq: ['error', 'smart'],
+      'func-style': ['error', 'declaration', { allowArrowFunctions: true }],
+      'no-console': 'off',
+      'no-implicit-globals': 'error',
+      'no-inner-declarations': 'error',
+      'no-invalid-this': 'error',
+      'no-return-assign': 'error',
+      'no-sequences': 'error',
+      'no-shadow': 'error',
+      'no-useless-concat': 'error',
+      'object-shorthand': ['error', 'always', { avoidQuotes: true }],
+      'one-var': ['error', 'never'],
+      'prefer-template': 'error',
+
+      // typescript-eslint rules
+      '@typescript-eslint/array-type': 'error',
+      '@typescript-eslint/consistent-type-assertions': 'error',
+      '@typescript-eslint/explicit-function-return-type': [
+        'error',
+        { allowExpressions: true }
+      ],
+      '@typescript-eslint/explicit-member-accessibility': [
+        'error',
+        { accessibility: 'no-public' }
+      ],
+      '@typescript-eslint/no-extraneous-class': 'error',
+      '@typescript-eslint/no-inferrable-types': 'error',
+      '@typescript-eslint/no-non-null-assertion': 'warn',
+      '@typescript-eslint/no-unnecessary-qualifier': 'error',
+      '@typescript-eslint/no-unsafe-assignment': 'off',
+      '@typescript-eslint/no-useless-constructor': 'error',
+      '@typescript-eslint/prefer-for-of': 'warn',
+      '@typescript-eslint/prefer-function-type': 'warn',
+      '@typescript-eslint/prefer-includes': 'error',
+      '@typescript-eslint/prefer-string-starts-ends-with': 'error',
+      '@typescript-eslint/promise-function-async': 'error',
+      '@typescript-eslint/require-array-sort-compare': 'error',
+      '@typescript-eslint/restrict-template-expressions': 'off',
+
+      // eslint-plugin-import rules
+      'import/extensions': 'error',
+      'import/first': 'error',
+      'import/no-absolute-path': 'error',
+      'import/no-commonjs': 'error',
+      'import/no-deprecated': 'warn',
+      'import/no-dynamic-require': 'error',
+      'import/no-extraneous-dependencies': 'error',
+      'import/no-mutable-exports': 'error',
+      'import/no-namespace': 'off',
+      'import/no-unresolved': ['error', { ignore: ['csv-parse/sync'] }],
+      'import/no-anonymous-default-export': [
+        'error',
+        {
+          allowAnonymousClass: false,
+          allowAnonymousFunction: false,
+          allowArray: true,
+          allowArrowFunction: false,
+          allowLiteral: true,
+          allowObject: true
+        }
+      ]
+    }
+  }
+)

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest-sbom",
   "description": "Generate signed SBOM attestations",
-  "version": "1.0.0",
+  "version": "2.0.0",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest-sbom",
@@ -21,15 +21,15 @@
     ".": "./dist/index.js"
   },
   "engines": {
-    "node": ">=20"
+    "node": ">=24"
   },
   "scripts": {
     "bundle": "npm run format:write && npm run package",
     "ci-test": "jest",
     "format:write": "prettier --write **/*.ts",
     "format:check": "prettier --check **/*.ts",
-    "lint:eslint": "npx eslint . -c ./.github/linters/.eslintrc.yml",
-    "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
+    "lint:eslint": "npx eslint",
+    "lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"",
     "lint": "npm run lint:eslint && npm run lint:markdown",
     "package": "ncc build src/index.ts --license licenses.txt",
     "package:watch": "npm run package -- --watch",
@@ -70,25 +70,22 @@
     ]
   },
   "dependencies": {
-    "@actions/core": "^1.10.1"
+    "@actions/core": "^1.11.1"
   },
   "devDependencies": {
-    "@actions/attest": "^1.3.0",
-    "@types/jest": "^29.5.12",
-    "@types/node": "^20.14.2",
-    "@typescript-eslint/eslint-plugin": "^7.13.0",
-    "@typescript-eslint/parser": "^7.13.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-plugin-github": "^5.0.1",
-    "eslint-plugin-jest": "^28.6.0",
-    "eslint-plugin-jsonc": "^2.16.0",
-    "eslint-plugin-prettier": "^5.1.3",
-    "jest": "^29.7.0",
-    "markdownlint-cli": "^0.41.0",
-    "prettier": "^3.3.2",
-    "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.5",
-    "typescript": "^5.4.5"
+    "@actions/attest": "^1.6.0",
+    "@eslint/js": "^9.34.0",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^24.3.0",
+    "@vercel/ncc": "^0.38.3",
+    "eslint": "^9.34.0",
+    "eslint-plugin-import": "^2.32.0",
+    "eslint-plugin-jest": "^29.0.1",
+    "jest": "^30.1.1",
+    "markdownlint-cli": "^0.45.0",
+    "prettier": "^3.6.2",
+    "ts-jest": "^29.4.1",
+    "typescript": "^5.9.2",
+    "typescript-eslint": "^8.41.0"
   }
 }

predicate/action.yml

@@ -15,5 +15,5 @@ outputs:
     description: >
       URI identifying the type of the predicate.
 runs:
-  using: node20
+  using: node24
   main: ../dist/index.js

src/sbom.ts

@@ -12,7 +12,7 @@ export async function parseSBOMFromPath(filePath: string): Promise<SBOM> {
   // Read the file content
   const fileContent = await fs.promises.readFile(filePath, 'utf8')
 
-  const sbom = JSON.parse(fileContent)
+  const sbom = JSON.parse(fileContent) as object
 
   if (checkIsSPDX(sbom)) {
     return { type: 'spdx', object: sbom }
@@ -66,13 +66,14 @@ export const storePredicate = (predicate: Predicate): string => {
 }
 
 export const generateSBOMPredicate = (sbom: SBOM): Predicate => {
-  if (sbom.type === 'spdx') {
-    return generateSPDXIntoto(sbom.object)
+  switch (sbom.type) {
+    case 'spdx':
+      return generateSPDXIntoto(sbom.object)
+    case 'cyclonedx':
+      return generateCycloneDXIntoto(sbom.object)
+    default:
+      throw new Error('Unsupported SBOM format')
   }
-  if (sbom.type === 'cyclonedx') {
-    return generateCycloneDXIntoto(sbom.object)
-  }
-  throw new Error('Unsupported SBOM format')
 }
 
 // ref: https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md

tsconfig.json

@@ -5,6 +5,7 @@
     "module": "NodeNext",
     "rootDir": "./src",
     "moduleResolution": "NodeNext",
+    "isolatedModules": true,
     "baseUrl": "./",
     "sourceMap": true,
     "outDir": "./dist",

tsconfig.lint.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "noEmit": true
+  },
+  "include": ["./__tests__/**/*", "./src/**/*"],
+  "exclude": ["./dist", "./node_modules", "./coverage", "*.json"]
+}