add attestation-id and attestation-url outputs (#137)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

README.md

@@ -24,6 +24,16 @@ CLI][7].
 See [Using artifact attestations to establish provenance for builds][11] for
 more information on artifact attestations.
 
+<!-- prettier-ignore-start -->
+> [!NOTE]
+> Artifact attestations are available in public repositories for all
+> current GitHub plans. They are not available on legacy plans, such as Bronze,
+> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
+> artifact attestations are only available for public repositories. To use
+> artifact attestations in private or internal repositories, you must be on a
+> GitHub Enterprise Cloud plan.
+<!-- prettier-ignore-end -->
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -45,7 +55,7 @@ attest:
    your SBOM has been generated:
 
    ```yaml
-   - uses: actions/attest-sbom@v1
+   - uses: actions/attest-sbom@v2
      with:
        subject-path: '<PATH TO ARTIFACT>'
        sbom-path: '<PATH TO SBOM>'
@@ -60,7 +70,7 @@ attest:
 See [action.yml](action.yml)
 
 ```yaml
-- uses: actions/attest-sbom@v1
+- uses: actions/attest-sbom@v2
   with:
     # Path to the artifact serving as the subject of the attestation. Must
     # specify exactly one of "subject-path" or "subject-digest". May contain a
@@ -99,9 +109,11 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name          | Description                                                    | Example                |
-| ------------- | -------------------------------------------------------------- | ---------------------- |
-| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestaion.json` |
+| Name              | Description                                                    | Example                                          |
+| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
+| `attestation-id`  | GitHub ID for the attestation                                  | `123456`                                         |
+| `attestation-url` | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
+| `bundle-path`     | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
 
 <!-- markdownlint-enable MD013 -->
 
@@ -136,6 +148,7 @@ on:
 
 jobs:
   build:
+    runs-on: ubuntu-latest
     permissions:
       id-token: write
       contents: read
@@ -152,7 +165,7 @@ jobs:
           format: 'spdx-json'
           output-file: 'sbom.spdx.json'
       - name: Attest
-        uses: actions/attest-sbom@v1
+        uses: actions/attest-sbom@v2
         with:
           subject-path: '${{ github.workspace }}/my-app'
           sbom-path: 'sbom.spdx.json'
@@ -164,7 +177,7 @@ If you are generating multiple artifacts, you can attest all of them at the same
 time by using a wildcard in the `subject-path` input.
 
 ```yaml
-- uses: actions/attest-sbom@v1
+- uses: actions/attest-sbom@v2
   with:
     subject-path: 'dist/**/my-bin-*'
     sbom-path: '${{ github.workspace }}/my-bin.sbom.spdx.json'
@@ -177,13 +190,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
 newline delimited list:
 
 ```yaml
-- uses: actions/attest-sbom@v1
+- uses: actions/attest-sbom@v2
   with:
     subject-path: 'dist/foo, dist/bar'
 ```
 
 ```yaml
-- uses: actions/attest-sbom@v1
+- uses: actions/attest-sbom@v2
   with:
     subject-path: |
       dist/foo
@@ -246,7 +259,7 @@ jobs:
           format: 'cyclonedx-json'
           output-file: 'sbom.cyclonedx.json'
       - name: Attest
-        uses: actions/attest-sbom@v1
+        uses: actions/attest-sbom@v2
         id: attest
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

action.yml

@@ -51,6 +51,12 @@ outputs:
   bundle-path:
     description: 'The path to the file containing the attestation bundle.'
     value: ${{ steps.attest.outputs.bundle-path }}
+  attestation-id:
+    description: 'The ID of the attestation.'
+    value: ${{ steps.attest.outputs.attestation-id }}
+  attestation-url:
+    description: 'The URL for the attestation summary.'
+    value: ${{ steps.attest.outputs.attestation-url }}
 
 runs:
   using: 'composite'
@@ -59,7 +65,7 @@ runs:
       id: generate-sbom-predicate
       with:
         sbom-path: ${{ inputs.sbom-path }}
-    - uses: actions/attest@v2.0.0
+    - uses: actions/attest@v2.1.0
       id: attest
       with:
         subject-path: ${{ inputs.subject-path }}

package-lock.json

@@ -19,13 +19,13 @@
         "@typescript-eslint/parser": "^7.18.0",
         "@vercel/ncc": "^0.38.3",
         "eslint": "^8.57.1",
-        "eslint-plugin-github": "^5.1.3",
+        "eslint-plugin-github": "^5.1.4",
         "eslint-plugin-jest": "^28.9.0",
         "eslint-plugin-jsonc": "^2.18.2",
         "eslint-plugin-prettier": "^5.2.1",
         "jest": "^29.7.0",
         "markdownlint-cli": "^0.43.0",
-        "prettier": "^3.4.1",
+        "prettier": "^3.4.2",
         "prettier-eslint": "^16.3.0",
         "ts-jest": "^29.2.5",
         "typescript": "^5.7.2"
@@ -3833,11 +3833,10 @@
       }
     },
     "node_modules/eslint-plugin-github": {
-      "version": "5.1.3",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-5.1.3.tgz",
-      "integrity": "sha512-/0lyEqLLodXW3p+D9eYtmEp6e9DcJmV5FhnE9wNWV1bcqyShuZFXn5kOeJIvxSbFbdbrKiNO8zFiV/VXeSpRSw==",
+      "version": "5.1.4",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-5.1.4.tgz",
+      "integrity": "sha512-j5IgIxsDoch06zJzeqPvenfzRXDKI9Z8YwfUg1pm2ay1q44tMSFwvEu6l0uEIrTpA3v8QdPyLr98LqDl1TIhSA==",
       "dev": true,
-      "license": "MIT",
       "dependencies": {
         "@eslint/compat": "^1.2.3",
         "@eslint/eslintrc": "^3.1.0",
@@ -7472,11 +7471,10 @@
       }
     },
     "node_modules/prettier": {
-      "version": "3.4.1",
-      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.4.1.tgz",
-      "integrity": "sha512-G+YdqtITVZmOJje6QkXQWzl3fSfMxFwm1tjTyo9exhkmWSqC4Yhd1+lug++IlR2mvRVAxEDDWYkQdeSztajqgg==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.4.2.tgz",
+      "integrity": "sha512-e9MewbtFo+Fevyuxn/4rrcDAaq0IYxPGLvObpQjiZBMAzB9IGmzlnG9RZy3FFas+eBMu2vA0CszMeduow5dIuQ==",
       "dev": true,
-      "license": "MIT",
       "bin": {
         "prettier": "bin/prettier.cjs"
       },

package.json

@@ -80,13 +80,13 @@
     "@typescript-eslint/parser": "^7.18.0",
     "@vercel/ncc": "^0.38.3",
     "eslint": "^8.57.1",
-    "eslint-plugin-github": "^5.1.3",
+    "eslint-plugin-github": "^5.1.4",
     "eslint-plugin-jest": "^28.9.0",
     "eslint-plugin-jsonc": "^2.18.2",
     "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
     "markdownlint-cli": "^0.43.0",
-    "prettier": "^3.4.1",
+    "prettier": "^3.4.2",
     "prettier-eslint": "^16.3.0",
     "ts-jest": "^29.2.5",
     "typescript": "^5.7.2"