# `actions/attest-sbom`

<!-- prettier-ignore-start -->
> [!WARNING]
> This action is being deprecated in favor of [`actions/attest`][9]. `actions/attest-sbom` will continue to function as a wrapper on top of `actions/attest` for some period of time, but applications should make plans to migrate.
>
> All of the existing action inputs are compatible with the `actions/attest` interface.
<!-- prettier-ignore-end -->

Generate signed SBOM attestations for workflow artifacts. Internally powered by
the [@actions/attest][1] package.

Attestations bind some subject (a named artifact along with its digest) to a a
Software Bill of Materials (SBOM) using the [in-toto][2] format. The action
accepts SBOMs which have been generated by external tools. Provided SBOMs must
be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format.

A verifiable signature is generated for the attestation using a short-lived
[Sigstore][6]-issued signing certificate. If the repository initiating the
GitHub Actions workflow is public, the public-good instance of Sigstore will be
used to generate the attestation signature. If the repository is
private/internal, it will use the GitHub private Sigstore instance.

Once the attestation has been created and signed, it will be uploaded to the GH
attestations API and associated with the repository from which the workflow was
initiated.

Attestations can be verified using the [`attestation` command in the GitHub
CLI][7].

See [Using artifact attestations to establish provenance for builds][8] for more
information on artifact attestations.

<!-- prettier-ignore-start -->
> [!NOTE]
> Artifact attestations are available in public repositories for all
> current GitHub plans. They are not available on legacy plans, such as Bronze,
> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
> artifact attestations are only available for public repositories. To use
> artifact attestations in private or internal repositories, you must be on a
> GitHub Enterprise Cloud plan.
<!-- prettier-ignore-end -->

## Usage

**As of version 4, `actions/attest-sbom` is simply a wrapper on top of
[`actions/attest`][9].**

Please see the [`actions/attest`][9] repository for usage information.

Documentation for previous versions of this action can be found [here][10].

[1]: https://github.com/actions/toolkit/tree/main/packages/attest
[2]: https://github.com/in-toto/attestation/tree/main/spec/v1
[4]: https://spdx.dev/
[5]: https://cyclonedx.org/
[6]: https://www.sigstore.dev/
[7]: https://cli.github.com/manual/gh_attestation_verify
[8]:
  https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
[9]: https://github.com/actions/attest
[10]:
  https://github.com/actions/attest-sbom/tree/v3.0.0?tab=readme-ov-file#actionsattest-sbom