name: 'Attest SBOM'
description: 'Generate SBOM attestations for build artifacts'
author: 'GitHub'
branding:
  color: 'blue'
  icon: 'paperclip'

inputs:
  subject-path:
    description: >
      Path to the artifact serving as the subject of the attestation. Must
      specify exactly one of "subject-path", "subject-digest", or
      "subject-checksums". May contain a glob pattern or list of paths (total
      subject count cannot exceed 1024).
    required: false
  subject-digest:
    description: >
      SHA256 digest of the subject for the attestation. Must be in the form
      "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of
      "subject-path", "subject-digest", or "subject-checksums".
    required: false
  subject-name:
    description: >
      Subject name as it should appear in the attestation. Required when
      identifying the subject with the "subject-digest" input.
  subject-checksums:
    description: >
      Path to checksums file containing digest and name of subjects for
      attestation. Must specify exactly one of "subject-path", "subject-digest",
      or "subject-checksums".
    required: false
  sbom-path:
    description: >
      Path to the JSON-formatted SBOM file to attest. File size cannot exceed
      16MB.
    required: true
  push-to-registry:
    description: >
      Whether to push the provenance statement to the image registry. Requires
      that the "subject-name" parameter specify the fully-qualified image name
      and that the "subject-digest" parameter be specified. Defaults to false.
    default: false
    required: false
  show-summary:
    description: >
      Whether to attach a list of generated attestations to the workflow run
      summary page. Defaults to true.
    default: true
    required: false
  github-token:
    description: >
      The GitHub token used to make authenticated API requests.
    default: ${{ github.token }}
    required: false

outputs:
  bundle-path:
    description: 'The path to the file containing the attestation bundle.'
    value: ${{ steps.attest.outputs.bundle-path }}
  attestation-id:
    description: 'The ID of the attestation.'
    value: ${{ steps.attest.outputs.attestation-id }}
  attestation-url:
    description: 'The URL for the attestation summary.'
    value: ${{ steps.attest.outputs.attestation-url }}

runs:
  using: 'composite'
  steps:
    - shell: bash
      run: |
        echo "::warning::actions/attest-sbom has been deprecated, please use actions/attest instead"

    - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
      id: attest
      env:
        NODE_OPTIONS: '--max-http-header-size=32768'
      with:
        subject-path: ${{ inputs.subject-path }}
        subject-digest: ${{ inputs.subject-digest }}
        subject-name: ${{ inputs.subject-name }}
        subject-checksums: ${{ inputs.subject-checksums }}
        sbom-path: ${{ inputs.sbom-path }}
        push-to-registry: ${{ inputs.push-to-registry }}
        show-summary: ${{ inputs.show-summary }}
        github-token: ${{ inputs.github-token }}