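---
# Composite action: generates (or accepts) an SBOM and wraps it in a signed
# attestation for a build artifact by delegating to actions/attest.
#
# Flow when "sbom-path" is empty: pick a temp output path -> validate
# "sbom-format" -> run anchore/sbom-action -> build the SBOM predicate ->
# attest. When "sbom-path" is given, the first three steps are skipped.
name: 'Attest SBOM'
description: 'Generate SBOM attestations for build artifacts'
author: 'GitHub'

inputs:
  subject-path:
    description: >
      Path to the artifact serving as the subject of the attestation. Must
      specify exactly one of "subject-path" or "subject-digest".
    required: false
  subject-digest:
    description: >
      SHA256 digest of the subject for the attestation. Must be in the form
      "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
      of "subject-path" or "subject-digest".
    required: false
  subject-name:
    description: >
      Subject name as it should appear in the attestation. Required unless
      "subject-path" is specified, in which case it will be inferred from the
      path.
    required: false
  sbom-path:
    description: >
      Path to the JSON-formatted SBOM file to attest. When specified, the
      "scan-path" and "sbom-format" inputs are ignored.
    required: false
  scan-path:
    description: >
      Path on the filesystem to scan for SBOM generation. Ignored if
      "sbom-path" is specified.
    default: ${{ github.workspace }}
    required: false
  sbom-format:
    description: >
      Format to use for the generated SBOM output. Supported formats are
      "spdx" and "cyclonedx". Ignored if "sbom-path" is specified.
    default: 'spdx'
    required: false
  push-to-registry:
    description: >
      Whether to push the attestation to the image registry. Requires that the
      "subject-name" parameter specify the fully-qualified image name and that
      the "subject-digest" parameter be specified. Defaults to false.
    default: false
    required: false
  github-token:
    description: >
      The GitHub token used to make authenticated API requests.
    default: ${{ github.token }}
    required: false

outputs:
  bundle-path:
    description: 'The path to the file containing the attestation bundle(s).'
    value: ${{ steps.attest.outputs.bundle-path }}

runs:
  using: 'composite'
  steps:
    - name: Generate random SBOM output file name
      if: inputs.sbom-path == ''
      id: sbom-output
      # RUNNER_TEMP is the environment equivalent of ${{ runner.temp }}; reading
      # it from the environment keeps the script free of expression expansion.
      run: echo "path=${RUNNER_TEMP}/sbom_$(openssl rand -hex 6).json" >> "$GITHUB_OUTPUT"
      shell: bash

    - name: SBOM format check
      id: check-sbom-format
      if: inputs.sbom-path == ''
      # The input is passed via the environment instead of being interpolated
      # with ${{ }} into the script body, so its contents are never parsed as
      # shell syntax. The original test also carried a stray "]" that made the
      # invalid-format branch fail to fire; a case statement avoids that class
      # of bracket-matching error entirely.
      env:
        SBOM_FORMAT: ${{ inputs.sbom-format }}
      run: |
        case "$SBOM_FORMAT" in
          spdx)
            echo "format=spdx-json" >> "$GITHUB_OUTPUT"
            ;;
          cyclonedx)
            echo "format=cyclonedx-json" >> "$GITHUB_OUTPUT"
            ;;
          *)
            echo "Invalid SBOM format. Supported formats are spdx and cyclonedx."
            exit 1
            ;;
        esac
      shell: bash

    - name: Generate SBOM
      if: inputs.sbom-path == ''
      uses: anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
      with:
        path: ${{ inputs.scan-path }}
        output-file: ${{ steps.sbom-output.outputs.path }}
        format: ${{ steps.check-sbom-format.outputs.format }}

    # Sibling action in this repository; "@main" here refers to this action's
    # own default branch, which composite actions cannot reference relatively.
    - uses: actions/attest-sbom/predicate@main
      id: generate-sbom-predicate
      with:
        # Either the caller-supplied SBOM or the one generated above.
        sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}

    # NOTE(review): this is a separate repository tracked by a mutable branch
    # ref. Unlike anchore/sbom-action above, it is not pinned to a commit SHA,
    # so a change to that branch alters what this action executes. Consider
    # pinning to a full commit SHA with a version comment, as done above.
    - uses: actions/attest@main
      id: attest
      with:
        subject-path: ${{ inputs.subject-path }}
        subject-digest: ${{ inputs.subject-digest }}
        subject-name: ${{ inputs.subject-name }}
        push-to-registry: ${{ inputs.push-to-registry }}
        predicate-type: ${{ steps.generate-sbom-predicate.outputs.predicate-type }}
        predicate-path: ${{ steps.generate-sbom-predicate.outputs.predicate-path }}
        github-token: ${{ inputs.github-token }}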