101 lines
3.7 KiB
YAML
101 lines
3.7 KiB
YAML
name: 'Attest SBOM'
|
|
description: 'Generate SBOM attestations for build artifacts'
|
|
author: 'GitHub'
|
|
|
|
inputs:
|
|
subject-path:
|
|
description: >
|
|
Path to the artifact serving as the subject of the attestation. Must
|
|
specify exactly one of "subject-path" or "subject-digest".
|
|
required: false
|
|
subject-digest:
|
|
description: >
|
|
SHA256 digest of the subject for for the attestation. Must be in the form
|
|
"sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of
|
|
"subject-path" or "subject-digest".
|
|
required: false
|
|
subject-name:
|
|
description: >
|
|
Subject name as it should appear in the attestation. Required unless
|
|
"subject-path" is specified, in which case it will be inferred from the
|
|
path.
|
|
sbom-path:
|
|
description: >
|
|
Path to the JSON-formatted SBOM file to attest. When specified, the
|
|
"scan-path" and "sbom-format" inputs are ignored.
|
|
required: false
|
|
scan-path:
|
|
description: >
|
|
Path on the filesystem to scan for SBOM generation. Ignored if "sbom-path"
|
|
is specified.
|
|
default: ${{ github.workspace }}
|
|
required: false
|
|
sbom-format:
|
|
description: >
|
|
Format to use for the generated SBOM output. Supported formats are "spdx"
|
|
and "cyclonedx". Ignored if "sbom-path" is specified.
|
|
default: 'spdx'
|
|
required: false
|
|
push-to-registry:
|
|
description: >
|
|
Whether to push the provenance statement to the image registry. Requires
|
|
that the "subject-name" parameter specify the fully-qualified image name
|
|
and that the "subject-digest" parameter be specified. Defaults to false.
|
|
default: false
|
|
required: false
|
|
github-token:
|
|
description: >
|
|
The GitHub token used to make authenticated API requests.
|
|
default: ${{ github.token }}
|
|
required: false
|
|
outputs:
|
|
bundle-path:
|
|
description: 'The path to the file containing the attestation bundle(s).'
|
|
value: ${{ steps.attest.outputs.bundle-path }}
|
|
|
|
runs:
|
|
using: 'composite'
|
|
steps:
|
|
- name: Generate random SBOM output file name
|
|
if: inputs.sbom-path == ''
|
|
id: sbom-output
|
|
run:
|
|
echo "path=${{ runner.temp }}/sbom_$(openssl rand -hex 6).json" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
- name: SBOM format check
|
|
id: check-sbom-format
|
|
if: inputs.sbom-path == ''
|
|
run: |
|
|
if [ "${{inputs.sbom-format}}" != "spdx" ] && [ "${{inputs.sbom-format}}" != "cyclonedx" ] ]; then
|
|
echo "Invalid SBOM format. Supported formats are spdx and cyclonedx."
|
|
exit 1
|
|
elif [ "${{inputs.sbom-format}}" == "spdx" ]; then
|
|
echo "format=spdx-json" >> $GITHUB_OUTPUT
|
|
elif [ "${{inputs.sbom-format}}" == "cyclonedx" ]; then
|
|
echo "format=cyclonedx-json" >> $GITHUB_OUTPUT
|
|
fi
|
|
shell: bash
|
|
- name: Generate SBOM
|
|
if: inputs.sbom-path == ''
|
|
uses: anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
|
|
with:
|
|
path: ${{ inputs.scan-path }}
|
|
output-file: ${{ steps.sbom-output.outputs.path }}
|
|
format: ${{ steps.check-sbom-format.outputs.format }}
|
|
- uses: actions/attest-sbom/predicate@main
|
|
id: generate-sbom-predicate
|
|
with:
|
|
sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}
|
|
- uses: actions/attest@main
|
|
id: attest
|
|
with:
|
|
subject-path: ${{ inputs.subject-path }}
|
|
subject-digest: ${{ inputs.subject-digest }}
|
|
subject-name: ${{ inputs.subject-name }}
|
|
push-to-registry: ${{ inputs.push-to-registry }}
|
|
predicate-type:
|
|
${{ steps.generate-sbom-predicate.outputs.predicate-type }}
|
|
predicate-path:
|
|
${{ steps.generate-sbom-predicate.outputs.predicate-path }}
|
|
github-token: ${{ inputs.github-token }}
|