88 lines
3.2 KiB
YAML
88 lines
3.2 KiB
YAML
name: 'Attest SBOM'
|
|
description: 'Generate SBOM attestations for build artifacts'
|
|
author: 'GitHub'
|
|
branding:
|
|
color: 'blue'
|
|
icon: 'paperclip'
|
|
|
|
inputs:
|
|
subject-path:
|
|
description: >
|
|
Path to the artifact serving as the subject of the attestation. Must
|
|
specify exactly one of "subject-path", "subject-digest", or
|
|
"subject-checksums". May contain a glob pattern or list of paths (total
|
|
subject count cannot exceed 1024).
|
|
required: false
|
|
subject-digest:
|
|
description: >
|
|
SHA256 digest of the subject for the attestation. Must be in the form
|
|
"sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of
|
|
"subject-path", "subject-digest", or "subject-checksums".
|
|
required: false
|
|
subject-name:
|
|
description: >
|
|
Subject name as it should appear in the attestation. Required when
|
|
identifying the subject with the "subject-digest" input.
|
|
subject-checksums:
|
|
description: >
|
|
Path to checksums file containing digest and name of subjects for
|
|
attestation. Must specify exactly one of "subject-path", "subject-digest",
|
|
or "subject-checksums".
|
|
required: false
|
|
sbom-path:
|
|
description: >
|
|
Path to the JSON-formatted SBOM file to attest. File size cannot exceed
|
|
16MB.
|
|
required: true
|
|
push-to-registry:
|
|
description: >
|
|
Whether to push the provenance statement to the image registry. Requires
|
|
that the "subject-name" parameter specify the fully-qualified image name
|
|
and that the "subject-digest" parameter be specified. Defaults to false.
|
|
default: false
|
|
required: false
|
|
show-summary:
|
|
description: >
|
|
Whether to attach a list of generated attestations to the workflow run
|
|
summary page. Defaults to true.
|
|
default: true
|
|
required: false
|
|
github-token:
|
|
description: >
|
|
The GitHub token used to make authenticated API requests.
|
|
default: ${{ github.token }}
|
|
required: false
|
|
|
|
outputs:
|
|
bundle-path:
|
|
description: 'The path to the file containing the attestation bundle.'
|
|
value: ${{ steps.attest.outputs.bundle-path }}
|
|
attestation-id:
|
|
description: 'The ID of the attestation.'
|
|
value: ${{ steps.attest.outputs.attestation-id }}
|
|
attestation-url:
|
|
description: 'The URL for the attestation summary.'
|
|
value: ${{ steps.attest.outputs.attestation-url }}
|
|
|
|
runs:
|
|
using: 'composite'
|
|
steps:
|
|
- uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
|
|
id: generate-sbom-predicate
|
|
with:
|
|
sbom-path: ${{ inputs.sbom-path }}
|
|
- uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0
|
|
id: attest
|
|
with:
|
|
subject-path: ${{ inputs.subject-path }}
|
|
subject-digest: ${{ inputs.subject-digest }}
|
|
subject-name: ${{ inputs.subject-name }}
|
|
subject-checksums: ${{ inputs.subject-checksums }}
|
|
predicate-type:
|
|
${{ steps.generate-sbom-predicate.outputs.predicate-type }}
|
|
predicate-path:
|
|
${{ steps.generate-sbom-predicate.outputs.predicate-path }}
|
|
push-to-registry: ${{ inputs.push-to-registry }}
|
|
show-summary: ${{ inputs.show-summary }}
|
|
github-token: ${{ inputs.github-token }}
|