create release attestation in CI test (#9)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-02-27 16:41:49 -08:00
parent cd41983e6f
commit 6e9708eee5
2 changed files with 14 additions and 46 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,18 +52,27 @@ jobs:
      contents: read
      id-token: write
      packages: write
-
+    env:
+      SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }}
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Calculate subject digest
+        id: subject
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          SHA_256=$(gh api "${{ env.SUBJECT }}" | shasum -a 256 | cut -d " " -f 1)
+          echo "sha-256=${SHA_256}" >> "$GITHUB_OUTPUT"
      - name: Run attest
        id: attest
        uses: ./
        with:
-          subject-path: ${{ github.workspace }}/README.md
-          predicate-path: ${{ github.workspace }}/__tests__/data/sbom.json
-          predicate-type: 'https://spdx.dev/Document/v2.3'
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          subject-name: 'https://api.github.com${{ env.SUBJECT }}'
+          subject-digest: 'sha256:${{ steps.subject.outputs.sha-256 }}'
+          predicate-type: 'https://in-toto.io/attestation/release/v0.1'
+          predicate:
+            '{"purl":"pkg:github/${{ github.repository }}@${{ github.sha }}"}'
      - name: Dump output
        run: jq < ${{ steps.attest.outputs.bundle-path }}
--- a/tests/data/sbom.json
+++ b/tests/data/sbom.json
@@ -1,41 +0,0 @@
-{
-    "spdxVersion": "SPDX-2.3",
-    "dataLicense": "CC0-1.0",
-    "SPDXID": "SPDXRef-DOCUMENT",
-    "name": "./",
-    "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
-    "creationInfo": {
-      "licenseListVersion": "3.22",
-      "creators": [
-        "Organization: Anchore, Inc",
-        "Tool: syft-0.103.1"
-      ],
-      "created": "2024-01-31T18:22:50Z"
-    },
-    "packages": [
-      {
-        "name": "@ampproject/remapping",
-        "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
-        "versionInfo": "2.2.1",
-        "supplier": "NOASSERTION",
-        "downloadLocation": "NOASSERTION",
-        "filesAnalyzed": false,
-        "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
-        "licenseConcluded": "NOASSERTION",
-        "licenseDeclared": "Apache-2.0",
-        "copyrightText": "NOASSERTION",
-        "externalRefs": [
-          {
-            "referenceCategory": "SECURITY",
-            "referenceType": "cpe23Type",
-            "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
-          },
-          {
-            "referenceCategory": "PACKAGE-MANAGER",
-            "referenceType": "purl",
-            "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
-          }
-        ]
-      }
-    ]
-}