From 6e9708eee513ccabaf36e025271a4d833d812741 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Tue, 27 Feb 2024 16:41:49 -0800
Subject: [PATCH] create release attestation in CI test (#9)
Signed-off-by: Brian DeHamer
---
 .github/workflows/ci.yml | 19 ++++++++++++++-----
 __tests__/data/sbom.json | 41 ----------------------------------------
 2 files changed, 14 insertions(+), 46 deletions(-)
 delete mode 100644 __tests__/data/sbom.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de9abc1..afeb689 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,18 +52,27 @@ jobs:
 contents: read
 id-token: write
 packages: write
-
+ env:
+ SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }}
 steps:
 - name: Checkout
 id: checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Calculate subject digest
+ id: subject
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ SHA_256=$(gh api "${{ env.SUBJECT }}" | shasum -a 256 | cut -d " " -f 1)
+ echo "sha-256=${SHA_256}" >> "$GITHUB_OUTPUT"
 - name: Run attest
 id: attest
 uses: ./
 with:
- subject-path: ${{ github.workspace }}/README.md
- predicate-path: ${{ github.workspace }}/__tests__/data/sbom.json
- predicate-type: 'https://spdx.dev/Document/v2.3'
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ subject-name: 'https://api.github.com${{ env.SUBJECT }}'
+ subject-digest: 'sha256:${{ steps.subject.outputs.sha-256 }}'
+ predicate-type: 'https://in-toto.io/attestation/release/v0.1'
+ predicate:
+ '{"purl":"pkg:github/${{ github.repository }}@${{ github.sha }}"}'
 - name: Dump output
 run: jq < ${{ steps.attest.outputs.bundle-path }}
diff --git a/__tests__/data/sbom.json b/__tests__/data/sbom.json
deleted file mode 100644
index b99e92e..0000000
--- a/__tests__/data/sbom.json
+++ /dev/null
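Review bot: In the new `Calculate subject digest` step a failing `gh api` call is masked, because the default `run:` shell does not set `pipefail`: the pipeline's status is that of `cut`, `SHA_256` becomes the SHA-256 of an empty stream, and the attest step then signs that bogus `subject-digest` instead of failing. Add `shell: bash` to the step (GitHub then runs it with `-eo pipefail`) or begin the script with `set -o pipefail`, and read the value from the environment rather than interpolating it into the script: `SHA_256=$(gh api "$SUBJECT" | shasum -a 256 | cut -d " " -f 1)`. The job-level `SUBJECT` env is already exported to the shell, so the `${{ env.SUBJECT }}` expansion inside `run:` is not needed. Whether the on-demand tarball served by that endpoint is byte-stable across runs is not visible here; if it is not, the recorded digest may not be reproducible by a later verifier, which deserves a comment on the `env:` block, e.g. `# digest of an on-demand tarball; confirm it is stable before relying on it for verification`.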
@@ -1,41 +0,0 @@
-{
- "spdxVersion": "SPDX-2.3",
- "dataLicense": "CC0-1.0",
- "SPDXID": "SPDXRef-DOCUMENT",
- "name": "./",
- "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
- "creationInfo": {
- "licenseListVersion": "3.22",
- "creators": [
- "Organization: Anchore, Inc",
- "Tool: syft-0.103.1"
- ],
- "created": "2024-01-31T18:22:50Z"
- },
- "packages": [
- {
- "name": "@ampproject/remapping",
- "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
- "versionInfo": "2.2.1",
- "supplier": "NOASSERTION",
- "downloadLocation": "NOASSERTION",
- "filesAnalyzed": false,
- "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
- "licenseConcluded": "NOASSERTION",
- "licenseDeclared": "Apache-2.0",
- "copyrightText": "NOASSERTION",
- "externalRefs": [
- {
- "referenceCategory": "SECURITY",
- "referenceType": "cpe23Type",
- "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
- },
- {
- "referenceCategory": "PACKAGE-MANAGER",
- "referenceType": "purl",
- "referenceLocator": "pkg:npm/%40ampproject/remapping@2.2.1"
- }
- ]
- }
- ]
-}
\ No newline at end of file