Bump csv-parse from 5.5.6 to 5.6.0 (#175)

* Bump csv-parse from 5.5.6 to 5.6.0

Bumps [csv-parse](https://github.com/adaltas/node-csv/tree/HEAD/packages/csv-parse) from 5.5.6 to 5.6.0.
- [Changelog](https://github.com/adaltas/node-csv/blob/master/packages/csv-parse/CHANGELOG.md)
- [Commits](https://github.com/adaltas/node-csv/commits/csv-parse@5.6.0/packages/csv-parse)

---
updated-dependencies:
- dependency-name: csv-parse
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* rebuild dist

Signed-off-by: Brian DeHamer <bdehamer@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Brian DeHamer <bdehamer@github.com>

.github/linters/.eslintrc.yml

@@ -41,8 +41,7 @@ rules:
     'eslint-comments/no-unused-disable': 'off',
     'i18n-text/no-en': 'off',
     'import/no-namespace': 'off',
-    'import/no-unresolved':
-      ['error', { 'ignore': ['csv-parse/sync']}],
+    'import/no-unresolved': ['error', { 'ignore': ['csv-parse/sync'] }],
     'no-console': 'off',
     'no-unused-vars': 'off',
     'prettier/prettier': 'error',

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -46,5 +46,5 @@ jobs:
           TYPESCRIPT_DEFAULT_STYLE: prettier
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
+          VALIDATE_TYPESCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
-          VALIDATE_GITHUB_ACTIONS: false

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,22 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@v0.0.4

README.md

@@ -65,7 +65,7 @@ See [action.yml](action.yml)
   with:
     # Path to the artifact serving as the subject of the attestation. Must
     # specify exactly one of "subject-path" or "subject-digest". May contain
-    # a glob pattern or list of paths (total subject count cannot exceed 64).
+    # a glob pattern or list of paths (total subject count cannot exceed 1024).
     subject-path:
 
     # SHA256 digest of the subject for the attestation. Must be in the form
@@ -81,12 +81,14 @@ See [action.yml](action.yml)
     # URI identifying the type of the predicate.
     predicate-type:
 
-    # JSON string containing the value for the attestation predicate. Must
-    # supply exactly one of "predicate-path" or "predicate".
+    # String containing the value for the attestation predicate. String length
+    # cannot exceed 16MB. Must supply exactly one of "predicate-path" or
+    # "predicate".
     predicate:
 
-    # Path to the file which contains the JSON content for the attestation
-    # predicate. Must supply exactly one of "predicate-path" or "predicate".
+    # Path to the file which contains the content for the attestation predicate.
+    # File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
+    # or "predicate".
     predicate-path:
 
     # Whether to push the attestation to the image registry. Requires that the
@@ -94,6 +96,10 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -103,17 +109,27 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name          | Description                                                    | Example                  |
-| ------------- | -------------------------------------------------------------- | ------------------------ |
-| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.jsonl` |
+| Name          | Description                                                    | Example                 |
+| ------------- | -------------------------------------------------------------- | ----------------------- |
+| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
 
 <!-- markdownlint-enable MD013 -->
 
 Attestations are saved in the JSON-serialized [Sigstore bundle][6] format.
 
-If multiple subjects are being attested at the same time, each attestation will
-be written to the output file on a separate line (using the [JSON Lines][7]
-format).
+If multiple subjects are being attested at the same time, a single attestation
+will be created with references to each of the supplied subjects.
+
+## Attestation Limits
+
+### Subject Limits
+
+No more than 1024 subjects can be attested at the same time.
+
+### Predicate Limits
+
+Whether supplied via the `predicate` or `predicatePath` input, the predicate
+string cannot exceed 16MB.
 
 ## Examples
 
@@ -148,10 +164,10 @@ jobs:
           predicate: '{}'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
-If you are generating multiple artifacts, you can generate an attestation for
-each by using a wildcard in the `subject-path` input.
+If you are generating multiple artifacts, you can attest all of them at the same
+time by using a wildcard in the `subject-path` input.
 
 ```yaml
 - uses: actions/attest@v1
@@ -164,6 +180,23 @@ each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][8] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest@v1
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest@v1
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -175,8 +208,8 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
-> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
-> registry portion of the image name.
+> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
+> portion of the image name.
 
 ```yaml
 name: build-attested-image
@@ -232,7 +265,6 @@ jobs:
 [5]: https://cli.github.com/manual/gh_attestation_verify
 [6]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
-[7]: https://jsonlines.org/
 [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
 [9]:
   https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

RELEASE.md

@@ -11,6 +11,14 @@ Follow the steps below to tag a new release for the `actions/attest` action.
    gh release create vX.X.X
    ```
 
+1. Move (or create) the major version tag to point to the same commit tagged
+   above:
+
+   ```shell
+   git tag -fa vX -m "vX"
+   git push origin vX --force
+   ```
+
 1. As appropriate, update any actions like
    [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance)
    and [`actions/attest-sbom`](https://github.com/actions/attest-sbom) which

__tests__/index.test.ts

@@ -2,12 +2,17 @@
  * Unit tests for the action's entrypoint, src/index.ts
  */
 
+import * as core from '@actions/core'
 import * as main from '../src/main'
 
 // Mock the action's entrypoint
 const runMock = jest.spyOn(main, 'run').mockImplementation()
+const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
 
 describe('index', () => {
+  beforeEach(() => {
+    getBooleanInputMock.mockImplementation(() => false)
+  })
   it('calls run when imported', async () => {
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     require('../src/index')

__tests__/main.test.ts

@@ -20,8 +20,6 @@ import * as main from '../src/main'
 // Mock the GitHub Actions core library
 const infoMock = jest.spyOn(core, 'info')
 const startGroupMock = jest.spyOn(core, 'startGroup')
-const getInputMock = jest.spyOn(core, 'getInput')
-const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
 
@@ -38,12 +36,28 @@ const runMock = jest.spyOn(main, 'run')
 const mockAgent = new MockAgent()
 setGlobalDispatcher(mockAgent)
 
+const defaultInputs: main.RunInputs = {
+  predicate: '',
+  predicateType: '',
+  predicatePath: '',
+  subjectName: '',
+  subjectDigest: '',
+  subjectPath: '',
+  pushToRegistry: false,
+  showSummary: true,
+  githubToken: '',
+  privateSigning: false
+}
+
 describe('action', () => {
   // Capture original environment variables and GitHub context so we can restore
   // them after each test
   const originalEnv = process.env
   const originalContext = { ...github.context }
 
+  // Mock OIDC token endpoint
+  const tokenURL = 'https://token.url'
+
   // Fake an OIDC token
   const oidcSubject = 'foo@bar.com'
   const oidcPayload = { sub: oidcSubject, iss: '' }
@@ -62,9 +76,6 @@ describe('action', () => {
   beforeEach(() => {
     jest.clearAllMocks()
 
-    // Mock OIDC token endpoint
-    const tokenURL = 'https://token.url'
-
     nock(tokenURL)
       .get('/')
       .query({ audience: 'sigstore' })
@@ -95,56 +106,51 @@ describe('action', () => {
   })
 
   describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token'
     }
 
     beforeEach(() => {
       // Nullify the OIDC token URL
       process.env.ACTIONS_ID_TOKEN_REQUEST_URL = ''
-
-      getInputMock.mockImplementation(mockInput(inputs))
-      getBooleanInputMock.mockImplementation(() => false)
     })
 
     it('sets a failed status', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
-        expect.stringMatching(/missing "id-token" permission/)
-      )
-    })
-  })
-
-  describe('when no inputs are provided', () => {
-    beforeEach(() => {
-      getInputMock.mockImplementation(() => '')
-    })
-
-    it('sets a failed status', async () => {
-      await main.run()
-
-      expect(runMock).toHaveReturned()
-      expect(setFailedMock).toHaveBeenCalledWith(
-        expect.stringMatching(
-          /one of subject-path or subject-digest must be provided/i
+        new Error(
+          'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
         )
       )
     })
   })
 
+  describe('when no inputs are provided', () => {
+    it('sets a failed status', async () => {
+      await main.run(defaultInputs)
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).toHaveBeenCalledWith(
+        new Error('One of subject-path or subject-digest must be provided')
+      )
+    })
+  })
+
   describe('when the repository is private', () => {
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token'
     }
 
     beforeEach(async () => {
@@ -154,9 +160,6 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      getInputMock.mockImplementation(mockInput(inputs))
-      getBooleanInputMock.mockImplementation(() => false)
-
       await mockFulcio({
         baseURL: 'https://fulcio.githubapp.com',
         strict: false
@@ -165,7 +168,7 @@ describe('action', () => {
     })
 
     it('invokes the action w/o error', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).not.toHaveBeenCalledWith()
@@ -194,7 +197,7 @@ describe('action', () => {
       expect(setOutputMock).toHaveBeenNthCalledWith(
         1,
         'bundle-path',
-        expect.stringMatching('attestation.jsonl')
+        expect.stringMatching('attestation.json')
       )
       expect(setFailedMock).not.toHaveBeenCalled()
     })
@@ -204,12 +207,14 @@ describe('action', () => {
     const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
     const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
 
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token',
+      pushToRegistry: true
     }
 
     beforeEach(async () => {
@@ -219,11 +224,6 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      // Mock the action's inputs
-      getInputMock.mockImplementation(mockInput(inputs))
-      // This is where we mock the push-to-registry input
-      getBooleanInputMock.mockImplementation(() => true)
-
       await mockFulcio({
         baseURL: 'https://fulcio.sigstore.dev',
         strict: false
@@ -244,7 +244,7 @@ describe('action', () => {
     })
 
     it('invokes the action w/o error', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).not.toHaveBeenCalled()
@@ -283,17 +283,18 @@ describe('action', () => {
       expect(setOutputMock).toHaveBeenNthCalledWith(
         1,
         'bundle-path',
-        expect.stringMatching('attestation.jsonl')
+        expect.stringMatching('attestation.json')
       )
       expect(setFailedMock).not.toHaveBeenCalled()
     })
   })
 
-  describe('when too many subjects are specified', () => {
+  describe('when the subject count is greater than 1', () => {
     let dir = ''
+    const filename = 'subject'
 
     beforeEach(async () => {
-      const filename = 'subject'
+      const subjectCount = 5
       const content = 'file content'
 
       // Set-up temp directory
@@ -301,7 +302,7 @@ describe('action', () => {
       dir = await fs.mkdtemp(tmpDir + path.sep)
 
       // Add files for glob testing
-      for (let i = 0; i < 65; i++) {
+      for (let i = 0; i < subjectCount; i++) {
         await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
       }
 
@@ -311,14 +312,63 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      // Mock the action's inputs
-      getInputMock.mockImplementation(
-        mockInput({
-          predicate: '{}',
-          'subject-path': path.join(dir, `${filename}-*`)
-        })
+      // Set-up a Fulcio mock for each subject
+      await mockFulcio({
+        baseURL: 'https://fulcio.githubapp.com',
+        strict: false
+      })
+
+      // Set-up a TSA mock for each subject
+      await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
+    })
+
+    afterEach(async () => {
+      // Clean-up temp directory
+      await fs.rm(dir, { recursive: true })
+    })
+
+    it('invokes the action w/o error', async () => {
+      const inputs: main.RunInputs = {
+        ...defaultInputs,
+        subjectPath: path.join(dir, `${filename}-*`),
+        predicateType,
+        predicate,
+        githubToken: 'gh-token'
+      }
+      await main.run(inputs)
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(infoMock).toHaveBeenNthCalledWith(
+        1,
+        expect.stringMatching('Attestation created for 5 subjects')
       )
     })
+  })
+
+  describe('when the subject count exceeds the max', () => {
+    let dir = ''
+    const filename = 'subject'
+
+    beforeEach(async () => {
+      const subjectCount = 1025
+      const content = 'file content'
+
+      // Set-up temp directory
+      const tmpDir = await fs.realpath(os.tmpdir())
+      dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      // Add files for glob testing
+      for (let i = 0; i < subjectCount; i++) {
+        await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
+      }
+
+      // Set the GH context with private repository visibility and a repo owner.
+      setGHContext({
+        payload: { repository: { visibility: 'private' } },
+        repo: { owner: 'foo', repo: 'bar' }
+      })
+    })
 
     afterEach(async () => {
       // Clean-up temp directory
@@ -326,25 +376,25 @@ describe('action', () => {
     })
 
     it('sets a failed status', async () => {
-      await main.run()
+      const inputs: main.RunInputs = {
+        ...defaultInputs,
+        subjectPath: path.join(dir, `${filename}-*`),
+        predicateType,
+        predicate,
+        githubToken: 'gh-token'
+      }
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
-        'Too many subjects specified. The maximum number of subjects is 64.'
+        new Error(
+          'Too many subjects specified. The maximum number of subjects is 1024.'
+        )
       )
     })
   })
 })
 
-function mockInput(inputs: Record<string, string>): typeof core.getInput {
-  return (name: string): string => {
-    if (name in inputs) {
-      return inputs[name]
-    }
-    return ''
-  }
-}
-
 // Stubbing the GitHub context is a bit tricky. We need to use
 // `Object.defineProperty` because `github.context` is read-only.
 function setGHContext(context: object): void {

__tests__/predicate.test.ts

@@ -1,92 +1,129 @@
 import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'
-import { predicateFromInputs } from '../src/predicate'
+import { predicateFromInputs, PredicateInputs } from '../src/predicate'
 
 describe('subjectFromInputs', () => {
-  afterEach(() => {
-    process.env['INPUT_PREDICATE'] = ''
-    process.env['INPUT_PREDICATE-PATH'] = ''
-    process.env['INPUT_PREDICATE-TYPE'] = ''
-  })
+  const blankInputs: PredicateInputs = {
+    predicateType: '',
+    predicate: '',
+    predicatePath: ''
+  }
 
   describe('when no inputs are provided', () => {
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(/predicate-type/i)
+      expect(() => predicateFromInputs(blankInputs)).toThrow(/predicate-type/i)
     })
   })
 
   describe('when neither predicate path nor predicate are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType: 'https://example.com/predicate'
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
         /one of predicate-path or predicate must be provided/i
       )
     })
   })
 
   describe('when both predicate path and predicate are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-PATH'] = 'path/to/predicate'
-      process.env['INPUT_PREDICATE'] = '{}'
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(
+      const inputs: PredicateInputs = {
+        predicateType: 'https://example.com/predicate',
+        predicate: '{}',
+        predicatePath: 'path/to/predicate'
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
         /only one of predicate-path or predicate may be provided/i
       )
     })
   })
 
   describe('when specifying a predicate path', () => {
-    let dir = ''
-    const filename = 'subject'
+    const predicateType = 'https://example.com/predicate'
     const content = '{}'
+    let predicatePath = ''
 
     beforeEach(async () => {
       // Set-up temp directory
       const tmpDir = await fs.realpath(os.tmpdir())
-      dir = await fs.mkdtemp(tmpDir + path.sep)
+      const dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      const filename = 'subject'
+      predicatePath = path.join(dir, filename)
 
       // Write file to temp directory
-      await fs.writeFile(path.join(dir, filename), content)
+      await fs.writeFile(predicatePath, content)
     })
 
     afterEach(async () => {
       // Clean-up temp directory
-      await fs.rm(dir, { recursive: true })
-    })
-
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-PATH'] = path.join(dir, filename)
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
+      await fs.rm(path.parse(predicatePath).dir, { recursive: true })
     })
 
     it('returns the predicate', () => {
-      expect(predicateFromInputs()).toEqual({
-        type: 'https://example.com/predicate',
-        params: {}
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicatePath
+      }
+      expect(predicateFromInputs(inputs)).toEqual({
+        type: predicateType,
+        params: JSON.parse(content)
       })
     })
   })
 
+  describe('when specifying a predicate path that does not exist', () => {
+    const predicateType = 'https://example.com/predicate'
+    const predicatePath = 'foo'
+
+    it('returns the predicate', () => {
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicatePath
+      }
+      expect(() => predicateFromInputs(inputs)).toThrow(/file not found/)
+    })
+  })
+
   describe('when specifying a predicate value', () => {
+    const predicateType = 'https://example.com/predicate'
     const content = '{}'
 
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE'] = content
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('returns the predicate', () => {
-      expect(predicateFromInputs()).toEqual({
-        type: 'https://example.com/predicate',
-        params: {}
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicate: content
+      }
+
+      expect(predicateFromInputs(inputs)).toEqual({
+        type: predicateType,
+        params: JSON.parse(content)
       })
     })
   })
+
+  describe('when specifying a predicate value exceeding the max size', () => {
+    const predicateType = 'https://example.com/predicate'
+    const content = JSON.stringify({ a: 'a'.repeat(16 * 1024 * 1024) })
+
+    it('throws an error', () => {
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicate: content
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
+        /predicate string exceeds maximum/
+      )
+    })
+  })
 })

__tests__/style.test.ts

@@ -0,0 +1,15 @@
+import { highlight, mute } from '../src/style'
+
+describe('style', () => {
+  describe('highlight', () => {
+    it('adds cyan color to the string', () => {
+      expect(highlight('foo')).toBe('\x1B[36mfoo\x1B[39m')
+    })
+  })
+
+  describe('mute', () => {
+    it('adds gray color to the string', () => {
+      expect(mute('foo')).toBe('\x1B[38;5;244mfoo\x1B[39m')
+    })
+  })
+})

__tests__/subject.test.ts

@@ -2,85 +2,94 @@ import crypto from 'crypto'
 import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'
-import { subjectFromInputs } from '../src/subject'
+import {
+  formatSubjectDigest,
+  subjectFromInputs,
+  SubjectInputs
+} from '../src/subject'
 
 describe('subjectFromInputs', () => {
-  afterEach(() => {
-    process.env['INPUT_SUBJECT-PATH'] = ''
-    process.env['INPUT_SUBJECT-DIGEST'] = ''
-    process.env['INPUT_SUBJECT-NAME'] = ''
-  })
+  const blankInputs: SubjectInputs = {
+    subjectPath: '',
+    subjectName: '',
+    subjectDigest: ''
+  }
 
   describe('when no inputs are provided', () => {
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
+      await expect(subjectFromInputs(blankInputs)).rejects.toThrow(
         /one of subject-path or subject-digest must be provided/i
       )
     })
   })
 
   describe('when both subject path and subject digest are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_SUBJECT-PATH'] = 'path/to/subject'
-      process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-    })
-
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
+      const inputs: SubjectInputs = {
+        subjectName: 'foo',
+        subjectPath: 'path/to/subject',
+        subjectDigest: 'digest'
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
         /only one of subject-path or subject-digest may be provided/i
       )
     })
   })
 
   describe('when subject digest is provided but not the name', () => {
-    beforeEach(() => {
-      process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-    })
-
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
+      const inputs: SubjectInputs = {
+        ...blankInputs,
+        subjectDigest: 'digest'
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
         /subject-name must be provided when using subject-digest/i
       )
     })
   })
 
   describe('when specifying a subject digest', () => {
-    const name = 'subject'
+    const name = 'Subject'
 
     describe('when the digest is malformed', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-        process.env['INPUT_SUBJECT-NAME'] = 'subject'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'digest',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
     })
 
     describe('when the alogrithm is not supported', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'md5:deadbeef'
-        process.env['INPUT_SUBJECT-NAME'] = 'subject'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'md5:deadbeef',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
     })
 
     describe('when the sha256 digest is malformed', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'sha256:deadbeef'
-        process.env['INPUT_SUBJECT-NAME'] = 'subject'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'sha256:deadbeef',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
@@ -91,13 +100,14 @@ describe('subjectFromInputs', () => {
       const digest =
         '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
 
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = `${alg}:${digest}`
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: `${alg}:${digest}`,
+          subjectName: name
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -105,23 +115,47 @@ describe('subjectFromInputs', () => {
         expect(subject[0].digest).toEqual({ [alg]: digest })
       })
     })
+
+    describe('when the downcaseName is true', () => {
+      const imageName = 'ghcr.io/FOO/bar'
+      const alg = 'sha256'
+      const digest =
+        '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+
+      it('returns the subject (with name downcased)', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: `${alg}:${digest}`,
+          subjectName: imageName,
+          downcaseName: true
+        }
+
+        const subject = await subjectFromInputs(inputs)
+
+        expect(subject).toBeDefined()
+        expect(subject).toHaveLength(1)
+        expect(subject[0].name).toEqual(imageName.toLowerCase())
+        expect(subject[0].digest).toEqual({ [alg]: digest })
+      })
+    })
   })
 
   describe('when specifying a subject path', () => {
     describe('when the file does NOT exist', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = '/f/a/k/e'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: '/f/a/k/e'
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /could not find subject at path/i
         )
       })
     })
   })
 
-  describe('when the file eixts', () => {
+  describe('when the file exists', () => {
     let dir = ''
     const filename = 'subject'
     const content = 'file content'
@@ -152,12 +186,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when no name is provided', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, filename)
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, filename)
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -169,13 +204,14 @@ describe('subjectFromInputs', () => {
     describe('when a name is provided', () => {
       const name = 'mysubject'
 
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, filename)
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, filename),
+          subjectName: name
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -185,12 +221,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a file glob is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, 'subject-*')
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, 'subject-*')
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(3)
@@ -204,12 +241,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a file glob is supplied which also matches non-files', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] = `${dir}*`
-      })
-
       it('returns the subjects (excluding non-files)', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${dir}*`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(7)
@@ -217,13 +255,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a comma-separated list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(2)
@@ -240,13 +278,36 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a multi-line list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
+
+    describe('when an excluding glob is supplied', () => {
+      it('returns the multiple subjects', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-*')},!${path.join(dir, 'subject-1')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(2)
@@ -263,13 +324,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a multi-line glob list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(6)
@@ -303,3 +364,15 @@ describe('subjectFromInputs', () => {
     })
   })
 })
+
+describe('subjectDigest', () => {
+  it('returns the digest', () => {
+    const subject = {
+      name: 'foo',
+      digest: { sha1: 'deadbeef' }
+    }
+
+    const digest = formatSubjectDigest(subject)
+    expect(digest).toEqual('sha1:deadbeef')
+  })
+})

action.yml

@@ -10,7 +10,7 @@ inputs:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
       specify exactly one of "subject-path" or "subject-digest". May contain a
-      glob pattern or list of paths (total subject count cannot exceed 64).
+      glob pattern or list of paths (total subject count cannot exceed 1024).
     required: false
   subject-digest:
     description: >
@@ -30,13 +30,15 @@ inputs:
     required: true
   predicate:
     description: >
-      String containing the value for the attestation predicate. Must supply
-      exactly one of "predicate-path" or "predicate".
+      String containing the value for the attestation predicate. String length
+      cannot exceed 16MB. Must supply exactly one of "predicate-path" or
+      "predicate".
     required: false
   predicate-path:
     description: >
       Path to the file which contains the content for the attestation predicate.
-      Must supply exactly one of "predicate-path" or "predicate".
+      File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
+      or "predicate".
     required: false
   push-to-registry:
     description: >
@@ -45,6 +47,12 @@ inputs:
       the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
@@ -52,7 +60,7 @@ inputs:
     required: false
 outputs:
   bundle-path:
-    description: 'The path to the file containing the attestation bundle(s).'
+    description: 'The path to the file containing the attestation bundle.'
 
 runs:
   using: node20

dist/606.index.js

@@ -0,0 +1,287 @@
+"use strict";
+exports.id = 606;
+exports.ids = [606];
+exports.modules = {
+
+/***/ 606:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   "default": () => (/* binding */ pMap)
+/* harmony export */ });
+/* unused harmony exports pMapIterable, pMapSkip */
+async function pMap(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		stopOnError = true,
+		signal,
+	} = {},
+) {
+	return new Promise((resolve, reject_) => {
+		if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+			throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+		}
+
+		if (typeof mapper !== 'function') {
+			throw new TypeError('Mapper function is required');
+		}
+
+		if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+			throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+		}
+
+		const result = [];
+		const errors = [];
+		const skippedIndexesMap = new Map();
+		let isRejected = false;
+		let isResolved = false;
+		let isIterableDone = false;
+		let resolvingCount = 0;
+		let currentIndex = 0;
+		const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
+
+		const reject = reason => {
+			isRejected = true;
+			isResolved = true;
+			reject_(reason);
+		};
+
+		if (signal) {
+			if (signal.aborted) {
+				reject(signal.reason);
+			}
+
+			signal.addEventListener('abort', () => {
+				reject(signal.reason);
+			});
+		}
+
+		const next = async () => {
+			if (isResolved) {
+				return;
+			}
+
+			const nextItem = await iterator.next();
+
+			const index = currentIndex;
+			currentIndex++;
+
+			// Note: `iterator.next()` can be called many times in parallel.
+			// This can cause multiple calls to this `next()` function to
+			// receive a `nextItem` with `done === true`.
+			// The shutdown logic that rejects/resolves must be protected
+			// so it runs only one time as the `skippedIndex` logic is
+			// non-idempotent.
+			if (nextItem.done) {
+				isIterableDone = true;
+
+				if (resolvingCount === 0 && !isResolved) {
+					if (!stopOnError && errors.length > 0) {
+						reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
+						return;
+					}
+
+					isResolved = true;
+
+					if (skippedIndexesMap.size === 0) {
+						resolve(result);
+						return;
+					}
+
+					const pureResult = [];
+
+					// Support multiple `pMapSkip`'s.
+					for (const [index, value] of result.entries()) {
+						if (skippedIndexesMap.get(index) === pMapSkip) {
+							continue;
+						}
+
+						pureResult.push(value);
+					}
+
+					resolve(pureResult);
+				}
+
+				return;
+			}
+
+			resolvingCount++;
+
+			// Intentionally detached
+			(async () => {
+				try {
+					const element = await nextItem.value;
+
+					if (isResolved) {
+						return;
+					}
+
+					const value = await mapper(element, index);
+
+					// Use Map to stage the index of the element.
+					if (value === pMapSkip) {
+						skippedIndexesMap.set(index, value);
+					}
+
+					result[index] = value;
+
+					resolvingCount--;
+					await next();
+				} catch (error) {
+					if (stopOnError) {
+						reject(error);
+					} else {
+						errors.push(error);
+						resolvingCount--;
+
+						// In that case we can't really continue regardless of `stopOnError` state
+						// since an iterable is likely to continue throwing after it throws once.
+						// If we continue calling `next()` indefinitely we will likely end up
+						// in an infinite loop of failed iteration.
+						try {
+							await next();
+						} catch (error) {
+							reject(error);
+						}
+					}
+				}
+			})();
+		};
+
+		// Create the concurrent runners in a detached (non-awaited)
+		// promise. We need this so we can await the `next()` calls
+		// to stop creating runners before hitting the concurrency limit
+		// if the iterable has already been marked as done.
+		// NOTE: We *must* do this for async iterators otherwise we'll spin up
+		// infinite `next()` calls by default and never start the event loop.
+		(async () => {
+			for (let index = 0; index < concurrency; index++) {
+				try {
+					// eslint-disable-next-line no-await-in-loop
+					await next();
+				} catch (error) {
+					reject(error);
+					break;
+				}
+
+				if (isIterableDone || isRejected) {
+					break;
+				}
+			}
+		})();
+	});
+}
+
+function pMapIterable(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		backpressure = concurrency,
+	} = {},
+) {
+	if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+		throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+	}
+
+	if (typeof mapper !== 'function') {
+		throw new TypeError('Mapper function is required');
+	}
+
+	if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+	}
+
+	if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
+	}
+
+	return {
+		async * [Symbol.asyncIterator]() {
+			const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
+
+			const promises = [];
+			let runningMappersCount = 0;
+			let isDone = false;
+			let index = 0;
+
+			function trySpawn() {
+				if (isDone || !(runningMappersCount < concurrency && promises.length < backpressure)) {
+					return;
+				}
+
+				const promise = (async () => {
+					const {done, value} = await iterator.next();
+
+					if (done) {
+						return {done: true};
+					}
+
+					runningMappersCount++;
+
+					// Spawn if still below concurrency and backpressure limit
+					trySpawn();
+
+					try {
+						const returnValue = await mapper(await value, index++);
+
+						runningMappersCount--;
+
+						if (returnValue === pMapSkip) {
+							const index = promises.indexOf(promise);
+
+							if (index > 0) {
+								promises.splice(index, 1);
+							}
+						}
+
+						// Spawn if still below backpressure limit and just dropped below concurrency limit
+						trySpawn();
+
+						return {done: false, value: returnValue};
+					} catch (error) {
+						isDone = true;
+						return {error};
+					}
+				})();
+
+				promises.push(promise);
+			}
+
+			trySpawn();
+
+			while (promises.length > 0) {
+				const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
+
+				promises.shift();
+
+				if (error) {
+					throw error;
+				}
+
+				if (done) {
+					return;
+				}
+
+				// Spawn if just dropped below backpressure limit and below the concurrency limit
+				trySpawn();
+
+				if (value === pMapSkip) {
+					continue;
+				}
+
+				yield value;
+			}
+		},
+	};
+}
+
+const pMapSkip = Symbol('skip');
+
+
+/***/ })
+
+};
+;

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "1.1.0",
+  "version": "2.0.0",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -69,33 +69,33 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.2.1",
-    "@actions/core": "^1.10.1",
-    "@actions/glob": "^0.4.0",
-    "@sigstore/oci": "^0.3.0",
-    "csv-parse": "^5.5.5"
+    "@actions/attest": "^1.5.0",
+    "@actions/core": "^1.11.1",
+    "@actions/glob": "^0.5.0",
+    "@sigstore/oci": "^0.4.0",
+    "csv-parse": "^5.6.0"
   },
   "devDependencies": {
-    "@sigstore/mock": "^0.7.2",
-    "@types/jest": "^29.5.12",
+    "@sigstore/mock": "^0.8.0",
+    "@types/jest": "^29.5.14",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^20.12.7",
-    "@typescript-eslint/eslint-plugin": "^7.8.0",
-    "@typescript-eslint/parser": "^7.8.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^28.3.0",
-    "eslint-plugin-jsonc": "^2.15.1",
-    "eslint-plugin-prettier": "^5.1.3",
+    "@types/node": "^22.9.4",
+    "@typescript-eslint/eslint-plugin": "^7.18.0",
+    "@typescript-eslint/parser": "^7.18.0",
+    "@vercel/ncc": "^0.38.3",
+    "eslint": "^8.57.1",
+    "eslint-plugin-github": "^5.1.2",
+    "eslint-plugin-jest": "^28.9.0",
+    "eslint-plugin-jsonc": "^2.18.2",
+    "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.39.0",
-    "nock": "^13.5.4",
-    "prettier": "^3.2.5",
+    "markdownlint-cli": "^0.43.0",
+    "nock": "^13.5.6",
+    "prettier": "^3.3.3",
     "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.4.5",
+    "ts-jest": "^29.2.5",
+    "typescript": "^5.7.2",
     "undici": "^5.28.4"
   }
 }

src/attest.ts

@@ -0,0 +1,54 @@
+import { Attestation, Predicate, Subject, attest } from '@actions/attest'
+import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
+import { formatSubjectDigest } from './subject'
+
+const OCI_TIMEOUT = 30000
+const OCI_RETRY = 3
+
+export type SigstoreInstance = 'public-good' | 'github'
+export type AttestResult = Attestation & {
+  attestationDigest?: string
+}
+
+export const createAttestation = async (
+  subjects: Subject[],
+  predicate: Predicate,
+  opts: {
+    sigstoreInstance: SigstoreInstance
+    pushToRegistry: boolean
+    githubToken: string
+  }
+): Promise<AttestResult> => {
+  // Sign provenance w/ Sigstore
+  const attestation = await attest({
+    subjects,
+    predicateType: predicate.type,
+    predicate: predicate.params,
+    sigstore: opts.sigstoreInstance,
+    token: opts.githubToken
+  })
+
+  const result: AttestResult = attestation
+
+  if (subjects.length === 1 && opts.pushToRegistry) {
+    const subject = subjects[0]
+    const credentials = getRegistryCredentials(subject.name)
+    const artifact = await attachArtifactToImage({
+      credentials,
+      imageName: subject.name,
+      imageDigest: formatSubjectDigest(subject),
+      artifact: Buffer.from(JSON.stringify(attestation.bundle)),
+      mediaType: attestation.bundle.mediaType,
+      annotations: {
+        'dev.sigstore.bundle.content': 'dsse-envelope',
+        'dev.sigstore.bundle.predicateType': predicate.type
+      },
+      fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
+    })
+
+    // Add the attestation's digest to the result
+    result.attestationDigest = artifact.digest
+  }
+
+  return result
+}

src/index.ts

@@ -1,7 +1,24 @@
 /**
  * The entrypoint for the action.
  */
-import { run } from './main'
+import * as core from '@actions/core'
+import { run, RunInputs } from './main'
+
+const inputs: RunInputs = {
+  subjectPath: core.getInput('subject-path'),
+  subjectName: core.getInput('subject-name'),
+  subjectDigest: core.getInput('subject-digest'),
+  predicateType: core.getInput('predicate-type'),
+  predicate: core.getInput('predicate'),
+  predicatePath: core.getInput('predicate-path'),
+  pushToRegistry: core.getBooleanInput('push-to-registry'),
+  showSummary: core.getBooleanInput('show-summary'),
+  githubToken: core.getInput('github-token'),
+  // undocumented -- not part of public interface
+  privateSigning: ['true', 'True', 'TRUE', '1'].includes(
+    core.getInput('private-signing')
+  )
+}
 
 // eslint-disable-next-line @typescript-eslint/no-floating-promises
-run()
+run(inputs)

src/main.ts

@@ -1,123 +1,126 @@
-import { Attestation, Predicate, Subject, attest } from '@actions/attest'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
 import fs from 'fs'
 import os from 'os'
 import path from 'path'
+import { AttestResult, SigstoreInstance, createAttestation } from './attest'
 import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
-import { predicateFromInputs } from './predicate'
-import { subjectFromInputs } from './subject'
+import { PredicateInputs, predicateFromInputs } from './predicate'
+import * as style from './style'
+import {
+  SubjectInputs,
+  formatSubjectDigest,
+  subjectFromInputs
+} from './subject'
 
-type SigstoreInstance = 'public-good' | 'github'
-type AttestedSubject = { subject: Subject; attestationID: string }
+import type { Subject } from '@actions/attest'
 
-const COLOR_CYAN = '\x1B[36m'
-const COLOR_DEFAULT = '\x1B[39m'
-const ATTESTATION_FILE_NAME = 'attestation.jsonl'
+const ATTESTATION_FILE_NAME = 'attestation.json'
 
-const MAX_SUBJECT_COUNT = 64
+export type RunInputs = SubjectInputs &
+  PredicateInputs & {
+    pushToRegistry: boolean
+    githubToken: string
+    showSummary: boolean
+    privateSigning: boolean
+  }
+
+/* istanbul ignore next */
+const logHandler = (level: string, ...args: unknown[]): void => {
+  // Send any HTTP-related log events to the GitHub Actions debug log
+  if (level === 'http') {
+    core.debug(args.join(' '))
+  }
+}
 
 /**
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
-export async function run(): Promise<void> {
+export async function run(inputs: RunInputs): Promise<void> {
+  process.on('log', logHandler)
+
   // Provenance visibility will be public ONLY if we can confirm that the
   // repository is public AND the undocumented "private-signing" arg is NOT set.
   // Otherwise, it will be private.
   const sigstoreInstance: SigstoreInstance =
     github.context.payload.repository?.visibility === 'public' &&
-    core.getInput('private-signing') !== 'true'
+    !inputs.privateSigning
       ? 'public-good'
       : 'github'
 
   try {
-    const atts: AttestedSubject[] = []
     if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
       throw new Error(
         'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
       )
     }
 
-    // Gather list of subjets
-    const subjects = await subjectFromInputs()
-    if (subjects.length > MAX_SUBJECT_COUNT) {
-      throw new Error(
-        `Too many subjects specified. The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
-      )
-    }
+    const subjects = await subjectFromInputs({
+      ...inputs,
+      downcaseName: inputs.pushToRegistry
+    })
+    const predicate = predicateFromInputs(inputs)
 
-    const predicate = predicateFromInputs()
     const outputPath = path.join(tempDir(), ATTESTATION_FILE_NAME)
-
-    // Generate attestations for each subject serially
-    for (const subject of subjects) {
-      const att = await createAttestation(subject, predicate, sigstoreInstance)
-
-      // Write attestation bundle to output file
-      fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
-        encoding: 'utf-8',
-        flag: 'a'
-      })
-
-      if (att.attestationID) {
-        atts.push({ subject, attestationID: att.attestationID })
-      }
-    }
-
-    if (atts.length > 0) {
-      core.summary.addHeading(
-        /* istanbul ignore next */
-        atts.length > 1 ? 'Attestations Created' : 'Attestation Created',
-        3
-      )
-
-      for (const { subject, attestationID } of atts) {
-        core.summary.addLink(
-          `${subject.name}@${subjectDigest(subject)}`,
-          attestationURL(attestationID)
-        )
-      }
-      core.summary.write()
-    }
-
     core.setOutput('bundle-path', outputPath)
+
+    const att = await createAttestation(subjects, predicate, {
+      sigstoreInstance,
+      pushToRegistry: inputs.pushToRegistry,
+      githubToken: inputs.githubToken
+    })
+
+    logAttestation(subjects, att, sigstoreInstance)
+
+    // Write attestation bundle to output file
+    fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
+      encoding: 'utf-8',
+      flag: 'a'
+    })
+
+    if (inputs.showSummary) {
+      logSummary(att)
+    }
   } catch (err) {
     // Fail the workflow run if an error occurs
     core.setFailed(
-      err instanceof Error ? err.message : /* istanbul ignore next */ `${err}`
+      err instanceof Error ? err : /* istanbul ignore next */ `${err}`
     )
 
+    // Log the cause of the error if one is available
     /* istanbul ignore if */
     if (err instanceof Error && 'cause' in err) {
       const innerErr = err.cause
-      core.debug(innerErr instanceof Error ? innerErr.message : `${innerErr}}`)
+      core.info(
+        style.mute(
+          innerErr instanceof Error ? innerErr.toString() : `${innerErr}`
+        )
+      )
     }
+  } finally {
+    process.removeListener('log', logHandler)
   }
 }
 
-const createAttestation = async (
-  subject: Subject,
-  predicate: Predicate,
+// Log details about the attestation to the GitHub Actions run
+const logAttestation = (
+  subjects: Subject[],
+  attestation: AttestResult,
   sigstoreInstance: SigstoreInstance
-): Promise<Attestation> => {
-  // Sign provenance w/ Sigstore
-  const attestation = await attest({
-    subjectName: subject.name,
-    subjectDigest: subject.digest,
-    predicateType: predicate.type,
-    predicate: predicate.params,
-    sigstore: sigstoreInstance,
-    token: core.getInput('github-token')
-  })
-
-  core.info(`Attestation created for ${subject.name}@${subjectDigest(subject)}`)
+): void => {
+  if (subjects.length === 1) {
+    core.info(
+      `Attestation created for ${subjects[0].name}@${formatSubjectDigest(subjects[0])}`
+    )
+  } else {
+    core.info(`Attestation created for ${subjects.length} subjects`)
+  }
 
   const instanceName =
     sigstoreInstance === 'public-good' ? 'Public Good' : 'GitHub'
   core.startGroup(
-    highlight(
+    style.highlight(
       `Attestation signed using certificate from ${instanceName} Sigstore instance`
     )
   )
@@ -126,37 +129,35 @@ const createAttestation = async (
 
   if (attestation.tlogID) {
     core.info(
-      highlight('Attestation signature uploaded to Rekor transparency log')
+      style.highlight(
+        'Attestation signature uploaded to Rekor transparency log'
+      )
     )
     core.info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`)
   }
 
   if (attestation.attestationID) {
-    core.info(highlight('Attestation uploaded to repository'))
+    core.info(style.highlight('Attestation uploaded to repository'))
     core.info(attestationURL(attestation.attestationID))
   }
 
-  if (core.getBooleanInput('push-to-registry', { required: false })) {
-    const credentials = getRegistryCredentials(subject.name)
-    const artifact = await attachArtifactToImage({
-      credentials,
-      imageName: subject.name,
-      imageDigest: subjectDigest(subject),
-      artifact: Buffer.from(JSON.stringify(attestation.bundle)),
-      mediaType: attestation.bundle.mediaType,
-      annotations: {
-        'dev.sigstore.bundle.content': 'dsse-envelope',
-        'dev.sigstore.bundle.predicateType': core.getInput('predicate-type')
-      }
-    })
-    core.info(highlight('Attestation uploaded to registry'))
-    core.info(`${subject.name}@${artifact.digest}`)
+  if (attestation.attestationDigest) {
+    core.info(style.highlight('Attestation uploaded to registry'))
+    core.info(`${subjects[0].name}@${attestation.attestationDigest}`)
   }
-
-  return attestation
 }
 
-const highlight = (str: string): string => `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
+// Attach summary information to the GitHub Actions run
+const logSummary = (attestation: AttestResult): void => {
+  const { attestationID } = attestation
+
+  if (attestationID) {
+    const url = attestationURL(attestationID)
+    core.summary.addHeading('Attestation Created', 3)
+    core.summary.addList([`<a href="${url}">${url}</a>`])
+    core.summary.write()
+  }
+}
 
 const tempDir = (): string => {
   const basePath = process.env['RUNNER_TEMP']
@@ -169,12 +170,5 @@ const tempDir = (): string => {
   return fs.mkdtempSync(path.join(basePath, path.sep))
 }
 
-// Returns the subject's digest as a formatted string of the form
-// "<algorithm>:<digest>".
-const subjectDigest = (subject: Subject): string => {
-  const alg = Object.keys(subject.digest).sort()[0]
-  return `${alg}:${subject.digest[alg]}`
-}
-
 const attestationURL = (id: string): string =>
   `${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/attestations/${id}`

src/predicate.ts

@@ -1,26 +1,56 @@
-import * as core from '@actions/core'
 import fs from 'fs'
 
 import type { Predicate } from '@actions/attest'
 
+export type PredicateInputs = {
+  predicateType: string
+  predicate: string
+  predicatePath: string
+}
+
+const MAX_PREDICATE_SIZE_BYTES = 16 * 1024 * 1024
+
 // Returns the predicate specified by the action's inputs. The predicate value
 // may be specified as a path to a file or as a string.
-export const predicateFromInputs = (): Predicate => {
-  const predicateType = core.getInput('predicate-type', { required: true })
-  const predicateStr = core.getInput('predicate', { required: false })
-  const predicatePath = core.getInput('predicate-path', { required: false })
+export const predicateFromInputs = (inputs: PredicateInputs): Predicate => {
+  const { predicateType, predicate, predicatePath } = inputs
 
-  if (!predicatePath && !predicateStr) {
+  if (!predicateType) {
+    throw new Error('predicate-type must be provided')
+  }
+
+  if (!predicatePath && !predicate) {
     throw new Error('One of predicate-path or predicate must be provided')
   }
 
-  if (predicatePath && predicateStr) {
+  if (predicatePath && predicate) {
     throw new Error('Only one of predicate-path or predicate may be provided')
   }
 
-  const params = predicatePath
-    ? fs.readFileSync(predicatePath, 'utf-8')
-    : predicateStr
+  let params: string = predicate
+
+  if (predicatePath) {
+    if (!fs.existsSync(predicatePath)) {
+      throw new Error(`predicate file not found: ${predicatePath}`)
+    }
+
+    /* istanbul ignore next */
+    if (fs.statSync(predicatePath).size > MAX_PREDICATE_SIZE_BYTES) {
+      throw new Error(
+        `predicate file exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
+      )
+    }
+
+    params = fs.readFileSync(predicatePath, 'utf-8')
+  } else {
+    if (predicate.length > MAX_PREDICATE_SIZE_BYTES) {
+      throw new Error(
+        `predicate string exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
+      )
+    }
+
+    params = predicate
+  }
 
   return { type: predicateType, params: JSON.parse(params) }
 }

src/style.ts

@@ -0,0 +1,11 @@
+const COLOR_CYAN = '\x1B[36m'
+const COLOR_GRAY = '\x1B[38;5;244m'
+const COLOR_DEFAULT = '\x1B[39m'
+
+// Emphasis string using ANSI color codes
+export const highlight = (str: string): string =>
+  `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
+
+// De-emphasize string using ANSI color codes
+export const mute = (str: string): string =>
+  `${COLOR_GRAY}${str}${COLOR_DEFAULT}`

src/subject.ts

@@ -1,4 +1,3 @@
-import * as core from '@actions/core'
 import * as glob from '@actions/glob'
 import crypto from 'crypto'
 import { parse } from 'csv-parse/sync'
@@ -7,16 +6,23 @@ import path from 'path'
 
 import type { Subject } from '@actions/attest'
 
+const MAX_SUBJECT_COUNT = 1024
 const DIGEST_ALGORITHM = 'sha256'
 
+export type SubjectInputs = {
+  subjectPath: string
+  subjectName: string
+  subjectDigest: string
+  downcaseName?: boolean
+}
 // Returns the subject specified by the action's inputs. The subject may be
 // specified as a path to a file or as a digest. If a path is provided, the
 // file's digest is calculated and returned along with the subject's name. If a
 // digest is provided, the name must also be provided.
-export const subjectFromInputs = async (): Promise<Subject[]> => {
-  const subjectPath = core.getInput('subject-path', { required: false })
-  const subjectDigest = core.getInput('subject-digest', { required: false })
-  const subjectName = core.getInput('subject-name', { required: false })
+export const subjectFromInputs = async (
+  inputs: SubjectInputs
+): Promise<Subject[]> => {
+  const { subjectPath, subjectDigest, subjectName, downcaseName } = inputs
 
   if (!subjectPath && !subjectDigest) {
     throw new Error('One of subject-path or subject-digest must be provided')
@@ -32,47 +38,60 @@ export const subjectFromInputs = async (): Promise<Subject[]> => {
     throw new Error('subject-name must be provided when using subject-digest')
   }
 
+  // If push-to-registry is enabled, ensure the subject name is lowercase
+  // to conform to OCI image naming conventions
+  const name = downcaseName ? subjectName.toLowerCase() : subjectName
+
   if (subjectPath) {
-    return await getSubjectFromPath(subjectPath, subjectName)
+    return await getSubjectFromPath(subjectPath, name)
   } else {
-    return [getSubjectFromDigest(subjectDigest, subjectName)]
+    return [getSubjectFromDigest(subjectDigest, name)]
   }
 }
 
+// Returns the subject's digest as a formatted string of the form
+// "<algorithm>:<digest>".
+export const formatSubjectDigest = (subject: Subject): string => {
+  const alg = Object.keys(subject.digest).sort()[0]
+  return `${alg}:${subject.digest[alg]}`
+}
+
 // Returns the subject specified by the path to a file. The file's digest is
 // calculated and returned along with the subject's name.
 const getSubjectFromPath = async (
   subjectPath: string,
   subjectName?: string
 ): Promise<Subject[]> => {
-  const subjects: Subject[] = []
+  const digestedSubjects: Subject[] = []
 
   // Parse the list of subject paths
-  const subjectPaths = parseList(subjectPath)
+  const subjectPaths = parseList(subjectPath).join('\n')
 
-  for (const subPath of subjectPaths) {
-    // Expand the globbed path to a list of files
-    /* eslint-disable-next-line github/no-then */
-    const files = await glob.create(subPath).then(async g => g.glob())
+  // Expand the globbed paths to a list of actual paths
+  /* eslint-disable-next-line github/no-then */
+  const paths = await glob.create(subjectPaths).then(async g => g.glob())
 
-    for (const file of files) {
-      // Skip anything that is NOT a file
-      if (!fs.statSync(file).isFile()) {
-        continue
-      }
+  // Filter path list to just the files (not directories)
+  const files = paths.filter(p => fs.statSync(p).isFile())
 
-      const name = subjectName || path.parse(file).base
-      const digest = await digestFile(DIGEST_ALGORITHM, file)
-
-      subjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
-    }
+  if (files.length > MAX_SUBJECT_COUNT) {
+    throw new Error(
+      `Too many subjects specified. The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
+    )
   }
 
-  if (subjects.length === 0) {
+  for (const file of files) {
+    const name = subjectName || path.parse(file).base
+    const digest = await digestFile(DIGEST_ALGORITHM, file)
+
+    digestedSubjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
+  }
+
+  if (digestedSubjects.length === 0) {
     throw new Error(`Could not find subject at path ${subjectPath}`)
   }
 
-  return Promise.all(subjects)
+  return digestedSubjects
 }
 
 // Returns the subject specified by the digest of a file. The digest is returned