bump package version to 1.3.3 (#102)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.github/workflows/linter.yml

@@ -47,4 +47,3 @@ jobs:
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
-          VALIDATE_GITHUB_ACTIONS: false

README.md

@@ -65,7 +65,7 @@ See [action.yml](action.yml)
   with:
     # Path to the artifact serving as the subject of the attestation. Must
     # specify exactly one of "subject-path" or "subject-digest". May contain
-    # a glob pattern or list of paths (total subject count cannot exceed 64).
+    # a glob pattern or list of paths (total subject count cannot exceed 2500).
     subject-path:
 
     # SHA256 digest of the subject for the attestation. Must be in the form
@@ -81,12 +81,14 @@ See [action.yml](action.yml)
     # URI identifying the type of the predicate.
     predicate-type:
 
-    # JSON string containing the value for the attestation predicate. Must
-    # supply exactly one of "predicate-path" or "predicate".
+    # String containing the value for the attestation predicate. String length
+    # cannot exceed 16MB. Must supply exactly one of "predicate-path" or
+    # "predicate".
     predicate:
 
-    # Path to the file which contains the JSON content for the attestation
-    # predicate. Must supply exactly one of "predicate-path" or "predicate".
+    # Path to the file which contains the content for the attestation predicate.
+    # File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
+    # or "predicate".
     predicate-path:
 
     # Whether to push the attestation to the image registry. Requires that the
@@ -115,6 +117,20 @@ If multiple subjects are being attested at the same time, each attestation will
 be written to the output file on a separate line (using the [JSON Lines][7]
 format).
 
+## Attestation Limits
+
+### Subject Limits
+
+No more than 2500 subjects can be attested at the same time. Subjects will be
+processed in batches 50. After the initial group of 50, each subsequent batch
+will incur an exponentially increasing amount of delay (capped at 1 minute of
+delay per batch) to avoid overwhelming the attestation API.
+
+### Predicate Limits
+
+Whether supplied via the `predicate` or `predicatePath` input, the predicate
+string cannot exceed 16MB.
+
 ## Examples
 
 ### Identify Subject by Path
@@ -148,7 +164,7 @@ jobs:
           predicate: '{}'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
 If you are generating multiple artifacts, you can generate an attestation for
 each by using a wildcard in the `subject-path` input.
@@ -164,6 +180,23 @@ each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][8] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest@v1
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest@v1
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -175,8 +208,8 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
-> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
-> registry portion of the image name.
+> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
+> portion of the image name.
 
 ```yaml
 name: build-attested-image

__tests__/index.test.ts

@@ -2,12 +2,17 @@
  * Unit tests for the action's entrypoint, src/index.ts
  */
 
+import * as core from '@actions/core'
 import * as main from '../src/main'
 
 // Mock the action's entrypoint
 const runMock = jest.spyOn(main, 'run').mockImplementation()
+const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
 
 describe('index', () => {
+  beforeEach(() => {
+    getBooleanInputMock.mockImplementation(() => false)
+  })
   it('calls run when imported', async () => {
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     require('../src/index')

__tests__/main.test.ts

@@ -20,8 +20,6 @@ import * as main from '../src/main'
 // Mock the GitHub Actions core library
 const infoMock = jest.spyOn(core, 'info')
 const startGroupMock = jest.spyOn(core, 'startGroup')
-const getInputMock = jest.spyOn(core, 'getInput')
-const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
 
@@ -38,12 +36,28 @@ const runMock = jest.spyOn(main, 'run')
 const mockAgent = new MockAgent()
 setGlobalDispatcher(mockAgent)
 
+const defaultInputs: main.RunInputs = {
+  predicate: '',
+  predicateType: '',
+  predicatePath: '',
+  subjectName: '',
+  subjectDigest: '',
+  subjectPath: '',
+  pushToRegistry: false,
+  githubToken: '',
+  privateSigning: false,
+  batchSize: 50
+}
+
 describe('action', () => {
   // Capture original environment variables and GitHub context so we can restore
   // them after each test
   const originalEnv = process.env
   const originalContext = { ...github.context }
 
+  // Mock OIDC token endpoint
+  const tokenURL = 'https://token.url'
+
   // Fake an OIDC token
   const oidcSubject = 'foo@bar.com'
   const oidcPayload = { sub: oidcSubject, iss: '' }
@@ -62,9 +76,6 @@ describe('action', () => {
   beforeEach(() => {
     jest.clearAllMocks()
 
-    // Mock OIDC token endpoint
-    const tokenURL = 'https://token.url'
-
     nock(tokenURL)
       .get('/')
       .query({ audience: 'sigstore' })
@@ -95,24 +106,22 @@ describe('action', () => {
   })
 
   describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token'
     }
 
     beforeEach(() => {
       // Nullify the OIDC token URL
       process.env.ACTIONS_ID_TOKEN_REQUEST_URL = ''
-
-      getInputMock.mockImplementation(mockInput(inputs))
-      getBooleanInputMock.mockImplementation(() => false)
     })
 
     it('sets a failed status', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
@@ -124,12 +133,8 @@ describe('action', () => {
   })
 
   describe('when no inputs are provided', () => {
-    beforeEach(() => {
-      getInputMock.mockImplementation(() => '')
-    })
-
     it('sets a failed status', async () => {
-      await main.run()
+      await main.run(defaultInputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
@@ -139,12 +144,13 @@ describe('action', () => {
   })
 
   describe('when the repository is private', () => {
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token'
     }
 
     beforeEach(async () => {
@@ -154,9 +160,6 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      getInputMock.mockImplementation(mockInput(inputs))
-      getBooleanInputMock.mockImplementation(() => false)
-
       await mockFulcio({
         baseURL: 'https://fulcio.githubapp.com',
         strict: false
@@ -165,7 +168,7 @@ describe('action', () => {
     })
 
     it('invokes the action w/o error', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).not.toHaveBeenCalledWith()
@@ -204,12 +207,14 @@ describe('action', () => {
     const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
     const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
 
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token',
+      pushToRegistry: true
     }
 
     beforeEach(async () => {
@@ -219,11 +224,6 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      // Mock the action's inputs
-      getInputMock.mockImplementation(mockInput(inputs))
-      // This is where we mock the push-to-registry input
-      getBooleanInputMock.mockImplementation(() => true)
-
       await mockFulcio({
         baseURL: 'https://fulcio.sigstore.dev',
         strict: false
@@ -244,7 +244,7 @@ describe('action', () => {
     })
 
     it('invokes the action w/o error', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).not.toHaveBeenCalled()
@@ -289,11 +289,16 @@ describe('action', () => {
     })
   })
 
-  describe('when too many subjects are specified', () => {
+  describe('when the subject count exceeds the batch size', () => {
     let dir = ''
+    const filename = 'subject'
+    let scope: nock.Scope
 
     beforeEach(async () => {
-      const filename = 'subject'
+      // Start from scratch
+      nock.cleanAll()
+
+      const subjectCount = 5
       const content = 'file content'
 
       // Set-up temp directory
@@ -301,7 +306,90 @@ describe('action', () => {
       dir = await fs.mkdtemp(tmpDir + path.sep)
 
       // Add files for glob testing
-      for (let i = 0; i < 65; i++) {
+      for (let i = 0; i < subjectCount; i++) {
+        await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
+
+        // Set-up a Fulcio mock for each subject
+        await mockFulcio({
+          baseURL: 'https://fulcio.githubapp.com',
+          strict: false
+        })
+
+        // Set-up a TSA mock for each subject
+        await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
+
+        // Set-up a GH API mock for each subject
+        mockAgent
+          .get('https://api.github.com')
+          .intercept({
+            path: /^\/repos\/.*\/.*\/attestations$/,
+            method: 'post'
+          })
+          .reply(201, { id: attestationID })
+      }
+
+      // Set-up a OIDC token mock for each subject
+      scope = nock(tokenURL)
+        .get('/')
+        .query({ audience: 'sigstore' })
+        .times(subjectCount)
+        .reply(200, { value: oidcToken })
+
+      // Set the GH context with private repository visibility and a repo owner.
+      setGHContext({
+        payload: { repository: { visibility: 'private' } },
+        repo: { owner: 'foo', repo: 'bar' }
+      })
+    })
+
+    afterEach(async () => {
+      // Clean-up temp directory
+      await fs.rm(dir, { recursive: true })
+    })
+
+    it('invokes the action w/o error', async () => {
+      const inputs: main.RunInputs = {
+        ...defaultInputs,
+        subjectPath: path.join(dir, `${filename}-*`),
+        predicateType,
+        predicate,
+        githubToken: 'gh-token',
+        batchSize: 2
+      }
+      await main.run(inputs)
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(infoMock).toHaveBeenNthCalledWith(
+        1,
+        expect.stringMatching('Processing subject batch 1/3')
+      )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        10,
+        expect.stringMatching('Processing subject batch 2/3')
+      )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        19,
+        expect.stringMatching('Processing subject batch 3/3')
+      )
+      expect(scope.isDone()).toBe(true)
+    })
+  })
+
+  describe('when the subject count exceeds the max', () => {
+    let dir = ''
+    const filename = 'subject'
+
+    beforeEach(async () => {
+      const subjectCount = 2501
+      const content = 'file content'
+
+      // Set-up temp directory
+      const tmpDir = await fs.realpath(os.tmpdir())
+      dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      // Add files for glob testing
+      for (let i = 0; i < subjectCount; i++) {
         await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
       }
 
@@ -310,14 +398,6 @@ describe('action', () => {
         payload: { repository: { visibility: 'private' } },
         repo: { owner: 'foo', repo: 'bar' }
       })
-
-      // Mock the action's inputs
-      getInputMock.mockImplementation(
-        mockInput({
-          predicate: '{}',
-          'subject-path': path.join(dir, `${filename}-*`)
-        })
-      )
     })
 
     afterEach(async () => {
@@ -326,27 +406,25 @@ describe('action', () => {
     })
 
     it('sets a failed status', async () => {
-      await main.run()
+      const inputs: main.RunInputs = {
+        ...defaultInputs,
+        subjectPath: path.join(dir, `${filename}-*`),
+        predicateType,
+        predicate,
+        githubToken: 'gh-token'
+      }
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
         new Error(
-          'Too many subjects specified. The maximum number of subjects is 64.'
+          'Too many subjects specified. The maximum number of subjects is 2500.'
         )
       )
     })
   })
 })
 
-function mockInput(inputs: Record<string, string>): typeof core.getInput {
-  return (name: string): string => {
-    if (name in inputs) {
-      return inputs[name]
-    }
-    return ''
-  }
-}
-
 // Stubbing the GitHub context is a bit tricky. We need to use
 // `Object.defineProperty` because `github.context` is read-only.
 function setGHContext(context: object): void {

__tests__/predicate.test.ts

@@ -1,92 +1,129 @@
 import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'
-import { predicateFromInputs } from '../src/predicate'
+import { predicateFromInputs, PredicateInputs } from '../src/predicate'
 
 describe('subjectFromInputs', () => {
-  afterEach(() => {
-    process.env['INPUT_PREDICATE'] = ''
-    process.env['INPUT_PREDICATE-PATH'] = ''
-    process.env['INPUT_PREDICATE-TYPE'] = ''
-  })
+  const blankInputs: PredicateInputs = {
+    predicateType: '',
+    predicate: '',
+    predicatePath: ''
+  }
 
   describe('when no inputs are provided', () => {
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(/predicate-type/i)
+      expect(() => predicateFromInputs(blankInputs)).toThrow(/predicate-type/i)
     })
   })
 
   describe('when neither predicate path nor predicate are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType: 'https://example.com/predicate'
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
         /one of predicate-path or predicate must be provided/i
       )
     })
   })
 
   describe('when both predicate path and predicate are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-PATH'] = 'path/to/predicate'
-      process.env['INPUT_PREDICATE'] = '{}'
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(
+      const inputs: PredicateInputs = {
+        predicateType: 'https://example.com/predicate',
+        predicate: '{}',
+        predicatePath: 'path/to/predicate'
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
         /only one of predicate-path or predicate may be provided/i
       )
     })
   })
 
   describe('when specifying a predicate path', () => {
-    let dir = ''
-    const filename = 'subject'
+    const predicateType = 'https://example.com/predicate'
     const content = '{}'
+    let predicatePath = ''
 
     beforeEach(async () => {
       // Set-up temp directory
       const tmpDir = await fs.realpath(os.tmpdir())
-      dir = await fs.mkdtemp(tmpDir + path.sep)
+      const dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      const filename = 'subject'
+      predicatePath = path.join(dir, filename)
 
       // Write file to temp directory
-      await fs.writeFile(path.join(dir, filename), content)
+      await fs.writeFile(predicatePath, content)
     })
 
     afterEach(async () => {
       // Clean-up temp directory
-      await fs.rm(dir, { recursive: true })
-    })
-
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-PATH'] = path.join(dir, filename)
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
+      await fs.rm(path.parse(predicatePath).dir, { recursive: true })
     })
 
     it('returns the predicate', () => {
-      expect(predicateFromInputs()).toEqual({
-        type: 'https://example.com/predicate',
-        params: {}
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicatePath
+      }
+      expect(predicateFromInputs(inputs)).toEqual({
+        type: predicateType,
+        params: JSON.parse(content)
       })
     })
   })
 
+  describe('when specifying a predicate path that does not exist', () => {
+    const predicateType = 'https://example.com/predicate'
+    const predicatePath = 'foo'
+
+    it('returns the predicate', () => {
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicatePath
+      }
+      expect(() => predicateFromInputs(inputs)).toThrow(/file not found/)
+    })
+  })
+
   describe('when specifying a predicate value', () => {
+    const predicateType = 'https://example.com/predicate'
     const content = '{}'
 
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE'] = content
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('returns the predicate', () => {
-      expect(predicateFromInputs()).toEqual({
-        type: 'https://example.com/predicate',
-        params: {}
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicate: content
+      }
+
+      expect(predicateFromInputs(inputs)).toEqual({
+        type: predicateType,
+        params: JSON.parse(content)
       })
     })
   })
+
+  describe('when specifying a predicate value exceeding the max size', () => {
+    const predicateType = 'https://example.com/predicate'
+    const content = JSON.stringify({ a: 'a'.repeat(16 * 1024 * 1024) })
+
+    it('throws an error', () => {
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicate: content
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
+        /predicate string exceeds maximum/
+      )
+    })
+  })
 })

__tests__/style.test.ts

@@ -0,0 +1,15 @@
+import { highlight, mute } from '../src/style'
+
+describe('style', () => {
+  describe('highlight', () => {
+    it('adds cyan color to the string', () => {
+      expect(highlight('foo')).toBe('\x1B[36mfoo\x1B[39m')
+    })
+  })
+
+  describe('mute', () => {
+    it('adds gray color to the string', () => {
+      expect(mute('foo')).toBe('\x1B[38;5;244mfoo\x1B[39m')
+    })
+  })
+})

__tests__/subject.test.ts

@@ -2,85 +2,90 @@ import crypto from 'crypto'
 import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'
-import { subjectFromInputs } from '../src/subject'
+import { subjectFromInputs, SubjectInputs } from '../src/subject'
 
 describe('subjectFromInputs', () => {
-  afterEach(() => {
-    process.env['INPUT_SUBJECT-PATH'] = ''
-    process.env['INPUT_SUBJECT-DIGEST'] = ''
-    process.env['INPUT_SUBJECT-NAME'] = ''
-  })
+  const blankInputs: SubjectInputs = {
+    subjectPath: '',
+    subjectName: '',
+    subjectDigest: ''
+  }
 
   describe('when no inputs are provided', () => {
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
+      await expect(subjectFromInputs(blankInputs)).rejects.toThrow(
         /one of subject-path or subject-digest must be provided/i
       )
     })
   })
 
   describe('when both subject path and subject digest are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_SUBJECT-PATH'] = 'path/to/subject'
-      process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-    })
-
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
+      const inputs: SubjectInputs = {
+        subjectName: 'foo',
+        subjectPath: 'path/to/subject',
+        subjectDigest: 'digest'
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
         /only one of subject-path or subject-digest may be provided/i
       )
     })
   })
 
   describe('when subject digest is provided but not the name', () => {
-    beforeEach(() => {
-      process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-    })
-
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
+      const inputs: SubjectInputs = {
+        ...blankInputs,
+        subjectDigest: 'digest'
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
         /subject-name must be provided when using subject-digest/i
       )
     })
   })
 
   describe('when specifying a subject digest', () => {
-    const name = 'subject'
+    const name = 'Subject'
 
     describe('when the digest is malformed', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-        process.env['INPUT_SUBJECT-NAME'] = 'subject'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'digest',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
     })
 
     describe('when the alogrithm is not supported', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'md5:deadbeef'
-        process.env['INPUT_SUBJECT-NAME'] = 'subject'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'md5:deadbeef',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
     })
 
     describe('when the sha256 digest is malformed', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'sha256:deadbeef'
-        process.env['INPUT_SUBJECT-NAME'] = 'subject'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'sha256:deadbeef',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
@@ -91,13 +96,14 @@ describe('subjectFromInputs', () => {
       const digest =
         '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
 
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = `${alg}:${digest}`
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: `${alg}:${digest}`,
+          subjectName: name
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -105,23 +111,47 @@ describe('subjectFromInputs', () => {
         expect(subject[0].digest).toEqual({ [alg]: digest })
       })
     })
+
+    describe('when the downcaseName is true', () => {
+      const imageName = 'ghcr.io/FOO/bar'
+      const alg = 'sha256'
+      const digest =
+        '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+
+      it('returns the subject (with name downcased)', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: `${alg}:${digest}`,
+          subjectName: imageName,
+          downcaseName: true
+        }
+
+        const subject = await subjectFromInputs(inputs)
+
+        expect(subject).toBeDefined()
+        expect(subject).toHaveLength(1)
+        expect(subject[0].name).toEqual(imageName.toLowerCase())
+        expect(subject[0].digest).toEqual({ [alg]: digest })
+      })
+    })
   })
 
   describe('when specifying a subject path', () => {
     describe('when the file does NOT exist', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = '/f/a/k/e'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: '/f/a/k/e'
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /could not find subject at path/i
         )
       })
     })
   })
 
-  describe('when the file eixts', () => {
+  describe('when the file exists', () => {
     let dir = ''
     const filename = 'subject'
     const content = 'file content'
@@ -152,12 +182,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when no name is provided', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, filename)
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, filename)
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -169,13 +200,14 @@ describe('subjectFromInputs', () => {
     describe('when a name is provided', () => {
       const name = 'mysubject'
 
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, filename)
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, filename),
+          subjectName: name
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -185,12 +217,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a file glob is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, 'subject-*')
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, 'subject-*')
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(3)
@@ -204,12 +237,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a file glob is supplied which also matches non-files', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] = `${dir}*`
-      })
-
       it('returns the subjects (excluding non-files)', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${dir}*`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(7)
@@ -217,13 +251,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a comma-separated list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(2)
@@ -240,13 +274,36 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a multi-line list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
+
+    describe('when an excluding glob is supplied', () => {
+      it('returns the multiple subjects', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-*')},!${path.join(dir, 'subject-1')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(2)
@@ -263,13 +320,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a multi-line glob list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(6)

action.yml

@@ -10,7 +10,7 @@ inputs:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
       specify exactly one of "subject-path" or "subject-digest". May contain a
-      glob pattern or list of paths (total subject count cannot exceed 64).
+      glob pattern or list of paths (total subject count cannot exceed 2500).
     required: false
   subject-digest:
     description: >
@@ -30,13 +30,15 @@ inputs:
     required: true
   predicate:
     description: >
-      String containing the value for the attestation predicate. Must supply
-      exactly one of "predicate-path" or "predicate".
+      String containing the value for the attestation predicate. String length
+      cannot exceed 16MB. Must supply exactly one of "predicate-path" or
+      "predicate".
     required: false
   predicate-path:
     description: >
       Path to the file which contains the content for the attestation predicate.
-      Must supply exactly one of "predicate-path" or "predicate".
+      File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
+      or "predicate".
     required: false
   push-to-registry:
     description: >

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "1.1.1",
+  "version": "1.3.3",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -69,33 +69,33 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.2.1",
+    "@actions/attest": "^1.3.0",
     "@actions/core": "^1.10.1",
     "@actions/glob": "^0.4.0",
-    "@sigstore/oci": "^0.3.2",
-    "csv-parse": "^5.5.5"
+    "@sigstore/oci": "^0.3.7",
+    "csv-parse": "^5.5.6"
   },
   "devDependencies": {
-    "@sigstore/mock": "^0.7.2",
+    "@sigstore/mock": "^0.7.5",
     "@types/jest": "^29.5.12",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^20.12.10",
-    "@typescript-eslint/eslint-plugin": "^7.8.0",
-    "@typescript-eslint/parser": "^7.8.0",
+    "@types/node": "^20.14.10",
+    "@typescript-eslint/eslint-plugin": "^7.16.0",
+    "@typescript-eslint/parser": "^7.16.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^28.5.0",
-    "eslint-plugin-jsonc": "^2.15.1",
+    "eslint-plugin-github": "^5.0.1",
+    "eslint-plugin-jest": "^28.6.0",
+    "eslint-plugin-jsonc": "^2.16.0",
     "eslint-plugin-prettier": "^5.1.3",
     "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.40.0",
+    "markdownlint-cli": "^0.41.0",
     "nock": "^13.5.4",
-    "prettier": "^3.2.5",
+    "prettier": "^3.3.2",
     "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.4.5",
+    "ts-jest": "^29.2.0",
+    "typescript": "^5.5.3",
     "undici": "^5.28.4"
   }
 }

src/attest.ts

@@ -0,0 +1,67 @@
+import { Attestation, Predicate, Subject, attest } from '@actions/attest'
+import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
+
+const OCI_TIMEOUT = 30000
+const OCI_RETRY = 3
+
+export type SigstoreInstance = 'public-good' | 'github'
+export type AttestResult = Attestation & {
+  subjectName: string
+  subjectDigest: string
+  attestationDigest?: string
+}
+
+export const createAttestation = async (
+  subject: Subject,
+  predicate: Predicate,
+  opts: {
+    sigstoreInstance: SigstoreInstance
+    pushToRegistry: boolean
+    githubToken: string
+  }
+): Promise<AttestResult> => {
+  // Sign provenance w/ Sigstore
+  const attestation = await attest({
+    subjectName: subject.name,
+    subjectDigest: subject.digest,
+    predicateType: predicate.type,
+    predicate: predicate.params,
+    sigstore: opts.sigstoreInstance,
+    token: opts.githubToken
+  })
+
+  const subDigest = subjectDigest(subject)
+  const result: AttestResult = {
+    ...attestation,
+    subjectName: subject.name,
+    subjectDigest: subDigest
+  }
+
+  if (opts.pushToRegistry) {
+    const credentials = getRegistryCredentials(subject.name)
+    const artifact = await attachArtifactToImage({
+      credentials,
+      imageName: subject.name,
+      imageDigest: subDigest,
+      artifact: Buffer.from(JSON.stringify(attestation.bundle)),
+      mediaType: attestation.bundle.mediaType,
+      annotations: {
+        'dev.sigstore.bundle.content': 'dsse-envelope',
+        'dev.sigstore.bundle.predicateType': predicate.type
+      },
+      fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
+    })
+
+    // Add the attestation's digest to the result
+    result.attestationDigest = artifact.digest
+  }
+
+  return result
+}
+
+// Returns the subject's digest as a formatted string of the form
+// "<algorithm>:<digest>".
+const subjectDigest = (subject: Subject): string => {
+  const alg = Object.keys(subject.digest).sort()[0]
+  return `${alg}:${subject.digest[alg]}`
+}

src/index.ts

@@ -1,7 +1,27 @@
 /**
  * The entrypoint for the action.
  */
-import { run } from './main'
+import * as core from '@actions/core'
+import { run, RunInputs } from './main'
+
+const DEFAULT_BATCH_SIZE = 50
+
+const inputs: RunInputs = {
+  subjectPath: core.getInput('subject-path'),
+  subjectName: core.getInput('subject-name'),
+  subjectDigest: core.getInput('subject-digest'),
+  predicateType: core.getInput('predicate-type'),
+  predicate: core.getInput('predicate'),
+  predicatePath: core.getInput('predicate-path'),
+  pushToRegistry: core.getBooleanInput('push-to-registry'),
+  githubToken: core.getInput('github-token'),
+  // undocumented -- not part of public interface
+  privateSigning: ['true', 'True', 'TRUE', '1'].includes(
+    core.getInput('private-signing')
+  ),
+  // internal only
+  batchSize: DEFAULT_BATCH_SIZE
+}
 
 // eslint-disable-next-line @typescript-eslint/no-floating-promises
-run()
+run(inputs)

src/main.ts

@@ -1,26 +1,25 @@
-import { Attestation, Predicate, Subject, attest } from '@actions/attest'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
 import fs from 'fs'
 import os from 'os'
 import path from 'path'
+import { AttestResult, SigstoreInstance, createAttestation } from './attest'
 import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
-import { predicateFromInputs } from './predicate'
-import { subjectFromInputs } from './subject'
+import { PredicateInputs, predicateFromInputs } from './predicate'
+import * as style from './style'
+import { SubjectInputs, subjectFromInputs } from './subject'
 
-type SigstoreInstance = 'public-good' | 'github'
-type AttestedSubject = { subject: Subject; attestationID: string }
-
-const COLOR_CYAN = '\x1B[36m'
-const COLOR_GRAY = '\x1B[38;5;244m'
-const COLOR_DEFAULT = '\x1B[39m'
 const ATTESTATION_FILE_NAME = 'attestation.jsonl'
+const DELAY_INTERVAL_MS = 75
+const DELAY_MAX_MS = 1200
 
-const MAX_SUBJECT_COUNT = 64
-
-const OCI_TIMEOUT = 2000
-const OCI_RETRY = 3
+export type RunInputs = SubjectInputs &
+  PredicateInputs & {
+    pushToRegistry: boolean
+    githubToken: string
+    privateSigning: boolean
+    batchSize: number
+  }
 
 /* istanbul ignore next */
 const logHandler = (level: string, ...args: unknown[]): void => {
@@ -34,7 +33,7 @@ const logHandler = (level: string, ...args: unknown[]): void => {
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
-export async function run(): Promise<void> {
+export async function run(inputs: RunInputs): Promise<void> {
   process.on('log', logHandler)
 
   // Provenance visibility will be public ONLY if we can confirm that the
@@ -42,61 +41,62 @@ export async function run(): Promise<void> {
   // Otherwise, it will be private.
   const sigstoreInstance: SigstoreInstance =
     github.context.payload.repository?.visibility === 'public' &&
-    core.getInput('private-signing') !== 'true'
+    !inputs.privateSigning
       ? 'public-good'
       : 'github'
 
   try {
-    const atts: AttestedSubject[] = []
+    const atts: AttestResult[] = []
     if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
       throw new Error(
         'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
       )
     }
 
-    // Gather list of subjets
-    const subjects = await subjectFromInputs()
-    if (subjects.length > MAX_SUBJECT_COUNT) {
-      throw new Error(
-        `Too many subjects specified. The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
-      )
-    }
+    const subjects = await subjectFromInputs({
+      ...inputs,
+      downcaseName: inputs.pushToRegistry
+    })
+    const predicate = predicateFromInputs(inputs)
 
-    const predicate = predicateFromInputs()
     const outputPath = path.join(tempDir(), ATTESTATION_FILE_NAME)
-
-    // Generate attestations for each subject serially
-    for (const subject of subjects) {
-      const att = await createAttestation(subject, predicate, sigstoreInstance)
-
-      // Write attestation bundle to output file
-      fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
-        encoding: 'utf-8',
-        flag: 'a'
-      })
-
-      if (att.attestationID) {
-        atts.push({ subject, attestationID: att.attestationID })
-      }
-    }
-
-    if (atts.length > 0) {
-      core.summary.addHeading(
-        /* istanbul ignore next */
-        atts.length > 1 ? 'Attestations Created' : 'Attestation Created',
-        3
-      )
-
-      for (const { subject, attestationID } of atts) {
-        core.summary.addLink(
-          `${subject.name}@${subjectDigest(subject)}`,
-          attestationURL(attestationID)
-        )
-      }
-      core.summary.write()
-    }
-
     core.setOutput('bundle-path', outputPath)
+
+    const subjectChunks = chunkArray(subjects, inputs.batchSize)
+
+    // Generate attestations for each subject serially, working in batches
+    for (let i = 0; i < subjectChunks.length; i++) {
+      if (subjectChunks.length > 1) {
+        core.info(`Processing subject batch ${i + 1}/${subjectChunks.length}`)
+      }
+
+      // Calculate the delay time for this batch
+      const delayTime = delay(i)
+
+      for (const subject of subjectChunks[i]) {
+        // Delay between attestations (only when chunk size > 1)
+        if (i > 0) {
+          await new Promise(resolve => setTimeout(resolve, delayTime))
+        }
+
+        const att = await createAttestation(subject, predicate, {
+          sigstoreInstance,
+          pushToRegistry: inputs.pushToRegistry,
+          githubToken: inputs.githubToken
+        })
+        atts.push(att)
+
+        logAttestation(att, sigstoreInstance)
+
+        // Write attestation bundle to output file
+        fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
+          encoding: 'utf-8',
+          flag: 'a'
+        })
+      }
+    }
+
+    logSummary(atts)
   } catch (err) {
     // Fail the workflow run if an error occurs
     core.setFailed(
@@ -108,7 +108,9 @@ export async function run(): Promise<void> {
     if (err instanceof Error && 'cause' in err) {
       const innerErr = err.cause
       core.info(
-        mute(innerErr instanceof Error ? innerErr.toString() : `${innerErr}`)
+        style.mute(
+          innerErr instanceof Error ? innerErr.toString() : `${innerErr}`
+        )
       )
     }
   } finally {
@@ -116,27 +118,19 @@ export async function run(): Promise<void> {
   }
 }
 
-const createAttestation = async (
-  subject: Subject,
-  predicate: Predicate,
+// Log details about the attestation to the GitHub Actions run
+const logAttestation = (
+  attestation: AttestResult,
   sigstoreInstance: SigstoreInstance
-): Promise<Attestation> => {
-  // Sign provenance w/ Sigstore
-  const attestation = await attest({
-    subjectName: subject.name,
-    subjectDigest: subject.digest,
-    predicateType: predicate.type,
-    predicate: predicate.params,
-    sigstore: sigstoreInstance,
-    token: core.getInput('github-token')
-  })
-
-  core.info(`Attestation created for ${subject.name}@${subjectDigest(subject)}`)
+): void => {
+  core.info(
+    `Attestation created for ${attestation.subjectName}@${attestation.subjectDigest}`
+  )
 
   const instanceName =
     sigstoreInstance === 'public-good' ? 'Public Good' : 'GitHub'
   core.startGroup(
-    highlight(
+    style.highlight(
       `Attestation signed using certificate from ${instanceName} Sigstore instance`
     )
   )
@@ -145,43 +139,44 @@ const createAttestation = async (
 
   if (attestation.tlogID) {
     core.info(
-      highlight('Attestation signature uploaded to Rekor transparency log')
+      style.highlight(
+        'Attestation signature uploaded to Rekor transparency log'
+      )
     )
     core.info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`)
   }
 
   if (attestation.attestationID) {
-    core.info(highlight('Attestation uploaded to repository'))
+    core.info(style.highlight('Attestation uploaded to repository'))
     core.info(attestationURL(attestation.attestationID))
   }
 
-  if (core.getBooleanInput('push-to-registry', { required: false })) {
-    const credentials = getRegistryCredentials(subject.name)
-    const artifact = await attachArtifactToImage({
-      credentials,
-      imageName: subject.name,
-      imageDigest: subjectDigest(subject),
-      artifact: Buffer.from(JSON.stringify(attestation.bundle)),
-      mediaType: attestation.bundle.mediaType,
-      annotations: {
-        'dev.sigstore.bundle.content': 'dsse-envelope',
-        'dev.sigstore.bundle.predicateType': core.getInput('predicate-type')
-      },
-      fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
-    })
-    core.info(highlight('Attestation uploaded to registry'))
-    core.info(`${subject.name}@${artifact.digest}`)
+  if (attestation.attestationDigest) {
+    core.info(style.highlight('Attestation uploaded to registry'))
+    core.info(`${attestation.subjectName}@${attestation.attestationDigest}`)
   }
-
-  return attestation
 }
 
-// Emphasis string using ANSI color codes
-const highlight = (str: string): string => `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
+// Attach summary information to the GitHub Actions run
+const logSummary = (attestations: AttestResult[]): void => {
+  if (attestations.length > 0) {
+    core.summary.addHeading(
+      /* istanbul ignore next */
+      attestations.length > 1 ? 'Attestations Created' : 'Attestation Created',
+      3
+    )
 
-// De-emphasize string using ANSI color codes
-/* istanbul ignore next */
-const mute = (str: string): string => `${COLOR_GRAY}${str}${COLOR_DEFAULT}`
+    for (const { subjectName, subjectDigest, attestationID } of attestations) {
+      if (attestationID) {
+        core.summary.addLink(
+          `${subjectName}@${subjectDigest}`,
+          attestationURL(attestationID)
+        )
+      }
+    }
+    core.summary.write()
+  }
+}
 
 const tempDir = (): string => {
   const basePath = process.env['RUNNER_TEMP']
@@ -194,12 +189,18 @@ const tempDir = (): string => {
   return fs.mkdtempSync(path.join(basePath, path.sep))
 }
 
-// Returns the subject's digest as a formatted string of the form
-// "<algorithm>:<digest>".
-const subjectDigest = (subject: Subject): string => {
-  const alg = Object.keys(subject.digest).sort()[0]
-  return `${alg}:${subject.digest[alg]}`
+// Transforms an array into an array of arrays, each containing at most
+// `chunkSize` elements.
+const chunkArray = <T>(array: T[], chunkSize: number): T[][] => {
+  return Array.from(
+    { length: Math.ceil(array.length / chunkSize) },
+    (_, index) => array.slice(index * chunkSize, (index + 1) * chunkSize)
+  )
 }
 
+// Calculate the delay time for a given iteration
+const delay = (iteration: number): number =>
+  Math.min(DELAY_INTERVAL_MS * 2 ** iteration, DELAY_MAX_MS)
+
 const attestationURL = (id: string): string =>
   `${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/attestations/${id}`

src/predicate.ts

@@ -1,26 +1,56 @@
-import * as core from '@actions/core'
 import fs from 'fs'
 
 import type { Predicate } from '@actions/attest'
 
+export type PredicateInputs = {
+  predicateType: string
+  predicate: string
+  predicatePath: string
+}
+
+const MAX_PREDICATE_SIZE_BYTES = 16 * 1024 * 1024
+
 // Returns the predicate specified by the action's inputs. The predicate value
 // may be specified as a path to a file or as a string.
-export const predicateFromInputs = (): Predicate => {
-  const predicateType = core.getInput('predicate-type', { required: true })
-  const predicateStr = core.getInput('predicate', { required: false })
-  const predicatePath = core.getInput('predicate-path', { required: false })
+export const predicateFromInputs = (inputs: PredicateInputs): Predicate => {
+  const { predicateType, predicate, predicatePath } = inputs
 
-  if (!predicatePath && !predicateStr) {
+  if (!predicateType) {
+    throw new Error('predicate-type must be provided')
+  }
+
+  if (!predicatePath && !predicate) {
     throw new Error('One of predicate-path or predicate must be provided')
   }
 
-  if (predicatePath && predicateStr) {
+  if (predicatePath && predicate) {
     throw new Error('Only one of predicate-path or predicate may be provided')
   }
 
-  const params = predicatePath
-    ? fs.readFileSync(predicatePath, 'utf-8')
-    : predicateStr
+  let params: string = predicate
+
+  if (predicatePath) {
+    if (!fs.existsSync(predicatePath)) {
+      throw new Error(`predicate file not found: ${predicatePath}`)
+    }
+
+    /* istanbul ignore next */
+    if (fs.statSync(predicatePath).size > MAX_PREDICATE_SIZE_BYTES) {
+      throw new Error(
+        `predicate file exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
+      )
+    }
+
+    params = fs.readFileSync(predicatePath, 'utf-8')
+  } else {
+    if (predicate.length > MAX_PREDICATE_SIZE_BYTES) {
+      throw new Error(
+        `predicate string exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
+      )
+    }
+
+    params = predicate
+  }
 
   return { type: predicateType, params: JSON.parse(params) }
 }

src/style.ts

@@ -0,0 +1,11 @@
+const COLOR_CYAN = '\x1B[36m'
+const COLOR_GRAY = '\x1B[38;5;244m'
+const COLOR_DEFAULT = '\x1B[39m'
+
+// Emphasis string using ANSI color codes
+export const highlight = (str: string): string =>
+  `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
+
+// De-emphasize string using ANSI color codes
+export const mute = (str: string): string =>
+  `${COLOR_GRAY}${str}${COLOR_DEFAULT}`

src/subject.ts

@@ -1,4 +1,3 @@
-import * as core from '@actions/core'
 import * as glob from '@actions/glob'
 import crypto from 'crypto'
 import { parse } from 'csv-parse/sync'
@@ -7,16 +6,23 @@ import path from 'path'
 
 import type { Subject } from '@actions/attest'
 
+const MAX_SUBJECT_COUNT = 2500
 const DIGEST_ALGORITHM = 'sha256'
 
+export type SubjectInputs = {
+  subjectPath: string
+  subjectName: string
+  subjectDigest: string
+  downcaseName?: boolean
+}
 // Returns the subject specified by the action's inputs. The subject may be
 // specified as a path to a file or as a digest. If a path is provided, the
 // file's digest is calculated and returned along with the subject's name. If a
 // digest is provided, the name must also be provided.
-export const subjectFromInputs = async (): Promise<Subject[]> => {
-  const subjectPath = core.getInput('subject-path', { required: false })
-  const subjectDigest = core.getInput('subject-digest', { required: false })
-  const subjectName = core.getInput('subject-name', { required: false })
+export const subjectFromInputs = async (
+  inputs: SubjectInputs
+): Promise<Subject[]> => {
+  const { subjectPath, subjectDigest, subjectName, downcaseName } = inputs
 
   if (!subjectPath && !subjectDigest) {
     throw new Error('One of subject-path or subject-digest must be provided')
@@ -32,10 +38,14 @@ export const subjectFromInputs = async (): Promise<Subject[]> => {
     throw new Error('subject-name must be provided when using subject-digest')
   }
 
+  // If push-to-registry is enabled, ensure the subject name is lowercase
+  // to conform to OCI image naming conventions
+  const name = downcaseName ? subjectName.toLowerCase() : subjectName
+
   if (subjectPath) {
-    return await getSubjectFromPath(subjectPath, subjectName)
+    return await getSubjectFromPath(subjectPath, name)
   } else {
-    return [getSubjectFromDigest(subjectDigest, subjectName)]
+    return [getSubjectFromDigest(subjectDigest, name)]
   }
 }
 
@@ -45,34 +55,38 @@ const getSubjectFromPath = async (
   subjectPath: string,
   subjectName?: string
 ): Promise<Subject[]> => {
-  const subjects: Subject[] = []
+  const digestedSubjects: Subject[] = []
 
   // Parse the list of subject paths
-  const subjectPaths = parseList(subjectPath)
+  const subjectPaths = parseList(subjectPath).join('\n')
 
-  for (const subPath of subjectPaths) {
-    // Expand the globbed path to a list of files
-    /* eslint-disable-next-line github/no-then */
-    const files = await glob.create(subPath).then(async g => g.glob())
+  // Expand the globbed paths to a list of files
+  /* eslint-disable-next-line github/no-then */
+  const files = await glob.create(subjectPaths).then(async g => g.glob())
 
-    for (const file of files) {
-      // Skip anything that is NOT a file
-      if (!fs.statSync(file).isFile()) {
-        continue
-      }
-
-      const name = subjectName || path.parse(file).base
-      const digest = await digestFile(DIGEST_ALGORITHM, file)
-
-      subjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
-    }
+  if (files.length > MAX_SUBJECT_COUNT) {
+    throw new Error(
+      `Too many subjects specified. The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
+    )
   }
 
-  if (subjects.length === 0) {
+  for (const file of files) {
+    // Skip anything that is NOT a file
+    if (!fs.statSync(file).isFile()) {
+      continue
+    }
+
+    const name = subjectName || path.parse(file).base
+    const digest = await digestFile(DIGEST_ALGORITHM, file)
+
+    digestedSubjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
+  }
+
+  if (digestedSubjects.length === 0) {
     throw new Error(`Could not find subject at path ${subjectPath}`)
   }
 
-  return Promise.all(subjects)
+  return digestedSubjects
 }
 
 // Returns the subject specified by the digest of a file. The digest is returned