bump package version to 2.4.0 (#253)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.eslintignore

@@ -1,4 +0,0 @@
-lib/
-dist/
-node_modules/
-coverage/

.github/linters/.eslintrc.yml

@@ -1,85 +0,0 @@
-env:
-  node: true
-  es6: true
-  jest: true
-
-globals:
-  Atomics: readonly
-  SharedArrayBuffer: readonly
-
-ignorePatterns:
-  - '!.*'
-  - '**/node_modules/.*'
-  - '**/dist/.*'
-  - '**/coverage/.*'
-  - '*.json'
-
-parser: '@typescript-eslint/parser'
-
-parserOptions:
-  ecmaVersion: 2023
-  sourceType: module
-  project:
-    - './.github/linters/tsconfig.json'
-    - './tsconfig.json'
-
-plugins:
-  - jest
-  - '@typescript-eslint'
-
-extends:
-  - eslint:recommended
-  - plugin:@typescript-eslint/eslint-recommended
-  - plugin:@typescript-eslint/recommended
-  - plugin:github/recommended
-  - plugin:jest/recommended
-
-rules:
-  {
-    'camelcase': 'off',
-    'eslint-comments/no-use': 'off',
-    'eslint-comments/no-unused-disable': 'off',
-    'i18n-text/no-en': 'off',
-    'import/no-namespace': 'off',
-    'import/no-unresolved':
-      ['error', { 'ignore': ['csv-parse/sync']}],
-    'no-console': 'off',
-    'no-unused-vars': 'off',
-    'prettier/prettier': 'error',
-    'semi': 'off',
-    '@typescript-eslint/array-type': 'error',
-    '@typescript-eslint/await-thenable': 'error',
-    '@typescript-eslint/ban-ts-comment': 'error',
-    '@typescript-eslint/consistent-type-assertions': 'error',
-    '@typescript-eslint/explicit-member-accessibility':
-      ['error', { 'accessibility': 'no-public' }],
-    '@typescript-eslint/explicit-function-return-type':
-      ['error', { 'allowExpressions': true }],
-    '@typescript-eslint/func-call-spacing': ['error', 'never'],
-    '@typescript-eslint/no-array-constructor': 'error',
-    '@typescript-eslint/no-empty-interface': 'error',
-    '@typescript-eslint/no-explicit-any': 'error',
-    '@typescript-eslint/no-extraneous-class': 'error',
-    '@typescript-eslint/no-for-in-array': 'error',
-    '@typescript-eslint/no-inferrable-types': 'error',
-    '@typescript-eslint/no-misused-new': 'error',
-    '@typescript-eslint/no-namespace': 'error',
-    '@typescript-eslint/no-non-null-assertion': 'warn',
-    '@typescript-eslint/no-require-imports': 'error',
-    '@typescript-eslint/no-unnecessary-qualifier': 'error',
-    '@typescript-eslint/no-unnecessary-type-assertion': 'error',
-    '@typescript-eslint/no-unused-vars': 'error',
-    '@typescript-eslint/no-useless-constructor': 'error',
-    '@typescript-eslint/no-var-requires': 'error',
-    '@typescript-eslint/prefer-for-of': 'warn',
-    '@typescript-eslint/prefer-function-type': 'warn',
-    '@typescript-eslint/prefer-includes': 'error',
-    '@typescript-eslint/prefer-string-starts-ends-with': 'error',
-    '@typescript-eslint/promise-function-async': 'error',
-    '@typescript-eslint/require-array-sort-compare': 'error',
-    '@typescript-eslint/restrict-plus-operands': 'error',
-    '@typescript-eslint/semi': ['error', 'never'],
-    '@typescript-eslint/space-before-function-paren': 'off',
-    '@typescript-eslint/type-annotation-spacing': 'error',
-    '@typescript-eslint/unbound-method': 'error'
-  }

.github/linters/eslint.config.mjs

@@ -0,0 +1,93 @@
+import eslint from '@eslint/js'
+import importplugin from 'eslint-plugin-import'
+import jestplugin from 'eslint-plugin-jest'
+import tseslint from 'typescript-eslint'
+
+export default tseslint.config(
+  // Ignore non-project files
+  {
+    name: 'ignore',
+    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
+  },
+  // Use recommended rules from ESLint, TypeScript, and other plugins
+  eslint.configs.recommended,
+  tseslint.configs.recommendedTypeChecked,
+  jestplugin.configs['flat/recommended'],
+  importplugin.flatConfigs.recommended,
+  importplugin.flatConfigs.typescript,
+  // Override some rules
+  {
+    name: 'project-settings',
+    languageOptions: {
+      ecmaVersion: 2023,
+      parserOptions: {
+        project: ['./.github/linters/tsconfig.json', './tsconfig.json']
+      }
+    },
+    rules: {
+      // eslint rules
+      eqeqeq: ['error', 'smart'],
+      'func-style': ['error', 'declaration', { allowArrowFunctions: true }],
+      'no-console': 'off',
+      'no-implicit-globals': 'error',
+      'no-inner-declarations': 'error',
+      'no-invalid-this': 'error',
+      'no-return-assign': 'error',
+      'no-sequences': 'error',
+      'no-shadow': 'error',
+      'no-useless-concat': 'error',
+      'object-shorthand': ['error', 'always', { avoidQuotes: true }],
+      'one-var': ['error', 'never'],
+      'prefer-template': 'error',
+
+      // typescript-eslint rules
+      '@typescript-eslint/array-type': 'error',
+      '@typescript-eslint/consistent-type-assertions': 'error',
+      '@typescript-eslint/explicit-function-return-type': [
+        'error',
+        { allowExpressions: true }
+      ],
+      '@typescript-eslint/explicit-member-accessibility': [
+        'error',
+        { accessibility: 'no-public' }
+      ],
+      '@typescript-eslint/no-extraneous-class': 'error',
+      '@typescript-eslint/no-inferrable-types': 'error',
+      '@typescript-eslint/no-non-null-assertion': 'warn',
+      '@typescript-eslint/no-unnecessary-qualifier': 'error',
+      '@typescript-eslint/no-unsafe-argument': 'off',
+      '@typescript-eslint/no-unsafe-assignment': 'off',
+      '@typescript-eslint/no-useless-constructor': 'error',
+      '@typescript-eslint/prefer-for-of': 'warn',
+      '@typescript-eslint/prefer-function-type': 'warn',
+      '@typescript-eslint/prefer-includes': 'error',
+      '@typescript-eslint/prefer-string-starts-ends-with': 'error',
+      '@typescript-eslint/promise-function-async': 'error',
+      '@typescript-eslint/require-array-sort-compare': 'error',
+      '@typescript-eslint/restrict-template-expressions': 'off',
+
+      // eslint-plugin-import rules
+      'import/extensions': 'error',
+      'import/first': 'error',
+      'import/no-absolute-path': 'error',
+      'import/no-commonjs': 'error',
+      'import/no-deprecated': 'warn',
+      'import/no-dynamic-require': 'error',
+      'import/no-extraneous-dependencies': 'error',
+      'import/no-mutable-exports': 'error',
+      'import/no-namespace': 'off',
+      'import/no-unresolved': ['error', { ignore: ['csv-parse/sync'] }],
+      'import/no-anonymous-default-export': [
+        'error',
+        {
+          allowAnonymousClass: false,
+          allowAnonymousFunction: false,
+          allowArray: true,
+          allowArrowFunction: false,
+          allowLiteral: true,
+          allowObject: true
+        }
+      ]
+    }
+  }
+)

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@v7.4.0
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -46,5 +46,9 @@ jobs:
           TYPESCRIPT_DEFAULT_STYLE: prettier
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
+          VALIDATE_TYPESCRIPT_STANDARD: false
+          VALIDATE_TYPESCRIPT_ES: false
           VALIDATE_JSCPD: false
-          VALIDATE_GITHUB_ACTIONS: false
+
+      - name: Run eslint
+        run: npm run lint:eslint

.github/workflows/publish-immutable-actions.yml

@@ -0,0 +1,22 @@
+name: 'Publish Immutable Action Version'
+
+on:
+  release:
+    types: [published]
+
+permissions: {}
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    steps:
+      - name: Checking out
+        uses: actions/checkout@v4
+      - name: Publish
+        id: publish
+        uses: actions/publish-immutable-action@v0.0.4

README.md

@@ -18,12 +18,29 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
+When an attestation is created, the attestation is stored on the local
+filesystem used by the runner. For each attestation created, the filesystem path
+will be appended to the file `${RUNNER_TEMP}/created_attestation_paths.txt`.
+This can be used to gather all attestations created by all jobs during a the
+workflow.
+
 Attestations can be verified using the [`attestation` command in the GitHub
 CLI][5].
 
 See [Using artifact attestations to establish provenance for builds][9] for more
 information on artifact attestations.
 
+<!-- prettier-ignore-start -->
+> [!NOTE]
+> Artifact attestations are available in public repositories for all
+> current GitHub plans.
+>
+> To use artifact attestations in private or internal repositories, you must
+> be on a GitHub Enterprise Cloud plan.
+>
+> Artifact attestations are NOT supported on GitHub Enterprise Server.
+<!-- prettier-ignore-end -->
+
 ## Usage
 
 Within the GitHub Actions workflow which builds some artifact you would like to
@@ -44,7 +61,7 @@ attest:
 1. Add the following to your workflow after your artifact has been built:
 
    ```yaml
-   - uses: actions/attest@v1
+   - uses: actions/attest@v2
      with:
        subject-path: '<PATH TO ARTIFACT>'
        predicate-type: '<PREDICATE URI>'
@@ -54,39 +71,46 @@ attest:
    The `subject-path` parameter should identify the artifact for which you want
    to generate an attestation. The `predicate-type` can be any of the the
    [vetted predicate types][3] or a custom value. The `predicate-path`
-   identifies a file containg the JSON-encoded predicate parameters.
+   identifies a file containing the JSON-encoded predicate parameters.
 
 ### Inputs
 
 See [action.yml](action.yml)
 
 ```yaml
-- uses: actions/attest@v1
+- uses: actions/attest@v2
   with:
     # Path to the artifact serving as the subject of the attestation. Must
-    # specify exactly one of "subject-path" or "subject-digest". May contain
-    # a glob pattern or list of paths (total subject count cannot exceed 64).
+    # specify exactly one of "subject-path", "subject-digest", or
+    # "subject-checksums". May contain a glob pattern or list of paths
+    # (total subject count cannot exceed 1024).
     subject-path:
 
     # SHA256 digest of the subject for the attestation. Must be in the form
     # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
-    # of "subject-path" or "subject-digest".
+    # of "subject-path", "subject-digest", or "subject-checksums".
     subject-digest:
 
-    # Subject name as it should appear in the attestation. Required unless
-    # "subject-path" is specified, in which case it will be inferred from the
-    # path.
+    # Subject name as it should appear in the attestation. Required when
+    # identifying the subject with the "subject-digest" input.
     subject-name:
 
+    # Path to checksums file containing digest and name of subjects for
+    # attestation. Must specify exactly one of "subject-path", "subject-digest",
+    # or "subject-checksums".
+    subject-checksums:
+
     # URI identifying the type of the predicate.
     predicate-type:
 
-    # JSON string containing the value for the attestation predicate. Must
-    # supply exactly one of "predicate-path" or "predicate".
+    # String containing the value for the attestation predicate. String length
+    # cannot exceed 16MB. Must supply exactly one of "predicate-path" or
+    # "predicate".
     predicate:
 
-    # Path to the file which contains the JSON content for the attestation
-    # predicate. Must supply exactly one of "predicate-path" or "predicate".
+    # Path to the file which contains the content for the attestation predicate.
+    # File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
+    # or "predicate".
     predicate-path:
 
     # Whether to push the attestation to the image registry. Requires that the
@@ -94,6 +118,10 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to attach a list of generated attestations to the workflow run
+    # summary page. Defaults to true.
+    show-summary:
+
     # The GitHub token used to make authenticated API requests. Default is
     # ${{ github.token }}
     github-token:
@@ -103,17 +131,29 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name          | Description                                                    | Example                  |
-| ------------- | -------------------------------------------------------------- | ------------------------ |
-| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.jsonl` |
+| Name              | Description                                                    | Example                                          |
+| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
+| `attestation-id`  | GitHub ID for the attestation                                  | `123456`                                         |
+| `attestation-url` | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
+| `bundle-path`     | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
 
 <!-- markdownlint-enable MD013 -->
 
 Attestations are saved in the JSON-serialized [Sigstore bundle][6] format.
 
-If multiple subjects are being attested at the same time, each attestation will
-be written to the output file on a separate line (using the [JSON Lines][7]
-format).
+If multiple subjects are being attested at the same time, a single attestation
+will be created with references to each of the supplied subjects.
+
+## Attestation Limits
+
+### Subject Limits
+
+No more than 1024 subjects can be attested at the same time.
+
+### Predicate Limits
+
+Whether supplied via the `predicate` or `predicatePath` input, the predicate
+string cannot exceed 16MB.
 
 ## Examples
 
@@ -141,20 +181,20 @@ jobs:
       - name: Build artifact
         run: make my-app
       - name: Attest
-        uses: actions/attest@v1
+        uses: actions/attest@v2
         with:
           subject-path: '${{ github.workspace }}/my-app'
           predicate-type: 'https://example.com/predicate/v1'
           predicate: '{}'
 ```
 
-### Identify Subjects by Wildcard
+### Identify Multiple Subjects
 
-If you are generating multiple artifacts, you can generate an attestation for
-each by using a wildcard in the `subject-path` input.
+If you are generating multiple artifacts, you can attest all of them at the same
+time by using a wildcard in the `subject-path` input.
 
 ```yaml
-- uses: actions/attest@v1
+- uses: actions/attest@v2
   with:
     subject-path: 'dist/**/my-bin-*'
     predicate-type: 'https://example.com/predicate/v1'
@@ -164,6 +204,60 @@ each by using a wildcard in the `subject-path` input.
 For supported wildcards along with behavior and documentation, see
 [@actions/glob][8] which is used internally to search for files.
 
+Alternatively, you can explicitly list multiple subjects with either a comma or
+newline delimited list:
+
+```yaml
+- uses: actions/attest@v2
+  with:
+    subject-path: 'dist/foo, dist/bar'
+```
+
+```yaml
+- uses: actions/attest@v2
+  with:
+    subject-path: |
+      dist/foo
+      dist/bar
+```
+
+### Identify Subjects with Checksums File
+
+If you are using tools like
+[goreleaser](https://goreleaser.com/customization/checksum/) or
+[jreleaser](https://jreleaser.org/guide/latest/reference/checksum.html) which
+generate a checksums file you can identify the attestation subjects by passing
+the path of the checksums file to the `subject-checksums` input. Each of the
+artifacts identified in the checksums file will be listed as a subject for the
+attestation.
+
+```yaml
+- name: Calculate artifact digests
+  run: |
+    shasum -a 256 foo_0.0.1_* > subject.checksums.txt
+
+- uses: actions/attest@v2
+  with:
+    subject-checksums: subject.checksums.txt
+    predicate-type: 'https://example.com/predicate/v1'
+    predicate: '{}'
+```
+
+<!-- markdownlint-disable MD038 -->
+
+The file referenced by the `subject-checksums` input must conform to the same
+format used by the shasum tools. Each subject should be listed on a separate
+line including the hex-encoded digest (either SHA256 or SHA512), a space, a
+single character flag indicating either binary (`*`) or text (` `) input mode,
+and the filename.
+
+<!-- markdownlint-enable MD038 -->
+
+```text
+b569bf992b287f55d78bf8ee476497e9b7e9d2bf1c338860bfb905016218c740  foo_0.0.1_darwin_amd64
+a54fc515e616cac7fcf11a49d5c5ec9ec315948a5935c1e11dd610b834b14dde  foo_0.0.1_darwin_arm64
+```
+
 ### Container Image
 
 When working with container images you can invoke the action with the
@@ -175,8 +269,8 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
-> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the
-> registry portion of the image name.
+> **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
+> portion of the image name.
 
 ```yaml
 name: build-attested-image
@@ -214,7 +308,7 @@ jobs:
           push: true
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
       - name: Attest
-        uses: actions/attest@v1
+        uses: actions/attest@v2
         id: attest
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -232,7 +326,6 @@ jobs:
 [5]: https://cli.github.com/manual/gh_attestation_verify
 [6]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
-[7]: https://jsonlines.org/
 [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
 [9]:
   https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

__tests__/index.test.ts

@@ -2,13 +2,18 @@
  * Unit tests for the action's entrypoint, src/index.ts
  */
 
+import * as core from '@actions/core'
 import * as main from '../src/main'
 
 // Mock the action's entrypoint
 const runMock = jest.spyOn(main, 'run').mockImplementation()
+const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
 
 describe('index', () => {
-  it('calls run when imported', async () => {
+  beforeEach(() => {
+    getBooleanInputMock.mockImplementation(() => false)
+  })
+  it('calls run when imported', () => {
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     require('../src/index')
 

__tests__/main.test.ts

@@ -20,8 +20,6 @@ import * as main from '../src/main'
 // Mock the GitHub Actions core library
 const infoMock = jest.spyOn(core, 'info')
 const startGroupMock = jest.spyOn(core, 'startGroup')
-const getInputMock = jest.spyOn(core, 'getInput')
-const getBooleanInputMock = jest.spyOn(core, 'getBooleanInput')
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
 
@@ -38,12 +36,29 @@ const runMock = jest.spyOn(main, 'run')
 const mockAgent = new MockAgent()
 setGlobalDispatcher(mockAgent)
 
+const defaultInputs: main.RunInputs = {
+  predicate: '',
+  predicateType: '',
+  predicatePath: '',
+  subjectName: '',
+  subjectDigest: '',
+  subjectPath: '',
+  subjectChecksums: '',
+  pushToRegistry: false,
+  showSummary: true,
+  githubToken: '',
+  privateSigning: false
+}
+
 describe('action', () => {
   // Capture original environment variables and GitHub context so we can restore
   // them after each test
   const originalEnv = process.env
   const originalContext = { ...github.context }
 
+  // Mock OIDC token endpoint
+  const tokenURL = 'https://token.url'
+
   // Fake an OIDC token
   const oidcSubject = 'foo@bar.com'
   const oidcPayload = { sub: oidcSubject, iss: '' }
@@ -62,9 +77,6 @@ describe('action', () => {
   beforeEach(() => {
     jest.clearAllMocks()
 
-    // Mock OIDC token endpoint
-    const tokenURL = 'https://token.url'
-
     nock(tokenURL)
       .get('/')
       .query({ audience: 'sigstore' })
@@ -95,24 +107,22 @@ describe('action', () => {
   })
 
   describe('when ACTIONS_ID_TOKEN_REQUEST_URL is not set', () => {
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token'
     }
 
     beforeEach(() => {
       // Nullify the OIDC token URL
       process.env.ACTIONS_ID_TOKEN_REQUEST_URL = ''
-
-      getInputMock.mockImplementation(mockInput(inputs))
-      getBooleanInputMock.mockImplementation(() => false)
     })
 
     it('sets a failed status', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
@@ -124,27 +134,26 @@ describe('action', () => {
   })
 
   describe('when no inputs are provided', () => {
-    beforeEach(() => {
-      getInputMock.mockImplementation(() => '')
-    })
-
     it('sets a failed status', async () => {
-      await main.run()
+      await main.run(defaultInputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
-        new Error('One of subject-path or subject-digest must be provided')
+        new Error(
+          'One of subject-path, subject-digest, or subject-checksums must be provided'
+        )
       )
     })
   })
 
   describe('when the repository is private', () => {
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token'
     }
 
     beforeEach(async () => {
@@ -154,9 +163,6 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      getInputMock.mockImplementation(mockInput(inputs))
-      getBooleanInputMock.mockImplementation(() => false)
-
       await mockFulcio({
         baseURL: 'https://fulcio.githubapp.com',
         strict: false
@@ -165,7 +171,7 @@ describe('action', () => {
     })
 
     it('invokes the action w/o error', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).not.toHaveBeenCalledWith()
@@ -194,7 +200,17 @@ describe('action', () => {
       expect(setOutputMock).toHaveBeenNthCalledWith(
         1,
         'bundle-path',
-        expect.stringMatching('attestation.jsonl')
+        expect.stringMatching('attestation.json')
+      )
+      expect(setOutputMock).toHaveBeenNthCalledWith(
+        2,
+        'attestation-id',
+        expect.stringMatching(attestationID)
+      )
+      expect(setOutputMock).toHaveBeenNthCalledWith(
+        3,
+        'attestation-url',
+        expect.stringContaining(`foo/bar/attestations/${attestationID}`)
       )
       expect(setFailedMock).not.toHaveBeenCalled()
     })
@@ -204,12 +220,14 @@ describe('action', () => {
     const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
     const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
 
-    const inputs = {
-      'subject-digest': subjectDigest,
-      'subject-name': subjectName,
-      'predicate-type': predicateType,
+    const inputs: main.RunInputs = {
+      ...defaultInputs,
+      subjectDigest,
+      subjectName,
+      predicateType,
       predicate,
-      'github-token': 'gh-token'
+      githubToken: 'gh-token',
+      pushToRegistry: true
     }
 
     beforeEach(async () => {
@@ -219,11 +237,6 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      // Mock the action's inputs
-      getInputMock.mockImplementation(mockInput(inputs))
-      // This is where we mock the push-to-registry input
-      getBooleanInputMock.mockImplementation(() => true)
-
       await mockFulcio({
         baseURL: 'https://fulcio.sigstore.dev',
         strict: false
@@ -244,7 +257,7 @@ describe('action', () => {
     })
 
     it('invokes the action w/o error', async () => {
-      await main.run()
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).not.toHaveBeenCalled()
@@ -283,17 +296,28 @@ describe('action', () => {
       expect(setOutputMock).toHaveBeenNthCalledWith(
         1,
         'bundle-path',
-        expect.stringMatching('attestation.jsonl')
+        expect.stringMatching('attestation.json')
+      )
+      expect(setOutputMock).toHaveBeenNthCalledWith(
+        2,
+        'attestation-id',
+        expect.stringMatching(attestationID)
+      )
+      expect(setOutputMock).toHaveBeenNthCalledWith(
+        3,
+        'attestation-url',
+        expect.stringContaining(`foo/bar/attestations/${attestationID}`)
       )
       expect(setFailedMock).not.toHaveBeenCalled()
     })
   })
 
-  describe('when too many subjects are specified', () => {
+  describe('when the subject count is greater than 1', () => {
     let dir = ''
+    const filename = 'subject'
 
     beforeEach(async () => {
-      const filename = 'subject'
+      const subjectCount = 5
       const content = 'file content'
 
       // Set-up temp directory
@@ -301,7 +325,7 @@ describe('action', () => {
       dir = await fs.mkdtemp(tmpDir + path.sep)
 
       // Add files for glob testing
-      for (let i = 0; i < 65; i++) {
+      for (let i = 0; i < subjectCount; i++) {
         await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
       }
 
@@ -311,14 +335,63 @@ describe('action', () => {
         repo: { owner: 'foo', repo: 'bar' }
       })
 
-      // Mock the action's inputs
-      getInputMock.mockImplementation(
-        mockInput({
-          predicate: '{}',
-          'subject-path': path.join(dir, `${filename}-*`)
-        })
+      // Set-up a Fulcio mock for each subject
+      await mockFulcio({
+        baseURL: 'https://fulcio.githubapp.com',
+        strict: false
+      })
+
+      // Set-up a TSA mock for each subject
+      await mockTSA({ baseURL: 'https://timestamp.githubapp.com' })
+    })
+
+    afterEach(async () => {
+      // Clean-up temp directory
+      await fs.rm(dir, { recursive: true })
+    })
+
+    it('invokes the action w/o error', async () => {
+      const inputs: main.RunInputs = {
+        ...defaultInputs,
+        subjectPath: path.join(dir, `${filename}-*`),
+        predicateType,
+        predicate,
+        githubToken: 'gh-token'
+      }
+      await main.run(inputs)
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(infoMock).toHaveBeenNthCalledWith(
+        1,
+        expect.stringMatching('Attestation created for 5 subjects')
       )
     })
+  })
+
+  describe('when the subject count exceeds the max', () => {
+    let dir = ''
+    const filename = 'subject'
+
+    beforeEach(async () => {
+      const subjectCount = 1025
+      const content = 'file content'
+
+      // Set-up temp directory
+      const tmpDir = await fs.realpath(os.tmpdir())
+      dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      // Add files for glob testing
+      for (let i = 0; i < subjectCount; i++) {
+        await fs.writeFile(path.join(dir, `${filename}-${i}`), content)
+      }
+
+      // Set the GH context with private repository visibility and a repo owner.
+      setGHContext({
+        payload: { repository: { visibility: 'private' } },
+        repo: { owner: 'foo', repo: 'bar' }
+      })
+    })
 
     afterEach(async () => {
       // Clean-up temp directory
@@ -326,27 +399,25 @@ describe('action', () => {
     })
 
     it('sets a failed status', async () => {
-      await main.run()
+      const inputs: main.RunInputs = {
+        ...defaultInputs,
+        subjectPath: path.join(dir, `${filename}-*`),
+        predicateType,
+        predicate,
+        githubToken: 'gh-token'
+      }
+      await main.run(inputs)
 
       expect(runMock).toHaveReturned()
       expect(setFailedMock).toHaveBeenCalledWith(
         new Error(
-          'Too many subjects specified. The maximum number of subjects is 64.'
+          'Too many subjects specified. The maximum number of subjects is 1024.'
         )
       )
     })
   })
 })
 
-function mockInput(inputs: Record<string, string>): typeof core.getInput {
-  return (name: string): string => {
-    if (name in inputs) {
-      return inputs[name]
-    }
-    return ''
-  }
-}
-
 // Stubbing the GitHub context is a bit tricky. We need to use
 // `Object.defineProperty` because `github.context` is read-only.
 function setGHContext(context: object): void {

__tests__/predicate.test.ts

@@ -1,92 +1,129 @@
 import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'
-import { predicateFromInputs } from '../src/predicate'
+import { predicateFromInputs, PredicateInputs } from '../src/predicate'
 
 describe('subjectFromInputs', () => {
-  afterEach(() => {
-    process.env['INPUT_PREDICATE'] = ''
-    process.env['INPUT_PREDICATE-PATH'] = ''
-    process.env['INPUT_PREDICATE-TYPE'] = ''
-  })
+  const blankInputs: PredicateInputs = {
+    predicateType: '',
+    predicate: '',
+    predicatePath: ''
+  }
 
   describe('when no inputs are provided', () => {
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(/predicate-type/i)
+      expect(() => predicateFromInputs(blankInputs)).toThrow(/predicate-type/i)
     })
   })
 
   describe('when neither predicate path nor predicate are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType: 'https://example.com/predicate'
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
         /one of predicate-path or predicate must be provided/i
       )
     })
   })
 
   describe('when both predicate path and predicate are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-PATH'] = 'path/to/predicate'
-      process.env['INPUT_PREDICATE'] = '{}'
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('throws an error', () => {
-      expect(() => predicateFromInputs()).toThrow(
+      const inputs: PredicateInputs = {
+        predicateType: 'https://example.com/predicate',
+        predicate: '{}',
+        predicatePath: 'path/to/predicate'
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
         /only one of predicate-path or predicate may be provided/i
       )
     })
   })
 
   describe('when specifying a predicate path', () => {
-    let dir = ''
-    const filename = 'subject'
+    const predicateType = 'https://example.com/predicate'
     const content = '{}'
+    let predicatePath = ''
 
     beforeEach(async () => {
       // Set-up temp directory
       const tmpDir = await fs.realpath(os.tmpdir())
-      dir = await fs.mkdtemp(tmpDir + path.sep)
+      const dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      const filename = 'subject'
+      predicatePath = path.join(dir, filename)
 
       // Write file to temp directory
-      await fs.writeFile(path.join(dir, filename), content)
+      await fs.writeFile(predicatePath, content)
     })
 
     afterEach(async () => {
       // Clean-up temp directory
-      await fs.rm(dir, { recursive: true })
-    })
-
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE-PATH'] = path.join(dir, filename)
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
+      await fs.rm(path.parse(predicatePath).dir, { recursive: true })
     })
 
     it('returns the predicate', () => {
-      expect(predicateFromInputs()).toEqual({
-        type: 'https://example.com/predicate',
-        params: {}
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicatePath
+      }
+      expect(predicateFromInputs(inputs)).toEqual({
+        type: predicateType,
+        params: JSON.parse(content)
       })
     })
   })
 
+  describe('when specifying a predicate path that does not exist', () => {
+    const predicateType = 'https://example.com/predicate'
+    const predicatePath = 'foo'
+
+    it('returns the predicate', () => {
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicatePath
+      }
+      expect(() => predicateFromInputs(inputs)).toThrow(/file not found/)
+    })
+  })
+
   describe('when specifying a predicate value', () => {
+    const predicateType = 'https://example.com/predicate'
     const content = '{}'
 
-    beforeEach(() => {
-      process.env['INPUT_PREDICATE'] = content
-      process.env['INPUT_PREDICATE-TYPE'] = 'https://example.com/predicate'
-    })
-
     it('returns the predicate', () => {
-      expect(predicateFromInputs()).toEqual({
-        type: 'https://example.com/predicate',
-        params: {}
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicate: content
+      }
+
+      expect(predicateFromInputs(inputs)).toEqual({
+        type: predicateType,
+        params: JSON.parse(content)
       })
     })
   })
+
+  describe('when specifying a predicate value exceeding the max size', () => {
+    const predicateType = 'https://example.com/predicate'
+    const content = JSON.stringify({ a: 'a'.repeat(16 * 1024 * 1024) })
+
+    it('throws an error', () => {
+      const inputs: PredicateInputs = {
+        ...blankInputs,
+        predicateType,
+        predicate: content
+      }
+
+      expect(() => predicateFromInputs(inputs)).toThrow(
+        /predicate string exceeds maximum/
+      )
+    })
+  })
 })

__tests__/style.test.ts

@@ -0,0 +1,15 @@
+import { highlight, mute } from '../src/style'
+
+describe('style', () => {
+  describe('highlight', () => {
+    it('adds cyan color to the string', () => {
+      expect(highlight('foo')).toBe('\x1B[36mfoo\x1B[39m')
+    })
+  })
+
+  describe('mute', () => {
+    it('adds gray color to the string', () => {
+      expect(mute('foo')).toBe('\x1B[38;5;244mfoo\x1B[39m')
+    })
+  })
+})

__tests__/subject.test.ts

@@ -2,47 +2,81 @@ import crypto from 'crypto'
 import fs from 'fs/promises'
 import os from 'os'
 import path from 'path'
-import { subjectFromInputs } from '../src/subject'
+import {
+  formatSubjectDigest,
+  subjectFromInputs,
+  SubjectInputs
+} from '../src/subject'
 
 describe('subjectFromInputs', () => {
-  beforeEach(() => {
-    process.env['INPUT_PUSH-TO-REGISTRY'] = 'false'
-  })
-
-  afterEach(() => {
-    process.env['INPUT_SUBJECT-PATH'] = ''
-    process.env['INPUT_SUBJECT-DIGEST'] = ''
-    process.env['INPUT_SUBJECT-NAME'] = ''
-  })
+  const blankInputs: SubjectInputs = {
+    subjectPath: '',
+    subjectName: '',
+    subjectDigest: '',
+    subjectChecksums: ''
+  }
 
   describe('when no inputs are provided', () => {
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
-        /one of subject-path or subject-digest must be provided/i
+      await expect(subjectFromInputs(blankInputs)).rejects.toThrow(
+        /one of subject-path, subject-digest, or subject-checksums must be provided/i
       )
     })
   })
 
   describe('when both subject path and subject digest are provided', () => {
-    beforeEach(() => {
-      process.env['INPUT_SUBJECT-PATH'] = 'path/to/subject'
-      process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-    })
-
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
-        /only one of subject-path or subject-digest may be provided/i
+      const inputs: SubjectInputs = {
+        subjectName: 'foo',
+        subjectPath: 'path/to/subject',
+        subjectDigest: 'digest',
+        subjectChecksums: ''
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
+        /only one of subject-path, subject-digest, or subject-checksums may be provided/i
+      )
+    })
+  })
+
+  describe('when both subject path and subject checksums are provided', () => {
+    it('throws an error', async () => {
+      const inputs: SubjectInputs = {
+        subjectName: '',
+        subjectPath: 'path/to/subject',
+        subjectDigest: '',
+        subjectChecksums: 'path/to/checksums'
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
+        /only one of subject-path, subject-digest, or subject-checksums may be provided/i
+      )
+    })
+  })
+
+  describe('when both subject digest and subject checksums are provided', () => {
+    it('throws an error', async () => {
+      const inputs: SubjectInputs = {
+        subjectName: 'foo',
+        subjectPath: '',
+        subjectDigest: 'digest',
+        subjectChecksums: 'path/to/checksums'
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
+        /only one of subject-path, subject-digest, or subject-checksums may be provided/i
       )
     })
   })
 
   describe('when subject digest is provided but not the name', () => {
-    beforeEach(() => {
-      process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-    })
-
     it('throws an error', async () => {
-      await expect(subjectFromInputs()).rejects.toThrow(
+      const inputs: SubjectInputs = {
+        ...blankInputs,
+        subjectDigest: 'digest'
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
         /subject-name must be provided when using subject-digest/i
       )
     })
@@ -52,39 +86,42 @@ describe('subjectFromInputs', () => {
     const name = 'Subject'
 
     describe('when the digest is malformed', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'digest'
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'digest',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
     })
 
-    describe('when the alogrithm is not supported', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'md5:deadbeef'
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
+    describe('when the algorithm is not supported', () => {
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'md5:deadbeef',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
     })
 
     describe('when the sha256 digest is malformed', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = 'sha256:deadbeef'
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: 'sha256:deadbeef',
+          subjectName: name
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /subject-digest must be in the format "sha256:<hex-digest>"/i
         )
       })
@@ -95,13 +132,14 @@ describe('subjectFromInputs', () => {
       const digest =
         '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
 
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = `${alg}:${digest}`
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: `${alg}:${digest}`,
+          subjectName: name
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -110,20 +148,21 @@ describe('subjectFromInputs', () => {
       })
     })
 
-    describe('when the push-to-registry is true', () => {
+    describe('when the downcaseName is true', () => {
       const imageName = 'ghcr.io/FOO/bar'
       const alg = 'sha256'
       const digest =
         '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
 
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-DIGEST'] = `${alg}:${digest}`
-        process.env['INPUT_SUBJECT-NAME'] = imageName
-        process.env['INPUT_PUSH-TO-REGISTRY'] = 'true'
-      })
-
       it('returns the subject (with name downcased)', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectDigest: `${alg}:${digest}`,
+          subjectName: imageName,
+          downcaseName: true
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -135,19 +174,20 @@ describe('subjectFromInputs', () => {
 
   describe('when specifying a subject path', () => {
     describe('when the file does NOT exist', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = '/f/a/k/e'
-      })
-
       it('throws an error', async () => {
-        await expect(subjectFromInputs()).rejects.toThrow(
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: '/f/a/k/e'
+        }
+
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
           /could not find subject at path/i
         )
       })
     })
   })
 
-  describe('when the file eixts', () => {
+  describe('when the file exists', () => {
     let dir = ''
     const filename = 'subject'
     const content = 'file content'
@@ -178,12 +218,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when no name is provided', () => {
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, filename)
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, filename)
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -195,13 +236,14 @@ describe('subjectFromInputs', () => {
     describe('when a name is provided', () => {
       const name = 'mysubject'
 
-      beforeEach(() => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, filename)
-        process.env['INPUT_SUBJECT-NAME'] = name
-      })
-
       it('returns the subject', async () => {
-        const subject = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, filename),
+          subjectName: name
+        }
+
+        const subject = await subjectFromInputs(inputs)
 
         expect(subject).toBeDefined()
         expect(subject).toHaveLength(1)
@@ -211,17 +253,17 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a file glob is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] = path.join(dir, 'subject-*')
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: path.join(dir, 'subject-*')
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(3)
 
-        /* eslint-disable-next-line github/array-foreach */
         subjects.forEach((subject, i) => {
           expect(subject.name).toEqual(`${filename}-${i}`)
           expect(subject.digest).toEqual({ sha256: expectedDigest })
@@ -230,12 +272,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a file glob is supplied which also matches non-files', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] = `${dir}*`
-      })
-
       it('returns the subjects (excluding non-files)', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${dir}*`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(7)
@@ -243,13 +286,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a comma-separated list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-1')},${path.join(dir, 'subject-2')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(2)
@@ -266,13 +309,36 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a multi-line list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-0')}\n${path.join(dir, 'subject-2')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'subject-0',
+          digest: { sha256: expectedDigest }
+        })
+        expect(subjects).toContainEqual({
+          name: 'subject-2',
+          digest: { sha256: expectedDigest }
+        })
+      })
+    })
+
+    describe('when an excluding glob is supplied', () => {
+      it('returns the multiple subjects', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-*')},!${path.join(dir, 'subject-1')}`
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(2)
@@ -289,13 +355,13 @@ describe('subjectFromInputs', () => {
     })
 
     describe('when a multi-line glob list is supplied', () => {
-      beforeEach(async () => {
-        process.env['INPUT_SUBJECT-PATH'] =
-          `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
-      })
-
       it('returns the multiple subjects', async () => {
-        const subjects = await subjectFromInputs()
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject-*')}\n  ${path.join(dir, 'other-*')} `
+        }
+
+        const subjects = await subjectFromInputs(inputs)
 
         expect(subjects).toBeDefined()
         expect(subjects).toHaveLength(6)
@@ -327,5 +393,154 @@ describe('subjectFromInputs', () => {
         })
       })
     })
+
+    describe('when duplicate subjects are supplied', () => {
+      let otherDir = ''
+
+      // Add duplicate subject in alternate directory
+      beforeEach(async () => {
+        // Set-up temp directory
+        const tmpDir = await fs.realpath(os.tmpdir())
+        otherDir = await fs.mkdtemp(tmpDir + path.sep)
+
+        // Write file to temp directory
+        await fs.writeFile(path.join(otherDir, filename), content)
+      })
+
+      it('returns de-duplicated subjects', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectPath: `${path.join(dir, 'subject')}, ${path.join(otherDir, 'subject')} `
+        }
+        const subjects = await subjectFromInputs(inputs)
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(1)
+      })
+    })
+  })
+
+  describe('when specifying a subject checksums file', () => {
+    const checksums = `
+187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d  demo_0.0.1_linux_amd64
+badline
+5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718 demo_0.0.1_darwin_arm64`
+
+    let dir = ''
+    const filename = 'checksums'
+
+    beforeEach(async () => {
+      // Set-up temp directory
+      const tmpDir = await fs.realpath(os.tmpdir())
+      dir = await fs.mkdtemp(tmpDir + path.sep)
+
+      // Write file to temp directory
+      await fs.writeFile(path.join(dir, filename), checksums)
+    })
+
+    afterEach(async () => {
+      // Clean-up temp directory
+      await fs.rm(dir, { recursive: true })
+    })
+
+    describe('when the specified path is NOT a file', () => {
+      it('throws an error', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectChecksums: dir
+        }
+        await expect(subjectFromInputs(inputs)).rejects.toThrow(
+          /subject checksums file not found/i
+        )
+      })
+    })
+
+    describe('when the specific path is a file', () => {
+      it('returns the multiple subjects', async () => {
+        const inputs: SubjectInputs = {
+          ...blankInputs,
+          subjectChecksums: path.join(dir, filename)
+        }
+        const subjects = await subjectFromInputs(inputs)
+
+        expect(subjects).toBeDefined()
+        expect(subjects).toHaveLength(2)
+
+        expect(subjects).toContainEqual({
+          name: 'demo_0.0.1_linux_amd64',
+          digest: {
+            sha256:
+              '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
+          }
+        })
+      })
+    })
+  })
+
+  describe('when specifying a subject checksums string', () => {
+    const checksums = `
+f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_linux_386
+187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d  demo_0.0.1_linux_amd64
+9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5  demo_0.0.1_linux_arm64`
+
+    it('returns the multiple subjects', async () => {
+      const inputs: SubjectInputs = {
+        ...blankInputs,
+        subjectChecksums: checksums
+      }
+      const subjects = await subjectFromInputs(inputs)
+
+      expect(subjects).toBeDefined()
+      expect(subjects).toHaveLength(3)
+
+      expect(subjects).toContainEqual({
+        name: 'demo_0.0.1_linux_386',
+        digest: {
+          sha256:
+            'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
+        }
+      })
+    })
+  })
+
+  describe('when specifying a subject checksums string with an unrecognized digest', () => {
+    const checksums = `f861e  demo_0.0.1_linux_386`
+
+    it('throws an error', async () => {
+      const inputs: SubjectInputs = {
+        ...blankInputs,
+        subjectChecksums: checksums
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(
+        /unknown digest algorithm/i
+      )
+    })
+  })
+
+  describe('when specifying a subject checksums string with an invalid digest', () => {
+    const checksums =
+      '!!!!e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_linux_386'
+
+    it('throws an error', async () => {
+      const inputs: SubjectInputs = {
+        ...blankInputs,
+        subjectChecksums: checksums
+      }
+
+      await expect(subjectFromInputs(inputs)).rejects.toThrow(/invalid digest/i)
+    })
+  })
+})
+
+describe('subjectDigest', () => {
+  it('returns the digest', () => {
+    const subject = {
+      name: 'foo',
+      digest: { sha1: 'deadbeef' }
+    }
+
+    const digest = formatSubjectDigest(subject)
+    expect(digest).toEqual('sha1:deadbeef')
   })
 })

action.yml

@@ -9,20 +9,26 @@ inputs:
   subject-path:
     description: >
       Path to the artifact serving as the subject of the attestation. Must
-      specify exactly one of "subject-path" or "subject-digest". May contain a
-      glob pattern or list of paths (total subject count cannot exceed 64).
+      specify exactly one of "subject-path",  "subject-digest", or
+      "subject-checksums". May contain a glob pattern or list of paths (total
+      subject count cannot exceed 1024).
     required: false
   subject-digest:
     description: >
       Digest of the subject for the attestation. Must be in the form
       "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
-      of "subject-path" or "subject-digest".
+      of "subject-path", "subject-digest", or "subject-checksums".
     required: false
   subject-name:
     description: >
-      Subject name as it should appear in the attestation. Required unless
-      "subject-path" is specified, in which case it will be inferred from the
-      path.
+      Subject name as it should appear in the attestation. Required when
+      identifying the subject with the "subject-digest" input.
+    required: false
+  subject-checksums:
+    description: >
+      Path to checksums file containing digest and name of subjects for
+      attestation. Must specify exactly one of "subject-path", "subject-digest",
+      or "subject-checksums".
     required: false
   predicate-type:
     description: >
@@ -30,13 +36,15 @@ inputs:
     required: true
   predicate:
     description: >
-      String containing the value for the attestation predicate. Must supply
-      exactly one of "predicate-path" or "predicate".
+      String containing the value for the attestation predicate. String length
+      cannot exceed 16MB. Must supply exactly one of "predicate-path" or
+      "predicate".
     required: false
   predicate-path:
     description: >
       Path to the file which contains the content for the attestation predicate.
-      Must supply exactly one of "predicate-path" or "predicate".
+      File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
+      or "predicate".
     required: false
   push-to-registry:
     description: >
@@ -45,6 +53,12 @@ inputs:
       the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  show-summary:
+    description: >
+      Whether to attach a list of generated attestations to the workflow run
+      summary page. Defaults to true.
+    default: true
+    required: false
   github-token:
     description: >
       The GitHub token used to make authenticated API requests.
@@ -52,7 +66,11 @@ inputs:
     required: false
 outputs:
   bundle-path:
-    description: 'The path to the file containing the attestation bundle(s).'
+    description: 'The path to the file containing the attestation bundle.'
+  attestation-id:
+    description: 'The ID of the attestation.'
+  attestation-url:
+    description: 'The URL for the attestation summary.'
 
 runs:
   using: node20

dist/606.index.js

@@ -0,0 +1,287 @@
+"use strict";
+exports.id = 606;
+exports.ids = [606];
+exports.modules = {
+
+/***/ 606:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   "default": () => (/* binding */ pMap)
+/* harmony export */ });
+/* unused harmony exports pMapIterable, pMapSkip */
+async function pMap(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		stopOnError = true,
+		signal,
+	} = {},
+) {
+	return new Promise((resolve, reject_) => {
+		if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+			throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+		}
+
+		if (typeof mapper !== 'function') {
+			throw new TypeError('Mapper function is required');
+		}
+
+		if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+			throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+		}
+
+		const result = [];
+		const errors = [];
+		const skippedIndexesMap = new Map();
+		let isRejected = false;
+		let isResolved = false;
+		let isIterableDone = false;
+		let resolvingCount = 0;
+		let currentIndex = 0;
+		const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();
+
+		const reject = reason => {
+			isRejected = true;
+			isResolved = true;
+			reject_(reason);
+		};
+
+		if (signal) {
+			if (signal.aborted) {
+				reject(signal.reason);
+			}
+
+			signal.addEventListener('abort', () => {
+				reject(signal.reason);
+			});
+		}
+
+		const next = async () => {
+			if (isResolved) {
+				return;
+			}
+
+			const nextItem = await iterator.next();
+
+			const index = currentIndex;
+			currentIndex++;
+
+			// Note: `iterator.next()` can be called many times in parallel.
+			// This can cause multiple calls to this `next()` function to
+			// receive a `nextItem` with `done === true`.
+			// The shutdown logic that rejects/resolves must be protected
+			// so it runs only one time as the `skippedIndex` logic is
+			// non-idempotent.
+			if (nextItem.done) {
+				isIterableDone = true;
+
+				if (resolvingCount === 0 && !isResolved) {
+					if (!stopOnError && errors.length > 0) {
+						reject(new AggregateError(errors)); // eslint-disable-line unicorn/error-message
+						return;
+					}
+
+					isResolved = true;
+
+					if (skippedIndexesMap.size === 0) {
+						resolve(result);
+						return;
+					}
+
+					const pureResult = [];
+
+					// Support multiple `pMapSkip`'s.
+					for (const [index, value] of result.entries()) {
+						if (skippedIndexesMap.get(index) === pMapSkip) {
+							continue;
+						}
+
+						pureResult.push(value);
+					}
+
+					resolve(pureResult);
+				}
+
+				return;
+			}
+
+			resolvingCount++;
+
+			// Intentionally detached
+			(async () => {
+				try {
+					const element = await nextItem.value;
+
+					if (isResolved) {
+						return;
+					}
+
+					const value = await mapper(element, index);
+
+					// Use Map to stage the index of the element.
+					if (value === pMapSkip) {
+						skippedIndexesMap.set(index, value);
+					}
+
+					result[index] = value;
+
+					resolvingCount--;
+					await next();
+				} catch (error) {
+					if (stopOnError) {
+						reject(error);
+					} else {
+						errors.push(error);
+						resolvingCount--;
+
+						// In that case we can't really continue regardless of `stopOnError` state
+						// since an iterable is likely to continue throwing after it throws once.
+						// If we continue calling `next()` indefinitely we will likely end up
+						// in an infinite loop of failed iteration.
+						try {
+							await next();
+						} catch (error) {
+							reject(error);
+						}
+					}
+				}
+			})();
+		};
+
+		// Create the concurrent runners in a detached (non-awaited)
+		// promise. We need this so we can await the `next()` calls
+		// to stop creating runners before hitting the concurrency limit
+		// if the iterable has already been marked as done.
+		// NOTE: We *must* do this for async iterators otherwise we'll spin up
+		// infinite `next()` calls by default and never start the event loop.
+		(async () => {
+			for (let index = 0; index < concurrency; index++) {
+				try {
+					// eslint-disable-next-line no-await-in-loop
+					await next();
+				} catch (error) {
+					reject(error);
+					break;
+				}
+
+				if (isIterableDone || isRejected) {
+					break;
+				}
+			}
+		})();
+	});
+}
+
+function pMapIterable(
+	iterable,
+	mapper,
+	{
+		concurrency = Number.POSITIVE_INFINITY,
+		backpressure = concurrency,
+	} = {},
+) {
+	if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
+		throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
+	}
+
+	if (typeof mapper !== 'function') {
+		throw new TypeError('Mapper function is required');
+	}
+
+	if (!((Number.isSafeInteger(concurrency) && concurrency >= 1) || concurrency === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`concurrency\` to be an integer from 1 and up or \`Infinity\`, got \`${concurrency}\` (${typeof concurrency})`);
+	}
+
+	if (!((Number.isSafeInteger(backpressure) && backpressure >= concurrency) || backpressure === Number.POSITIVE_INFINITY)) {
+		throw new TypeError(`Expected \`backpressure\` to be an integer from \`concurrency\` (${concurrency}) and up or \`Infinity\`, got \`${backpressure}\` (${typeof backpressure})`);
+	}
+
+	return {
+		async * [Symbol.asyncIterator]() {
+			const iterator = iterable[Symbol.asyncIterator] === undefined ? iterable[Symbol.iterator]() : iterable[Symbol.asyncIterator]();
+
+			const promises = [];
+			let runningMappersCount = 0;
+			let isDone = false;
+			let index = 0;
+
+			function trySpawn() {
+				if (isDone || !(runningMappersCount < concurrency && promises.length < backpressure)) {
+					return;
+				}
+
+				const promise = (async () => {
+					const {done, value} = await iterator.next();
+
+					if (done) {
+						return {done: true};
+					}
+
+					runningMappersCount++;
+
+					// Spawn if still below concurrency and backpressure limit
+					trySpawn();
+
+					try {
+						const returnValue = await mapper(await value, index++);
+
+						runningMappersCount--;
+
+						if (returnValue === pMapSkip) {
+							const index = promises.indexOf(promise);
+
+							if (index > 0) {
+								promises.splice(index, 1);
+							}
+						}
+
+						// Spawn if still below backpressure limit and just dropped below concurrency limit
+						trySpawn();
+
+						return {done: false, value: returnValue};
+					} catch (error) {
+						isDone = true;
+						return {error};
+					}
+				})();
+
+				promises.push(promise);
+			}
+
+			trySpawn();
+
+			while (promises.length > 0) {
+				const {error, done, value} = await promises[0]; // eslint-disable-line no-await-in-loop
+
+				promises.shift();
+
+				if (error) {
+					throw error;
+				}
+
+				if (done) {
+					return;
+				}
+
+				// Spawn if just dropped below backpressure limit and below the concurrency limit
+				trySpawn();
+
+				if (value === pMapSkip) {
+					continue;
+				}
+
+				yield value;
+			}
+		},
+	};
+}
+
+const pMapSkip = Symbol('skip');
+
+
+/***/ })
+
+};
+;

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "1.1.2",
+  "version": "2.4.0",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -27,7 +27,7 @@
     "ci-test": "jest",
     "format:write": "prettier --write **/*.ts",
     "format:check": "prettier --check **/*.ts",
-    "lint:eslint": "npx eslint . -c ./.github/linters/.eslintrc.yml",
+    "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
     "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
     "lint": "npm run lint:eslint && npm run lint:markdown",
     "package": "ncc build src/index.ts --license licenses.txt",
@@ -69,33 +69,31 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.2.1",
-    "@actions/core": "^1.10.1",
-    "@actions/glob": "^0.4.0",
-    "@sigstore/oci": "^0.3.3",
-    "csv-parse": "^5.5.5"
+    "@actions/attest": "^1.6.0",
+    "@actions/core": "^1.11.1",
+    "@actions/github": "^6.0.1",
+    "@actions/glob": "^0.5.0",
+    "@sigstore/oci": "^0.5.0",
+    "csv-parse": "^5.6.0"
   },
   "devDependencies": {
-    "@sigstore/mock": "^0.7.3",
-    "@types/jest": "^29.5.12",
+    "@eslint/js": "^9.28.0",
+    "@sigstore/mock": "^0.10.0",
+    "@types/jest": "^29.5.14",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^20.12.11",
-    "@typescript-eslint/eslint-plugin": "^7.9.0",
-    "@typescript-eslint/parser": "^7.9.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^28.5.0",
-    "eslint-plugin-jsonc": "^2.15.1",
-    "eslint-plugin-prettier": "^5.1.3",
+    "@types/node": "^22.15.30",
+    "@vercel/ncc": "^0.38.3",
+    "eslint": "^9.28.0",
+    "eslint-plugin-import": "^2.31.0",
+    "eslint-plugin-jest": "^28.13.0",
     "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.40.0",
-    "nock": "^13.5.4",
-    "prettier": "^3.2.5",
-    "prettier-eslint": "^16.3.0",
-    "ts-jest": "^29.1.2",
-    "typescript": "^5.4.5",
-    "undici": "^5.28.4"
+    "markdownlint-cli": "^0.45.0",
+    "nock": "^13.5.6",
+    "prettier": "^3.5.3",
+    "ts-jest": "^29.3.4",
+    "typescript": "^5.8.3",
+    "typescript-eslint": "^8.34.0",
+    "undici": "^5.29.0"
   }
 }

src/attest.ts

@@ -0,0 +1,54 @@
+import { Attestation, Predicate, Subject, attest } from '@actions/attest'
+import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
+import { formatSubjectDigest } from './subject'
+
+const OCI_TIMEOUT = 30000
+const OCI_RETRY = 3
+
+export type SigstoreInstance = 'public-good' | 'github'
+export type AttestResult = Attestation & {
+  attestationDigest?: string
+}
+
+export const createAttestation = async (
+  subjects: Subject[],
+  predicate: Predicate,
+  opts: {
+    sigstoreInstance: SigstoreInstance
+    pushToRegistry: boolean
+    githubToken: string
+  }
+): Promise<AttestResult> => {
+  // Sign provenance w/ Sigstore
+  const attestation = await attest({
+    subjects,
+    predicateType: predicate.type,
+    predicate: predicate.params,
+    sigstore: opts.sigstoreInstance,
+    token: opts.githubToken
+  })
+
+  const result: AttestResult = attestation
+
+  if (subjects.length === 1 && opts.pushToRegistry) {
+    const subject = subjects[0]
+    const credentials = getRegistryCredentials(subject.name)
+    const artifact = await attachArtifactToImage({
+      credentials,
+      imageName: subject.name,
+      imageDigest: formatSubjectDigest(subject),
+      artifact: Buffer.from(JSON.stringify(attestation.bundle)),
+      mediaType: attestation.bundle.mediaType,
+      annotations: {
+        'dev.sigstore.bundle.content': 'dsse-envelope',
+        'dev.sigstore.bundle.predicateType': predicate.type
+      },
+      fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
+    })
+
+    // Add the attestation's digest to the result
+    result.attestationDigest = artifact.digest
+  }
+
+  return result
+}

src/index.ts

@@ -1,7 +1,25 @@
 /**
  * The entrypoint for the action.
  */
-import { run } from './main'
+import * as core from '@actions/core'
+import { run, RunInputs } from './main'
 
-// eslint-disable-next-line @typescript-eslint/no-floating-promises
-run()
+const inputs: RunInputs = {
+  subjectPath: core.getInput('subject-path'),
+  subjectName: core.getInput('subject-name'),
+  subjectDigest: core.getInput('subject-digest'),
+  subjectChecksums: core.getInput('subject-checksums'),
+  predicateType: core.getInput('predicate-type'),
+  predicate: core.getInput('predicate'),
+  predicatePath: core.getInput('predicate-path'),
+  pushToRegistry: core.getBooleanInput('push-to-registry'),
+  showSummary: core.getBooleanInput('show-summary'),
+  githubToken: core.getInput('github-token'),
+  // undocumented -- not part of public interface
+  privateSigning: ['true', 'True', 'TRUE', '1'].includes(
+    core.getInput('private-signing')
+  )
+}
+
+/* eslint-disable-next-line @typescript-eslint/no-floating-promises */
+run(inputs)

src/main.ts

@@ -1,26 +1,30 @@
-import { Attestation, Predicate, Subject, attest } from '@actions/attest'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
 import fs from 'fs'
 import os from 'os'
 import path from 'path'
+import { AttestResult, SigstoreInstance, createAttestation } from './attest'
 import { SEARCH_PUBLIC_GOOD_URL } from './endpoints'
-import { predicateFromInputs } from './predicate'
-import { subjectFromInputs } from './subject'
+import { PredicateInputs, predicateFromInputs } from './predicate'
+import * as style from './style'
+import {
+  SubjectInputs,
+  formatSubjectDigest,
+  subjectFromInputs
+} from './subject'
 
-type SigstoreInstance = 'public-good' | 'github'
-type AttestedSubject = { subject: Subject; attestationID: string }
+import type { Subject } from '@actions/attest'
 
-const COLOR_CYAN = '\x1B[36m'
-const COLOR_GRAY = '\x1B[38;5;244m'
-const COLOR_DEFAULT = '\x1B[39m'
-const ATTESTATION_FILE_NAME = 'attestation.jsonl'
+const ATTESTATION_FILE_NAME = 'attestation.json'
+const ATTESTATION_PATHS_FILE_NAME = 'created_attestation_paths.txt'
 
-const MAX_SUBJECT_COUNT = 64
-
-const OCI_TIMEOUT = 2000
-const OCI_RETRY = 3
+export type RunInputs = SubjectInputs &
+  PredicateInputs & {
+    pushToRegistry: boolean
+    githubToken: string
+    showSummary: boolean
+    privateSigning: boolean
+  }
 
 /* istanbul ignore next */
 const logHandler = (level: string, ...args: unknown[]): void => {
@@ -34,7 +38,7 @@ const logHandler = (level: string, ...args: unknown[]): void => {
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
-export async function run(): Promise<void> {
+export async function run(inputs: RunInputs): Promise<void> {
   process.on('log', logHandler)
 
   // Provenance visibility will be public ONLY if we can confirm that the
@@ -42,61 +46,62 @@ export async function run(): Promise<void> {
   // Otherwise, it will be private.
   const sigstoreInstance: SigstoreInstance =
     github.context.payload.repository?.visibility === 'public' &&
-    core.getInput('private-signing') !== 'true'
+    !inputs.privateSigning
       ? 'public-good'
       : 'github'
 
   try {
-    const atts: AttestedSubject[] = []
     if (!process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
       throw new Error(
         'missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.'
       )
     }
 
-    // Gather list of subjets
-    const subjects = await subjectFromInputs()
-    if (subjects.length > MAX_SUBJECT_COUNT) {
-      throw new Error(
-        `Too many subjects specified. The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
-      )
-    }
+    const subjects = await subjectFromInputs({
+      ...inputs,
+      downcaseName: inputs.pushToRegistry
+    })
+    const predicate = predicateFromInputs(inputs)
 
-    const predicate = predicateFromInputs()
     const outputPath = path.join(tempDir(), ATTESTATION_FILE_NAME)
+    core.setOutput('bundle-path', outputPath)
 
-    // Generate attestations for each subject serially
-    for (const subject of subjects) {
-      const att = await createAttestation(subject, predicate, sigstoreInstance)
+    const att = await createAttestation(subjects, predicate, {
+      sigstoreInstance,
+      pushToRegistry: inputs.pushToRegistry,
+      githubToken: inputs.githubToken
+    })
 
-      // Write attestation bundle to output file
-      fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
+    logAttestation(subjects, att, sigstoreInstance)
+
+    // Write attestation bundle to output file
+    fs.writeFileSync(outputPath, JSON.stringify(att.bundle) + os.EOL, {
+      encoding: 'utf-8',
+      flag: 'a'
+    })
+
+    const baseDir = process.env.RUNNER_TEMP
+    if (baseDir) {
+      const outputSummaryPath = path.join(baseDir, ATTESTATION_PATHS_FILE_NAME)
+      // Append the output path to the attestations paths file
+      fs.appendFileSync(outputSummaryPath, outputPath + os.EOL, {
         encoding: 'utf-8',
         flag: 'a'
       })
-
-      if (att.attestationID) {
-        atts.push({ subject, attestationID: att.attestationID })
-      }
-    }
-
-    if (atts.length > 0) {
-      core.summary.addHeading(
-        /* istanbul ignore next */
-        atts.length > 1 ? 'Attestations Created' : 'Attestation Created',
-        3
+    } else {
+      core.warning(
+        'RUNNER_TEMP environment variable is not set. Cannot write attestation paths file.'
       )
-
-      for (const { subject, attestationID } of atts) {
-        core.summary.addLink(
-          `${subject.name}@${subjectDigest(subject)}`,
-          attestationURL(attestationID)
-        )
-      }
-      core.summary.write()
     }
 
-    core.setOutput('bundle-path', outputPath)
+    if (att.attestationID) {
+      core.setOutput('attestation-id', att.attestationID)
+      core.setOutput('attestation-url', attestationURL(att.attestationID))
+    }
+
+    if (inputs.showSummary) {
+      await logSummary(att)
+    }
   } catch (err) {
     // Fail the workflow run if an error occurs
     core.setFailed(
@@ -108,7 +113,9 @@ export async function run(): Promise<void> {
     if (err instanceof Error && 'cause' in err) {
       const innerErr = err.cause
       core.info(
-        mute(innerErr instanceof Error ? innerErr.toString() : `${innerErr}`)
+        style.mute(
+          innerErr instanceof Error ? innerErr.toString() : `${innerErr}`
+        )
       )
     }
   } finally {
@@ -116,27 +123,24 @@ export async function run(): Promise<void> {
   }
 }
 
-const createAttestation = async (
-  subject: Subject,
-  predicate: Predicate,
+// Log details about the attestation to the GitHub Actions run
+const logAttestation = (
+  subjects: Subject[],
+  attestation: AttestResult,
   sigstoreInstance: SigstoreInstance
-): Promise<Attestation> => {
-  // Sign provenance w/ Sigstore
-  const attestation = await attest({
-    subjectName: subject.name,
-    subjectDigest: subject.digest,
-    predicateType: predicate.type,
-    predicate: predicate.params,
-    sigstore: sigstoreInstance,
-    token: core.getInput('github-token')
-  })
-
-  core.info(`Attestation created for ${subject.name}@${subjectDigest(subject)}`)
+): void => {
+  if (subjects.length === 1) {
+    core.info(
+      `Attestation created for ${subjects[0].name}@${formatSubjectDigest(subjects[0])}`
+    )
+  } else {
+    core.info(`Attestation created for ${subjects.length} subjects`)
+  }
 
   const instanceName =
     sigstoreInstance === 'public-good' ? 'Public Good' : 'GitHub'
   core.startGroup(
-    highlight(
+    style.highlight(
       `Attestation signed using certificate from ${instanceName} Sigstore instance`
     )
   )
@@ -145,43 +149,35 @@ const createAttestation = async (
 
   if (attestation.tlogID) {
     core.info(
-      highlight('Attestation signature uploaded to Rekor transparency log')
+      style.highlight(
+        'Attestation signature uploaded to Rekor transparency log'
+      )
     )
     core.info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`)
   }
 
   if (attestation.attestationID) {
-    core.info(highlight('Attestation uploaded to repository'))
+    core.info(style.highlight('Attestation uploaded to repository'))
     core.info(attestationURL(attestation.attestationID))
   }
 
-  if (core.getBooleanInput('push-to-registry', { required: false })) {
-    const credentials = getRegistryCredentials(subject.name)
-    const artifact = await attachArtifactToImage({
-      credentials,
-      imageName: subject.name,
-      imageDigest: subjectDigest(subject),
-      artifact: Buffer.from(JSON.stringify(attestation.bundle)),
-      mediaType: attestation.bundle.mediaType,
-      annotations: {
-        'dev.sigstore.bundle.content': 'dsse-envelope',
-        'dev.sigstore.bundle.predicateType': core.getInput('predicate-type')
-      },
-      fetchOpts: { timeout: OCI_TIMEOUT, retry: OCI_RETRY }
-    })
-    core.info(highlight('Attestation uploaded to registry'))
-    core.info(`${subject.name}@${artifact.digest}`)
+  if (attestation.attestationDigest) {
+    core.info(style.highlight('Attestation uploaded to registry'))
+    core.info(`${subjects[0].name}@${attestation.attestationDigest}`)
   }
-
-  return attestation
 }
 
-// Emphasis string using ANSI color codes
-const highlight = (str: string): string => `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
+// Attach summary information to the GitHub Actions run
+const logSummary = async (attestation: AttestResult): Promise<void> => {
+  const { attestationID } = attestation
 
-// De-emphasize string using ANSI color codes
-/* istanbul ignore next */
-const mute = (str: string): string => `${COLOR_GRAY}${str}${COLOR_DEFAULT}`
+  if (attestationID) {
+    const url = attestationURL(attestationID)
+    core.summary.addHeading('Attestation Created', 3)
+    core.summary.addList([`<a href="${url}">${url}</a>`])
+    await core.summary.write()
+  }
+}
 
 const tempDir = (): string => {
   const basePath = process.env['RUNNER_TEMP']
@@ -194,12 +190,5 @@ const tempDir = (): string => {
   return fs.mkdtempSync(path.join(basePath, path.sep))
 }
 
-// Returns the subject's digest as a formatted string of the form
-// "<algorithm>:<digest>".
-const subjectDigest = (subject: Subject): string => {
-  const alg = Object.keys(subject.digest).sort()[0]
-  return `${alg}:${subject.digest[alg]}`
-}
-
 const attestationURL = (id: string): string =>
   `${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/attestations/${id}`

src/predicate.ts

@@ -1,26 +1,56 @@
-import * as core from '@actions/core'
 import fs from 'fs'
 
 import type { Predicate } from '@actions/attest'
 
+export type PredicateInputs = {
+  predicateType: string
+  predicate: string
+  predicatePath: string
+}
+
+const MAX_PREDICATE_SIZE_BYTES = 16 * 1024 * 1024
+
 // Returns the predicate specified by the action's inputs. The predicate value
 // may be specified as a path to a file or as a string.
-export const predicateFromInputs = (): Predicate => {
-  const predicateType = core.getInput('predicate-type', { required: true })
-  const predicateStr = core.getInput('predicate', { required: false })
-  const predicatePath = core.getInput('predicate-path', { required: false })
+export const predicateFromInputs = (inputs: PredicateInputs): Predicate => {
+  const { predicateType, predicate, predicatePath } = inputs
 
-  if (!predicatePath && !predicateStr) {
+  if (!predicateType) {
+    throw new Error('predicate-type must be provided')
+  }
+
+  if (!predicatePath && !predicate) {
     throw new Error('One of predicate-path or predicate must be provided')
   }
 
-  if (predicatePath && predicateStr) {
+  if (predicatePath && predicate) {
     throw new Error('Only one of predicate-path or predicate may be provided')
   }
 
-  const params = predicatePath
-    ? fs.readFileSync(predicatePath, 'utf-8')
-    : predicateStr
+  let params: string = predicate
+
+  if (predicatePath) {
+    if (!fs.existsSync(predicatePath)) {
+      throw new Error(`predicate file not found: ${predicatePath}`)
+    }
+
+    /* istanbul ignore next */
+    if (fs.statSync(predicatePath).size > MAX_PREDICATE_SIZE_BYTES) {
+      throw new Error(
+        `predicate file exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
+      )
+    }
+
+    params = fs.readFileSync(predicatePath, 'utf-8')
+  } else {
+    if (predicate.length > MAX_PREDICATE_SIZE_BYTES) {
+      throw new Error(
+        `predicate string exceeds maximum allowed size: ${MAX_PREDICATE_SIZE_BYTES} bytes`
+      )
+    }
+
+    params = predicate
+  }
 
   return { type: predicateType, params: JSON.parse(params) }
 }

src/style.ts

@@ -0,0 +1,11 @@
+const COLOR_CYAN = '\x1B[36m'
+const COLOR_GRAY = '\x1B[38;5;244m'
+const COLOR_DEFAULT = '\x1B[39m'
+
+// Emphasis string using ANSI color codes
+export const highlight = (str: string): string =>
+  `${COLOR_CYAN}${str}${COLOR_DEFAULT}`
+
+// De-emphasize string using ANSI color codes
+export const mute = (str: string): string =>
+  `${COLOR_GRAY}${str}${COLOR_DEFAULT}`

src/subject.ts

@@ -1,33 +1,52 @@
-import * as core from '@actions/core'
 import * as glob from '@actions/glob'
+import assert from 'assert'
 import crypto from 'crypto'
 import { parse } from 'csv-parse/sync'
 import fs from 'fs'
+import os from 'os'
 import path from 'path'
 
 import type { Subject } from '@actions/attest'
 
+const MAX_SUBJECT_COUNT = 1024
+const MAX_SUBJECT_CHECKSUM_SIZE_BYTES = 512 * MAX_SUBJECT_COUNT
 const DIGEST_ALGORITHM = 'sha256'
+const HEX_STRING_RE = /^[0-9a-fA-F]+$/
 
+export type SubjectInputs = {
+  subjectPath: string
+  subjectName: string
+  subjectDigest: string
+  subjectChecksums: string
+  downcaseName?: boolean
+}
 // Returns the subject specified by the action's inputs. The subject may be
 // specified as a path to a file or as a digest. If a path is provided, the
 // file's digest is calculated and returned along with the subject's name. If a
 // digest is provided, the name must also be provided.
-export const subjectFromInputs = async (): Promise<Subject[]> => {
-  const subjectPath = core.getInput('subject-path', { required: false })
-  const subjectDigest = core.getInput('subject-digest', { required: false })
-  const subjectName = core.getInput('subject-name', { required: false })
-  const pushToRegistry = core.getBooleanInput('push-to-registry', {
-    required: false
-  })
+export const subjectFromInputs = async (
+  inputs: SubjectInputs
+): Promise<Subject[]> => {
+  const {
+    subjectPath,
+    subjectDigest,
+    subjectName,
+    subjectChecksums,
+    downcaseName
+  } = inputs
 
-  if (!subjectPath && !subjectDigest) {
-    throw new Error('One of subject-path or subject-digest must be provided')
+  const enabledInputs = [subjectPath, subjectDigest, subjectChecksums].filter(
+    Boolean
+  )
+  if (enabledInputs.length === 0) {
+    throw new Error(
+      'One of subject-path, subject-digest, or subject-checksums must be provided'
+    )
   }
 
-  if (subjectPath && subjectDigest) {
+  if (enabledInputs.length > 1) {
     throw new Error(
-      'Only one of subject-path or subject-digest may be provided'
+      'Only one of subject-path, subject-digest, or subject-checksums may be provided'
     )
   }
 
@@ -37,49 +56,71 @@ export const subjectFromInputs = async (): Promise<Subject[]> => {
 
   // If push-to-registry is enabled, ensure the subject name is lowercase
   // to conform to OCI image naming conventions
-  const name = pushToRegistry ? subjectName.toLowerCase() : subjectName
+  const name = downcaseName ? subjectName.toLowerCase() : subjectName
 
-  if (subjectPath) {
-    return await getSubjectFromPath(subjectPath, name)
-  } else {
-    return [getSubjectFromDigest(subjectDigest, name)]
+  switch (true) {
+    case !!subjectPath:
+      return getSubjectFromPath(subjectPath, name)
+    case !!subjectDigest:
+      return [getSubjectFromDigest(subjectDigest, name)]
+    case !!subjectChecksums:
+      return getSubjectFromChecksums(subjectChecksums)
+    /* istanbul ignore next */
+    default:
+      // This should be unreachable, but TS requires a default case
+      assert.fail('unreachable')
   }
 }
 
+// Returns the subject's digest as a formatted string of the form
+// "<algorithm>:<digest>".
+export const formatSubjectDigest = (subject: Subject): string => {
+  const alg = Object.keys(subject.digest).sort()[0]
+  return `${alg}:${subject.digest[alg]}`
+}
+
 // Returns the subject specified by the path to a file. The file's digest is
 // calculated and returned along with the subject's name.
 const getSubjectFromPath = async (
   subjectPath: string,
   subjectName?: string
 ): Promise<Subject[]> => {
-  const subjects: Subject[] = []
+  const digestedSubjects: Subject[] = []
 
   // Parse the list of subject paths
-  const subjectPaths = parseList(subjectPath)
+  const subjectPaths = parseSubjectPathList(subjectPath).join('\n')
 
-  for (const subPath of subjectPaths) {
-    // Expand the globbed path to a list of files
-    /* eslint-disable-next-line github/no-then */
-    const files = await glob.create(subPath).then(async g => g.glob())
+  // Expand the globbed paths to a list of actual paths
+  const paths = await glob.create(subjectPaths).then(async g => g.glob())
 
-    for (const file of files) {
-      // Skip anything that is NOT a file
-      if (!fs.statSync(file).isFile()) {
-        continue
-      }
+  // Filter path list to just the files (not directories)
+  const files = paths.filter(p => fs.statSync(p).isFile())
 
-      const name = subjectName || path.parse(file).base
-      const digest = await digestFile(DIGEST_ALGORITHM, file)
+  if (files.length > MAX_SUBJECT_COUNT) {
+    throw new Error(
+      `Too many subjects specified. The maximum number of subjects is ${MAX_SUBJECT_COUNT}.`
+    )
+  }
 
-      subjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
+  for (const file of files) {
+    const name = subjectName || path.parse(file).base
+    const digest = await digestFile(DIGEST_ALGORITHM, file)
+
+    // Only add the subject if it is not already in the list
+    if (
+      !digestedSubjects.some(
+        s => s.name === name && s.digest[DIGEST_ALGORITHM] === digest
+      )
+    ) {
+      digestedSubjects.push({ name, digest: { [DIGEST_ALGORITHM]: digest } })
     }
   }
 
-  if (subjects.length === 0) {
+  if (digestedSubjects.length === 0) {
     throw new Error(`Could not find subject at path ${subjectPath}`)
   }
 
-  return Promise.all(subjects)
+  return digestedSubjects
 }
 
 // Returns the subject specified by the digest of a file. The digest is returned
@@ -101,6 +142,62 @@ const getSubjectFromDigest = (
   }
 }
 
+const getSubjectFromChecksums = (subjectChecksums: string): Subject[] => {
+  if (fs.existsSync(subjectChecksums)) {
+    return getSubjectFromChecksumsFile(subjectChecksums)
+  } else {
+    return getSubjectFromChecksumsString(subjectChecksums)
+  }
+}
+
+const getSubjectFromChecksumsFile = (checksumsPath: string): Subject[] => {
+  const stats = fs.statSync(checksumsPath)
+  if (!stats.isFile()) {
+    throw new Error(`subject checksums file not found: ${checksumsPath}`)
+  }
+
+  /* istanbul ignore next */
+  if (stats.size > MAX_SUBJECT_CHECKSUM_SIZE_BYTES) {
+    throw new Error(
+      `subject checksums file exceeds maximum allowed size: ${MAX_SUBJECT_CHECKSUM_SIZE_BYTES} bytes`
+    )
+  }
+
+  const checksums = fs.readFileSync(checksumsPath, 'utf-8')
+  return getSubjectFromChecksumsString(checksums)
+}
+
+const getSubjectFromChecksumsString = (checksums: string): Subject[] => {
+  const subjects: Subject[] = []
+
+  const records: string[] = checksums.split(os.EOL).filter(Boolean)
+
+  for (const record of records) {
+    // Find the space delimiter following the digest
+    const delimIndex = record.indexOf(' ')
+
+    // Skip any line that doesn't have a delimiter
+    if (delimIndex === -1) {
+      continue
+    }
+
+    // Swallow the type identifier character at the beginning of the name
+    const name = record.slice(delimIndex + 2)
+    const digest = record.slice(0, delimIndex)
+
+    if (!HEX_STRING_RE.test(digest)) {
+      throw new Error(`Invalid digest: ${digest}`)
+    }
+
+    subjects.push({
+      name,
+      digest: { [digestAlgorithm(digest)]: digest }
+    })
+  }
+
+  return subjects
+}
+
 // Calculates the digest of a file using the specified algorithm. The file is
 // streamed into the digest function to avoid loading the entire file into
 // memory. The returned digest is a hex string.
@@ -117,7 +214,7 @@ const digestFile = async (
   })
 }
 
-const parseList = (input: string): string[] => {
+const parseSubjectPathList = (input: string): string[] => {
   const res: string[] = []
 
   const records: string[][] = parse(input, {
@@ -133,3 +230,14 @@ const parseList = (input: string): string[] => {
 
   return res.filter(item => item).map(pat => pat.trim())
 }
+
+const digestAlgorithm = (digest: string): string => {
+  switch (digest.length) {
+    case 64:
+      return 'sha256'
+    case 128:
+      return 'sha512'
+    default:
+      throw new Error(`Unknown digest algorithm: ${digest}`)
+  }
+}