bump package version to 2.4.0 (#253)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.github/workflows/linter.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v7
+        uses: super-linter/super-linter/slim@v7.4.0
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*
@@ -47,4 +47,8 @@ jobs:
           VALIDATE_ALL_CODEBASE: true
           VALIDATE_JAVASCRIPT_STANDARD: false
           VALIDATE_TYPESCRIPT_STANDARD: false
+          VALIDATE_TYPESCRIPT_ES: false
           VALIDATE_JSCPD: false
+
+      - name: Run eslint
+        run: npm run lint:eslint

README.md

@@ -18,6 +18,12 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
+When an attestation is created, the attestation is stored on the local
+filesystem used by the runner. For each attestation created, the filesystem path
+will be appended to the file `${RUNNER_TEMP}/created_attestation_paths.txt`.
+This can be used to gather all attestations created by all jobs during a the
+workflow.
+
 Attestations can be verified using the [`attestation` command in the GitHub
 CLI][5].
 
@@ -27,11 +33,12 @@ information on artifact attestations.
 <!-- prettier-ignore-start -->
 > [!NOTE]
 > Artifact attestations are available in public repositories for all
-> current GitHub plans. They are not available on legacy plans, such as Bronze,
+> current GitHub plans.
-> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
+>
-> artifact attestations are only available for public repositories. To use
+> To use artifact attestations in private or internal repositories, you must
-> artifact attestations in private or internal repositories, you must be on a
+> be on a GitHub Enterprise Cloud plan.
-> GitHub Enterprise Cloud plan.
+>
+> Artifact attestations are NOT supported on GitHub Enterprise Server.
 <!-- prettier-ignore-end -->
 
 ## Usage
@@ -64,7 +71,7 @@ attest:
    The `subject-path` parameter should identify the artifact for which you want
    to generate an attestation. The `predicate-type` can be any of the the
    [vetted predicate types][3] or a custom value. The `predicate-path`
-   identifies a file containg the JSON-encoded predicate parameters.
+   identifies a file containing the JSON-encoded predicate parameters.
 
 ### Inputs
 

__tests__/subject.test.ts

@@ -99,7 +99,7 @@ describe('subjectFromInputs', () => {
       })
     })
 
-    describe('when the alogrithm is not supported', () => {
+    describe('when the algorithm is not supported', () => {
       it('throws an error', async () => {
         const inputs: SubjectInputs = {
           ...blankInputs,

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -69,31 +69,31 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.5.0",
+    "@actions/attest": "^1.6.0",
     "@actions/core": "^1.11.1",
-    "@actions/github": "^6.0.0",
+    "@actions/github": "^6.0.1",
     "@actions/glob": "^0.5.0",
-    "@sigstore/oci": "^0.4.0",
+    "@sigstore/oci": "^0.5.0",
     "csv-parse": "^5.6.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.18.0",
+    "@eslint/js": "^9.28.0",
-    "@sigstore/mock": "^0.9.0",
+    "@sigstore/mock": "^0.10.0",
     "@types/jest": "^29.5.14",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^22.10.7",
+    "@types/node": "^22.15.30",
     "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.18.0",
+    "eslint": "^9.28.0",
     "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-jest": "^28.11.0",
+    "eslint-plugin-jest": "^28.13.0",
     "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.43.0",
+    "markdownlint-cli": "^0.45.0",
     "nock": "^13.5.6",
-    "prettier": "^3.4.2",
+    "prettier": "^3.5.3",
-    "ts-jest": "^29.2.5",
+    "ts-jest": "^29.3.4",
-    "typescript": "^5.7.3",
+    "typescript": "^5.8.3",
-    "typescript-eslint": "^8.21.0",
+    "typescript-eslint": "^8.34.0",
-    "undici": "^5.28.4"
+    "undici": "^5.29.0"
   }
 }

src/main.ts

@@ -16,6 +16,7 @@ import {
 import type { Subject } from '@actions/attest'
 
 const ATTESTATION_FILE_NAME = 'attestation.json'
+const ATTESTATION_PATHS_FILE_NAME = 'created_attestation_paths.txt'
 
 export type RunInputs = SubjectInputs &
   PredicateInputs & {
@@ -79,6 +80,20 @@ export async function run(inputs: RunInputs): Promise<void> {
       flag: 'a'
     })
 
+    const baseDir = process.env.RUNNER_TEMP
+    if (baseDir) {
+      const outputSummaryPath = path.join(baseDir, ATTESTATION_PATHS_FILE_NAME)
+      // Append the output path to the attestations paths file
+      fs.appendFileSync(outputSummaryPath, outputPath + os.EOL, {
+        encoding: 'utf-8',
+        flag: 'a'
+      })
+    } else {
+      core.warning(
+        'RUNNER_TEMP environment variable is not set. Cannot write attestation paths file.'
+      )
+    }
+
     if (att.attestationID) {
       core.setOutput('attestation-id', att.attestationID)
       core.setOutput('attestation-url', attestationURL(att.attestationID))