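# Action metadata for an attestation-generating GitHub Action: declares the
# inputs a workflow may pass, the outputs it can read back, and the Node
# entry point that runs. Nesting is restored here; the listing as extracted
# had lost its indentation and would not parse as the intended mapping.
name: 'Generate Generic Attestations'
description: 'Generate attestations for build artifacts'
author: 'GitHub'
branding:
  color: 'blue'
  icon: 'link'

inputs:
  # Subject selection: exactly one of "subject-path", "subject-digest" or
  # "subject-checksums" must be given (see the descriptions below).
  subject-path:
    description: >
      Path to the artifact serving as the subject of the attestation. Must
      specify exactly one of "subject-path", "subject-digest", or
      "subject-checksums". May contain a glob pattern or list of paths (total
      subject count cannot exceed 1024).
    required: false
  # NOTE(review): with "subject-digest" and "subject-checksums" the digest is
  # supplied by the caller rather than taken from a file path, so the
  # attestation is presumably only as trustworthy as the step that produced
  # that digest. Compute it in the same job from the artifact just built.
  subject-digest:
    description: >
      Digest of the subject for the attestation. Must be in the form
      "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
      of "subject-path", "subject-digest", or "subject-checksums".
    required: false
  subject-name:
    description: >
      Subject name as it should appear in the attestation. Required when
      identifying the subject with the "subject-digest" input.
    required: false
  subject-checksums:
    description: >
      Path to checksums file containing digest and name of subjects for
      attestation. Must specify exactly one of "subject-path", "subject-digest",
      or "subject-checksums".
    required: false
  subject-version:
    description: >
      Version of the subject for the attestation. Only used when
      "push-to-registry" and "create-storage-record" are both set to true.
    required: false
  # Predicate selection: "sbom-path" is mutually exclusive with the custom
  # predicate inputs ("predicate-type" plus one of "predicate" or
  # "predicate-path").
  sbom-path:
    description: >
      Path to the JSON-formatted SBOM file (SPDX or CycloneDX) to attest.
      File size cannot exceed 16MB. When provided, creates an SBOM attestation.
      Cannot be used together with "predicate-type", "predicate", or
      "predicate-path".
    required: false
  predicate-type:
    description: >
      URI identifying the type of the predicate. Required when using "predicate"
      or "predicate-path" for custom attestations.
    required: false
  # NOTE(review): the predicate is caller-supplied content that ends up in
  # the attestation. Avoid assembling it from untrusted event fields (PR
  # title, branch name, issue text) without validation.
  predicate:
    description: >
      String containing the value for the attestation predicate. String length
      cannot exceed 16MB. Must supply exactly one of "predicate-path" or
      "predicate" when creating custom attestations.
    required: false
  predicate-path:
    description: >
      Path to the file which contains the content for the attestation predicate.
      File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
      or "predicate" when creating custom attestations.
    required: false
  # Action inputs reach the runtime as strings, so the boolean defaults below
  # arrive as "true" / "false" and are parsed by the action itself.
  push-to-registry:
    description: >
      Whether to push the attestation to the image registry. Requires that the
      "subject-name" parameter specify the fully-qualified image name and that
      the "subject-digest" parameter be specified. Defaults to false.
    default: false
    required: false
  create-storage-record:
    description: >
      Whether to create a storage record for the artifact.
      Requires that push-to-registry is set to true. Defaults to true.
    default: true
    required: false
  show-summary:
    description: >
      Whether to attach a list of generated attestations to the workflow run
      summary page. Defaults to true.
    default: true
    required: false
  # Defaults to the workflow's automatically issued token, whose reach is set
  # by the calling job's `permissions:` block. Keep that block least-privilege.
  # NOTE(review): this file does not list the permissions the action needs;
  # confirm them in the action's README before granting any.
  github-token:
    description: >
      The GitHub token used to make authenticated API requests.
    default: ${{ github.token }}
    required: false
outputs:
  bundle-path:
    description: 'The path to the file containing the attestation bundle.'
  attestation-id:
    description: 'The ID of the attestation.'
  attestation-url:
    description: 'The URL for the attestation summary.'
  storage-record-ids:
    description: 'The IDs of the storage records created for the artifact.'

# The committed bundle at ./dist/index.js is what executes, not the sources
# it was built from. NOTE(review): consumers get an immutable bundle only
# when they pin the action to a full commit SHA; maintainers should have CI
# confirm that dist/ matches a fresh build.
runs:
  using: node24
  main: ./dist/index.js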