7667f588f2
* first pass at creating storage record Signed-off-by: Meredith Lancaster <malancas@github.com> * include storage record param in action config Signed-off-by: Meredith Lancaster <malancas@github.com> * use latest actions/attest version Signed-off-by: Meredith Lancaster <malancas@github.com> * update storage record params Signed-off-by: Meredith Lancaster <malancas@github.com> * include storage record id in result Signed-off-by: Meredith Lancaster <malancas@github.com> * regenerate dist Signed-off-by: Meredith Lancaster <malancas@github.com> * add documentation on storage records Signed-off-by: Meredith Lancaster <malancas@github.com> * log storage record creation Signed-off-by: Meredith Lancaster <malancas@github.com> * add storage record output Signed-off-by: Meredith Lancaster <malancas@github.com> * add new param Signed-off-by: Meredith Lancaster <malancas@github.com> * add storage record id output Signed-off-by: Meredith Lancaster <malancas@github.com> * fix linter errors Signed-off-by: Meredith Lancaster <malancas@github.com> * return all storage record ids Signed-off-by: Meredith Lancaster <malancas@github.com> * bump minor version Signed-off-by: Meredith Lancaster <malancas@github.com> * use expect string match function Signed-off-by: Meredith Lancaster <malancas@github.com> * add try catch block for storage record creation Signed-off-by: Meredith Lancaster <malancas@github.com> * fix table column spacing Signed-off-by: Meredith Lancaster <malancas@github.com> * check for protocol Signed-off-by: Meredith Lancaster <malancas@github.com> * check for artifact url protocol Signed-off-by: Meredith Lancaster <malancas@github.com> * only fill registry_url for now Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup protocol handling Signed-off-by: Meredith Lancaster <malancas@github.com> * regenerate dist Signed-off-by: Meredith Lancaster <malancas@github.com> * handle subject name correctly Signed-off-by: Meredith Lancaster <malancas@github.com> * move test Signed-off-by: Meredith Lancaster <malancas@github.com> * add back assert statements Signed-off-by: Meredith Lancaster <malancas@github.com> * add back output assert statements Signed-off-by: Meredith Lancaster <malancas@github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * use url for subject name parsing Signed-off-by: Meredith Lancaster <malancas@github.com> * add missing test setpu Signed-off-by: Meredith Lancaster <malancas@github.com> * fix storage record fail test Signed-off-by: Meredith Lancaster <malancas@github.com> * regenerate dist Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
86 lines
2.9 KiB
YAML
86 lines
2.9 KiB
YAML
name: 'Generate Generic Attestations'
|
|
description: 'Generate attestations for build artifacts'
|
|
author: 'GitHub'
|
|
branding:
|
|
color: 'blue'
|
|
icon: 'link'
|
|
|
|
inputs:
|
|
subject-path:
|
|
description: >
|
|
Path to the artifact serving as the subject of the attestation. Must
|
|
specify exactly one of "subject-path", "subject-digest", or
|
|
"subject-checksums". May contain a glob pattern or list of paths (total
|
|
subject count cannot exceed 1024).
|
|
required: false
|
|
subject-digest:
|
|
description: >
|
|
Digest of the subject for the attestation. Must be in the form
|
|
"algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
|
|
of "subject-path", "subject-digest", or "subject-checksums".
|
|
required: false
|
|
subject-name:
|
|
description: >
|
|
Subject name as it should appear in the attestation. Required when
|
|
identifying the subject with the "subject-digest" input.
|
|
required: false
|
|
subject-checksums:
|
|
description: >
|
|
Path to checksums file containing digest and name of subjects for
|
|
attestation. Must specify exactly one of "subject-path", "subject-digest",
|
|
or "subject-checksums".
|
|
required: false
|
|
predicate-type:
|
|
description: >
|
|
URI identifying the type of the predicate.
|
|
required: true
|
|
predicate:
|
|
description: >
|
|
String containing the value for the attestation predicate. String length
|
|
cannot exceed 16MB. Must supply exactly one of "predicate-path" or
|
|
"predicate".
|
|
required: false
|
|
predicate-path:
|
|
description: >
|
|
Path to the file which contains the content for the attestation predicate.
|
|
File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
|
|
or "predicate".
|
|
required: false
|
|
push-to-registry:
|
|
description: >
|
|
Whether to push the attestation to the image registry. Requires that the
|
|
"subject-name" parameter specify the fully-qualified image name and that
|
|
the "subject-digest" parameter be specified. Defaults to false.
|
|
default: false
|
|
required: false
|
|
create-storage-record:
|
|
description: >
|
|
Whether to create a storage record for the artifact.
|
|
Requires that push-to-registry is set to true. Defaults to true.
|
|
default: true
|
|
required: false
|
|
show-summary:
|
|
description: >
|
|
Whether to attach a list of generated attestations to the workflow run
|
|
summary page. Defaults to true.
|
|
default: true
|
|
required: false
|
|
github-token:
|
|
description: >
|
|
The GitHub token used to make authenticated API requests.
|
|
default: ${{ github.token }}
|
|
required: false
|
|
outputs:
|
|
bundle-path:
|
|
description: 'The path to the file containing the attestation bundle.'
|
|
attestation-id:
|
|
description: 'The ID of the attestation.'
|
|
attestation-url:
|
|
description: 'The URL for the attestation summary.'
|
|
storage-record-ids:
|
|
description: 'The IDs of the storage records created for the artifact.'
|
|
|
|
runs:
|
|
using: node24
|
|
main: ./dist/index.js
|