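# Thin wrapper action: it declares inputs/outputs and forwards every input
# unchanged to the pinned actions/attest step under `runs:` below. No
# validation, signing or upload logic lives in this file.
name: "Attest Build Provenance"
description: "Generate provenance attestations for build artifacts"
author: "GitHub"

branding:
  color: "blue"
  icon: "lock"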
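# Exactly one of subject-path / subject-digest / subject-checksums selects the
# attestation subject; subject-name is only needed with subject-digest.
# All values are passed straight through to actions/attest (see `runs:`);
# any format checks (digest syntax, subject count, predicate size) are
# presumably enforced there, not here.
inputs:
  subject-path:
    description: >
      Path to the artifact serving as the subject of the attestation. Must
      specify exactly one of "subject-path", "subject-digest", or
      "subject-checksums". May contain a glob pattern or list of paths (total
      subject count cannot exceed 1024).
    required: false
  subject-digest:
    description: >
      Digest of the subject for which provenance will be generated. Must be in
      the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
      exactly one of "subject-path", "subject-digest", or "subject-checksums".
    required: false
  subject-name:
    description: >
      Subject name as it should appear in the attestation. Required when
      identifying the subject with the "subject-digest" input.
    # Explicit for consistency with the other inputs; the platform default is
    # already false, and the "required when" rule above is documentation only.
    required: false
  subject-checksums:
    description: >
      Path to checksums file containing digest and name of subjects for
      attestation. Must specify exactly one of "subject-path", "subject-digest",
      or "subject-checksums".
    required: false
  predicate-type:
    description: >
      URI identifying the type of the predicate. Required when using "predicate"
      or "predicate-path" for custom attestations.
    required: false
  predicate:
    description: >
      String containing the value for the attestation predicate. String length
      cannot exceed 16MB. Must supply exactly one of "predicate-path" or
      "predicate" when creating custom attestations.
    required: false
  predicate-path:
    description: >
      Path to the file which contains the content for the attestation predicate.
      File size cannot exceed 16MB. Must supply exactly one of "predicate-path"
      or "predicate" when creating custom attestations.
    required: false
  # NOTE(review): when true, the registry named by subject-name is written to
  # with the credentials of the calling job; nothing in this file validates
  # subject-name beyond what actions/attest does.
  push-to-registry:
    description: >
      Whether to push the provenance statement to the image registry. Requires
      that the "subject-name" parameter specify the fully-qualified image name
      and that the "subject-digest" parameter be specified. Defaults to false.
    default: false
    required: false
  # NOTE(review): defaults to true while push-to-registry defaults to false;
  # per its description it only applies when pushing — confirm how
  # actions/attest treats it when no push happens.
  create-storage-record:
    description: >
      Whether to create a storage record for the artifact. Requires that
      push-to-registry is set to true. Defaults to true.
    default: true
    required: false
  show-summary:
    description: >
      Whether to attach a list of generated attestations to the workflow run
      summary page. Defaults to true.
    default: true
    required: false
  # Defaults to the workflow's automatic token. The calling job must grant the
  # permissions the nested actions/attest step needs to sign and store the
  # attestation (e.g. `id-token: write`, `attestations: write`, plus
  # `packages: write` when push-to-registry is true) — NOTE(review): confirm
  # the exact set against the actions/attest docs for the pinned version.
  github-token:
    description: >
      The GitHub token used to make authenticated API requests.
    default: ${{ github.token }}
    required: false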
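# Every output is surfaced verbatim from the `attest` step in `runs:`.
outputs:
  bundle-path:
    description: "The path to the file containing the attestation bundle."
    value: ${{ steps.attest.outputs.bundle-path }}
  attestation-id:
    description: "The ID of the attestation."
    value: ${{ steps.attest.outputs.attestation-id }}
  attestation-url:
    description: "The URL for the attestation summary."
    value: ${{ steps.attest.outputs.attestation-url }}
  # Only populated when a storage record is created (see create-storage-record).
  storage-record-ids:
    description: "GitHub IDs for the storage records"
    value: ${{ steps.attest.outputs.storage-record-ids }}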
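runs:
  using: "composite"
  steps:
    # Single delegating step. There is no `run:` step in this action, so the
    # forwarded inputs are passed as values to actions/attest and never reach
    # a shell (no expression-injection surface in this file).
    - name: Attest
      id: attest
      env:
        # Raise the Node runtime's HTTP header size limit for the nested action.
        NODE_OPTIONS: "--max-http-header-size=32768"
      # Pinned to a full commit SHA so a moved or compromised tag cannot change
      # what runs here; the trailing comment records the tag it corresponds to.
      # Update the SHA and the comment together.
      uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
      with:
        subject-path: ${{ inputs.subject-path }}
        subject-name: ${{ inputs.subject-name }}
        subject-digest: ${{ inputs.subject-digest }}
        subject-checksums: ${{ inputs.subject-checksums }}
        predicate-type: ${{ inputs.predicate-type }}
        predicate: ${{ inputs.predicate }}
        predicate-path: ${{ inputs.predicate-path }}
        push-to-registry: ${{ inputs.push-to-registry }}
        create-storage-record: ${{ inputs.create-storage-record }}
        show-summary: ${{ inputs.show-summary }}
        github-token: ${{ inputs.github-token }}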