Files
attest-sbom/action.yml
T

102 lines
3.8 KiB
YAML
Raw Normal View History

2024-02-22 08:46:34 -08:00
name: 'Attest SBOM'
description: 'Generate SBOM attestations for build artifacts'
author: 'GitHub'
2024-02-20 11:28:19 -08:00
inputs:
2024-02-22 08:46:34 -08:00
path:
required: false
description: "A path to a directory on the filesystem to scan"
default: "."
format:
required: false
description: "The SBOM format to export"
default: "spdx-json"
2024-02-20 11:28:19 -08:00
2024-02-22 08:46:34 -08:00
github-token:
description: >
The GitHub token used to make authenticated API requests.
default: ${{ github.token }}
required: false
subject-path:
description: >
Path to the artifact for which provenance will be generated. Must specify
exactly one of "subject-path" or "subject-digest".
required: false
subject-digest:
description: >
Digest of the subject for which provenance will be generated. Must be in
the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
exactly one of "subject-path" or "subject-digest".
required: false
subject-name:
description: >
Subject name as it should appear in the provenance statement. Required
unless "subject-path" is specified, in which case it will be inferred from
the path.
push-to-registry:
description: >
Whether to push the provenance statement to the image registry. Requires
that the "subject-name" parameter specify the fully-qualified image name
and that the "subject-digest" parameter be specified. Defaults to false.
default: false
required: false
sbom-path:
description: >
Path to the SBOM file to generate sbom statement.
required: false
default: ''
2024-02-20 11:28:19 -08:00
outputs:
2024-02-22 08:46:34 -08:00
bundle-path:
description: 'The path to the file containing the attestation bundle(s).'
value: ${{ steps.attest.outputs.bundle-path }}
2024-02-20 11:28:19 -08:00
runs:
2024-02-22 08:46:34 -08:00
using: 'composite'
steps:
- name: Generate random SBOM output file name
2024-02-23 12:28:03 -08:00
if: ${{ inputs.sbom-path == '' }}
2024-02-22 08:46:34 -08:00
run: echo "SBOM_FILENAME=${{ runner.temp }}/sbom_$(openssl rand -hex 6).json" >> $GITHUB_ENV
shell: bash
- name: SBOM format check
2024-02-23 12:28:03 -08:00
if: ${{ inputs.sbom-path == '' }}
2024-02-22 08:46:34 -08:00
run: |
if [ "${{inputs.format}}" != "spdx-json" ] && [ "${{inputs.format}}" != "cyclonedx-json" ] && [ "${{inputs.format}}" != "spdx" ] && [ "${{inputs.format}}" != "cyclonedx" ] ]; then
echo "Invalid SBOM format. Supported formats are spdx-json, cyclonedx-json, spdx, cyclonedx"
exit 1
fi
echo "SBOM_FORMAT=${{inputs.format}}" >> $GITHUB_ENV
if [ "${{inputs.format}}" == "spdx" ]; then
echo "SBOM_FORMAT=spdx-json" >> $GITHUB_ENV
elif [ "${{inputs.format}}" == "cyclonedx" ]; then
echo "SBOM_FORMAT=cyclonedx-json" >> $GITHUB_ENV
fi
shell: bash
- name: Generate SBOM
2024-02-23 12:28:03 -08:00
if: ${{ inputs.sbom-path == '' }}
2024-02-22 08:46:34 -08:00
uses: anchore/sbom-action@v0
with:
path: ${{inputs.path}}
output-file: ${{env.SBOM_FILENAME}}
format: ${{env.SBOM_FORMAT}}
config: ${{inputs.config}}
2024-02-26 10:01:57 -08:00
- uses: actions/attest-sbom/generate-sbom-statement@main
2024-02-22 08:46:34 -08:00
id: generate-sbom-statement
with:
github-token: ${{ inputs.github-token }}
subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }}
subject-name: ${{ inputs.subject-name }}
push-to-registry: ${{ inputs.push-to-registry }}
sbom-path: ${{ inputs.sbom-path || env.SBOM_FILENAME }}
2024-02-23 10:47:42 -08:00
- uses: actions/attest@main
2024-02-22 08:46:34 -08:00
id: attest
with:
github-token: ${{ inputs.github-token }}
subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }}
subject-name: ${{ inputs.subject-name }}
push-to-registry: ${{ inputs.push-to-registry }}
predicate-type: ${{ steps.generate-sbom-statement.outputs.predicate-type }}
2024-02-26 10:01:57 -08:00
predicate-path: ${{ steps.generate-sbom-statement.outputs.predicate-path }}