Files
attest-sbom/README.md
T

326 lines
11 KiB
Markdown
Raw Normal View History

2024-02-29 11:59:05 -08:00
# `actions/attest-sbom`
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
Generate signed SBOM attestations for workflow artifacts. Internally powered by
the [@actions/attest][1] package.
2024-02-29 11:59:05 -08:00
Attestations bind some subject (a named artifact along with its digest) to a a
Software Bill of Materials (SBOM) using the [in-toto][2] format. The action
2024-04-22 09:22:27 -07:00
accepts SBOMs which have been generated by external tools. Provided SBOMs must
be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format.
2024-02-29 11:59:05 -08:00
A verifiable signature is generated for the attestation using a short-lived
[Sigstore][6]-issued signing certificate. If the repository initiating the
GitHub Actions workflow is public, the public-good instance of Sigstore will be
used to generate the attestation signature. If the repository is
private/internal, it will use the GitHub private Sigstore instance.
Once the attestation has been created and signed, it will be uploaded to the GH
attestations API and associated with the repository from which the workflow was
initiated.
Attestations can be verified using the [`attestation` command in the GitHub
2024-02-29 11:59:05 -08:00
CLI][7].
2024-02-20 11:28:19 -08:00
See [Using artifact attestations to establish provenance for builds][11] for
more information on artifact attestations.
2024-05-01 13:58:45 -07:00
<!-- prettier-ignore-start -->
> [!NOTE]
> Artifact attestations are available in public repositories for all
> current GitHub plans. They are not available on legacy plans, such as Bronze,
> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
> artifact attestations are only available for public repositories. To use
> artifact attestations in private or internal repositories, you must be on a
> GitHub Enterprise Cloud plan.
<!-- prettier-ignore-end -->
2024-02-28 12:43:56 -08:00
## Usage
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
Within the GitHub Actions workflow which builds some artifact you would like to
2024-02-29 11:59:05 -08:00
attest:
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
1. Ensure that the following permissions are set:
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
```yaml
permissions:
id-token: write
attestations: write
2024-02-28 12:43:56 -08:00
```
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
The `id-token` permission gives the action the ability to mint the OIDC token
necessary to request a Sigstore signing certificate. The `attestations`
2024-02-28 12:43:56 -08:00
permission is necessary to persist the attestation.
2024-02-20 11:28:19 -08:00
1. Add the following to your workflow after your artifact has been built and
your SBOM has been generated:
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
```yaml
2025-08-28 16:23:26 -07:00
- uses: actions/attest-sbom@v3
2024-02-28 12:43:56 -08:00
with:
2024-02-29 11:59:05 -08:00
subject-path: '<PATH TO ARTIFACT>'
2024-04-22 09:22:27 -07:00
sbom-path: '<PATH TO SBOM>'
2024-02-28 12:43:56 -08:00
```
2024-02-20 11:28:19 -08:00
2024-05-06 12:14:46 -07:00
The `subject-path` parameter should identify the artifact for which you want
2024-04-22 09:22:27 -07:00
to generate an SBOM attestation. The `sbom-path` parameter should identify
the SBOM document to be associated with the subject.
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
### Inputs
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
See [action.yml](action.yml)
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
```yaml
2025-08-28 16:23:26 -07:00
- uses: actions/attest-sbom@v3
2024-02-29 11:59:05 -08:00
with:
# Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path", "subject-digest", or
# "subject-checksums". May contain a glob pattern or list of paths
# (total subject count cannot exceed 1024).
2024-02-29 11:59:05 -08:00
subject-path:
2024-05-06 12:14:46 -07:00
# SHA256 digest of the subject for the attestation. Must be in the form
2024-02-29 11:59:05 -08:00
# "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
# of "subject-path", "subject-digest", or "subject-checksums".
2024-02-29 11:59:05 -08:00
subject-digest:
# Subject name as it should appear in the attestation. Required when
# identifying the subject with the "subject-digest" input.
2024-02-29 11:59:05 -08:00
subject-name:
# Path to checksums file containing digest and name of subjects for
# attestation. Must specify exactly one of "subject-path", "subject-digest",
# or "subject-checksums".
subject-checksums:
# Path to the JSON-formatted SBOM file to attest. File size cannot exceed
# 16MB.
2024-02-29 11:59:05 -08:00
sbom-path:
# Whether to push the attestation to the image registry. Requires that the
# "subject-name" parameter specify the fully-qualified image name and that
# the "subject-digest" parameter be specified. Defaults to false.
push-to-registry:
# Whether to attach a list of generated attestations to the workflow run
# summary page. Defaults to true.
show-summary:
2024-02-29 11:59:05 -08:00
# The GitHub token used to make authenticated API requests. Default is
# ${{ github.token }}
github-token:
```
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
### Outputs
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
<!-- markdownlint-disable MD013 -->
2024-02-20 11:28:19 -08:00
| Name | Description | Example |
| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
| `attestation-id` | GitHub ID for the attestation | `123456` |
| `attestation-url` | URL for the attestation summary | `https://github.com/foo/bar/attestations/123456` |
| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` |
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
<!-- markdownlint-enable MD013 -->
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
Attestations are saved in the JSON-serialized [Sigstore bundle][8] format.
2024-02-20 11:28:19 -08:00
2024-12-04 07:53:42 -08:00
If multiple subjects are being attested at the same time, a single attestation
will be created with references to each of the supplied subjects.
2024-02-20 11:28:19 -08:00
The absolute path to the generated attestation is appended to the file
`${RUNNER_TEMP}/created_attestation_paths.txt`. This file will accumulate the
paths to all attestations created over the course of a single workflow.
## Attestation Limits
### Subject Limits
2024-12-04 07:53:42 -08:00
No more than 1024 subjects can be attested at the same time.
### SBOM Limits
The SBOM supplied via the `sbom-path` input cannot exceed 16MB.
2024-02-29 11:59:05 -08:00
## Examples
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
### Identify Subject and SBOM by Path
2024-02-20 11:28:19 -08:00
2024-02-29 11:59:05 -08:00
For the basic use case, simply add the `attest-sbom` action to your workflow and
supply the path to the artifact and SBOM for which you want to generate
attestation.
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
```yaml
2024-02-29 11:59:05 -08:00
name: build-attest
2024-02-28 12:43:56 -08:00
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
2024-02-28 12:43:56 -08:00
permissions:
id-token: write
contents: read
attestations: write
2024-02-28 12:43:56 -08:00
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build artifact
2024-02-29 11:59:05 -08:00
run: make my-app
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
format: 'spdx-json'
output-file: 'sbom.spdx.json'
2024-02-29 11:59:05 -08:00
- name: Attest
2025-08-28 16:23:26 -07:00
uses: actions/attest-sbom@v3
2024-02-28 12:43:56 -08:00
with:
2024-02-29 11:59:05 -08:00
subject-path: '${{ github.workspace }}/my-app'
sbom-path: 'sbom.spdx.json'
2024-02-28 12:43:56 -08:00
```
2024-06-20 08:26:17 -07:00
### Identify Multiple Subjects
2024-02-20 11:28:19 -08:00
2024-12-04 07:53:42 -08:00
If you are generating multiple artifacts, you can attest all of them at the same
time by using a wildcard in the `subject-path` input.
2024-02-20 11:28:19 -08:00
```yaml
2025-08-28 16:23:26 -07:00
- uses: actions/attest-sbom@v3
2024-02-29 11:59:05 -08:00
with:
subject-path: 'dist/**/my-bin-*'
sbom-path: '${{ github.workspace }}/my-bin.sbom.spdx.json'
2024-02-20 11:28:19 -08:00
```
2024-02-28 12:43:56 -08:00
For supported wildcards along with behavior and documentation, see
2024-02-29 11:59:05 -08:00
[@actions/glob][10] which is used internally to search for files.
2024-02-20 11:28:19 -08:00
2024-06-20 08:26:17 -07:00
Alternatively, you can explicitly list multiple subjects with either a comma or
newline delimited list:
```yaml
2025-08-28 16:23:26 -07:00
- uses: actions/attest-sbom@v3
2024-06-20 08:26:17 -07:00
with:
subject-path: 'dist/foo, dist/bar'
```
```yaml
2025-08-28 16:23:26 -07:00
- uses: actions/attest-sbom@v3
2024-06-20 08:26:17 -07:00
with:
subject-path: |
dist/foo
dist/bar
```
### Identify Subjects with Checksums File
If you are using tools like
[goreleaser](https://goreleaser.com/customization/checksum/) or
[jreleaser](https://jreleaser.org/guide/latest/reference/checksum.html) which
generate a checksums file you can identify the attestation subjects by passing
the path of the checksums file to the `subject-checksums` input. Each of the
artifacts identified in the checksums file will be listed as a subject for the
attestation.
```yaml
- name: Calculate artifact digests
run: |
shasum -a 256 foo_0.0.1_* > subject.checksums.txt
2025-08-28 16:23:26 -07:00
- uses: actions/attest-sbom@v3
with:
subject-checksums: subject.checksums.txt
sbom-path: sbom.spdx.json
```
<!-- markdownlint-disable MD038 -->
The file referenced by the `subject-checksums` input must conform to the same
format used by the shasum tools. Each subject should be listed on a separate
line including the hex-encoded digest (either SHA256 or SHA512), a space, a
single character flag indicating either binary (`*`) or text (` `) input mode,
and the filename.
<!-- markdownlint-enable MD038 -->
```text
b569bf992b287f55d78bf8ee476497e9b7e9d2bf1c338860bfb905016218c740 foo_0.0.1_darwin_amd64
a54fc515e616cac7fcf11a49d5c5ec9ec315948a5935c1e11dd610b834b14dde foo_0.0.1_darwin_arm64
```
2024-02-28 12:43:56 -08:00
### Container Image
2024-02-29 11:59:05 -08:00
When working with container images you can invoke the action with the
`subject-name` and `subject-digest` inputs.
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
If you want to publish the attestation to the container registry with the
`push-to-registry` option, it is important that the `subject-name` specify the
fully-qualified image name (e.g. "ghcr.io/user/app" or
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
the specific image being attested is identified by the supplied digest.
2024-02-20 11:28:19 -08:00
2024-02-28 12:43:56 -08:00
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
> registry portion of the image name.
2024-02-20 11:28:19 -08:00
```yaml
2024-02-29 11:59:05 -08:00
name: build-attested-image
2024-02-28 12:43:56 -08:00
on:
push:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
contents: read
attestations: write
2024-02-28 12:43:56 -08:00
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push image
id: push
uses: docker/build-push-action@v5.0.0
with:
context: .
push: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
2024-02-29 11:59:05 -08:00
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'cyclonedx-json'
output-file: 'sbom.cyclonedx.json'
2024-02-29 11:59:05 -08:00
- name: Attest
2025-08-28 16:23:26 -07:00
uses: actions/attest-sbom@v3
2024-02-29 11:59:05 -08:00
id: attest
2024-02-28 12:43:56 -08:00
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.push.outputs.digest }}
2024-02-29 11:59:05 -08:00
sbom-path: 'sbom.cyclonedx.json'
push-to-registry: true
2024-02-20 11:28:19 -08:00
```
2024-02-29 11:59:05 -08:00
[1]: https://github.com/actions/toolkit/tree/main/packages/attest
[2]: https://github.com/in-toto/attestation/tree/main/spec/v1
[4]: https://spdx.dev/
[5]: https://cyclonedx.org/
[6]: https://www.sigstore.dev/
[7]: https://cli.github.com/manual/gh_attestation_verify
2024-02-29 11:59:05 -08:00
[8]:
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[10]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
[11]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds