remove anchore/sbom-action (#45)
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@@ -69,31 +69,3 @@ jobs:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Dump output
|
||||
run: jq < ${{ steps.attest-sbom.outputs.bundle-path }}
|
||||
test-attest-sbom:
|
||||
name: Test attest-sbom action
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
- name: Run attest-sbom with spdx format
|
||||
uses: ./
|
||||
with:
|
||||
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
|
||||
subject-name: 'subject'
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
sbom-format: 'spdx'
|
||||
- name: Run attest-sbom with cyclonedx format
|
||||
id: attest-sbom
|
||||
uses: ./
|
||||
env:
|
||||
INPUT_PRIVATE-SIGNING: 'true'
|
||||
with:
|
||||
subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
|
||||
subject-name: 'subject'
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
sbom-format: 'cyclonedx'
|
||||
|
||||
@@ -5,9 +5,8 @@ the [@actions/attest][1] package.
|
||||
|
||||
Attestations bind some subject (a named artifact along with its digest) to a a
|
||||
Software Bill of Materials (SBOM) using the [in-toto][2] format. The action
|
||||
accepts SBOMs which have been generated by external tools or can generate one
|
||||
automatically by invoking the [anchore/sbom-action][3]. Externally generated
|
||||
SBOMs must be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format.
|
||||
accepts SBOMs which have been generated by external tools. Provided SBOMs must
|
||||
be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format.
|
||||
|
||||
A verifiable signature is generated for the attestation using a short-lived
|
||||
[Sigstore][6]-issued signing certificate. If the repository initiating the
|
||||
@@ -45,12 +44,12 @@ attest:
|
||||
- uses: actions/attest-sbom@v1
|
||||
with:
|
||||
subject-path: '<PATH TO ARTIFACT>'
|
||||
sbom-path: '<PATH TO SBOM>'
|
||||
```
|
||||
|
||||
The `subject-path` parameter should identity the artifact for which you want
|
||||
to generate an SBOM attestation. When no other inputs are specified, the
|
||||
action will automatically generate an SPDX SBOM by scanning the
|
||||
`github.workspace` directory.
|
||||
to generate an SBOM attestation. The `sbom-path` parameter should identify
|
||||
the SBOM document to be associated with the subject.
|
||||
|
||||
### Inputs
|
||||
|
||||
@@ -77,15 +76,6 @@ See [action.yml](action.yml)
|
||||
# "scan-path" and "sbom-format" inputs are ignored.
|
||||
sbom-path:
|
||||
|
||||
# Path on the filesystem to scan for SBOM generation. Ignored if "sbom-path"
|
||||
# is specified. Defaults to ${{ github.workspace }}
|
||||
scan-path:
|
||||
|
||||
# Format to use for the generated SBOM output. Supported formats are
|
||||
# "spdx" and "cyclonedx". Ignored if "sbom-path" is specified. Defaults to
|
||||
# "spdx".
|
||||
sbom-format:
|
||||
|
||||
# Whether to push the attestation to the image registry. Requires that the
|
||||
# "subject-name" parameter specify the fully-qualified image name and that
|
||||
# the "subject-digest" parameter be specified. Defaults to false.
|
||||
|
||||
-38
@@ -24,18 +24,6 @@ inputs:
|
||||
Path to the JSON-formatted SBOM file to attest. When specified, the
|
||||
"scan-path" and "sbom-format" inputs are ignored.
|
||||
required: false
|
||||
scan-path:
|
||||
description: >
|
||||
Path on the filesystem to scan for SBOM generation. Ignored if "sbom-path"
|
||||
is specified.
|
||||
default: ${{ github.workspace }}
|
||||
required: false
|
||||
sbom-format:
|
||||
description: >
|
||||
Format to use for the generated SBOM output. Supported formats are "spdx"
|
||||
and "cyclonedx". Ignored if "sbom-path" is specified.
|
||||
default: 'spdx'
|
||||
required: false
|
||||
push-to-registry:
|
||||
description: >
|
||||
Whether to push the provenance statement to the image registry. Requires
|
||||
@@ -57,32 +45,6 @@ outputs:
|
||||
runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- name: Generate random SBOM output file name
|
||||
if: inputs.sbom-path == ''
|
||||
id: sbom-output
|
||||
run:
|
||||
echo "path=${{ runner.temp }}/sbom_$(openssl rand -hex 6).json" >> $GITHUB_OUTPUT
|
||||
shell: bash
|
||||
- name: SBOM format check
|
||||
id: check-sbom-format
|
||||
if: inputs.sbom-path == ''
|
||||
run: |
|
||||
if [ "${{inputs.sbom-format}}" != "spdx" ] && [ "${{inputs.sbom-format}}" != "cyclonedx" ] ]; then
|
||||
echo "Invalid SBOM format. Supported formats are spdx and cyclonedx."
|
||||
exit 1
|
||||
elif [ "${{inputs.sbom-format}}" == "spdx" ]; then
|
||||
echo "format=spdx-json" >> $GITHUB_OUTPUT
|
||||
elif [ "${{inputs.sbom-format}}" == "cyclonedx" ]; then
|
||||
echo "format=cyclonedx-json" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
shell: bash
|
||||
- name: Generate SBOM
|
||||
if: inputs.sbom-path == ''
|
||||
uses: anchore/sbom-action@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10
|
||||
with:
|
||||
path: ${{ inputs.scan-path }}
|
||||
output-file: ${{ steps.sbom-output.outputs.path }}
|
||||
format: ${{ steps.check-sbom-format.outputs.format }}
|
||||
- uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0
|
||||
id: generate-sbom-predicate
|
||||
with:
|
||||
|
||||