diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 25ebc09..3921027 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -69,31 +69,3 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Dump output run: jq < ${{ steps.attest-sbom.outputs.bundle-path }} - test-attest-sbom: - name: Test attest-sbom action - runs-on: ubuntu-latest - permissions: - contents: write - id-token: write - - steps: - - name: Checkout - id: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Run attest-sbom with spdx format - uses: ./ - with: - subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' - subject-name: 'subject' - github-token: ${{ secrets.GITHUB_TOKEN }} - sbom-format: 'spdx' - - name: Run attest-sbom with cyclonedx format - id: attest-sbom - uses: ./ - env: - INPUT_PRIVATE-SIGNING: 'true' - with: - subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32' - subject-name: 'subject' - github-token: ${{ secrets.GITHUB_TOKEN }} - sbom-format: 'cyclonedx' diff --git a/README.md b/README.md index a1fdec6..ee8c1ee 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,8 @@ the [@actions/attest][1] package. Attestations bind some subject (a named artifact along with its digest) to a a Software Bill of Materials (SBOM) using the [in-toto][2] format. The action -accepts SBOMs which have been generated by external tools or can generate one -automatically by invoking the [anchore/sbom-action][3]. Externally generated -SBOMs must be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format. +accepts SBOMs which have been generated by external tools. Provided SBOMs must +be in either the [SPDX][4] or [CycloneDX][5] JSON-serialized format. A verifiable signature is generated for the attestation using a short-lived [Sigstore][6]-issued signing certificate. If the repository initiating the @@ -45,12 +44,12 @@ attest: - uses: actions/attest-sbom@v1 with: subject-path: '' + sbom-path: '' ``` The `subject-path` parameter should identity the artifact for which you want - to generate an SBOM attestation. When no other inputs are specified, the - action will automatically generate an SPDX SBOM by scanning the - `github.workspace` directory. + to generate an SBOM attestation. The `sbom-path` parameter should identify + the SBOM document to be associated with the subject. ### Inputs @@ -77,15 +76,6 @@ See [action.yml](action.yml) # "scan-path" and "sbom-format" inputs are ignored. sbom-path: - # Path on the filesystem to scan for SBOM generation. Ignored if "sbom-path" - # is specified. Defaults to ${{ github.workspace }} - scan-path: - - # Format to use for the generated SBOM output. Supported formats are - # "spdx" and "cyclonedx". Ignored if "sbom-path" is specified. Defaults to - # "spdx". - sbom-format: - # Whether to push the attestation to the image registry. Requires that the # "subject-name" parameter specify the fully-qualified image name and that # the "subject-digest" parameter be specified. Defaults to false. diff --git a/action.yml b/action.yml index 179b9e6..e8efc83 100644 --- a/action.yml +++ b/action.yml @@ -24,18 +24,6 @@ inputs: Path to the JSON-formatted SBOM file to attest. When specified, the "scan-path" and "sbom-format" inputs are ignored. required: false - scan-path: - description: > - Path on the filesystem to scan for SBOM generation. Ignored if "sbom-path" - is specified. - default: ${{ github.workspace }} - required: false - sbom-format: - description: > - Format to use for the generated SBOM output. Supported formats are "spdx" - and "cyclonedx". Ignored if "sbom-path" is specified. - default: 'spdx' - required: false push-to-registry: description: > Whether to push the provenance statement to the image registry. Requires @@ -57,32 +45,6 @@ outputs: runs: using: 'composite' steps: - - name: Generate random SBOM output file name - if: inputs.sbom-path == '' - id: sbom-output - run: - echo "path=${{ runner.temp }}/sbom_$(openssl rand -hex 6).json" >> $GITHUB_OUTPUT - shell: bash - - name: SBOM format check - id: check-sbom-format - if: inputs.sbom-path == '' - run: | - if [ "${{inputs.sbom-format}}" != "spdx" ] && [ "${{inputs.sbom-format}}" != "cyclonedx" ] ]; then - echo "Invalid SBOM format. Supported formats are spdx and cyclonedx." - exit 1 - elif [ "${{inputs.sbom-format}}" == "spdx" ]; then - echo "format=spdx-json" >> $GITHUB_OUTPUT - elif [ "${{inputs.sbom-format}}" == "cyclonedx" ]; then - echo "format=cyclonedx-json" >> $GITHUB_OUTPUT - fi - shell: bash - - name: Generate SBOM - if: inputs.sbom-path == '' - uses: anchore/sbom-action@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10 - with: - path: ${{ inputs.scan-path }} - output-file: ${{ steps.sbom-output.outputs.path }} - format: ${{ steps.check-sbom-format.outputs.format }} - uses: actions/attest-sbom/predicate@847c6befa7ce187c962fa6c3e6cd3c96e4da9565 # predicate@0.1.0 id: generate-sbom-predicate with: