Bump actions/attest from 1.1.2 to 1.2.0 (#67)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Brian DeHamer
2024-06-03 10:53:32 -07:00
committed by GitHub
parent cb316d67b7
commit 49e7311f18
2 changed files with 27 additions and 11 deletions
+21 -6
@@ -21,8 +21,8 @@ initiated.
Attestations can be verified using the [`attestation` command in the GitHub
CLI][7].
See [Using artifact attestations to establish provenance for builds][11]
for more information on artifact attestations.
See [Using artifact attestations to establish provenance for builds][11] for
more information on artifact attestations.
## Usage
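Review bot: this hunk is a pure re-wrap of the "See [Using artifact attestations ...][11]" sentence with no change in wording or link target; it is harmless, but cosmetic reflow is easier to review when kept out of a version-bump commit or called out in the commit message.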
@@ -63,7 +63,8 @@ See [action.yml](action.yml)
- uses: actions/attest-sbom@v1
with:
# Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest".
# specify exactly one of "subject-path" or "subject-digest". May contain a
# glob pattern or list of paths (total subject count cannot exceed 2500).
subject-path:
# SHA256 digest of the subject for the attestation. Must be in the form
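Review bot: the new `subject-path` comment says the input may be a glob pattern or a list of paths but does not say which glob syntax applies or how a list is delimited; the README already defines reference [10] for the actions/toolkit glob patterns, so point to it here and state the list delimiter, e.g. `# specify exactly one of "subject-path" or "subject-digest". May contain a` / `# glob pattern (see [10]) or a list of paths (total subject count cannot exceed 2500).`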
@@ -76,8 +77,8 @@ See [action.yml](action.yml)
# path.
subject-name:
# Path to the JSON-formatted SBOM file to attest. When specified, the
# "scan-path" and "sbom-format" inputs are ignored.
# Path to the JSON-formatted SBOM file to attest. File size cannot exceed
# 16MB.
sbom-path:
# Whether to push the attestation to the image registry. Requires that the
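Review bot: the replacement drops the statement that "scan-path" and "sbom-format" are ignored when `sbom-path` is set, which is a documented precedence rule rather than wording; if those inputs still exist, keep that sentence alongside the new 16MB limit, and if they were removed, say so in the commit message, since this diff only shows the README side of the change.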
@@ -106,6 +107,19 @@ If multiple subjects are being attested at the same time, each attestation will
be written to the output file on a separate line (using the [JSON Lines][9]
format).
## Attestation Limits
### Subject Limits
No more than 2500 subjects can be attested at the same time. Subjects will be
processed in batches 50. After the initial group of 50, each subsequent batch
will incur an exponentially increasing amount of delay (capped at 1 minute of
delay per batch) to avoid overwhelming the attestation API.
### SBOM Limits
The SBOM supplied via the `sbom-path` input cannot exceed 16MB.
## Examples
### Identify Subject and SBOM by Path
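Review bot: typo in the added "Subject Limits" paragraph: "processed in batches 50" should read "processed in batches of 50". The same paragraph describes an exponentially increasing delay capped at 1 minute per batch but gives neither the initial delay nor the growth factor, so a reader cannot estimate total run time for a large subject set; add those figures if the action exposes them.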
@@ -234,4 +248,5 @@ jobs:
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[9]: https://jsonlines.org/
[10]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
[11]: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
[11]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
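Review bot: the wrapped form of the [11] definition (label on one line, URL on the next) is valid CommonMark and matches the existing definition directly above it, whose URL also sits on its own line, so this is a consistency fix; the re-wrapped sentence earlier in the diff still resolves to the same [11] label. No change needed.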