Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c2c8e8afdf | |||
| ef02dcfae5 | |||
| 88ac301612 |
@@ -45,11 +45,15 @@ attest:
|
||||
permissions:
|
||||
id-token: write
|
||||
attestations: write
|
||||
artifact-metadata: write
|
||||
```
|
||||
|
||||
The `id-token` permission gives the action the ability to mint the OIDC token
|
||||
necessary to request a Sigstore signing certificate. The `attestations`
|
||||
permission is necessary to persist the attestation.
|
||||
The `artifact-metadata` permission is required to generate artifact
|
||||
metadata storage records. If this permission is not included, the action
|
||||
will continue without creating the record.
|
||||
|
||||
1. Add the following to your workflow after your artifact has been built and
|
||||
your SBOM has been generated:
|
||||
@@ -101,6 +105,12 @@ See [action.yml](action.yml)
|
||||
# the "subject-digest" parameter be specified. Defaults to false.
|
||||
push-to-registry:
|
||||
|
||||
# Whether to create a storage record for the artifact.
|
||||
# Requires that push-to-registry is set to true.
|
||||
# Requires that the "subject-name" parameter specify the fully-qualified
|
||||
# image name. Defaults to true.
|
||||
create-storage-record:
|
||||
|
||||
# Whether to attach a list of generated attestations to the workflow run
|
||||
# summary page. Defaults to true.
|
||||
show-summary:
|
||||
@@ -258,6 +268,10 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
|
||||
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
|
||||
the specific image being attested is identified by the supplied digest.
|
||||
|
||||
If the `push-to-registry` option is set to true, the Action will also
|
||||
emit an Artifact Metadata Storage Record. If you do not want to emit a
|
||||
storage record, set `create-storage-record` to `false`.
|
||||
|
||||
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
|
||||
> registry portion of the image name.
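Review bot: The expanded `permissions` example in the first hunk (`artifact-metadata: write`) reads as a requirement for every caller, but the text added in the third hunk says a storage record is only emitted when `push-to-registry` is true, so workflows that do not push to a registry are being told to grant a write scope they never use. I would qualify the sentence after the block: `The \`artifact-metadata\` permission is only needed when \`push-to-registry\` is true and \`create-storage-record\` is not set to \`false\`; omit it otherwise.` The same paragraph should also make the failure mode explicit, since "the action will continue without creating the record" means a missing permission degrades silently rather than failing the job — users who depend on the record should verify it was created. The enclosing README section starts before the first hunk and continues past the third.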
|
||||
|
||||
|
||||
+8
-1
@@ -41,6 +41,12 @@ inputs:
|
||||
and that the "subject-digest" parameter be specified. Defaults to false.
|
||||
default: false
|
||||
required: false
|
||||
create-storage-record:
|
||||
description: >
|
||||
Whether to create a storage record for the artifact.
|
||||
Requires that push-to-registry is set to true. Defaults to true.
|
||||
default: true
|
||||
required: false
|
||||
show-summary:
|
||||
description: >
|
||||
Whether to attach a list of generated attestations to the workflow run
|
||||
@@ -71,7 +77,7 @@ runs:
|
||||
id: generate-sbom-predicate
|
||||
with:
|
||||
sbom-path: ${{ inputs.sbom-path }}
|
||||
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
|
||||
- uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
|
||||
id: attest
|
||||
env:
|
||||
NODE_OPTIONS: '--max-http-header-size=32768'
|
||||
@@ -85,5 +91,6 @@ runs:
|
||||
predicate-path:
|
||||
${{ steps.generate-sbom-predicate.outputs.predicate-path }}
|
||||
push-to-registry: ${{ inputs.push-to-registry }}
|
||||
create-storage-record: ${{ inputs.create-storage-record }}
|
||||
show-summary: ${{ inputs.show-summary }}
|
||||
github-token: ${{ inputs.github-token }}
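Review bot: The `create-storage-record` description in the first hunk (`Whether to create a storage record for the artifact. Requires that push-to-registry is set to true. Defaults to true.`) does not match the README text in the same commit, which additionally states that `subject-name` must be a fully-qualified image name and that the `artifact-metadata: write` permission is required; the action.yml description is what users see in tooling, so the prerequisites should be stated in both places identically. I would extend the folded scalar to: `Requires that push-to-registry is set to true, that "subject-name" is a fully-qualified image name, and that the workflow grants the "artifact-metadata: write" permission. Defaults to true.` Since the default is `true`, every existing caller with `push-to-registry: true` will start attempting a record on upgrade and, per the README, silently skip it if the permission is absent — worth a sentence in the description so the new default is not a surprise. The `inputs:` mapping begins before the first hunk.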
|
||||
|
||||