Compare commits

...

3 Commits

Author SHA1 Message Date
Meredith Lancaster c2c8e8afdf update actions/attest version
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-12-18 16:40:22 -08:00
Meredith Lancaster ef02dcfae5 add docs create-storage-record option and artifact-metadata permission
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-12-18 16:25:02 -08:00
Meredith Lancaster 88ac301612 add create-storage-record option
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-12-18 16:23:51 -08:00
2 changed files with 22 additions and 1 deletions
+14
@@ -45,11 +45,15 @@ attest:
permissions:
id-token: write
attestations: write
artifact-metadata: write
```
The `id-token` permission gives the action the ability to mint the OIDC token
necessary to request a Sigstore signing certificate. The `attestations`
permission is necessary to persist the attestation.
The `artifact-metadata` permission is required to generate artifact
metadata storage records. If this permission is not included, the action
will continue without creating the record.
1. Add the following to your workflow after your artifact has been built and
your SBOM has been generated:
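Review bot: the new sentence "If this permission is not included, the action will continue without creating the record" documents a silent fallback; state whether the action logs a warning in that case, because a workflow author who expects a storage record and never sees one has no signal in this text that the step was skipped rather than completed. It would also help to say here that `artifact-metadata: write` is only relevant when `push-to-registry` and `create-storage-record` are enabled, so readers who do not push to a registry know they can leave the permission out.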
@@ -101,6 +105,12 @@ See [action.yml](action.yml)
# the "subject-digest" parameter be specified. Defaults to false.
push-to-registry:
# Whether to create a storage record for the artifact.
# Requires that push-to-registry is set to true.
# Requires that the "subject-name" parameter specify the fully-qualified
# image name. Defaults to true.
create-storage-record:
# Whether to attach a list of generated attestations to the workflow run
# summary page. Defaults to true.
show-summary:
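Review bot: the comment for `create-storage-record` says it "Requires that push-to-registry is set to true" and "Defaults to true", while `push-to-registry` documented just above defaults to false, so the default combination is `create-storage-record: true` with `push-to-registry: false`; spell out what happens then (silently ignored, or the step fails), since a user reading "Defaults to true" may assume a record is produced without further configuration.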
@@ -258,6 +268,10 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
the specific image being attested is identified by the supplied digest.
If the `push-to-registry` option is set to true, the Action will also
emit an Artifact Metadata Storage Record. If you do not want to emit a
storage record, set `create-storage-record` to `false`.
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
> registry portion of the image name.
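Review bot: this paragraph tells the reader that a storage record is emitted when `push-to-registry` is true but does not mention that the `artifact-metadata: write` permission is also required, so someone who only reads the `subject-name` section will not know why no record appeared; add a pointer to the permissions section. The term also drifts between "Artifact Metadata Storage Record" here and "storage record" elsewhere; pick one name for the feature.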
+8 -1
@@ -41,6 +41,12 @@ inputs:
and that the "subject-digest" parameter be specified. Defaults to false.
default: false
required: false
create-storage-record:
description: >
Whether to create a storage record for the artifact.
Requires that push-to-registry is set to true. Defaults to true.
default: true
required: false
show-summary:
description: >
Whether to attach a list of generated attestations to the workflow run
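Review bot: the `create-storage-record` description omits the requirement the README states for the same input, that `subject-name` must be the fully-qualified image name; keep the two descriptions in sync, since `action.yml` is what users see in the marketplace listing. The `default: true` / `required: false` pair matches the existing `push-to-registry` input, so no issue there.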
@@ -71,7 +77,7 @@ runs:
id: generate-sbom-predicate
with:
sbom-path: ${{ inputs.sbom-path }}
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
- uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
id: attest
env:
NODE_OPTIONS: '--max-http-header-size=32768'
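Review bot: pinning `actions/attest` to a full commit SHA with a `# v3.1.0` comment is the right pattern, but verify that `7667f588f2f73a90cea6c7ac70e78266c4f76616` is the commit actually tagged v3.1.0 upstream, because the comment is not checked by the runner and a mismatch would silently pin a different revision. Note also the commit order in this compare: `88ac301612` (add create-storage-record option) precedes `c2c8e8afdf` (update actions/attest version), so if the new `create-storage-record` input is only accepted by v3.1.0, the intermediate commit forwards an input the pinned v3.0.0 may not understand; landing the version bump first, or squashing, avoids a broken intermediate state.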
@@ -85,5 +91,6 @@ runs:
predicate-path:
${{ steps.generate-sbom-predicate.outputs.predicate-path }}
push-to-registry: ${{ inputs.push-to-registry }}
create-storage-record: ${{ inputs.create-storage-record }}
show-summary: ${{ inputs.show-summary }}
github-token: ${{ inputs.github-token }}
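Review bot: the passthrough `create-storage-record: ${{ inputs.create-storage-record }}` mirrors the existing `push-to-registry` line, so the value reaches `actions/attest` as the string `'true'`/`'false'` in the same way; that is consistent. The README's promise that the action "will continue without creating the record" when `artifact-metadata: write` is missing is, however, implemented upstream rather than in this file, so confirm against the pinned v3.1.0 that a missing permission degrades as described instead of failing the step, and document whichever behaviour is observed.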