Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c2c8e8afdf | |||
| ef02dcfae5 | |||
| 88ac301612 | |||
| 6ec0860adb | |||
| 532af8af79 | |||
| 4f3e64cb63 | |||
| ba126a2b5e | |||
| 3867ba47a1 | |||
| 95613fb241 | |||
| b2a1607a55 | |||
| 2dab46ceb6 | |||
| 9dc6831a72 | |||
| b8f802ae8b | |||
| 542c22bbcc | |||
| d519ae0726 | |||
| fd7a65e0c0 | |||
| f2e6656b8e | |||
| c3380f58e7 | |||
| 61614eea5c | |||
| e24c2a9074 | |||
| 9e5a1e06d2 | |||
| 580d4aff21 | |||
| def7784df6 | |||
| 4e404e7097 | |||
| 4651f806c0 |
@@ -28,11 +28,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
||||
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -60,7 +60,7 @@ jobs:
|
||||
- if: ${{ failure() && steps.diff.outcome == 'failure' }}
|
||||
name: Upload Artifact
|
||||
id: upload
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
|
||||
@@ -21,11 +21,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
||||
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -57,7 +57,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
- name: Run attest-sbom
|
||||
id: attest-sbom
|
||||
uses: ./
|
||||
|
||||
@@ -32,19 +32,19 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Initialize CodeQL
|
||||
id: initialize
|
||||
uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
|
||||
uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
source-root: src
|
||||
|
||||
- name: Autobuild
|
||||
id: autobuild
|
||||
uses: github/codeql-action/autobuild@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
|
||||
uses: github/codeql-action/autobuild@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
id: analyze
|
||||
uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
|
||||
uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
|
||||
|
||||
@@ -45,17 +45,21 @@ attest:
|
||||
permissions:
|
||||
id-token: write
|
||||
attestations: write
|
||||
artifact-metadata: write
|
||||
```
|
||||
|
||||
The `id-token` permission gives the action the ability to mint the OIDC token
|
||||
necessary to request a Sigstore signing certificate. The `attestations`
|
||||
permission is necessary to persist the attestation.
|
||||
The `artifact-metadata` permission is required to generate artifact
|
||||
metadata storage records. If this permission is not included, the action
|
||||
will continue without creating the record.
|
||||
|
||||
1. Add the following to your workflow after your artifact has been built and
|
||||
your SBOM has been generated:
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: '<PATH TO ARTIFACT>'
|
||||
sbom-path: '<PATH TO SBOM>'
|
||||
@@ -70,7 +74,7 @@ attest:
|
||||
See [action.yml](action.yml)
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
# Path to the artifact serving as the subject of the attestation. Must
|
||||
# specify exactly one of "subject-path", "subject-digest", or
|
||||
@@ -101,6 +105,12 @@ See [action.yml](action.yml)
|
||||
# the "subject-digest" parameter be specified. Defaults to false.
|
||||
push-to-registry:
|
||||
|
||||
# Whether to create a storage record for the artifact.
|
||||
# Requires that push-to-registry is set to true.
|
||||
# Requires that the "subject-name" parameter specify the fully-qualified
|
||||
# image name. Defaults to true.
|
||||
create-storage-record:
|
||||
|
||||
# Whether to attach a list of generated attestations to the workflow run
|
||||
# summary page. Defaults to true.
|
||||
show-summary:
|
||||
@@ -174,7 +184,7 @@ jobs:
|
||||
format: 'spdx-json'
|
||||
output-file: 'sbom.spdx.json'
|
||||
- name: Attest
|
||||
uses: actions/attest-sbom@v2
|
||||
uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: '${{ github.workspace }}/my-app'
|
||||
sbom-path: 'sbom.spdx.json'
|
||||
@@ -186,7 +196,7 @@ If you are generating multiple artifacts, you can attest all of them at the same
|
||||
time by using a wildcard in the `subject-path` input.
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: 'dist/**/my-bin-*'
|
||||
sbom-path: '${{ github.workspace }}/my-bin.sbom.spdx.json'
|
||||
@@ -199,13 +209,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
|
||||
newline delimited list:
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: 'dist/foo, dist/bar'
|
||||
```
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: |
|
||||
dist/foo
|
||||
@@ -226,7 +236,7 @@ attestation.
|
||||
- name: Calculate artifact digests
|
||||
run: |
|
||||
shasum -a 256 foo_0.0.1_* > subject.checksums.txt
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-checksums: subject.checksums.txt
|
||||
sbom-path: sbom.spdx.json
|
||||
@@ -258,6 +268,10 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
|
||||
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
|
||||
the specific image being attested is identified by the supplied digest.
|
||||
|
||||
If the `push-to-registry` option is set to true, the Action will also
|
||||
emit an Artifact Metadata Storage Record. If you do not want to emit a
|
||||
storage record, set `create-storage-record` to `false`.
|
||||
|
||||
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
|
||||
> registry portion of the image name.
|
||||
|
||||
@@ -303,7 +317,7 @@ jobs:
|
||||
format: 'cyclonedx-json'
|
||||
output-file: 'sbom.cyclonedx.json'
|
||||
- name: Attest
|
||||
uses: actions/attest-sbom@v2
|
||||
uses: actions/attest-sbom@v3
|
||||
id: attest
|
||||
with:
|
||||
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||
|
||||
+9
-2
@@ -41,6 +41,12 @@ inputs:
|
||||
and that the "subject-digest" parameter be specified. Defaults to false.
|
||||
default: false
|
||||
required: false
|
||||
create-storage-record:
|
||||
description: >
|
||||
Whether to create a storage record for the artifact.
|
||||
Requires that push-to-registry is set to true. Defaults to true.
|
||||
default: true
|
||||
required: false
|
||||
show-summary:
|
||||
description: >
|
||||
Whether to attach a list of generated attestations to the workflow run
|
||||
@@ -67,11 +73,11 @@ outputs:
|
||||
runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
|
||||
- uses: actions/attest-sbom/predicate@55e972012fb8695c1b0049174547f1fcb4baa8a5 # predicate@2.0.0
|
||||
id: generate-sbom-predicate
|
||||
with:
|
||||
sbom-path: ${{ inputs.sbom-path }}
|
||||
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
|
||||
- uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
|
||||
id: attest
|
||||
env:
|
||||
NODE_OPTIONS: '--max-http-header-size=32768'
|
||||
@@ -85,5 +91,6 @@ runs:
|
||||
predicate-path:
|
||||
${{ steps.generate-sbom-predicate.outputs.predicate-path }}
|
||||
push-to-registry: ${{ inputs.push-to-registry }}
|
||||
create-storage-record: ${{ inputs.create-storage-record }}
|
||||
show-summary: ${{ inputs.show-summary }}
|
||||
github-token: ${{ inputs.github-token }}
|
||||
|
||||
+1256
-1015
File diff suppressed because it is too large
Load Diff
Generated
+1022
-1069
File diff suppressed because it is too large
Load Diff
+13
-13
@@ -70,22 +70,22 @@
|
||||
]
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.11.1"
|
||||
"@actions/core": "^2.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@actions/attest": "^1.6.0",
|
||||
"@eslint/js": "^9.34.0",
|
||||
"@actions/attest": "^2.1.0",
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@types/node": "^24.3.0",
|
||||
"@vercel/ncc": "^0.38.3",
|
||||
"eslint": "^9.34.0",
|
||||
"@types/node": "^25.0.2",
|
||||
"@vercel/ncc": "^0.38.4",
|
||||
"eslint": "^9.39.2",
|
||||
"eslint-plugin-import": "^2.32.0",
|
||||
"eslint-plugin-jest": "^29.0.1",
|
||||
"jest": "^30.1.1",
|
||||
"markdownlint-cli": "^0.45.0",
|
||||
"prettier": "^3.6.2",
|
||||
"ts-jest": "^29.4.1",
|
||||
"typescript": "^5.9.2",
|
||||
"typescript-eslint": "^8.41.0"
|
||||
"eslint-plugin-jest": "^29.5.0",
|
||||
"jest": "^30.2.0",
|
||||
"markdownlint-cli": "^0.47.0",
|
||||
"prettier": "^3.7.4",
|
||||
"ts-jest": "^29.4.6",
|
||||
"typescript": "^5.9.3",
|
||||
"typescript-eslint": "^8.49.0"
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user