Compare commits
41 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| c2c8e8afdf | |||
| ef02dcfae5 | |||
| 88ac301612 | |||
| 6ec0860adb | |||
| 532af8af79 | |||
| 4f3e64cb63 | |||
| ba126a2b5e | |||
| 3867ba47a1 | |||
| 95613fb241 | |||
| b2a1607a55 | |||
| 2dab46ceb6 | |||
| 9dc6831a72 | |||
| b8f802ae8b | |||
| 542c22bbcc | |||
| d519ae0726 | |||
| fd7a65e0c0 | |||
| f2e6656b8e | |||
| c3380f58e7 | |||
| 61614eea5c | |||
| e24c2a9074 | |||
| 9e5a1e06d2 | |||
| 580d4aff21 | |||
| def7784df6 | |||
| 4e404e7097 | |||
| 4651f806c0 | |||
| 55e972012f | |||
| c2dd1df1ec | |||
| 87ab9bb01b | |||
| 24900ce153 | |||
| 484c81f0bd | |||
| eec1ec9904 | |||
| b06100ab07 | |||
| ccb8edd7db | |||
| 9a005994da | |||
| 57a8b1e21b | |||
| 0d73e3f2be | |||
| 2548367d4f | |||
| f4e8bae046 | |||
| 0486c4aa49 | |||
| e9b2cefbdf | |||
| 45bb4038a3 |
@@ -1,10 +0,0 @@
|
||||
rules:
|
||||
document-end: disable
|
||||
document-start:
|
||||
level: warning
|
||||
present: false
|
||||
line-length:
|
||||
level: warning
|
||||
max: 80
|
||||
allow-non-breakable-words: true
|
||||
allow-non-breakable-inline-mappings: true
|
||||
@@ -1,9 +0,0 @@
|
||||
{
|
||||
"$schema": "https://json.schemastore.org/tsconfig",
|
||||
"extends": "../../tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"noEmit": true
|
||||
},
|
||||
"include": ["../../__tests__/**/*", "../../src/**/*"],
|
||||
"exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"]
|
||||
}
|
||||
@@ -28,11 +28,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@v4
|
||||
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -60,7 +60,7 @@ jobs:
|
||||
- if: ${{ failure() && steps.diff.outcome == 'failure' }}
|
||||
name: Upload Artifact
|
||||
id: upload
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
|
||||
@@ -21,11 +21,11 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
|
||||
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
@@ -57,7 +57,7 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
- name: Run attest-sbom
|
||||
id: attest-sbom
|
||||
uses: ./
|
||||
|
||||
@@ -32,19 +32,19 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
||||
|
||||
- name: Initialize CodeQL
|
||||
id: initialize
|
||||
uses: github/codeql-action/init@v3
|
||||
uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
source-root: src
|
||||
|
||||
- name: Autobuild
|
||||
id: autobuild
|
||||
uses: github/codeql-action/autobuild@v3
|
||||
uses: github/codeql-action/autobuild@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
id: analyze
|
||||
uses: github/codeql-action/analyze@v3
|
||||
uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
|
||||
|
||||
@@ -1,54 +0,0 @@
|
||||
name: Lint Codebase
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: read
|
||||
statuses: write
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
name: Lint Codebase
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
id: checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Setup Node.js
|
||||
id: setup-node
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version-file: .node-version
|
||||
cache: npm
|
||||
|
||||
- name: Install Dependencies
|
||||
id: install
|
||||
run: npm ci
|
||||
|
||||
- name: Lint Codebase
|
||||
id: super-linter
|
||||
uses: super-linter/super-linter/slim@12150456a73e248bdc94d0794898f94e23127c88 # v7.4.0
|
||||
env:
|
||||
DEFAULT_BRANCH: main
|
||||
FILTER_REGEX_EXCLUDE: dist/**/*
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
TYPESCRIPT_DEFAULT_STYLE: prettier
|
||||
VALIDATE_ALL_CODEBASE: true
|
||||
VALIDATE_JAVASCRIPT_STANDARD: false
|
||||
VALIDATE_TYPESCRIPT_ES: false
|
||||
VALIDATE_TYPESCRIPT_STANDARD: false
|
||||
VALIDATE_JSCPD: false
|
||||
|
||||
- name: Run eslint
|
||||
run: npm run lint:eslint
|
||||
@@ -1,22 +0,0 @@
|
||||
name: 'Publish Immutable Action Version'
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
publish:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
packages: write
|
||||
|
||||
steps:
|
||||
- name: Checking out
|
||||
uses: actions/checkout@v4
|
||||
- name: Publish
|
||||
id: publish
|
||||
uses: actions/publish-immutable-action@v0.0.4
|
||||
+1
-1
@@ -1 +1 @@
|
||||
20.6.0
|
||||
24.5.0
|
||||
|
||||
@@ -45,17 +45,21 @@ attest:
|
||||
permissions:
|
||||
id-token: write
|
||||
attestations: write
|
||||
artifact-metadata: write
|
||||
```
|
||||
|
||||
The `id-token` permission gives the action the ability to mint the OIDC token
|
||||
necessary to request a Sigstore signing certificate. The `attestations`
|
||||
permission is necessary to persist the attestation.
|
||||
The `artifact-metadata` permission is required to generate artifact
|
||||
metadata storage records. If this permission is not included, the action
|
||||
will continue without creating the record.
|
||||
|
||||
1. Add the following to your workflow after your artifact has been built and
|
||||
your SBOM has been generated:
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: '<PATH TO ARTIFACT>'
|
||||
sbom-path: '<PATH TO SBOM>'
|
||||
@@ -70,7 +74,7 @@ attest:
|
||||
See [action.yml](action.yml)
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
# Path to the artifact serving as the subject of the attestation. Must
|
||||
# specify exactly one of "subject-path", "subject-digest", or
|
||||
@@ -101,6 +105,12 @@ See [action.yml](action.yml)
|
||||
# the "subject-digest" parameter be specified. Defaults to false.
|
||||
push-to-registry:
|
||||
|
||||
# Whether to create a storage record for the artifact.
|
||||
# Requires that push-to-registry is set to true.
|
||||
# Requires that the "subject-name" parameter specify the fully-qualified
|
||||
# image name. Defaults to true.
|
||||
create-storage-record:
|
||||
|
||||
# Whether to attach a list of generated attestations to the workflow run
|
||||
# summary page. Defaults to true.
|
||||
show-summary:
|
||||
@@ -174,7 +184,7 @@ jobs:
|
||||
format: 'spdx-json'
|
||||
output-file: 'sbom.spdx.json'
|
||||
- name: Attest
|
||||
uses: actions/attest-sbom@v2
|
||||
uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: '${{ github.workspace }}/my-app'
|
||||
sbom-path: 'sbom.spdx.json'
|
||||
@@ -186,7 +196,7 @@ If you are generating multiple artifacts, you can attest all of them at the same
|
||||
time by using a wildcard in the `subject-path` input.
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: 'dist/**/my-bin-*'
|
||||
sbom-path: '${{ github.workspace }}/my-bin.sbom.spdx.json'
|
||||
@@ -199,13 +209,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
|
||||
newline delimited list:
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: 'dist/foo, dist/bar'
|
||||
```
|
||||
|
||||
```yaml
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-path: |
|
||||
dist/foo
|
||||
@@ -226,7 +236,7 @@ attestation.
|
||||
- name: Calculate artifact digests
|
||||
run: |
|
||||
shasum -a 256 foo_0.0.1_* > subject.checksums.txt
|
||||
- uses: actions/attest-sbom@v2
|
||||
- uses: actions/attest-sbom@v3
|
||||
with:
|
||||
subject-checksums: subject.checksums.txt
|
||||
sbom-path: sbom.spdx.json
|
||||
@@ -258,6 +268,10 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
|
||||
"acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
|
||||
the specific image being attested is identified by the supplied digest.
|
||||
|
||||
If the `push-to-registry` option is set to true, the Action will also
|
||||
emit an Artifact Metadata Storage Record. If you do not want to emit a
|
||||
storage record, set `create-storage-record` to `false`.
|
||||
|
||||
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
|
||||
> registry portion of the image name.
|
||||
|
||||
@@ -303,7 +317,7 @@ jobs:
|
||||
format: 'cyclonedx-json'
|
||||
output-file: 'sbom.cyclonedx.json'
|
||||
- name: Attest
|
||||
uses: actions/attest-sbom@v2
|
||||
uses: actions/attest-sbom@v3
|
||||
id: attest
|
||||
with:
|
||||
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||
|
||||
@@ -108,6 +108,13 @@ describe('generateSBOMPredicate', () => {
|
||||
expect(result.params).toEqual(sbom.object)
|
||||
})
|
||||
|
||||
it('throws an error for missing SPDX version', () => {
|
||||
const sbom = { type: 'spdx' } as SBOM
|
||||
expect(() => generateSBOMPredicate(sbom)).toThrow(
|
||||
'Cannot find spdxVersion in the SBOM'
|
||||
)
|
||||
})
|
||||
|
||||
it('generates CycloneDX predicate correctly', () => {
|
||||
const sbom = { type: 'cyclonedx', object: {} } as SBOM
|
||||
const result = generateSBOMPredicate(sbom)
|
||||
@@ -116,10 +123,8 @@ describe('generateSBOMPredicate', () => {
|
||||
})
|
||||
|
||||
it('throws error for unsupported SBOM formats', () => {
|
||||
const sbom = { type: 'spdx', object: {} }
|
||||
const sbom = { type: 'foo', object: {} }
|
||||
// @ts-expect-error test error case
|
||||
expect(() => generateSBOMPredicate(sbom)).toThrow(
|
||||
'Cannot find spdxVersion in the SBOM'
|
||||
)
|
||||
expect(() => generateSBOMPredicate(sbom)).toThrow('Unsupported SBOM format')
|
||||
})
|
||||
})
|
||||
|
||||
+11
-2
@@ -41,6 +41,12 @@ inputs:
|
||||
and that the "subject-digest" parameter be specified. Defaults to false.
|
||||
default: false
|
||||
required: false
|
||||
create-storage-record:
|
||||
description: >
|
||||
Whether to create a storage record for the artifact.
|
||||
Requires that push-to-registry is set to true. Defaults to true.
|
||||
default: true
|
||||
required: false
|
||||
show-summary:
|
||||
description: >
|
||||
Whether to attach a list of generated attestations to the workflow run
|
||||
@@ -67,12 +73,14 @@ outputs:
|
||||
runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- uses: actions/attest-sbom/predicate@534423496eab34674190bc45fdacbb8b1198e07f # predicate@1.0.0
|
||||
- uses: actions/attest-sbom/predicate@55e972012fb8695c1b0049174547f1fcb4baa8a5 # predicate@2.0.0
|
||||
id: generate-sbom-predicate
|
||||
with:
|
||||
sbom-path: ${{ inputs.sbom-path }}
|
||||
- uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0
|
||||
- uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
|
||||
id: attest
|
||||
env:
|
||||
NODE_OPTIONS: '--max-http-header-size=32768'
|
||||
with:
|
||||
subject-path: ${{ inputs.subject-path }}
|
||||
subject-digest: ${{ inputs.subject-digest }}
|
||||
@@ -83,5 +91,6 @@ runs:
|
||||
predicate-path:
|
||||
${{ steps.generate-sbom-predicate.outputs.predicate-path }}
|
||||
push-to-registry: ${{ inputs.push-to-registry }}
|
||||
create-storage-record: ${{ inputs.create-storage-record }}
|
||||
show-summary: ${{ inputs.show-summary }}
|
||||
github-token: ${{ inputs.github-token }}
|
||||
|
||||
+1263
-1021
File diff suppressed because it is too large
Load Diff
@@ -7,7 +7,7 @@ export default tseslint.config(
|
||||
// Ignore non-project files
|
||||
{
|
||||
name: 'ignore',
|
||||
ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
|
||||
ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs']
|
||||
},
|
||||
// Use recommended rules from ESLint, TypeScript, and other plugins
|
||||
eslint.configs.recommended,
|
||||
@@ -21,7 +21,7 @@ export default tseslint.config(
|
||||
languageOptions: {
|
||||
ecmaVersion: 2023,
|
||||
parserOptions: {
|
||||
project: ['./.github/linters/tsconfig.json', './tsconfig.json']
|
||||
project: ['./tsconfig.lint.json']
|
||||
}
|
||||
},
|
||||
rules: {
|
||||
Generated
+2751
-2299
File diff suppressed because it is too large
Load Diff
+19
-19
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "actions/attest-sbom",
|
||||
"description": "Generate signed SBOM attestations",
|
||||
"version": "1.0.0",
|
||||
"version": "2.0.0",
|
||||
"author": "",
|
||||
"private": true,
|
||||
"homepage": "https://github.com/actions/attest-sbom",
|
||||
@@ -21,15 +21,15 @@
|
||||
".": "./dist/index.js"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=20"
|
||||
"node": ">=24"
|
||||
},
|
||||
"scripts": {
|
||||
"bundle": "npm run format:write && npm run package",
|
||||
"ci-test": "jest",
|
||||
"format:write": "prettier --write **/*.ts",
|
||||
"format:check": "prettier --check **/*.ts",
|
||||
"lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
|
||||
"lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
|
||||
"lint:eslint": "npx eslint",
|
||||
"lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"",
|
||||
"lint": "npm run lint:eslint && npm run lint:markdown",
|
||||
"package": "ncc build src/index.ts --license licenses.txt",
|
||||
"package:watch": "npm run package -- --watch",
|
||||
@@ -70,22 +70,22 @@
|
||||
]
|
||||
},
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.11.1"
|
||||
"@actions/core": "^2.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@actions/attest": "^1.6.0",
|
||||
"@eslint/js": "^9.28.0",
|
||||
"@types/jest": "^29.5.14",
|
||||
"@types/node": "^22.15.29",
|
||||
"@vercel/ncc": "^0.38.3",
|
||||
"eslint": "^9.28.0",
|
||||
"eslint-plugin-import": "^2.31.0",
|
||||
"eslint-plugin-jest": "^28.12.0",
|
||||
"jest": "^29.7.0",
|
||||
"markdownlint-cli": "^0.45.0",
|
||||
"prettier": "^3.5.3",
|
||||
"ts-jest": "^29.3.4",
|
||||
"typescript": "^5.8.3",
|
||||
"typescript-eslint": "^8.33.0"
|
||||
"@actions/attest": "^2.1.0",
|
||||
"@eslint/js": "^9.39.2",
|
||||
"@types/jest": "^30.0.0",
|
||||
"@types/node": "^25.0.2",
|
||||
"@vercel/ncc": "^0.38.4",
|
||||
"eslint": "^9.39.2",
|
||||
"eslint-plugin-import": "^2.32.0",
|
||||
"eslint-plugin-jest": "^29.5.0",
|
||||
"jest": "^30.2.0",
|
||||
"markdownlint-cli": "^0.47.0",
|
||||
"prettier": "^3.7.4",
|
||||
"ts-jest": "^29.4.6",
|
||||
"typescript": "^5.9.3",
|
||||
"typescript-eslint": "^8.49.0"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -15,5 +15,5 @@ outputs:
|
||||
description: >
|
||||
URI identifying the type of the predicate.
|
||||
runs:
|
||||
using: node20
|
||||
using: node24
|
||||
main: ../dist/index.js
|
||||
|
||||
+7
-6
@@ -66,13 +66,14 @@ export const storePredicate = (predicate: Predicate): string => {
|
||||
}
|
||||
|
||||
export const generateSBOMPredicate = (sbom: SBOM): Predicate => {
|
||||
if (sbom.type === 'spdx') {
|
||||
return generateSPDXIntoto(sbom.object)
|
||||
switch (sbom.type) {
|
||||
case 'spdx':
|
||||
return generateSPDXIntoto(sbom.object)
|
||||
case 'cyclonedx':
|
||||
return generateCycloneDXIntoto(sbom.object)
|
||||
default:
|
||||
throw new Error('Unsupported SBOM format')
|
||||
}
|
||||
if (sbom.type === 'cyclonedx') {
|
||||
return generateCycloneDXIntoto(sbom.object)
|
||||
}
|
||||
throw new Error('Unsupported SBOM format')
|
||||
}
|
||||
|
||||
// ref: https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
"module": "NodeNext",
|
||||
"rootDir": "./src",
|
||||
"moduleResolution": "NodeNext",
|
||||
"isolatedModules": true,
|
||||
"baseUrl": "./",
|
||||
"sourceMap": true,
|
||||
"outDir": "./dist",
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
{
|
||||
"$schema": "https://json.schemastore.org/tsconfig",
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"noEmit": true
|
||||
},
|
||||
"include": ["./__tests__/**/*", "./src/**/*"],
|
||||
"exclude": ["./dist", "./node_modules", "./coverage", "*.json"]
|
||||
}
|
||||
Reference in New Issue
Block a user