add new subject-version input (#364)

Signed-off-by: Brian DeHamer <bdehamer@github.com>
Brian DeHamer
2026-02-26 12:38:12 -08:00
committed by GitHub
parent 8b290b8d86
commit ec072a1cb2
10 changed files with 41 additions and 7 deletions
+2
@@ -30,6 +30,7 @@ describe('index', () => {
'subject-name': 'my-artifact', 'subject-name': 'my-artifact',
'subject-digest': '', 'subject-digest': '',
'subject-checksums': '', 'subject-checksums': '',
'subject-version': '',
'predicate-type': 'https://example.com/predicate', 'predicate-type': 'https://example.com/predicate',
predicate: '{}', predicate: '{}',
'predicate-path': '', 'predicate-path': '',
@@ -57,6 +58,7 @@ describe('index', () => {
subjectName: 'my-artifact', subjectName: 'my-artifact',
subjectDigest: '', subjectDigest: '',
subjectChecksums: '', subjectChecksums: '',
subjectVersion: '',
predicateType: 'https://example.com/predicate', predicateType: 'https://example.com/predicate',
predicate: '{}', predicate: '{}',
predicatePath: '', predicatePath: '',
+20 -2
@@ -145,7 +145,8 @@ describe('createAttestation', () => {
const storageOpts = { const storageOpts = {
...defaultOpts, ...defaultOpts,
pushToRegistry: true, pushToRegistry: true,
createStorageRecord: true createStorageRecord: true,
subjectVersion: '1.2.3'
} }
it('should create storage record when enabled and owner is org', async () => { it('should create storage record when enabled and owner is org', async () => {
@@ -157,10 +158,27 @@ describe('createAttestation', () => {
storageOpts storageOpts
) )
expect(mockCreateStorageRecord).toHaveBeenCalled() expect(mockCreateStorageRecord).toHaveBeenCalledWith(
expect.objectContaining({ version: '1.2.3' }),
expect.anything(),
expect.anything()
)
expect(result.storageRecordIds).toEqual([12345]) expect(result.storageRecordIds).toEqual([12345])
}) })
it('should omit version from storage record when subjectVersion is empty', async () => {
const subjects = [TEST_SUBJECT_WITH_REGISTRY]
const opts = { ...storageOpts, subjectVersion: '' }
await createAttestation(subjects, TEST_PREDICATE, opts)
expect(mockCreateStorageRecord).toHaveBeenCalledWith(
expect.objectContaining({ version: undefined }),
expect.anything(),
expect.anything()
)
})
it('should skip storage record when owner is User', async () => { it('should skip storage record when owner is User', async () => {
mockGetOctokit.mockReturnValue(createOctokitMock('User')) mockGetOctokit.mockReturnValue(createOctokitMock('User'))
const subjects = [TEST_SUBJECT_WITH_REGISTRY] const subjects = [TEST_SUBJECT_WITH_REGISTRY]
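Review bot: The new test 'should omit version from storage record when subjectVersion is empty' asserts `expect.objectContaining({ version: undefined })`, which does not pin omission. Depending on the runner's matcher semantics, it either requires a `version` key that is present with the value `undefined`, or it also accepts a missing key. Either rename it to say the version is passed as `undefined`, or assert on the call argument directly, e.g. `expect(mockCreateStorageRecord.mock.calls[0][0].version).toBeUndefined()`. There is also no case for a whitespace-only `subjectVersion`, which the implementation currently forwards as a real version.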
+1
@@ -101,6 +101,7 @@ const defaultInputs: RunInputs = {
subjectChecksums: '', subjectChecksums: '',
pushToRegistry: false, pushToRegistry: false,
createStorageRecord: false, createStorageRecord: false,
subjectVersion: '',
showSummary: false, showSummary: false,
githubToken: 'test-token', githubToken: 'test-token',
privateSigning: false privateSigning: false
+5
@@ -30,6 +30,11 @@ inputs:
attestation. Must specify exactly one of "subject-path", "subject-digest", attestation. Must specify exactly one of "subject-path", "subject-digest",
or "subject-checksums". or "subject-checksums".
required: false required: false
subject-version:
description: >
Version of the subject for the attestation. Only used when
"push-to-registry" and "create-storage-record" are both set to true.
required: false
sbom-path: sbom-path:
description: > description: >
Path to the JSON-formatted SBOM file (SPDX or CycloneDX) to attest. Path to the JSON-formatted SBOM file (SPDX or CycloneDX) to attest.
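Review bot: The `subject-version` description does not say that the value is caller-declared. Nothing in this commit checks it against the artifact, and as far as the diff shows it reaches only the storage record options, not the signed statement. I would extend the description with a sentence such as `The value is recorded as provided and is not verified against the subject.` so that consumers of the storage record do not treat the version as attested data. It would also help to state that the input is silently ignored when either of the two options is false.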
Generated Vendored
+4 -1
@@ -120899,7 +120899,8 @@ const createAttestation = async (subjects, predicate, opts) => {
const registryUrl = getRegistryURL(subject.name); const registryUrl = getRegistryURL(subject.name);
const artifactOpts = { const artifactOpts = {
name: subject.name, name: subject.name,
digest: subjectDigest digest: subjectDigest,
version: opts.subjectVersion || undefined
}; };
const packageRegistryOpts = { const packageRegistryOpts = {
registryUrl registryUrl
@@ -121157,6 +121158,7 @@ async function run(inputs) {
sigstoreInstance, sigstoreInstance,
pushToRegistry: inputs.pushToRegistry, pushToRegistry: inputs.pushToRegistry,
createStorageRecord: inputs.createStorageRecord, createStorageRecord: inputs.createStorageRecord,
subjectVersion: inputs.subjectVersion,
githubToken: inputs.githubToken githubToken: inputs.githubToken
}); });
logAttestation(subjects, att, sigstoreInstance); logAttestation(subjects, att, sigstoreInstance);
@@ -121298,6 +121300,7 @@ const inputs = {
predicatePath: getInput('predicate-path'), predicatePath: getInput('predicate-path'),
pushToRegistry: getBooleanInput('push-to-registry'), pushToRegistry: getBooleanInput('push-to-registry'),
createStorageRecord: getBooleanInput('create-storage-record'), createStorageRecord: getBooleanInput('create-storage-record'),
subjectVersion: getInput('subject-version'),
showSummary: getBooleanInput('show-summary'), showSummary: getBooleanInput('show-summary'),
githubToken: getInput('github-token'), githubToken: getInput('github-token'),
// undocumented -- not part of public interface // undocumented -- not part of public interface
+2 -2
@@ -1,12 +1,12 @@
{ {
"name": "actions/attest", "name": "actions/attest",
"version": "4.0.0", "version": "4.1.0",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "actions/attest", "name": "actions/attest",
"version": "4.0.0", "version": "4.1.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/attest": "^3.2.0", "@actions/attest": "^3.2.0",
+1 -1
@@ -1,7 +1,7 @@
{ {
"name": "actions/attest", "name": "actions/attest",
"description": "Generate signed attestations for workflow artifacts", "description": "Generate signed attestations for workflow artifacts",
"version": "4.0.0", "version": "4.1.0",
"author": "", "author": "",
"private": true, "private": true,
"type": "module", "type": "module",
+3 -1
@@ -26,6 +26,7 @@ export const createAttestation = async (
sigstoreInstance: SigstoreInstance sigstoreInstance: SigstoreInstance
pushToRegistry: boolean pushToRegistry: boolean
createStorageRecord: boolean createStorageRecord: boolean
subjectVersion?: string
githubToken: string githubToken: string
} }
): Promise<AttestResult> => { ): Promise<AttestResult> => {
@@ -77,7 +78,8 @@ export const createAttestation = async (
const registryUrl = getRegistryURL(subject.name) const registryUrl = getRegistryURL(subject.name)
const artifactOpts = { const artifactOpts = {
name: subject.name, name: subject.name,
digest: subjectDigest digest: subjectDigest,
version: opts.subjectVersion || undefined
} }
const packageRegistryOpts = { const packageRegistryOpts = {
registryUrl registryUrl
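Review bot: `version: opts.subjectVersion || undefined` in the `artifactOpts` literal forwards the raw input string, so a padded or whitespace-only value is recorded as the artifact version. Trimming first, `version: opts.subjectVersion?.trim() || undefined`, keeps the empty-means-absent behaviour consistent. The literal is built from `subject.name`, which suggests it runs once per subject. If so, a single `subject-version` is stamped on every storage record when several subjects are attested, which should be either documented or rejected. The enclosing function body lies outside the hunk, so the per-subject loop is inferred; the same expression appears in the generated bundle.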
+1
@@ -15,6 +15,7 @@ const inputs: RunInputs = {
predicatePath: core.getInput('predicate-path'), predicatePath: core.getInput('predicate-path'),
pushToRegistry: core.getBooleanInput('push-to-registry'), pushToRegistry: core.getBooleanInput('push-to-registry'),
createStorageRecord: core.getBooleanInput('create-storage-record'), createStorageRecord: core.getBooleanInput('create-storage-record'),
subjectVersion: core.getInput('subject-version'),
showSummary: core.getBooleanInput('show-summary'), showSummary: core.getBooleanInput('show-summary'),
githubToken: core.getInput('github-token'), githubToken: core.getInput('github-token'),
// undocumented -- not part of public interface // undocumented -- not part of public interface
+2
@@ -35,6 +35,7 @@ export type RunInputs = SubjectInputs &
SBOMInputs & { SBOMInputs & {
pushToRegistry: boolean pushToRegistry: boolean
createStorageRecord: boolean createStorageRecord: boolean
subjectVersion: string
githubToken: string githubToken: string
showSummary: boolean showSummary: boolean
privateSigning: boolean privateSigning: boolean
@@ -97,6 +98,7 @@ export async function run(inputs: RunInputs): Promise<void> {
sigstoreInstance, sigstoreInstance,
pushToRegistry: inputs.pushToRegistry, pushToRegistry: inputs.pushToRegistry,
createStorageRecord: inputs.createStorageRecord, createStorageRecord: inputs.createStorageRecord,
subjectVersion: inputs.subjectVersion,
githubToken: inputs.githubToken githubToken: inputs.githubToken
}) })