- Refactor the action from a 'node' action to a 'composite' action - Create and output a sha256 hash of the image manifest - Update action inputs & outputs - Integrate with the 'generate-build-provenance' action as part of the composite action
Publish Action Package
This action packages your action repository as OCI artifacts and publishes it to GHCR.
This allows your action to be consumed as an immutable package to make the actions ecosystem more secure.
The whole action repository is packaged by default. Set path input to specify which path you want to package.
Make sure you use the Starter Workflow (TODO) to run the action. Please also ensure you have the release trigger in the workflow where you use this action.
Usage
on:
release:
- uses: immutable-actions/publish-action-package@1.0.1
with:
# Personal access token (PAT) or GITHUB_TOKEN with write:package scope used to upload the package to GHCR. The GITHUB_TOKEN is taken by default.
#
# We recommend using a service account with the least permissions necessary. Also
# when generating a new PAT, select the least scopes necessary.
#
# [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
#
# Default: ${{ github.token }}
token: ''
# Relative path of the working directory of the repository to be tar archived
# and uploaded as OCI Artifact layer. You can mention multiple files/folders
# by mentioning relative paths as space separated values.
#
# This defaults to the entire action repository contents if not explicitly defined.
# Default: '.'
path: 'src/ action.yml dist/'
License
The scripts and documentation in this project are released under the MIT License
[Internal] Differences from previous implementation
This is a new implementation of an Action which publishes a given release to ghcr.io (GitHub Packages).
It will eventually be moved to our `actions`` org.
The key differences are:
- This Action goes directly to GitHub Packages rather than using an API endpoint to pass a bundle to.
- This Action uses Node.js libraries to create both a
zipandtar.gzof the content as layers. - This Action creates and publishes the OCI manifest which houses those archives, which was previously done on the backend.
- This Action has the goal of generating provenance attestations for any release that is created.
- This Action parses and validates that the release tag which triggered it is in a valid SemVer format, either
1.0.3-prereleaseorv1.0.0-prerelease.
[Internal] Features to consider adding to this Action
These are some features which should likely be part of this implementation.
- Parsing SemVer more strictly, based on what formats we decide to support (e.g. we might not support prerelease tags)
- Checking that there is a valid
action.ymlfile in the repository running the action, failing if it is not an Action repository- Could be as simple as just checking for the file, or could be validating it is yml with expected actions components
- Sanitising and validating relative paths passed into the
patharg- For example, checking that they're inside the repository of the action and not other places on the filsystem
- Integration with Attestations API (speak to
phillmvabout this) - A way to dynamically work out the Container Registry's URL rather than relying on the user to provide it
- Options seem to be an API endpoint or an environment variable in the runner, but this might be difficult for backwards compatibility