Merge pull request #3 from actions/eugene/init-attest-build-provenance

init attest build provenance

.eslintignore

@@ -2,3 +2,4 @@ lib/
 dist/
 node_modules/
 coverage/
+packages/

.github/linters/tsconfig.json

@@ -5,5 +5,8 @@
     "noEmit": true
   },
   "include": ["../../__tests__/**/*", "../../src/**/*"],
-  "exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"]
+  "exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"],
+  "references": [
+    { "path": "./packages/attest" }
+  ]
 }

.github/workflows/check-dist.yml

@@ -39,6 +39,9 @@ jobs:
         id: install
         run: npm ci
 
+      - name: Build @actions/attest
+        run: npm run build --workspace packages/attest
+
       - name: Build dist/ Directory
         id: build
         run: npm run bundle

.github/workflows/ci.yml

@@ -5,58 +5,66 @@ on:
   push:
     branches:
       - main
+      - 'releases/*'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test-typescript:
     name: TypeScript Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
-          node-version-file: .node-version
+          node-version: 18
           cache: npm
 
       - name: Install Dependencies
         id: npm-ci
         run: npm ci
 
+      - name: Build @actions/attest
+        run: npm run build --workspace packages/attest
+
       - name: Check Format
         id: npm-format-check
         run: npm run format:check
 
       - name: Lint
         id: npm-lint
         run: npm run lint
+      # - name: Test
+      #   id: npm-ci-test
+      #   run: npm run ci-test
 
-      - name: Test
-        id: npm-ci-test
-        run: npm run ci-test
-
-  test-action:
-    name: GitHub Actions Test
+  test-attest-provenance:
+    name: Test attest-provenance action
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
 
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
-
-      - name: Test Local Action
-        id: test-action
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run attest-provenance
+        id: attest-provenance
         uses: ./
         with:
-          milliseconds: 2000
+          subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+          subject-name: 'subject'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Dump output
+        run: jq < ${{ steps.attest-provenance.outputs.bundle-path }}
 
-      - name: Print Output
-        id: output
-        run: echo "${{ steps.test-action.outputs.time }}"

.github/workflows/linter.yml

@@ -32,6 +32,9 @@ jobs:
         id: install
         run: npm ci
 
+      - name: Build @actions/attest
+        run: npm run build --workspace packages/attest
+
       - name: Lint Codebase
         id: super-linter
         uses: super-linter/super-linter/slim@v5

.gitignore

@@ -101,3 +101,5 @@ __tests__/runner/*
 .idea
 .vscode
 *.code-workspace
+
+packages/attest/dist

action.yml

@@ -1,24 +1,59 @@
-name: 'The name of your action here'
-description: 'Provide a description here'
-author: 'Your name or organization here'
+name: 'Attest Build Provenance'
+description: 'Generate provenance attestations for build artifacts'
+author: 'GitHub'
 
-# Add your action's branding here. This will appear on the GitHub Marketplace.
-branding:
-  icon: 'heart'
-  color: 'red'
-
-# Define your inputs here.
 inputs:
-  milliseconds:
-    description: 'Your input description here'
-    required: true
-    default: '1000'
-
-# Define your outputs here.
+  github-token:
+    description: >
+      The GitHub token used to make authenticated API requests.
+    default: ${{ github.token }}
+    required: false
+  subject-path:
+    description: >
+      Path to the artifact for which provenance will be generated. Must specify
+      exactly one of "subject-path" or "subject-digest".
+    required: false
+  subject-digest:
+    description: >
+      Digest of the subject for which provenance will be generated. Must be in
+      the form "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify
+      exactly one of "subject-path" or "subject-digest".
+    required: false
+  subject-name:
+    description: >
+      Subject name as it should appear in the provenance statement. Required
+      unless "subject-path" is specified, in which case it will be inferred from
+      the path.
+  push-to-registry:
+    description: >
+      Whether to push the provenance statement to the image registry. Requires
+      that the "subject-name" parameter specify the fully-qualified image name
+      and that the "subject-digest" parameter be specified. Defaults to false.
+    default: false
+    required: false
 outputs:
-  time:
-    description: 'Your output description here'
+  bundle-path:
+    description: 'The path to the file containing the attestation bundle(s).'
+    value: ${{ steps.attest.outputs.bundle-path }}
 
 runs:
-  using: node20
-  main: dist/index.js
+  using: 'composite'
+  steps:
+    - uses: ./generate-build-provenance-statement
+      id: generate-build-provenance-statement
+      with:
+        github-token: ${{ inputs.github-token }}
+        subject-path: ${{ inputs.subject-path }}
+        subject-digest: ${{ inputs.subject-digest }}
+        subject-name: ${{ inputs.subject-name }}
+        push-to-registry: ${{ inputs.push-to-registry }}
+    - uses: actions/attest@main
+      id: attest
+      with:
+        github-token: ${{ inputs.github-token }}
+        subject-path: ${{ inputs.subject-path }}
+        subject-digest: ${{ inputs.subject-digest }}
+        subject-name: ${{ inputs.subject-name }}
+        push-to-registry: ${{ inputs.push-to-registry }}
+        predicate-type: ${{ steps.generate-build-provenance-statement.outputs.predicate-type }}
+        predicate: ${{ steps.generate-build-provenance-statement.outputs.predicate }}