-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaction.yml
50 lines (47 loc) · 2.84 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: "[Ledger Security] Attest an artefact"
description: |
The `attest` GitHub Action enables the generation and signing of provenance files using the **in-toto** attestation format. Leveraging OIDC authentication for keyless signing, this action securely creates verifiable metadata about your software artifacts without the need to manage sensitive signing keys manually.
Designed for seamless integration within Ledger's CI/CD pipeline, the `attest` action automates the creation of cryptographic attestations, enhancing the integrity, authenticity, and traceability of your software supply chain. By providing a secure method to verify the origin and build process of your artifacts, it helps safeguard against supply chain attacks and meets compliance requirements for software distribution.
inputs:
type-slsa:
description: 'Generate an attestations bind some subject (a named artifact along with its digest) to a SLSA build provenance predicate using the in-toto format.'
required: false
default: "true"
subject-path:
description: 'Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).'
required: false
default: ""
subject-digest:
description: 'SHA256 digest of the subject for the attestation. Must be in the form "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of "subject-path" or "subject-digest".'
required: false
default: ""
subject-name:
description: 'Subject name as it should appear in the attestation. Required unless "subject-path" is specified, in which case it will be inferred from the path.'
required: false
default: ""
push-to-registry:
description: 'Whether to push the attestation to the image registry. Requires that the "subject-name" parameter specify the fully-qualified image name and that the "subject-digest" parameter be specified. Defaults to false.'
required: false
default: "false"
#TODO: Support predicate
runs:
using: "composite"
steps:
- name: Generate and sign attestation (SLSA type)
uses: actions/attest-build-provenance@v1
if: ${{ inputs.type-slsa == 'true' }}
with:
subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }}
subject-name: ${{ inputs.subject-name }}
push-to-registry: ${{ inputs.push-to-registry }}
show-summary: true
- name: Generate and sign attestation (custom type)
uses: actions/attest@v1
if: ${{ inputs.type-slsa == 'false' }}
with:
subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }}
subject-name: ${{ inputs.subject-name }}
push-to-registry: ${{ inputs.push-to-registry }}
show-summary: true