feat!: add support for container attestation

LedgerHQ · Sep 10, 2024 · 623f0b0 · 623f0b0
1 parent cd4ad15
commit 623f0b0
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 6 deletions.
diff --git a/actions/attest/README.md b/actions/attest/README.md
@@ -33,8 +33,10 @@ jobs:
 
 | name | description | required | default |
 | --- | --- | --- | --- |
-| `subject-path` | <p>Path to the artefact to attest</p> | `true` | `./` |
-| `push-to-registry` | <p>Push the attestation to the registry</p> | `false` | `false` |
+| `subject-path` | <p>Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).</p> | `false` | `./` |
+| `subject-digest` | <p>SHA256 digest of the subject for the attestation. Must be in the form "sha256:hex_digest" (e.g. "sha256:abc123…"). Must specify exactly one of "subject-path" or "subject-digest".</p> | `false` | `false` |
+| `subject-name` | <p>Subject name as it should appear in the attestation. Required unless "subject-path" is specified, in which case it will be inferred from the path.</p> | `false` | `false` |
+| `push-to-registry` | <p>Whether to push the attestation to the image registry. Requires that the "subject-name" parameter specify the fully-qualified image name and that the "subject-digest" parameter be specified. Defaults to false.</p> | `false` | `false` |
 <!-- action-docs-inputs source="action.yml" -->
 
 <!-- action-docs-outputs source="action.yml" -->

diff --git a/actions/attest/action.yml b/actions/attest/action.yml
@@ -3,19 +3,30 @@ description: "This action is used to generate a provenance file and to sign it (
 
 inputs:
   subject-path:
-    description: "Path to the artefact to attest"
-    required: true
+    description: 'Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).'
+    required: false
     default: "./"
+  subject-digest:
+    description: 'SHA256 digest of the subject for the attestation. Must be in the form "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of "subject-path" or "subject-digest".'
+    required: false
+    default: "false"
+  subject-name:
+    description: 'Subject name as it should appear in the attestation. Required unless "subject-path" is specified, in which case it will be inferred from the path.'
+    required: false
+    default: "false"
   push-to-registry:
-    description: "Push the attestation to the registry"
+    description: 'Whether to push the attestation to the image registry. Requires that the "subject-name" parameter specify the fully-qualified image name and that the "subject-digest" parameter be specified. Defaults to false.'
     required: false
     default: "false"
+#TODO: Support predicate
 
 runs:
   using: "composite"
   steps:
     - uses: actions/attest-build-provenance@v1
       with:
         subject-path: ${{ inputs.subject-path }}
-        show-summary: true
+        subject-digest: ${{ inputs.subject-digest }}
+        subject-name: ${{ inputs.subject-name }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: true