From 623f0b05d8c09ae4bd150a5bef29f0e77deb8de8 Mon Sep 17 00:00:00 2001
From: Enguerrand Allamel
Date: Tue, 10 Sep 2024 11:39:29 +0200
Subject: [PATCH] feat!: add support for container attestation

---
 actions/attest/README.md  |  6 ++++--
 actions/attest/action.yml | 19 +++++++++++++++----
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/actions/attest/README.md b/actions/attest/README.md
index c1c7ad3..56ea4a3 100644
--- a/actions/attest/README.md
+++ b/actions/attest/README.md
@@ -33,8 +33,10 @@ jobs:
 | name | description | required | default |
 | --- | --- | --- | --- |
-| `subject-path` |

Path to the artefact to attest

| `true` | `./` |
-| `push-to-registry` |

Push the attestation to the registry

| `false` | `false` |
+| `subject-path` |

Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).

| `false` | `./` |
+| `subject-digest` |

SHA256 digest of the subject for the attestation. Must be in the form "sha256:hex_digest" (e.g. "sha256:abc123…"). Must specify exactly one of "subject-path" or "subject-digest".

| `false` | `false` |
+| `subject-name` |

Subject name as it should appear in the attestation. Required unless "subject-path" is specified, in which case it will be inferred from the path.

| `false` | `false` |
+| `push-to-registry` |

Whether to push the attestation to the image registry. Requires that the "subject-name" parameter specify the fully-qualified image name and that the "subject-digest" parameter be specified. Defaults to false.

| `false` | `false` |
diff --git a/actions/attest/action.yml b/actions/attest/action.yml
index a750915..11cc7f4 100644
--- a/actions/attest/action.yml
+++ b/actions/attest/action.yml
@@ -3,13 +3,22 @@ description: "This action is used to generate a provenance file and to sign it (
 inputs:
   subject-path:
-    description: "Path to the artefact to attest"
-    required: true
+    description: 'Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).'
+    required: false
     default: "./"
+  subject-digest:
+    description: 'SHA256 digest of the subject for the attestation. Must be in the form "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one of "subject-path" or "subject-digest".'
+    required: false
+    default: "false"
+  subject-name:
+    description: 'Subject name as it should appear in the attestation. Required unless "subject-path" is specified, in which case it will be inferred from the path.'
+    required: false
+    default: "false"
   push-to-registry:
-    description: "Push the attestation to the registry"
+    description: 'Whether to push the attestation to the image registry. Requires that the "subject-name" parameter specify the fully-qualified image name and that the "subject-digest" parameter be specified. Defaults to false.'
     required: false
     default: "false"
+#TODO: Support predicate
 runs:
   using: "composite"
@@ -17,5 +26,7 @@ runs:
     - uses: actions/attest-build-provenance@v1
       with:
         subject-path: ${{ inputs.subject-path }}
-        show-summary: true
+        subject-digest: ${{ inputs.subject-digest }}
+        subject-name: ${{ inputs.subject-name }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        show-summary: true
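Review bot: The new `default: "false"` on `subject-digest` and `subject-name` contradicts the inputs' own descriptions, which say exactly one of "subject-path" or "subject-digest" may be given and that the digest must have the form "sha256:hex_digest": with `subject-path` still defaulting to `./`, a caller who sets nothing forwards both a path and the literal string "false" as a digest, and a caller who wants digest mode has to explicitly blank out `subject-path` to satisfy the "exactly one" rule. The two-line fix is to drop `default: "false"` under both new inputs so an unset input arrives as the empty string (presumably what the downstream action treats as absent — confirm against actions/attest-build-provenance), and the `./` default on `subject-path` deserves the same treatment if digest mode is meant to work without extra overrides, which a `feat!:` commit can afford. The second hunk forwards these values verbatim (`subject-digest: ${{ inputs.subject-digest }}`, `subject-name: ${{ inputs.subject-name }}`), so it inherits the same problem and needs no change once the defaults are fixed. Separately, `#TODO: Support predicate` sits at column 0 between the `inputs` and `runs` mappings and lacks the space after the hash that yamllint expects; `# TODO: Support predicate` placed above `runs:` would read cleaner. The `runs:` mapping continues past the end of the first hunk.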