From a7d2d9e06cb7a3c5d8527e6851ce0b211a300bd5 Mon Sep 17 00:00:00 2001 From: Mohammedalduhamshi <189298855+Mohammed-Alanazisa@users.noreply.github.com> Date: Thu, 5 Dec 2024 12:14:40 +0300 Subject: [PATCH] Revert "bump actions/attest to v2.0.0 (#321)" This reverts commit 619dbb2e03e0189af0c55118e7d3c5e129e99726. --- README.md | 23 ++++++++++++++--------- action.yml | 6 +++--- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 00806712..0faac02c 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ See [action.yml](action.yml) with: # Path to the artifact serving as the subject of the attestation. Must # specify exactly one of "subject-path" or "subject-digest". May contain a - # glob pattern or list of paths (total subject count cannot exceed 1024). + # glob pattern or list of paths (total subject count cannot exceed 2500). subject-path: # SHA256 digest of the subject for the attestation. Must be in the form 
@@ -93,22 +93,26 @@ See [action.yml](action.yml) -| Name | Description | Example | -| ------------- | -------------------------------------------------------------- | ----------------------- | -| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.json` | +| Name | Description | Example | +| ------------- | -------------------------------------------------------------- | ------------------------ | +| `bundle-path` | Absolute path to the file containing the generated attestation | `/tmp/attestation.jsonl` | Attestations are saved in the JSON-serialized [Sigstore bundle][6] format. -If multiple subjects are being attested at the same time, a single attestation -will be created with references to each of the supplied subjects. +If multiple subjects are being attested at the same time, each attestation will +be written to the output file on a separate line (using the [JSON Lines][7] +format). ## Attestation Limits ### Subject Limits -No more than 1024 subjects can be attested at the same time. +No more than 2500 subjects can be attested at the same time. Subjects will be +processed in batches 50. After the initial group of 50, each subsequent batch +will incur an exponentially increasing amount of delay (capped at 1 minute of +delay per batch) to avoid overwhelming the attestation API. ## Examples @@ -144,8 +148,8 @@ jobs: ### Identify Multiple Subjects -If you are generating multiple artifacts, you can attest all of them at the same -time by using a wildcard in the `subject-path` input. +If you are generating multiple artifacts, you can generate a provenance +attestation for each by using a wildcard in the `subject-path` input. ```yaml - uses: actions/attest-build-provenance@v1 
@@ -241,6 +245,7 @@ jobs: [5]: https://cli.github.com/manual/gh_attestation_verify [6]: https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto +[7]: https://jsonlines.org/ [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns [9]: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds diff --git a/action.yml b/action.yml index a4ca096f..0fc77c1c 100644 --- a/action.yml +++ b/action.yml @@ -10,7 +10,7 @@ inputs: description: > Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a - glob pattern or list of paths (total subject count cannot exceed 1024). + glob pattern or list of paths (total subject count cannot exceed 2500). required: false subject-digest: description: > @@ -44,7 +44,7 @@ inputs: outputs: bundle-path: - description: 'The path to the file containing the attestation bundle.' + description: 'The path to the file containing the attestation bundle(s).' value: ${{ steps.attest.outputs.bundle-path }} runs: @@ -52,7 +52,7 @@ runs: steps: - uses: actions/attest-build-provenance/predicate@36fa7d009e22618ca7cd599486979b8150596c74 # predicate@1.1.4 id: generate-build-provenance-predicate - - uses: actions/attest@v2.0.0 + - uses: actions/attest@67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d # v1.4.1 id: attest with: subject-path: ${{ inputs.subject-path }}
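Review bot: The `uses:` line in the last action.yml hunk (`@@ -52,7 +52,7 @@`) takes `actions/attest` from v2.0.0 back to v1.4.1, and neither the commit message nor the hunk says why. For a step that produces signed provenance the reason should be recorded next to the pin, for example `# Pinned to v1.4.1 after reverting #321: <reason for revert>; re-check before moving to v2`. Pinning by full commit SHA is an improvement over the mutable `@v2.0.0` tag, but the trailing `# v1.4.1` is only a comment, so confirm that `67422f5511b7ff725f4dbd6fb9bd2cd925c65a8d` is the commit that tag resolves to in actions/attest before merging. According to the README hunks in this same patch, the revert also changes `bundle-path` from a single attestation back to one attestation per line (JSON Lines), so downstream verification steps that parse the file as one JSON document would presumably need adjusting.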