Merge pull request #3 from actions/eugene/attest-sbom

init attest sbom
actions · Feb 23, 2024 · 2580b8b · 2580b8b
2 parents 622dcc0 + 9a8656b
commit 2580b8b
Show file tree

Hide file tree

Showing 17 changed files with 26,321 additions and 838 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,25 +5,27 @@ on:
   push:
     branches:
       - main
+      - 'releases/*'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test-typescript:
     name: TypeScript Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
-          node-version-file: .node-version
+          node-version: 18
           cache: npm
 
       - name: Install Dependencies
@@ -37,26 +39,55 @@ jobs:
       - name: Lint
         id: npm-lint
         run: npm run lint
+      # - name: Test
+      #   id: npm-ci-test
+      #   run: npm run ci-test
 
-      - name: Test
-        id: npm-ci-test
-        run: npm run ci-test
-
-  test-action:
-    name: GitHub Actions Test
+  test-attest-sbom-with-local-sbom-file:
+    name: Test attest-sbom action with local sbom file 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
 
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
-
-      - name: Test Local Action
-        id: test-action
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run attest-sbom
+        id: attest-sbom
         uses: ./
         with:
-          milliseconds: 2000
+          subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+          subject-name: 'subject'
+          sbom-path: '__tests__/data/sbom.json'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Dump output
+        run: jq < ${{ steps.attest-sbom.outputs.bundle-path }}
+  test-attest-sbom:
+    name: Test attest-sbom action
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
 
-      - name: Print Output
-        id: output
-        run: echo "${{ steps.test-action.outputs.time }}"
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run attest-sbom with spdx format
+        uses: ./
+        with:
+          subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+          subject-name: 'subject'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          format: 'spdx'
+      - name: Run attest-sbom with cyclonedx format
+        uses: ./
+        with:
+          subject-digest: 'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+          subject-name: 'subject'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          format: 'cyclonedx'
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -31,7 +31,7 @@ jobs:
       - name: Install Dependencies
         id: install
         run: npm ci
-
+      
       - name: Lint Codebase
         id: super-linter
         uses: super-linter/super-linter/slim@v5

diff --git a/.gitignore b/.gitignore
@@ -100,4 +100,4 @@ __tests__/runner/*
 # IDE files
 .idea
 .vscode
-*.code-workspace
+*.code-workspace
diff --git a/__tests__/data/sbom.json b/__tests__/data/sbom.json
@@ -0,0 +1,41 @@
+{
+    "spdxVersion": "SPDX-2.3",
+    "dataLicense": "CC0-1.0",
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "./",
+    "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
+    "creationInfo": {
+      "licenseListVersion": "3.22",
+      "creators": [
+        "Organization: Anchore, Inc",
+        "Tool: syft-0.103.1"
+      ],
+      "created": "2024-01-31T18:22:50Z"
+    },
+    "packages": [
+      {
+        "name": "@ampproject/remapping",
+        "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
+        "versionInfo": "2.2.1",
+        "supplier": "NOASSERTION",
+        "downloadLocation": "NOASSERTION",
+        "filesAnalyzed": false,
+        "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
+        "licenseConcluded": "NOASSERTION",
+        "licenseDeclared": "Apache-2.0",
+        "copyrightText": "NOASSERTION",
+        "externalRefs": [
+          {
+            "referenceCategory": "SECURITY",
+            "referenceType": "cpe23Type",
+            "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
+          },
+          {
+            "referenceCategory": "PACKAGE-MANAGER",
+            "referenceType": "purl",
+            "referenceLocator": "pkg:npm/%40ampproject/[email protected]"
+          }
+        ]
+      }
+    ]
+}
diff --git a/__tests__/index.test.ts b/__tests__/index.test.ts
diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
diff --git a/__tests__/wait.test.ts b/__tests__/wait.test.ts