Merge pull request #4 from actions/eugene/initAttest

init attest action

.eslintignore

@@ -2,3 +2,4 @@ lib/
 dist/
 node_modules/
 coverage/
+packages/

.github/workflows/ci.yml

@@ -5,58 +5,66 @@ on:
   push:
     branches:
       - main
+      - 'releases/*'
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test-typescript:
     name: TypeScript Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
-          node-version-file: .node-version
+          node-version: 18
           cache: npm
 
       - name: Install Dependencies
         id: npm-ci
         run: npm ci
 
+      - name: Build @actions/attest
+        run: npm run build --workspace packages/attest
+
       - name: Check Format
         id: npm-format-check
         run: npm run format:check
 
       - name: Lint
         id: npm-lint
         run: npm run lint
+      # - name: Test
+      #   id: npm-ci-test
+      #   run: npm run ci-test
 
-      - name: Test
-        id: npm-ci-test
-        run: npm run ci-test
-
-  test-action:
-    name: GitHub Actions Test
+  test-attest:
+    name: Test attest action
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
 
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
-
-      - name: Test Local Action
-        id: test-action
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Run attest
+        id: attest
         uses: ./
         with:
-          milliseconds: 2000
-
-      - name: Print Output
-        id: output
-        run: echo "${{ steps.test-action.outputs.time }}"
+          subject-path: ${{ github.workspace }}/README.md
+          predicate-path: ${{ github.workspace }}/__tests__/data/sbom.json
+          predicate-type: 'https://spdx.dev/Document/v2.3'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Dump output
+        run: jq < ${{ steps.attest.outputs.bundle-path }}

.gitignore

@@ -101,3 +101,6 @@ __tests__/runner/*
 .idea
 .vscode
 *.code-workspace
+
+packages/**/dist
+packages/attest/dist

__tests__/data/sbom.json

@@ -0,0 +1,41 @@
+{
+    "spdxVersion": "SPDX-2.3",
+    "dataLicense": "CC0-1.0",
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "./",
+    "documentNamespace": "https://anchore.com/syft/dir/80b363b6-87f4-4162-853f-60d402537d20",
+    "creationInfo": {
+      "licenseListVersion": "3.22",
+      "creators": [
+        "Organization: Anchore, Inc",
+        "Tool: syft-0.103.1"
+      ],
+      "created": "2024-01-31T18:22:50Z"
+    },
+    "packages": [
+      {
+        "name": "@ampproject/remapping",
+        "SPDXID": "SPDXRef-Package-npm--ampproject-remapping-5266573ba4f24a42",
+        "versionInfo": "2.2.1",
+        "supplier": "NOASSERTION",
+        "downloadLocation": "NOASSERTION",
+        "filesAnalyzed": false,
+        "sourceInfo": "acquired package info from installed node module manifest file: /yarn.lock",
+        "licenseConcluded": "NOASSERTION",
+        "licenseDeclared": "Apache-2.0",
+        "copyrightText": "NOASSERTION",
+        "externalRefs": [
+          {
+            "referenceCategory": "SECURITY",
+            "referenceType": "cpe23Type",
+            "referenceLocator": "cpe:2.3:a:\\@ampproject\\/remapping:\\@ampproject\\/remapping:2.2.1:*:*:*:*:*:*:*"
+          },
+          {
+            "referenceCategory": "PACKAGE-MANAGER",
+            "referenceType": "purl",
+            "referenceLocator": "pkg:npm/%40ampproject/[email protected]"
+          }
+        ]
+      }
+    ]
+}

action.yml

@@ -1,24 +1,55 @@
-name: 'The name of your action here'
-description: 'Provide a description here'
-author: 'Your name or organization here'
+name: 'Generate Generic Attestations'
+description: 'Generate attestations for build artifacts'
+author: 'GitHub'
 
-# Add your action's branding here. This will appear on the GitHub Marketplace.
-branding:
-  icon: 'heart'
-  color: 'red'
-
-# Define your inputs here.
 inputs:
-  milliseconds:
-    description: 'Your input description here'
+  subject-path:
+    description: >
+      Path to the artifact serving as the subject of the attestation. Must
+      specify exactly one of "subject-path" or "subject-digest".
+    required: false
+  subject-digest:
+    description: >
+      Digest of the subject for for the attestation. Must be in the form
+      "algorithm:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
+      of "subject-path" or "subject-digest".
+    required: false
+  subject-name:
+    description: >
+      Subject name as it should appear in the attestation. Required unless
+      "subject-path" is specified, in which case it will be inferred from the
+      path.
+    required: false
+  predicate-type:
+    description: >
+      URI identifying the type of the predicate.
     required: true
-    default: '1000'
-
-# Define your outputs here.
+  predicate:
+    description: >
+      String containing the value for the attestation predicate. Must supply
+      exactly one of "predicate-path" or "predicate".
+    required: false
+  predicate-path:
+    description: >
+      Path to the file which contains the content for the attestation predicate.
+      Must supply exactly one of "predicate-path" or "predicate".
+    required: false
+  push-to-registry:
+    description: >
+      Whether to push the attestation to the image registry. Requires that the
+      "subject-name" parameter specify the fully-qualified image name and that
+      the "subject-digest" parameter be specified. Defaults to false.
+    default: false
+    required: false
+  github-token:
+    description: >
+      The GitHub token used to make authenticated API requests.
+    default: ${{ github.token }}
+    required: false
 outputs:
-  time:
-    description: 'Your output description here'
+  bundle-path:
+    description: 'The path to the file containing the attestation bundle(s).'
 
 runs:
   using: node20
-  main: dist/index.js
+  main: ./dist/index.js