Skip to content

Commit

Permalink
Bump actions/attest from 1.1.2 to 1.2.0 (#67)
Browse files Browse the repository at this point in the history
Signed-off-by: Brian DeHamer <[email protected]>
  • Loading branch information
bdehamer authored Jun 3, 2024
1 parent cb316d6 commit 49e7311
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 11 deletions.
27 changes: 21 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ initiated.
Attestations can be verified using the [`attestation` command in the GitHub
CLI][7].

See [Using artifact attestations to establish provenance for builds][11]
for more information on artifact attestations.
See [Using artifact attestations to establish provenance for builds][11] for
more information on artifact attestations.

## Usage

Expand Down Expand Up @@ -63,7 +63,8 @@ See [action.yml](action.yml)
- uses: actions/attest-sbom@v1
with:
# Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest".
# specify exactly one of "subject-path" or "subject-digest". May contain a
# glob pattern or list of paths (total subject count cannot exceed 2500).
subject-path:
# SHA256 digest of the subject for the attestation. Must be in the form
Expand All @@ -76,8 +77,8 @@ See [action.yml](action.yml)
# path.
subject-name:
# Path to the JSON-formatted SBOM file to attest. When specified, the
# "scan-path" and "sbom-format" inputs are ignored.
# Path to the JSON-formatted SBOM file to attest. File size cannot exceed
# 16MB.
sbom-path:
# Whether to push the attestation to the image registry. Requires that the
Expand Down Expand Up @@ -106,6 +107,19 @@ If multiple subjects are being attested at the same time, each attestation will
be written to the output file on a separate line (using the [JSON Lines][9]
format).

## Attestation Limits

### Subject Limits

No more than 2500 subjects can be attested at the same time. Subjects will be
processed in batches 50. After the initial group of 50, each subsequent batch
will incur an exponentially increasing amount of delay (capped at 1 minute of
delay per batch) to avoid overwhelming the attestation API.

### SBOM Limits

The SBOM supplied via the `sbom-path` input cannot exceed 16MB.

## Examples

### Identify Subject and SBOM by Path
Expand Down Expand Up @@ -234,4 +248,5 @@ jobs:
https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
[9]: https://jsonlines.org/
[10]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
[11]: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
[11]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
11 changes: 6 additions & 5 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@ inputs:
subject-path:
description: >
Path to the artifact serving as the subject of the attestation. Must
specify exactly one of "subject-path" or "subject-digest".
specify exactly one of "subject-path" or "subject-digest". May contain a
glob pattern or list of paths (total subject count cannot exceed 2500).
required: false
subject-digest:
description: >
Expand All @@ -24,9 +25,9 @@ inputs:
path.
sbom-path:
description: >
Path to the JSON-formatted SBOM file to attest. When specified, the
"scan-path" and "sbom-format" inputs are ignored.
required: false
Path to the JSON-formatted SBOM file to attest. File size cannot exceed
16MB.
required: true
push-to-registry:
description: >
Whether to push the provenance statement to the image registry. Requires
Expand All @@ -52,7 +53,7 @@ runs:
id: generate-sbom-predicate
with:
sbom-path: ${{ inputs.sbom-path || steps.sbom-output.outputs.path }}
- uses: actions/attest@12c083815ed46d5d78222e3824f4a26c42c234d3 # v1.1.2
- uses: actions/attest@32795ed9174327efe1734fa6d09c9223658ef225 # v1.2.0
id: attest
with:
subject-path: ${{ inputs.subject-path }}
Expand Down

0 comments on commit 49e7311

Please sign in to comment.