Skip to content

Latest commit

 

History

History

attest

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 

README.md

GitHub Action: attest

Description

The attest GitHub Action enables the generation and signing of provenance files using the in-toto attestation format. Leveraging OIDC authentication for keyless signing, this action securely creates verifiable metadata about your software artifacts without the need to manage sensitive signing keys manually.

Designed for seamless integration within Ledger's CI/CD pipeline, the attest action automates the creation of cryptographic attestations, enhancing the integrity, authenticity, and traceability of your software supply chain. By providing a secure method to verify the origin and build process of your artifacts, it helps safeguard against supply chain attacks and meets compliance requirements for software distribution.

Usage

Permissions

To enable this action to work properly, ensure the following permissions are set in your workflow:

permissions:
    id-token: write
    attestations: write

Example Workflow

Here's how you can use the attest action within your workflow:

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Attest
        id: attest
        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
        with:
          subject-path: path/to/my/artefact/to/attest

Inputs

name description required default
type-slsa

Generate an attestations bind some subject (a named artifact along with its digest) to a SLSA build provenance predicate using the in-toto format.

 false true
subject-path

Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).

 false ""
subject-digest

SHA256 digest of the subject for the attestation. Must be in the form "sha256:hex_digest" (e.g. "sha256:abc123…"). Must specify exactly one of "subject-path" or "subject-digest".

 false ""
subject-name

Subject name as it should appear in the attestation. Required unless "subject-path" is specified, in which case it will be inferred from the path.

 false ""
push-to-registry

Whether to push the attestation to the image registry. Requires that the "subject-name" parameter specify the fully-qualified image name and that the "subject-digest" parameter be specified. Defaults to false.

 false false

Runs

This action is a composite action, which allows us to combine multiple workflow steps into a single, reusable action. This promotes modularity and simplifies our workflows.