What is expected

It would be great if we could directly attest artifacts uploaded by actions/upload-artifact by passing, for instance, the artifact-id output to this action.

Why is this needed?

Although this action now supports wildcards as subjects, which is good for software that outputs multiple artifacts (for instance, a pipeline building ffmpeg usually outputs ffprobe, ffplay and ffmpeg), sometimes the build artifact is a single piece but with multiple file dependencies (software with DLLs, or web applications with chunk splitting and multiple .js bundles), so you want to sign it all "as a whole", not as individual files.

Current workaround

Right now, a good workaround for this would be to zip or tar all the files and sign the compressed output, and then upload it as an artifact, so consumers of the software get the same file that was signed. However, that creates a double-compressed file, which is not always convenient and is annoying, but there's no way to stop the GitHub Actions Artifacts API from uploading artifacts as a zip.

Hence, it would be awesome to directly attest those zips/artifact IDs that GitHub Actions Artifacts provides.
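The workaround described in the issue, as an added example (not code from the issue author or from the action's repository): pack the multi-file build output into one deterministic tarball, hash that tarball as the single attestation subject, let the Artifacts API wrap it in its own zip, and on the consumer side unwrap the zip and re-check the inner tarball against the attested digest. It assumes the action being discussed is actions/attest-build-provenance (the page does not name it), where the producer step would be `subject-path: dist.tar.gz` followed by `actions/upload-artifact` with `path: dist.tar.gz`. The bundle name and the sample file contents are constructed for the example; the zip wrapper is a local stand-in for what upload-artifact produces.

```python
"""Added example: 'sign it as a whole' via one deterministic tarball.

Producer: tar the build tree, hash the tarball (the attestation subject).
Transport: the Artifacts API wraps the upload in a zip (double compression).
Consumer: unwrap the zip, re-hash the inner tarball, compare to the subject.
BUNDLE_NAME and SAMPLE_DIST are constructed for this example."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
import zipfile

BUNDLE_NAME = "dist.tar.gz"  # assumed name; any fixed name works

# Constructed sample of a chunk-split web build: several files, one release.
SAMPLE_DIST = {
    "index.html": b'<script src="main.js"></script>\n',
    "main.js": b"import('./chunk-1.js');\n",
    "chunk-1.js": b"export const x = 1;\n",
}


def write_dist(root, files=SAMPLE_DIST):
    """Materialise the sample build output under root."""
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def _normalize(info):
    # Strip owner and timestamps so the archive bytes depend only on content.
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mtime = 0
    return info


def build_bundle(dist_dir):
    """Pack dist_dir into a deterministic tar.gz and return its bytes.
    Sorted entries, zeroed metadata and a fixed gzip mtime mean the same
    tree always hashes to the same subject digest across rebuilds."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(os.listdir(dist_dir)):
                tar.add(os.path.join(dist_dir, name), arcname=name,
                        filter=_normalize)
    return buf.getvalue()


def subject_for(bundle):
    """The single subject the attestation binds to: the tarball's name and
    sha256, i.e. the file you point the action's subject-path at."""
    return {"name": BUNDLE_NAME,
            "digest": {"sha256": hashlib.sha256(bundle).hexdigest()}}


def wrap_like_artifacts_api(bundle):
    """Stand-in for upload-artifact: the Artifacts API always stores the
    upload inside a zip, hence the 'double compressed' file in the issue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(BUNDLE_NAME, bundle)
    return buf.getvalue()


def unwrap_and_verify(artifact_zip, subject):
    """Consumer side: pull the inner tarball out of the downloaded zip and
    check it against the attested digest. Returns (ok, inner_bytes)."""
    with zipfile.ZipFile(io.BytesIO(artifact_zip)) as zf:
        inner = zf.read(subject["name"])
    ok = hashlib.sha256(inner).hexdigest() == subject["digest"]["sha256"]
    return ok, inner


def demo():
    """Run producer and consumer halves; returns a summary dict."""
    with tempfile.TemporaryDirectory() as d1, \
            tempfile.TemporaryDirectory() as d2, \
            tempfile.TemporaryDirectory() as d3:
        write_dist(d1)
        write_dist(d2)
        first, second = build_bundle(d1), build_bundle(d2)
        subject = subject_for(first)
        ok, _ = unwrap_and_verify(wrap_like_artifacts_api(first), subject)
        # A modified inner file must fail even though the zip wrapper is
        # a perfectly valid artifact download.
        tampered = dict(SAMPLE_DIST, **{"chunk-1.js": b"export const x = 2;\n"})
        write_dist(d3, tampered)
        bad_ok, _ = unwrap_and_verify(wrap_like_artifacts_api(build_bundle(d3)),
                                      subject)
    return {"reproducible": first == second, "verified": ok,
            "tampered_verified": bad_ok, "sha256": subject["digest"]["sha256"]}


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the consumer's counterpart of `unwrap_and_verify` is `gh attestation verify dist.tar.gz --owner <org>` run on the unzipped inner file; the zip wrapper is never what was attested, so verifying the download as-is would fail by design. The deterministic packing is a practitioner's addition beyond the issue text: it lets two runs of the same tree produce the same digest, which makes the attested subject comparable across rebuilds rather than unique to one run.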
Hello!