@actions/attest
Functions for generating signed attestations for workflow artifacts.
Attestations bind some subject (a named artifact along with its digest) to a
predicate (some assertion about that subject) using the in-toto
statement format. A
signature is generated for the attestation using a
Sigstore-issued signing certificate.
Once the attestation has been created and signed, it will be uploaded to the GH
attestations API and associated with the repository from which the workflow was
initiated.
See Using artifact attestations to establish provenance for builds
for more information on artifact attestations.
Usage
attest
The attest
function takes the supplied subject/predicate pair and generates a
signed attestation.
const { attest } = require('@actions/attest');
const core = require('@actions/core');
async function run() {
const ghToken = core.getInput('gh-token');
const attestation = await attest({
subjectName: 'my-artifact-name',
subjectDigest: { 'sha256': '36ab4667...'},
predicateType: 'https://in-toto.io/attestation/release',
predicate: { . . . },
token: ghToken
});
console.log(attestation);
}
run();
The attest
function supports the following options:
export type AttestOptions = {
subjectName: string
subjectDigest: Record<string, string>
predicateType: string
predicate: object
token: string
sigstore?: 'public-good' | 'github'
headers?: {[header: string]: string | number | undefined}
skipWrite?: boolean
}
attestProvenance
The attestProvenance
function accepts the name and digest of some artifact and
generates a build provenance attestation over those values.
The attestation is formed by first generating a SLSA provenance
predicate populated with
metadata
pulled from the GitHub Actions run.
const { attestProvenance } = require('@actions/attest');
const core = require('@actions/core');
async function run() {
const ghToken = core.getInput('gh-token');
const attestation = await attestProvenance({
subjectName: 'my-artifact-name',
subjectDigest: { 'sha256': '36ab4667...'},
token: ghToken
});
console.log(attestation);
}
run();
The attestProvenance
function supports the following options:
export type AttestProvenanceOptions = {
subjectName: string
subjectDigest: Record<string, string>
token: string
sigstore?: 'public-good' | 'github'
headers?: {[header: string]: string | number | undefined}
skipWrite?: boolean
issuer?: string
}
Attestation
The Attestation
returned by attest
/attestProvenance
has the following
fields:
export type Attestation = {
bundle: SerializedBundle
certificate: string
tlogID?: string
attestationID?: string
}
For details about the Sigstore bundle format, see the Bundle protobuf
specification.
Sigstore Instance
When generating the signed attestation there are two different Sigstore
instances which can be used to issue the signing certificate. By default,
workflows initiated from public repositories will use the Sigstore public-good
instance and persist the attestation signature to the public Rekor transparency
log. Workflows initiated from
private/internal repositories will use the GitHub-internal Sigstore instance
which uses a signed timestamp issued by GitHub's timestamp authority in place of
the public transparency log.
The default Sigstore instance selection can be overridden by passing an explicit
value of either "public-good" or "github" for the sigstore
option when calling
either attest
or attestProvenance
.
Storage
Attestations created by attest
/attestProvenance
will be uploaded to the GH
attestations API and associated with the appropriate repository. Attestation
storage is only supported for public repositories or repositories which belong
to a GitHub Enterprise Cloud account.
In order to generate attestations for private, non-Enterprise repositories, the
skipWrite
option should be set to true
.