
Attest Actions uploaded artifacts #290

Open
ferferga opened this issue Oct 23, 2024 · 7 comments

Comments

@ferferga

Hello!

What is expected

It would be great if we could directly attest artifacts uploaded by actions/upload-artifact by passing, for instance, the artifact-id output to this action.

Why is this needed?

Although this action now supports wildcards as subjects, which is good for software that outputs multiple artifacts (for instance, a pipeline building ffmpeg usually outputs ffprobe, ffplay and ffmpeg), sometimes the build artifact is a single piece with multiple file dependencies (software with DLLs, or web applications with chunk splitting and multiple .js bundles), so you want to sign it all "as a whole", not as individual files.

Current workaround

Right now, a good workaround for this would be to zip or tar all the files and sign the compressed output, then upload it as an artifact, so consumers of the software get the same file that was signed. However, that creates a double-compressed file, which is not always convenient and is annoying, but there's no way to stop the GitHub Actions Artifacts API from uploading artifacts as zips.

Hence, it would be awesome to directly attest those zips/artifact IDs that GitHub Actions Artifacts provides.

@ferferga
Author

ferferga commented Dec 4, 2024

The release of v2.0.0 improves this in some way, since now a single attestation can be created for a group of files. However, it is still not 100% the original request.

@bdehamer
Collaborator

bdehamer commented Dec 6, 2024

@ferferga is your goal to create an attestation which references the archive created by actions/upload-artifact, or one which references each of the constituent files contained in the upload archive?

@ferferga
Author

ferferga commented Dec 7, 2024

@bdehamer The former, a reference to the archive created.

@bdehamer
Collaborator

@ferferga I updated the upload-artifact action so that it will output the digest of the archive that is created. This means that you can now string together the upload-artifact and attest-build-provenance actions with something like this:

```yaml
- name: Upload build artifact
  id: upload
  # v4.5.0 is the first release that exposes the artifact-digest output
  uses: actions/upload-artifact@v4.5.0
  with:
    path: "dist/*"

- uses: actions/attest-build-provenance@v2
  with:
    # the subject is the zip archive GitHub stores, not the files inside it
    subject-name: artifact.zip
    # artifact-digest is a bare hex SHA-256, so the algorithm prefix is added here
    subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
```
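The snippet above only covers the producer side. The following workflow, an added example written for this page rather than code from the actions/attest-build-provenance project or from the thread's participants, shows the whole chain end to end: build, upload, attest the archive digest, and then, in a second job, fetch the raw zip and verify it. The job names, the `app-bundle` artifact name, the placeholder build step and the `dist/` layout are assumptions for illustration. Two practitioner caveats are built in: `actions/download-artifact` extracts the archive, so the bytes it leaves on disk are not the bytes that were attested, which is why the verify job pulls the raw zip through the REST API using the `artifact-id` output; and `gh attestation verify` only matches on the subject digest, so the subject name is informational and should simply match what consumers will see when they download the artifact.

```yaml
name: build-attest-verify   # example workflow, not part of the original issue

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # required to obtain the Sigstore signing identity
      attestations: write  # required to store the attestation on the repo
    outputs:
      artifact-id: ${{ steps.upload.outputs.artifact-id }}
      artifact-digest: ${{ steps.upload.outputs.artifact-digest }}
    steps:
      - uses: actions/checkout@v4

      # Placeholder build (assumption): a real build writes its output into dist/
      - name: Build
        run: |
          mkdir -p dist
          echo 'console.log("hello")' > dist/app.js
          echo '{"name":"app"}' > dist/manifest.json

      - name: Upload build artifact
        id: upload
        # needs a release that emits artifact-digest (v4.5.0 or later per this thread)
        uses: actions/upload-artifact@v4
        with:
          name: app-bundle
          path: dist/*

      # Attest the archive as a whole; the subject digest is the SHA-256 of the
      # zip GitHub stores, so every file inside it is covered by one attestation.
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: app-bundle.zip
          subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}

  verify:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read   # needed to download artifacts through the REST API
    steps:
      # actions/download-artifact would extract the zip and change the bytes
      # under test, so fetch the stored archive itself via the API instead.
      - name: Download raw artifact zip
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh api "/repos/${GITHUB_REPOSITORY}/actions/artifacts/${{ needs.build.outputs.artifact-id }}/zip" > app-bundle.zip

      # Fail fast if the downloaded bytes do not match the digest the producer
      # attested (e.g. the wrong artifact was fetched). gh attestation verify
      # recomputes the digest itself, so this step is a cheap sanity check.
      - name: Check digest matches what the producer attested
        run: |
          expected='${{ needs.build.outputs.artifact-digest }}'
          actual="$(sha256sum app-bundle.zip | cut -d' ' -f1)"
          if [ "$actual" != "$expected" ]; then
            echo "digest mismatch: got $actual, expected $expected" >&2
            exit 1
          fi

      # Looks up attestations for this digest in the repo and checks the
      # Sigstore signature and the workflow identity that produced them.
      - name: Verify provenance attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh attestation verify app-bundle.zip --repo "${GITHUB_REPOSITORY}"
```

Outside of Actions, a consumer runs the same last two steps locally after downloading the zip from the run's artifacts page, with `--repo OWNER/REPO` pointing at the producing repository; because verification keys on the digest, renaming the zip does not break it, but unzipping and re-zipping it does.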

@ferferga
Author

ferferga commented Dec 17, 2024

@bdehamer This is awesome, thank you very much! It would be great if this were documented somewhere, though, probably somewhere more referenceable than this issue. I can make a PR if desired.

@bdehamer
Collaborator

The upload-artifact release with this feature just went out so I wanted to come update this issue. Will work to get an example added to the README.

@ferferga
Author

I'll leave this open then, feel free to close when you have ticked all the checks internally.

Thank you very much again for the quick implementation and updates!
