Attest Actions uploaded artifacts #290
Comments
The release of v2.0.0 improves this in some way, since now a single attestation could be created of a group of files. However, still not 100% the original request.
@ferferga is your goal to create an attestation which references the archive created by
@bdehamer The former, a reference to the archive created.
@ferferga I updated the
```yaml
# The job running these steps needs: permissions: { id-token: write, attestations: write, contents: read }
- name: Upload build artifact
  id: upload
  uses: actions/upload-artifact@v4.5.0
  with:
    path: "dist/*"
# Attests the digest of the zip that upload-artifact stored; the default artifact
# name is "artifact", which is why the subject is artifact.zip.
- uses: actions/attest-build-provenance@v2
  with:
    subject-name: artifact.zip
    subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
```
@bdehamer This is awesome, thank you very much! Would be great if this is documented somewhere though? Probably more referenceable than this issue. I can make a PR if desired.
The
I'll leave this open then, feel free to close when you have ticked all the checks internally. Thank you very much again for the quick implementation and updates!
Hello!

What is expected

It would be great if we could attest directly artifacts uploaded by `actions/upload-artifact` by passing, for instance, the `artifact-id` output to this action.

Why is this needed?

Although this action now supports wildcards as subjects, which is good for software that outputs multiple artifacts (for instance, a pipeline building `ffmpeg` usually outputs `ffprobe`, `ffplay` and `ffmpeg`), sometimes the build artifact is a single piece but with multiple file dependencies (software with `dll`s or web applications with chunk splitting and multiple `.js` bundles), so you want to sign it all "as a whole", not as individual files.

Current workaround

Right now, a good workaround for this would be to `zip` or `tar` all the files and sign the compressed output, and then upload it as an artifact, so consumers of the software get the same file that was signed. However, that creates a double compressed file, which is not always convenient and is annoying, but there's no way to stop the GitHub Actions Artifacts API from uploading artifacts as zip. Hence, it would be awesome to directly attest those zips/artifact ids that GitHub Actions Artifacts provides.
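An added example, not code from the issue, from any commenter, or from the action itself, to make concrete what the `subject-digest` in the v2 flow shown in the comments above and in the zip-then-attest workaround described in this issue actually binds: the exact bytes of one archive, not the files inside it. It constructs the build output, the archives and an in-toto v1 Statement in memory (the statement shape is the one GitHub build-provenance attestations carry; the `predicate` is left empty here), and it only checks the subject binding, not the Sigstore signature, which is what `gh attestation verify` does. Function names such as `subject_matches` and `check_cases` are this example's own.

```python
"""Check which bytes a build-provenance attestation covers.

Constructed data throughout: the zip archives, the dist files and the in-toto
statement are all built in memory so the script runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import json
import zipfile

IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_zip(files: dict[str, bytes], timestamp=(1980, 1, 1, 0, 0, 0)) -> bytes:
    """Constructed stand-in for an archive produced by `zip` or by the
    Artifacts API. The member timestamp is part of the bytes, so re-packing
    the same files later yields a different digest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in sorted(files.items()):
            zf.writestr(zipfile.ZipInfo(name, date_time=timestamp), content)
    return buf.getvalue()


def make_statement(subject_name: str, subject_bytes: bytes) -> dict:
    """Shape of the in-toto v1 Statement a provenance attestation signs:
    the subject is a name plus a sha256 digest, nothing about archive contents."""
    return {
        "_type": IN_TOTO_V1,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(subject_bytes)}}],
        "predicateType": SLSA_V1,
        "predicate": {},  # build details omitted in this constructed example
    }


def subject_matches(statement: dict, name: str, data: bytes) -> bool:
    """True iff `data` is byte-for-byte the subject called `name` in `statement`."""
    if statement.get("_type") != IN_TOTO_V1:
        raise ValueError("not an in-toto v1 statement")
    for subj in statement.get("subject", []):
        if subj.get("name") == name and "sha256" in subj.get("digest", {}):
            return hmac.compare_digest(subj["digest"]["sha256"].lower(), sha256_hex(data))
    return False


def extract_member(archive: bytes, member: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member)


# Constructed build output: one web app split into several bundles.
DIST = {"dist/main.js": b"console.log('main');\n", "dist/chunk-1.js": b"export const x = 1;\n"}

# Case 1 (v2 flow): attest the digest of the zip the Artifacts API stores.
ARTIFACT_ZIP = build_zip(DIST)
STATEMENT_ARTIFACT = make_statement("artifact.zip", ARTIFACT_ZIP)

# Case 2 (workaround): zip first, attest dist.zip, upload it; the Artifacts
# API then wraps dist.zip in another zip, which is what consumers download.
DIST_ZIP = build_zip(DIST)
STATEMENT_DIST = make_statement("dist.zip", DIST_ZIP)
OUTER_ZIP = build_zip({"dist.zip": DIST_ZIP})


def check_cases() -> dict[str, bool]:
    return {
        # the archive exactly as downloaded from the Artifacts API verifies
        "artifact_zip_as_downloaded": subject_matches(STATEMENT_ARTIFACT, "artifact.zip", ARTIFACT_ZIP),
        # the same files re-packed (different timestamp) are different bytes, so it does not
        "artifact_zip_repacked": subject_matches(
            STATEMENT_ARTIFACT, "artifact.zip", build_zip(DIST, (2024, 1, 1, 0, 0, 0))
        ),
        # in the workaround the outer wrapper is not the attested subject ...
        "outer_zip_vs_dist_subject": subject_matches(STATEMENT_DIST, "dist.zip", OUTER_ZIP),
        # ... but the inner dist.zip extracted from it is
        "inner_dist_zip": subject_matches(STATEMENT_DIST, "dist.zip", extract_member(OUTER_ZIP, "dist.zip")),
    }


if __name__ == "__main__":
    print(json.dumps(check_cases(), indent=2))
```

The practical consequence for a consumer: verify the archive bytes you actually received (for the v2 flow, the artifact zip itself; for the workaround, the inner `dist.zip` after unwrapping), and never a re-created archive, since any repack changes the digest even when the file contents are identical.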