fix(attest): split custom and slsa attestation mode
AEnguerrand committed Sep 13, 2024
1 parent 9b6e468 commit 3a0d54b
Showing 2 changed files with 17 additions and 1 deletion.
1 change: 1 addition & 0 deletions actions/attest/README.md
Expand Up @@ -41,6 +41,7 @@ jobs:

| name | description | required | default |
| --- | --- | --- | --- |
| `type-slsa` | <p>Generate an attestations bind some subject (a named artifact along with its digest) to a SLSA build provenance predicate using the in-toto format.</p> | `false` | `true` |
| `subject-path` | <p>Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).</p> | `false` | `""` |
| `subject-digest` | <p>SHA256 digest of the subject for the attestation. Must be in the form "sha256:hex_digest" (e.g. "sha256:abc123…"). Must specify exactly one of "subject-path" or "subject-digest".</p> | `false` | `""` |
| `subject-name` | <p>Subject name as it should appear in the attestation. Required unless "subject-path" is specified, in which case it will be inferred from the path.</p> | `false` | `""` |
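
Review bot: The new `type-slsa` row does not say what the action does when the input is `false`, and its description is ungrammatical ("Generate an attestations bind some subject"). A reader of this table cannot tell that `false` selects the custom attestation path. Suggest something like "Generate an attestation that binds a subject (a named artifact along with its digest) to a SLSA build provenance predicate using the in-toto format. Set to `false` to generate a custom attestation instead." Listing the accepted values (`true` or `false`) here would also help, since the input is compared as a string.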
17 changes: 16 additions & 1 deletion actions/attest/action.yml
Expand Up @@ -5,6 +5,10 @@ description: |
Designed for seamless integration within Ledger's CI/CD pipeline, the `attest` action automates the creation of cryptographic attestations, enhancing the integrity, authenticity, and traceability of your software supply chain. By providing a secure method to verify the origin and build process of your artifacts, it helps safeguard against supply chain attacks and meets compliance requirements for software distribution.
inputs:
type-slsa:
description: 'Generate an attestations bind some subject (a named artifact along with its digest) to a SLSA build provenance predicate using the in-toto format.'
required: false
default: "true"
subject-path:
description: 'Path to the artifact serving as the subject of the attestation. Must specify exactly one of "subject-path" or "subject-digest". May contain a glob pattern or list of paths (total subject count cannot exceed 2500).'
required: false
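
Review bot: `default: "true"` on the new `type-slsa` input changes what existing callers get without any change on their side. Before this commit the action always ran `actions/attest@v1`; with this default, a workflow that does not set `type-slsa` now gets a SLSA build provenance attestation instead of the attestation it was producing. If that switch is intended, it deserves a line in the commit message and the README as a behaviour change; if not, default to `"false"` so current callers keep the custom path and opt in to SLSA explicitly.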
Expand All @@ -26,7 +30,18 @@ inputs:
runs:
using: "composite"
steps:
- uses: actions/attest@v1
- name: Generate and sign attestation (SLSA type)
uses: actions/attest-build-provenance@v1
if: ${{ inputs.type-slsa == 'true' }}
with:
subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }}
subject-name: ${{ inputs.subject-name }}
push-to-registry: ${{ inputs.push-to-registry }}
show-summary: true
- name: Generate and sign attestation (custom type)
uses: actions/attest@v1
if: ${{ inputs.type-slsa == 'false' }}
with:
subject-path: ${{ inputs.subject-path }}
subject-digest: ${{ inputs.subject-digest }}
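
Review bot: The two `if:` conditions match only the exact strings `'true'` and `'false'`, so any other value of `type-slsa` (for example `True`, `yes` or an empty string) skips both steps and the job still succeeds with no attestation generated. For a supply-chain control that is a silent fail-open. Either make the second condition `${{ inputs.type-slsa != 'true' }}` so one of the two steps always runs, or add a first step that fails when the input is neither `true` nor `false`. Separately, `actions/attest-build-provenance@v1` and `actions/attest@v1` are referenced by mutable tag; pinning both to a full commit SHA would be more consistent with what this action is for.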