Skip to content

Commit

Permalink
Add example of upload-artifaction integration (#450)
Browse files Browse the repository at this point in the history 
Signed-off-by: Brian DeHamer <[email protected]>
  • Loading branch information
@bdehamer
bdehamer authored Jan 22, 2025
1 parent 3c016c1 commit 5d2ced9
Showing 1 changed file with 21 additions and 0 deletions.
21 changes: 21 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -286,6 +286,26 @@ jobs:
push-to-registry: true
```

### Integration with `actions/upload-artifact`

If you'd like to create an attestation for an archive created with the
[actions/upload-artifact][11] action you can feed the digest of the generated
artifact directly into the `subject-digest` input of the attestation action.

```yaml
- name: Upload build artifact
id: upload
uses: actions/upload-artifact@v4
with:
path: dist/*
name: artifact.zip
- uses: actions/attest-build-provenance@v2
with:
subject-name: artifact.zip
subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
```

[1]: https://github.com/actions/toolkit/tree/main/packages/attest
[2]: https://github.com/in-toto/attestation/tree/main/spec/v1
[3]: https://slsa.dev/spec/v1.0/provenance
Expand All @@ -297,3 +317,4 @@ jobs:
[9]:
https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
[10]: https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md
[11]: https://github.com/actions/upload-artifact

0 comments on commit 5d2ced9

Please sign in to comment.