File tree 1 file changed +21
-0
lines changed 1 file changed +21
-0
lines changed Original file line number Diff line number Diff line change @@ -286,6 +286,26 @@ jobs:
286286 push-to-registry: true
287287` ` `
288288
289+ # ## Integration with `actions/upload-artifact`
290+
291+ If you'd like to create an attestation for an archive created with the
292+ [actions/upload-artifact][11] action you can feed the digest of the generated
293+ artifact directly into the `subject-digest` input of the attestation action.
294+
295+ ` ` ` yaml
296+ - name: Upload build artifact
297+ id: upload
298+ uses: actions/upload-artifact@v4
299+ with:
300+ path: dist/*
301+ name: artifact.zip
302+
303+ - uses: actions/attest-build-provenance@v2
304+ with:
305+ subject-name: artifact.zip
306+ subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
307+ ` ` `
308+
289309[1] : https://github.com/actions/toolkit/tree/main/packages/attest
290310[2] : https://github.com/in-toto/attestation/tree/main/spec/v1
291311[3] : https://slsa.dev/spec/v1.0/provenance
@@ -297,3 +317,4 @@ jobs:
297317[9] :
298318 https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
299319[10] : https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md
320+ [11] : https://github.com/actions/upload-artifact
You can’t perform that action at this time.
0 commit comments