{"id":44511385,"url":"https://github.com/anotherdaniel/tsffer","last_synced_at":"2026-03-11T16:07:13.350Z","repository":{"id":290380638,"uuid":"974252082","full_name":"AnotherDaniel/tsffer","owner":"AnotherDaniel","description":"This action uploads a file (release asset) to a GitHub release, generates a Trustable Software Framework TSF manifest that contains some metadata for the asset, and uploads the metadata alongside the original release asset.","archived":false,"fork":false,"pushed_at":"2025-10-31T09:33:52.000Z","size":98,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-31T11:26:09.815Z","etag":null,"topics":["tsf"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"epl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AnotherDaniel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-28T13:41:15.000Z","updated_at":"2025-10-31T09:33:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"c9b1301a-d166-4471-91b8-810c0bc3bb27","html_url":"https://github.com/AnotherDaniel/tsffer","commit_stats":null,"previous_names":["anotherdaniel/tsffer"],"tags_count":59,"template":false,"template_full_name":null,"purl":"pkg:github/AnotherDaniel/tsffer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnotherDaniel%2Ftsffer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/AnotherDaniel%2Ftsffer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnotherDaniel%2Ftsffer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnotherDaniel%2Ftsffer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AnotherDaniel","download_url":"https://codeload.github.com/AnotherDaniel/tsffer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AnotherDaniel%2Ftsffer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29411138,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-13T06:24:03.484Z","status":"ssl_error","status_checked_at":"2026-02-13T06:23:12.830Z","response_time":78,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["tsf"],"created_at":"2026-02-13T15:02:19.734Z","updated_at":"2026-03-11T16:07:13.343Z","avatar_url":"https://github.com/AnotherDaniel.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!--\n * Copyright (C) 2025 Eclipse Foundation and others. \n * \n * This program and the accompanying materials are made available under the\n * terms of the Eclipse Public License v. 
2.0 which is available at\n * http://www.eclipse.org/legal/epl-2.0.\n * \n * SPDX-FileType: DOCUMENTATION\n * SPDX-FileCopyrightText: 2025 Eclipse Foundation\n * SPDX-License-Identifier: EPL-2.0\n--\u003e\n\n# tsffer Action\n\nThe tsffer action collects metadata about evidence that can support statements about quality and process adherence of a project - automated via the project release workflow. It is designed to support adoption of the Trustable Software Framework [TSF](https://codethinklabs.gitlab.io/trustable/trustable/).\nThe tsffer action has two operation modes:\n\n- mode `reference` (default): create tsffer evidence manifest file based on evidence reference properties as consumed by the TSF trudag tool, and optionally upload manifest to release file set.\n- mode `package`: typically run at the end of a release workflow, collect and package all generated tsffer manifest files into a single archive file, and optionally upload to release file set.\n\nThe asset manifest uses JSON syntax and contains some metadata pertaining to the originating git repository and release run, as well as user-provided input like asset name, type of TSF evidence that is being referenced, an optional description, and a list of TSF IDs that the asset pertains to.\n\n## Inputs\n\n- `mode`: Operation mode: \"reference\" (default) or \"package\".\n- `release_upload`: Boolean (true/false) switch determining whether generated tsffer file/archive should be uploaded to release file set (default: false).\n- `reference_properties` (required if mode is \"reference\"): json snippet describing the referenced evidence (refer to examples below).\n- `asset_name` (required if mode is \"reference\"): Name of the asset.\n- `asset_description` (optional): More detailed description of the asset (Default: `\"\"`).\n- `asset_tsf_ids` (required if mode is \"reference\"): list of TSF identifiers that the evidence pertains to; can be one or more identifiers separated by commas (Default: `\"\"`).\n\n## 
Outputs\n\n- `tsffer_file`: Name of generated json file or tar archive containing tsffer metadata.\n\n## Target release and other expectations\n\nThis action expects to run in the context of a release (tag-initiated) GitHub workflow, using an Ubuntu runner:\n\n- `github.ref_name` and `github.ref` are set to valid/real values, as these are used to determine asset upload target\n- Ubuntu runner comes with pre-installed gh and jq binaries (this is currently the case on GitHub)\n\n## Example Usage\n\nUsing tsffer in your workflow looks like this:\n\n```yaml\njobs:\n  example:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Upload README to release\n        uses: svenstaro/upload-release-action@v2\n        id: upload_readme\n        with:\n          repo_token: ${{ secrets.GITHUB_TOKEN }}\n          file: README.md\n          tag: ${{ github.ref }}\n\n      - name: Collect README artifact\n        uses: anotherdaniel/tsffer\n        id: tsffer_README\n        with:\n          mode: reference\n          reference_properties: |\n            {\n              \"reference_type\": \"download_url\",\n              \"url\": \"${{ steps.upload_readme.outputs.browser_download_url }}\"\n            }\n          asset_description: \"For illustration purposes, we are providing a link to our README in the release artifacts\"\n          asset_name: \"Project README\"\n          asset_tsf_ids: \"TA-BEHAVIOURS\"\n\n      - name: Point to action in release workflow\n        uses: anotherdaniel/tsffer\n        id: tsffer_ReleaseCI\n        with:\n          mode: reference\n          reference_properties: |\n            [\n              {\n                \"reference_type\": \"github\",\n                \"repository\": \"${{ github.repository }}\",\n                \"path\": \".github/workflows/release.yml#L11\",\n                \"public\": true,\n                \"ref\": \"${{ github.ref_name }}\"\n              },\n              {\n             
   \"reference_type\": \"webpage\",\n                \"url\": \"https://www.example.org\"\n              }\n            ]\n          asset_description: \"Link to specific line in tsffer release automation\"\n          asset_name: \"ReleaseCI\"\n          asset_tsf_ids: \"TA-RELEASES,TA-ITERATIONS\"\n\n      - name: Package quality artifacts, but leave assets in place\n        uses: anotherdaniel/tsffer\n        id: tsffer_package\n        with:\n          mode: package\n          release_upload: true\n```\n\n## Example manifest\n\nThe above workflow will generate a `README.md.tsffer` manifest file as a pipeline run artifact, with the following content:\n\n```json\n{\n  \"asset-info\": {\n    \"checksum-sha256\": \"db930ec18bfb83cd6db0180faead58d645a9ca71cff7b02e78e1583e3c89c7ec\",\n    \"description\": \"For illustration purposes, we are providing a link to our README in the release artifacts\",\n    \"reference-properties\": \n      {\n        \"reference_type\": \"download_url\",\n        \"url\": \"https://github.com/AnotherDaniel/tsffer/releases/download/v0.0.42/README.md\"\n      },\n    \"name\": \"Project README\",\n    \"tsf-ids\": [\n      \"TA-BEHAVIOURS\"\n    ]\n  },\n  \"context-info\": {\n    \"by-workflow\": \".github/workflows/release.yml\",\n    \"commit-sha\": \"bc100425602aed8f55005f37e689b8603be94637\",\n    \"ref\": \"refs/tags/v0.0.42\",\n    \"release-url\": \"https://github.com/AnotherDaniel/tsffer/releases/tag/v0.0.42\",\n    \"repository\": \"AnotherDaniel/tsffer\"\n  }\n}\n```\n\nThe second tsffer step will generate a `ReleaseCI.tsffer` reference manifest, with the following content:\n\n```json\n{\n  \"asset-info\": {\n    \"checksum-sha256\": \"db930ec18bfb83cd6db0180faead58d645a9ca71cff7b02e78e1583e3c89c7ec\",\n    \"description\": \"Link to specific line in tsffer release automation\",\n    \"reference-properties\": \n    [\n      {\n        \"reference_type\": \"github\",\n        \"repository\": \"AnotherDaniel/tsffer\",\n        
\"path\": \".github/workflows/release.yml#L11\",\n        \"public\": true,\n        \"ref\": \"v0.0.42\"\n      },\n      {\n        \"reference_type\": \"webpage\",\n        \"url\": \"https://www.example.org\"\n      }\n    ],\n    \"name\": \"ReleaseCI\",\n    \"tsf-ids\": [\n      \"TA-RELEASES\",\n      \"TA-ITERATIONS\"\n    ]\n  },\n  \"context-info\": {\n    \"by-workflow\": \".github/workflows/release.yml\",\n    \"commit-sha\": \"bc100425602aed8f55005f37e689b8603be94637\",\n    \"ref\": \"refs/tags/v0.0.42\",\n    \"release-url\": \"https://github.com/AnotherDaniel/tsffer/releases/tag/v0.0.42\",\n    \"repository\": \"AnotherDaniel/tsffer\"\n  }\n}\n```\n\nThe third tsffer step will package up the two previous files into an archive (`tsffer_assets.tar.bz2`), and upload this archive to the release file set (`release_upload` parameter set to `true`).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanotherdaniel%2Ftsffer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanotherdaniel%2Ftsffer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanotherdaniel%2Ftsffer/lists"}