https://github.com/in-toto/github-action
in-toto provenance github action
- Host: GitHub
- URL: https://github.com/in-toto/github-action
- Owner: in-toto
- Created: 2022-10-27T20:02:53.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-10-31T16:04:54.000Z (over 2 years ago)
- Last Synced: 2024-12-15T13:47:58.346Z (5 months ago)
- Language: JavaScript
- Size: 8.48 MB
- Stars: 8
- Watchers: 7
- Forks: 0
- Open Issues: 5
Metadata Files:
- Readme: README.md
README
# in-toto-run action
This is a wrapper for the in-toto-run command. It is intended to be used by
developers to wrap the commands that are performed as part of their software
supply chain. The wrapper will record metadata for the passed command.

## Example Usage
```yaml
on: [push]
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout
jobs:
  test:
    runs-on: ubuntu-latest
    name: test intoto-run
    steps:
      - uses: actions/checkout@v2
      - uses: testifysec/intoto-run-action@main
        name: intoto run command
        with:
          step-name: 'test'
          # Example key as published in this README; supply a real signing key
          # from an encrypted repository secret instead of committing it.
          private-key: |
            -----BEGIN PRIVATE KEY-----
            MC4CAQAwBQYDK2VwBCIEIOl8ZskJnvzzBzudkifLO9EPu8Nuy9+eo8ryIZ7cVbwF
            -----END PRIVATE KEY-----
          command: touch test.txt
          products: 'test.txt'
          exclude: "node_modules/"
      # Print the link metadata that the previous step recorded
      - name: show-attestation
        run: cat $RUNNER_TEMP/meta/*.link
```

## Roadmap
- [ ] Add support for multiple commands
- [ ] Integration with Fulcio for signing attestations
- [ ] Upload link metadata to Archivist

## Contributing
Contributions are welcome! Please see our [contributing guidelines](GOVERNANCE.md).