dependabot[bot] c604332985
Bump actions/attest from 4.0.0 to 4.1.0 in the actions-minor group (#255)
Bumps the actions-minor group with 1 update: [actions/attest](https://github.com/actions/attest).


Updates `actions/attest` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/actions/attest/releases)
- [Changelog](https://github.com/actions/attest/blob/main/RELEASE.md)
- [Commits](c32b4b8b19...59d89421af)

---
updated-dependencies:
- dependency-name: actions/attest
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-02 17:24:35 -08:00
File                 Last commit                                                              Date
.github              prepare v4 release (#253)                                                2026-02-25 15:03:50 -08:00
__tests__/data       prepare v4 release (#253)                                                2026-02-25 15:03:50 -08:00
.gitattributes       Initial commit                                                           2024-02-20 11:28:19 -08:00
.gitignore           remove attest lib                                                        2024-02-23 14:56:17 -08:00
.markdown-lint.yml   refactor eslint config (#200)                                            2025-08-28 15:21:40 -07:00
action.yml           Bump actions/attest from 4.0.0 to 4.1.0 in the actions-minor group (#255) 2026-03-02 17:24:35 -08:00
CODEOWNERS           add package-security team to CODEOWNERS                                  2024-02-23 17:16:44 -08:00
LICENSE              Initial commit                                                           2024-02-20 11:28:19 -08:00
README.md            prepare v4 release (#253)                                                2026-02-25 15:03:50 -08:00
RELEASE.md           update RELEASE.md docs (#254)                                            2026-02-25 16:02:29 -08:00

actions/attest-sbom

Warning

This action is being deprecated in favor of actions/attest. actions/attest-sbom will continue to function as a wrapper on top of actions/attest for some period of time, but applications should make plans to migrate.

All of the existing action inputs are compatible with the actions/attest interface.

Generate signed SBOM attestations for workflow artifacts. Internally powered by the @actions/attest package.

Attestations bind a subject (a named artifact along with its digest) to a Software Bill of Materials (SBOM) using the in-toto format. The action accepts SBOMs that have been generated by external tools. Provided SBOMs must be in either the SPDX or the CycloneDX JSON-serialized format.

A verifiable signature is generated for the attestation using a short-lived Sigstore-issued signing certificate. If the repository initiating the GitHub Actions workflow is public, the public-good instance of Sigstore will be used to generate the attestation signature. If the repository is private/internal, it will use the GitHub private Sigstore instance.

Once the attestation has been created and signed, it is uploaded to the GitHub attestations API and associated with the repository from which the workflow was initiated.

Attestations can be verified using the attestation command (gh attestation) in the GitHub CLI.
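The two points above, the binding of a subject digest to an SBOM inside an in-toto Statement and the subject-level check that a verifier performs, can be made concrete with a small script. This is an added example, not code from the actions/attest-sbom project: it builds the unsigned Statement (signing and upload are what the action does through Sigstore and the attestations API, and are out of scope here), rejects SBOMs that are neither SPDX nor CycloneDX JSON, and checks whether an artifact matches a Statement's subject digest. The predicate-type URIs and the sample SBOM documents are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Assumed predicate-type conventions for the two accepted SBOM formats.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SPDX_PREDICATE_PREFIX = "https://spdx.dev/Document/v"
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"

# Constructed sample inputs (not real project data).
ARTIFACT = b"constructed sample artifact bytes\n"
SPDX_SBOM = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
             "name": "example-app", "packages": []}
CYCLONEDX_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the digest algorithm used for the subject."""
    return hashlib.sha256(data).hexdigest()


def detect_sbom_predicate_type(sbom: dict) -> str:
    """Return the predicateType for an SPDX or CycloneDX JSON SBOM.

    Anything else is rejected, mirroring the action's rule that only these
    two JSON-serialized formats are accepted.
    """
    spdx_version = sbom.get("spdxVersion")
    if isinstance(spdx_version, str) and spdx_version.startswith("SPDX-"):
        return SPDX_PREDICATE_PREFIX + spdx_version[len("SPDX-"):]
    if sbom.get("bomFormat") == "CycloneDX":
        return CYCLONEDX_PREDICATE_TYPE
    raise ValueError("SBOM must be SPDX or CycloneDX JSON")


def build_sbom_statement(subject_name: str, artifact: bytes, sbom: dict) -> dict:
    """Bind the artifact (name + sha256) to the SBOM in an in-toto Statement."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": detect_sbom_predicate_type(sbom),
        "predicate": sbom,
    }


def statement_matches_artifact(statement: dict, artifact: bytes) -> bool:
    """Subject-level check: does some subject's sha256 equal the artifact's?

    A real verifier (e.g. gh attestation verify) also checks the Sigstore
    signature and certificate identity; this only covers the digest binding.
    """
    actual = sha256_hex(artifact)
    for subject in statement.get("subject", []):
        expected = subject.get("digest", {}).get("sha256", "")
        if hmac.compare_digest(expected, actual):
            return True
    return False


if __name__ == "__main__":
    stmt = build_sbom_statement("example-app.tar.gz", ARTIFACT, SPDX_SBOM)
    print(json.dumps(stmt, indent=2))
    print("matches:", statement_matches_artifact(stmt, ARTIFACT))
    print("tampered matches:", statement_matches_artifact(stmt, ARTIFACT + b"x"))
```

The Statement carries the whole SBOM as its predicate, so a verifier that has the signed bundle can confirm both that the artifact it holds is the one named in the subject and that the SBOM it reads was the one attested for that exact digest; a modified artifact fails the digest check before any SBOM content is trusted.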

See "Using artifact attestations to establish provenance for builds" in the GitHub documentation for more information on artifact attestations.

Note

Artifact attestations are available in public repositories for all current GitHub plans. They are not available on legacy plans, such as Bronze, Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan, artifact attestations are only available for public repositories. To use artifact attestations in private or internal repositories, you must be on a GitHub Enterprise Cloud plan.

Usage

As of version 4, actions/attest-sbom is simply a wrapper on top of actions/attest.

Please see the actions/attest repository for usage information.

Documentation for previous versions of this action can be found here.