Continuous Integration/Test attest action fails in forks because it uses pull_request #204

Open
@jsoref

Description

https://github.com/actions/attest/actions/runs/12921612078/job/36045041753?pr=203

Run ./
Error: Error: missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.

It is possible to fix this in various ways:

But it's also possible to just do something like:

 on:
   pull_request:
     branches:
       - main
   push:
-    branches:
-      - main
-      - 'releases/*'
+    # no constraints for push, otherwise there's no CI for PRs from forks which is problematic
 permissions: {}
 
 jobs:
   test-typescript:
     name: TypeScript Tests
     runs-on: ubuntu-latest
     permissions:
       contents: read
 
     steps:
       - name: Checkout
         id: checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup Node.js
         id: setup-node
         uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
         with:
           node-version-file: .node-version
           cache: npm
 
       - name: Install Dependencies
         id: npm-ci
         run: npm ci
 
       - name: Check Format
         id: npm-format-check
         run: npm run format:check
 
       - name: Lint
         id: npm-lint
         run: npm run lint
 
       - name: Test
         id: npm-ci-test
         run: npm run ci-test
 
   test-attest:
     name: Test attest action
     runs-on: ubuntu-latest
     permissions:
       contents: read
       attestations: write
       id-token: write
     env:
       SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }}
     steps:
       - name: Checkout
         id: checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Calculate subject digest
         id: subject
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           SHA_256=$(gh api "${{ env.SUBJECT }}" | shasum -a 256 | cut -d " " -f 1)
           echo "sha-256=${SHA_256}" >> "$GITHUB_OUTPUT"
+      - name: Skip for PRs from forks
+        shell: bash
+        id: skip
+        if: github.event_name != 'push' || github.pull_request.head.user.login != github.pull_request.base.user.login
+        run: |
+          echo '::warning title=Test attest action skipped::Testing action requires permissions and isn't done for PRs from forks.'
+          echo 'skip=1' >> "$GITHUB_OUTPUT"
       - name: Run attest
         id: attest
+        if: ${{ ! steps.skip.outputs.skip }}
         env:
           INPUT_PRIVATE-SIGNING: 'true'
         uses: ./
         with:
           subject-name: 'https://api.github.com${{ env.SUBJECT }}'
           subject-digest: 'sha256:${{ steps.subject.outputs.sha-256 }}'
           predicate-type: 'https://in-toto.io/attestation/release/v0.1'
           predicate:
             '{"purl":"pkg:github/${{ github.repository }}@${{ github.sha }}"}'
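Review bot: the `echo` in the "Skip for PRs from forks" step has unbalanced shell quoting: the message is wrapped in single quotes but contains `isn't`, so the apostrophe ends the string early and bash fails the step with an unterminated-quote error before `skip=1` is ever written to `$GITHUB_OUTPUT`. Switch the line to double quotes (`echo "::warning title=Test attest action skipped::Testing the action requires permissions and isn't done for PRs from forks."`) or rephrase without the apostrophe. The `if:` on the same step also references `github.pull_request`, which is not a context; the PR payload lives under `github.event.pull_request`, and the usual fork test compares repositories rather than user logins: `github.event.pull_request.head.repo.full_name != github.repository`. As written the login clause is dead anyway: `github.event_name != 'push'` is already true for every pull_request run, and on a push both sides of the comparison are null, so the step skips attestation on all pull_request runs and only attests on push. If that is the intent, say so in the step name or a comment; if same-repo PRs should still attest, drop the event_name clause and use the repository comparison. Separately, removing the branch filters from `push` means every branch push now runs the workflow, so a branch opened as a same-repo PR gets a push run and a pull_request run for the same commit.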

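As an added example (not code from the issue or from the actions/attest project), the fork test the skip step is trying to express, written as a Python script a `run:` step could call. It reads the event payload GitHub exposes through `GITHUB_EVENT_PATH` and decides whether the attest step must be skipped by comparing the pull request's head repository with the repository the workflow runs in, rather than by event name, so same-repo PRs still exercise the step while fork PRs, which are never granted `id-token: write`, skip it. It also builds the `::warning` annotation with the escaping the runner expects. Function names, the sample payloads and the script path in the usage note are my own.

```python
"""Fork-aware skip for a step that needs id-token: write.

Added example for this issue, not code from actions/attest. It reads the same
event payload GitHub exposes to a job via GITHUB_EVENT_PATH and decides whether
the attest step should be skipped, using the repository comparison
(github.event.pull_request.head.repo.full_name != github.repository) rather than
the event name, so pull requests opened from branches of the base repository
still run the step while fork PRs, which never receive id-token: write, skip it.
"""
import json
import os
from typing import Any, Dict, Optional, Tuple

# Events whose head commit comes from a pull request. pull_request_target runs
# with the base repository's permissions even for forks, but the head code is
# still untrusted, so it gets the same skip.
PR_EVENTS = ("pull_request", "pull_request_target")


def is_fork_pull_request(event_name: str, event: Dict[str, Any], repository: str) -> bool:
    """Return True when the run was triggered by a pull request whose head repository
    is not the repository the workflow runs in. A missing head repo (a fork deleted
    after the PR was opened) is treated as a fork as well."""
    if event_name not in PR_EVENTS:
        return False
    pull_request = event.get("pull_request") or {}
    head_repo = (pull_request.get("head") or {}).get("repo") or {}
    full_name = head_repo.get("full_name")
    if not full_name:
        return True
    # GitHub repository names are case-insensitive.
    return full_name.lower() != repository.lower()


def should_skip_attest(event_name: str, event: Dict[str, Any], repository: str) -> bool:
    """Skip the attest step exactly when the job cannot, or should not, obtain an OIDC token."""
    return is_fork_pull_request(event_name, event, repository)


def warning_command(message: str, title: Optional[str] = None) -> str:
    """Build a ::warning workflow command with the escaping actions/toolkit applies:
    %, CR and LF in the message; additionally ':' and ',' in property values."""
    def escape_data(text: str) -> str:
        return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")

    def escape_property(text: str) -> str:
        return escape_data(text).replace(":", "%3A").replace(",", "%2C")

    props = f" title={escape_property(title)}" if title else ""
    return f"::warning{props}::{escape_data(message)}"


# Constructed sample payloads (not captured from GitHub), trimmed to the fields used.
SAMPLE_REPOSITORY = "actions/attest"
SAMPLE_EVENTS: Dict[str, Tuple[str, Dict[str, Any]]] = {
    "push to main": ("push", {"ref": "refs/heads/main"}),
    "same-repo PR": ("pull_request", {"pull_request": {"head": {"repo": {"full_name": "actions/attest"}}}}),
    "fork PR": ("pull_request", {"pull_request": {"head": {"repo": {"full_name": "jsoref/attest"}}}}),
    "deleted fork": ("pull_request", {"pull_request": {"head": {"repo": None}}}),
}


def main() -> None:
    event_name = os.environ.get("GITHUB_EVENT_NAME")
    event_path = os.environ.get("GITHUB_EVENT_PATH")
    repository = os.environ.get("GITHUB_REPOSITORY")
    if not (event_name and event_path and repository):
        # Not inside a runner: exercise the constructed samples instead.
        for label, (name, payload) in SAMPLE_EVENTS.items():
            print(f"{label:14s} skip={should_skip_attest(name, payload, SAMPLE_REPOSITORY)}")
        return
    with open(event_path, encoding="utf-8") as fh:
        event = json.load(fh)
    if should_skip_attest(event_name, event, repository):
        print(warning_command(
            "Testing the action needs id-token: write, which pull requests from forks do not get.",
            title="Test attest action skipped",
        ))
        # GITHUB_OUTPUT is the file the runner turns into steps.<id>.outputs.*
        with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as out:
            out.write("skip=1\n")


if __name__ == "__main__":
    main()
```

In the workflow this would replace the skip step's inline script, for instance `run: python3 .github/scripts/skip_for_forks.py` (hypothetical path) with `id: skip`, keeping the `if: ${{ ! steps.skip.outputs.skip }}` guard on the attest step; the `id-token: write` and `attestations: write` permissions stay declared on the job because GitHub simply refuses them for fork PRs rather than failing the job for requesting them.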