Request for guidance on using reuse spdx output with GitHub Attestations in spdx format #178

Open
@puria

Description

Hi actions/attest team,

First, thank you for your excellent work on actions/attest! I’m new to supply chain security and am trying to understand how to incorporate SPDX SBOMs and licensing information into GitHub attestations using your GitHub Action. Most of my repositories are REUSE-compliant, and I’m trying to integrate the output of the reuse spdx command with attestations in GitHub.

If I’ve misunderstood anything, I apologize, and I’d greatly appreciate any guidance you can offer.

Questions:

  1. How can I integrate the SPDX SBOM and license data generated by the reuse spdx command into GitHub attestations using actions/attest?
  2. How can I generate and attach an SBOM using the npm sbom command and include it in a GitHub attestation using the in-toto format?
  3. Is there a recommended workflow or example for integrating REUSE-generated SPDX data with GitHub's attestation framework?

I’d appreciate any examples or advice on how to use your tool in this context to ensure SPDX compliance and proper licensing documentation.

Thank you again for your support!
