Consolidate attestation actions #346

Merged: bdehamer merged 4 commits into main from bdehamer/consolidate on Feb 13, 2026

Conversation

@bdehamer (Collaborator) commented Feb 12, 2026

Consolidate Attestation Actions

This PR consolidates the functionality of three attestation actions into actions/attest:

  • actions/attest (custom attestations)
  • actions/attest-build-provenance (SLSA provenance)
  • actions/attest-sbom (SPDX/CycloneDX SBOM)

Overview

The action now supports three modes with automatic detection:

| Mode | When used | Description |
|---|---|---|
| Build Provenance | No sbom-path or predicate inputs | Auto-generates SLSA build provenance |
| SBOM | sbom-path is provided | Creates attestation from SPDX or CycloneDX SBOM |
| Custom | predicate-type/predicate/predicate-path provided | User-supplied predicate |

Changes

New Features:

  • Added sbom-path input for SBOM attestations
  • Auto-detection of attestation type based on inputs
  • SLSA provenance is now the default mode (no predicate inputs required)
  • Subject deduplication by digest

New Files:

  • src/detect.ts - Attestation type detection and input validation
  • src/provenance.ts - SLSA provenance predicate generation
  • src/sbom.ts - SBOM parsing (SPDX/CycloneDX) and predicate generation
  • __tests__/detect.test.ts, __tests__/provenance.test.ts, __tests__/sbom.test.ts, __tests__/attest.test.ts

Modified Files:

  • action.yml - Added sbom-path input, made predicate-type optional
  • src/main.ts - Integrated detection and predicate generation by type
  • src/subject.ts - Added deduplication for checksums-based subjects
  • README.md - Documented three modes with examples

Usage Examples

Build Provenance (default):

  - uses: actions/attest@v4
    with:
      subject-path: my-artifact

SBOM:

  - uses: actions/attest@v4
    with:
      subject-path: my-artifact
      sbom-path: sbom.spdx.json

Custom:

  - uses: actions/attest@v4
    with:
      subject-path: my-artifact
      predicate-type: https://example.com/predicate/v1
      predicate-path: predicate.json

Testing

  • 83 tests passing
  • 100% test coverage on subject.ts, sbom.ts, main.ts, attest.ts

Rendered README

Signed-off-by: Brian DeHamer <bdehamer@github.com>
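The mode table and the "subject deduplication by digest" bullet above describe two small pieces of logic. The following TypeScript is an added example written for this page; it is not the project's src/detect.ts or src/subject.ts. The input names follow the PR description; the rules for rejecting mixed inputs, the sha256sum-style checksums format, and the sample checksums content are assumptions.

```typescript
// Added example, not the project's src/detect.ts or src/subject.ts. Input
// names follow the PR; the conflict rules and the checksums-file format
// (sha256sum-style "<hex>  <file>" lines) are assumptions.

export type AttestationType = 'provenance' | 'sbom' | 'custom'

export interface AttestInputs {
  subjectPath?: string
  sbomPath?: string
  predicateType?: string
  predicate?: string
  predicatePath?: string
}

// Mode detection mirroring the table in the PR description: sbom-path selects
// SBOM, predicate inputs select custom, and no predicate inputs at all means
// SLSA build provenance. Mixed inputs are rejected instead of silently ignored,
// so a workflow cannot believe it attested an SBOM when it attested a predicate.
export function detectAttestationType(inputs: AttestInputs): AttestationType {
  const hasSbom = !!inputs.sbomPath
  const hasType = !!inputs.predicateType
  const hasBody = !!inputs.predicate || !!inputs.predicatePath

  if (hasSbom && (hasType || hasBody)) {
    throw new Error('sbom-path cannot be combined with predicate inputs')
  }
  if (hasSbom) {
    return 'sbom'
  }
  if (hasType || hasBody) {
    if (!hasType) throw new Error('predicate-type is required with predicate or predicate-path')
    if (!hasBody) throw new Error('predicate or predicate-path is required with predicate-type')
    if (inputs.predicate && inputs.predicatePath) {
      throw new Error('predicate and predicate-path are mutually exclusive')
    }
    return 'custom'
  }
  return 'provenance'
}

export interface Subject {
  name: string
  digest: { [algorithm: string]: string }
}

// Parse sha256sum-style output into subjects. Blank lines are skipped; any
// other line that does not match is an error, so a malformed checksums file
// cannot silently drop an artifact from the attestation.
export function parseChecksums(text: string): Subject[] {
  const subjects: Subject[] = []
  for (const raw of text.split('\n')) {
    const line = raw.trim()
    if (line === '') continue
    const m = /^([0-9a-f]{64})\s+\*?(.+)$/i.exec(line)
    if (!m) throw new Error('unrecognised checksums line: ' + line)
    subjects.push({ name: m[2], digest: { sha256: m[1].toLowerCase() } })
  }
  return subjects
}

// Deduplicate by name plus digest, keeping the first occurrence and order.
export function dedupeSubjects(subjects: Subject[]): Subject[] {
  const seen: { [key: string]: true } = {}
  const out: Subject[] = []
  for (const s of subjects) {
    const algs = Object.keys(s.digest).sort()
    const key = s.name + '\0' + algs.map(a => a + ':' + s.digest[a]).join(',')
    if (seen[key]) continue
    seen[key] = true
    out.push(s)
  }
  return out
}

// Constructed sample: a checksums file that lists one artifact twice.
export const SAMPLE_CHECKSUMS = [
  '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  my-artifact-linux.tar.gz',
  'fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210  my-artifact-darwin.tar.gz',
  '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  my-artifact-linux.tar.gz'
].join('\n')

console.log(detectAttestationType({ subjectPath: 'my-artifact' })) // provenance
console.log(dedupeSubjects(parseChecksums(SAMPLE_CHECKSUMS)).length) // 2
```

The deduplication key combines name and digest, matching the Copilot summary of src/subject.ts; keying on digest alone would also collapse two differently named files with identical content into one subject, which may or may not be what a release workflow wants.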
@bdehamer bdehamer requested a review from a team as a code owner February 12, 2026 20:03
Copilot AI review requested due to automatic review settings February 12, 2026 20:03
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/consolidate branch from da2fc43 to 5b2d167 on February 12, 2026 20:07
Copilot AI (Contributor) left a comment

Pull request overview

This PR consolidates three separate attestation actions (actions/attest, actions/attest-build-provenance, and actions/attest-sbom) into a single unified action with automatic mode detection. The action now supports three distinct modes: Build Provenance (default), SBOM, and Custom attestations.

Changes:

  • Added automatic attestation type detection with three modes: provenance (default when no predicate inputs), SBOM (when sbom-path is provided), and custom (when predicate inputs are provided)
  • Made predicate-type input optional since it's no longer required for provenance/SBOM modes
  • Implemented subject deduplication for checksum-based subjects to handle duplicate entries

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| src/detect.ts | New file implementing attestation type detection and input validation logic |
| src/provenance.ts | New file wrapping SLSA provenance predicate generation from @actions/attest |
| src/sbom.ts | New file for parsing SPDX/CycloneDX SBOMs and generating predicates |
| src/main.ts | Integrated detection logic and type-based predicate generation |
| src/subject.ts | Added deduplication by name and digest for checksum-based subjects |
| src/index.ts | Added sbomPath input parameter |
| action.yml | Updated input descriptions, made predicate-type optional, added sbom-path |
| package.json | Added --minify and --source-map flags to build command |
| README.md | Updated documentation with new attestation modes and usage examples |
| tests/*.test.ts | Comprehensive test coverage for new functionality |
| dist/* | Updated generated distribution files |
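The review summary above notes that src/sbom.ts parses SPDX and CycloneDX SBOMs and generates predicates from them. The TypeScript below is an added example for this page, not the project's src/sbom.ts: it recognises the two formats from their top-level markers (spdxVersion for SPDX, bomFormat for CycloneDX, both from the respective JSON schemas) and wraps the document as a predicate. The predicate-type URIs, the error messages and the two sample documents are assumptions.

```typescript
// Added example, not the project's src/sbom.ts. The format markers come from
// the SPDX and CycloneDX JSON schemas; the predicate-type URI scheme is an
// assumption about how the action labels the resulting predicate.

export type SbomFormat = 'spdx' | 'cyclonedx'

export interface SbomPredicate {
  type: string                        // in-toto predicateType URI
  params: { [key: string]: unknown }  // the SBOM document, embedded verbatim
}

type JsonObject = { [key: string]: unknown }

// Recognise the SBOM flavour from its top-level markers. Anything else is
// rejected: signing an arbitrary JSON blob as an SBOM would produce an
// attestation that verifiers cannot interpret.
export function detectSbomFormat(doc: JsonObject): SbomFormat {
  if (typeof doc.spdxVersion === 'string' && /^SPDX-\d+\.\d+$/.test(doc.spdxVersion)) {
    return 'spdx'
  }
  if (doc.bomFormat === 'CycloneDX') {
    return 'cyclonedx'
  }
  throw new Error('unrecognised SBOM: expected spdxVersion (SPDX) or bomFormat (CycloneDX)')
}

// Turn the raw contents of sbom-path into a predicate. Failures are reported
// in terms of the input so a bad file fails loudly rather than attesting junk.
export function sbomPredicate(json: string): SbomPredicate {
  let parsed: unknown
  try {
    parsed = JSON.parse(json)
  } catch (err) {
    throw new Error('sbom-path does not contain valid JSON')
  }
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error('SBOM must be a JSON object')
  }
  const doc = parsed as JsonObject
  const format = detectSbomFormat(doc)
  if (format === 'spdx') {
    // "SPDX-2.3" -> "2.3"; the predicate type carries the spec version (assumed URI scheme)
    const version = (doc.spdxVersion as string).replace(/^SPDX-/, '')
    return { type: 'https://spdx.dev/Document/v' + version, params: doc }
  }
  return { type: 'https://cyclonedx.org/bom', params: doc }
}

// Constructed minimal samples, just enough to exercise detection.
export const SAMPLE_SPDX = JSON.stringify({
  spdxVersion: 'SPDX-2.3',
  SPDXID: 'SPDXRef-DOCUMENT',
  name: 'my-artifact',
  packages: [{ name: 'my-artifact', SPDXID: 'SPDXRef-Package' }]
})

export const SAMPLE_CYCLONEDX = JSON.stringify({
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [{ type: 'application', name: 'my-artifact' }]
})

console.log(sbomPredicate(SAMPLE_SPDX).type)      // https://spdx.dev/Document/v2.3
console.log(sbomPredicate(SAMPLE_CYCLONEDX).type) // https://cyclonedx.org/bom
```

Embedding the whole document as the predicate means the attestation's signature covers the SBOM contents byte for byte, which is what lets a verifier later detect a modified SBOM.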


@bdehamer (Collaborator, Author) commented:

I've got examples of running the new consolidated action in the various modes here:

@ajbeattie (Contributor) left a comment

Nice! This looks great to me - just one question and a small nit suggestion! Thanks for the very clear description and doc updates 💯

bdehamer and others added 2 commits February 12, 2026 15:45
Co-authored-by: Austin Beattie <ajbeattie@github.com>
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer requested a review from ajbeattie February 12, 2026 23:49
@ajbeattie (Contributor) left a comment

🚀

@bdehamer bdehamer merged commit dc4ad3c into main Feb 13, 2026
5 checks passed
@bdehamer bdehamer deleted the bdehamer/consolidate branch February 13, 2026 19:23