The actions/nodejs/secure-attestations-download action provides a way to
download attestations generated by the Node.js
builder. The attestation can then
be used to publish the package or upload to a secondary storage.
jobs:
build:
permissions:
id-token: write
contents: read
actions: read
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v1.9.0
with:
run-scripts: "ci, build"
download:
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Download provenance
uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@v1.9.0
with:
name: ${{ needs.build.outputs.provenance-download-name }}
path: "attestations"
sha256: ${{ needs.build.outputs.provenance-download-sha256 }}This will download the attestation file to
<GITHUB_WORKSPACE>/attestations/<artifact name>/.
See Custom Publishing for a full example of publishing using a custom tool.
| Name | Required | Default | Description |
|---|---|---|---|
name |
yes | The GitHub Actions workflow run artifact name. Note that this is a name given to an upload, not the path or filename | |
path |
no | "." | The path to download the attestations into. Must be under the GITHUB_WORKSPACE |
sha256 |
yes | The SHA256 of the artifact for verification |
There are no outputs.