Skip to content
play

GitHub Action

in-toto-run

v0.0.1 Latest version

in-toto-run

play

in-toto-run

Creates Attesttion of CI Process

Installation

Copy and paste the following snippet into your .yml file.

 
              
- name: in-toto-run

              
  uses: in-toto/github-action@v0.0.1
Learn more about this action in in-toto/github-action

Choose a version

in-toto-run action

This is a wrapper for the in-toto-run command. It is intended to be used by developers to wrap the commands that are performed as part of their software supply chain. The wrapper will record metadata for the passed command.

Example Usage

on: [push]
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout
jobs:
  test:
    runs-on: ubuntu-latest
    name: test intoto-run
    steps:
      - uses: actions/checkout@v2
      - uses: testifysec/intoto-run-action@main
        name: intoto run command
        with:
          step-name: 'test'
          private-key: | 
            -----BEGIN PRIVATE KEY-----
            MC4CAQAwBQYDK2VwBCIEIOl8ZskJnvzzBzudkifLO9EPu8Nuy9+eo8ryIZ7cVbwF
            -----END PRIVATE KEY-----
          command: touch test.txt
          products: 'test.txt'
          exclude: "node_modules/"
      - name: show-attestation
        run: cat $RUNNER_TEMP/meta/*.link

Roadmap

  • Add support for multiple commands
  • Intgration with Fulcio for signing attestations
  • Upload link meta-data to Archivist

Contributing

Contributions are welcome! Please see our contributing guidelines.