if we unwind createSingle/Multi attestations, we can call this like we did before.

I've now reverted this (logAttestation) to the previous state, passing the full subjects list instead of a per-attestation attestationSubjects. I'm not sure though that this is the right change to make.

The current design of actions/attest@v2 has a single attestation with multiple subjects. logAttestation is thus only ever called once, with the full list of subjects. This list of subjects matches the subjects attested in the single attestation. Should there only be a single artefact, the name and SHA256 digest are printed, else the number of subjects is printed.

This PR introduces a 1:1 relationship between subjects and attestations. We now call logAttestation once per attestation generated, but each time with the full list of subjects. We should thus print the name and digest of the single subject each time -- but we can't, as there's no easy way of linking the attested subject to the created attestation (I have looked through the fields of the Attestation type).

The result is that we only print the name and digest if there is exactly one subject being attested (i.e. the behaviour is the same regardless of this PR), and that for more than one subject we print "Attestation created for N subjects", N times. Clearly this is wrong.

As such, I think the right thing to do here is either restore attestationSubjects, or remove the == 1 check, and only print out the number of subjects. I understand not wanting to unnecessarily change the AttestationResult type, so the latter option may be the most pragmatic. (see below for context on why I contend that printing subjects is valuable, though).

The other half of this, and the reason behind my change to logSummary(), is that currently for a multiple-subject attestation the names of the said subjects aren't ever printed out. One can introspect the name by base64-decoding the DSSE Envelope's payload & extracting the inner subject key, but this isn't exactly ergonomic. Especially for glob input, I do feel that this action should print the names (and digests) of the attested subjects for overview and debugging.

Ideally, the underlying JavaScript / TypeScript code would be changed to allow easier access to the names of subjects, obviating the need for the custom attestationSubjects list, but I don't know if this is possible given that Sigstore specifications must be adhered to.

As such, I think the right thing to do here is either restore attestationSubjects, or remove the == 1 check, and only print out the number of subjects.

Shall we remove the == 1 check and the need to pass in subjects at all 😅 ?

is that currently for a multiple-subject attestation the names of the said subjects aren't ever printed out.

Genuine curiosity: how and why do you need this output? Just entirely for debugging?

(For the record, my interest here is in just keeping a small and tidy PR).

I'd support a) ditching subjects as a param to logAttestation and just having a logSubjects that prints the list separately with formatSubjectDigest 🙂.

As such, I think the right thing to do here is either restore attestationSubjects, or remove the == 1 check, and only print out the number of subjects.

Shall we remove the == 1 check and the need to pass in subjects at all 😅 ?

This might end up being the most pragmatic option for this PR.

is that currently for a multiple-subject attestation the names of the said subjects aren't ever printed out.

Genuine curiosity: how and why do you need this output? Just entirely for debugging?

(For the record, my interest here is in just keeping a small and tidy PR).

I agree small PRs are better. For the short term, the output is useful as a sanity check / for debugging. Longer term, it would be great to have some access to the names of subjects via the Attestation object, as my use-case involves converting to PEP 740 attestations for the Python Package Index, for which I need to know the filename of the subject.

I have pushed a logSubjects change as you suggest @phillmv.

Longer term, it would be great to have some access to the names of subjects via the Attestation object, as my use-case involves converting to PEP 740 attestations for the Python Package Index, for which I need to know the filename of the subject.

@AA-Turner is your idea that you would get this via sigstore/sigstore-js? if you want an easy way to pop this info, I hereby suggest:

gh at inspect --format=json bundle.json |jq .inspectedBundles[].statement.subject[].name

This is where my typescript knowledge ends! I don't know if it should be in sigstore, the JS library underlying this action, or some other location. My basic goal is to extract the subject names from JSON.

Currently, I have a custom Python script (convert_attestations.py) that does this, but to get the subjects it needs to extract base64-encoded JSON, rather than subjects just being a key at any level of the actual attestation JSON.

I ran the command you suggest ('at' are my initials, fun), and it seems to get the data that I need -- but running an external command isn't great here (I want to trust as few tools as possible whilst converting attestations), and I can't guarantee that all project contributors will have the gh CLI tool.

Thank you for the suggestions, though!

A