[TODO] Explore uploading attestations to GitHub as well #288
Comments
webknjaz
added
enhancement
|
Yep, this should be straightforward to do -- the attestation will either need to be uploaded to GH before it's munged into the PEP 740 shape, or re-munged back into a Sigstore bundle for subsequent uploading. One note: putting things in GH's attestations store also requires |
|
I haven't found a way to feature-test. So it'd probably be an upload attempt with error suppression... |
Makes sense to me 🙂 |
|
@woodruffw it might be a good idea to also explore exposing the signatures to the end-users (maybe, via action outputs?). As in, beyond telling them to scan the |
|
Yeah, that's a good idea -- I haven't been 100% sure how to do it since it's a one-many relationship in theory (one dist, potentially multiple attestations), so action outputs become a little hacky. I'll think about that some more. |
|
Probably wrap it as a JSON string. |
|
Good idea! Outputs are limited to 1MB, but they should be well below that. |
|
Yeah, I tend to be wrestling with passing complex data into and out of the actions (like alls-green) for a long time. And I settled on JSON, especially since they have builtin functions available ( |
This is how the official action does this: https://github.com/actions/toolkit/blob/77f247b/packages/attest/src/store.ts#L5-L44.
This is the API endpoint doc: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-an-attestation.
The text was updated successfully, but these errors were encountered: