GitHub Actions
Cimon Attest Action
The Cimon Attest action is the best method to run Cimon Attest in GitHub Actions, allowing you to generate and attest your provenance seamlessly within any GitHub Actions workflow.
Installation
To use the Cimon Attest action in your GitHub Actions workflow, you need to add it as a step in your workflow file.
Step 1: Sign in to your GitHub account and navigate to your repository.
Step 2: Create or open an existing workflow file (e.g., .github/workflows/main.yml).
Step 3: Add the following step to your workflow file after creating the desired artifacts:
```yaml
- name: Cimon Attest
  uses: cycodelabs/cimon-action/attest@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}
    subjects: |
      dist/artifact1
      dist/artifact2
    sign-key: private-key.pem
```
The subjects parameter should contain a list of artifact paths, one per line, or base64-encoded subjects. The sign-key parameter is optional; when given, it is the path to a private ECDSA/RSA/ED25519 key used to sign the provenance statement.
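The following complete workflow, added here as an example and not taken from the Cimon project's own documentation, puts the three installation steps together: it builds the artifacts, materialises the signing key from a secret without interpolating it into a shell script, runs the attest step with fail-on-error enabled so a failed attestation fails the release, and checks the two step outputs before anything downstream depends on them. The build command, the secret name CIMON_SIGN_KEY, and the tag-triggered release flow are assumptions for the example; the action inputs, outputs, and the CIMON_CLIENT_ID / CIMON_SECRET secret names are the ones on this page.

```yaml
# Added example workflow; not part of the Cimon documentation.
# Assumes: the repository builds into dist/, the signing key is stored in a
# repository secret named CIMON_SIGN_KEY (hypothetical name), and the Cimon
# credentials are in the CIMON_CLIENT_ID / CIMON_SECRET secrets as on the page.
name: build-and-attest

on:
  push:
    tags: ["v*"]

permissions:
  contents: read   # least privilege: the attest step needs no write scope

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the artifacts that will become the provenance subjects.
      - name: Build
        run: |
          mkdir -p dist
          make release OUT=dist   # placeholder build command

      # Write the private key from a secret. Passing it through an environment
      # variable, rather than interpolating ${{ }} inside the script body,
      # keeps the secret out of the shell command line and the job log.
      - name: Write signing key
        env:
          SIGN_KEY: ${{ secrets.CIMON_SIGN_KEY }}   # hypothetical secret name
        run: |
          umask 077
          printf '%s\n' "$SIGN_KEY" > "$RUNNER_TEMP/private-key.pem"

      - name: Cimon Attest
        id: cimonAttest
        uses: cycodelabs/cimon-action/attest@v0
        with:
          client-id: ${{ secrets.CIMON_CLIENT_ID }}
          secret: ${{ secrets.CIMON_SECRET }}
          subjects: |
            dist/
          sign-key: ${{ runner.temp }}/private-key.pem
          fail-on-error: true   # a failed attestation must fail the release job

      # Sanity-check the step outputs: both files must exist and be non-empty,
      # and the provenance statement must parse as JSON.
      - name: Check provenance outputs
        env:
          PROV: ${{ steps.cimonAttest.outputs.provenanceOutput }}
          SIGNED: ${{ steps.cimonAttest.outputs.signedProvenanceOutput }}
        run: |
          test -s "$PROV" && test -s "$SIGNED"
          jq . "$PROV" > /dev/null

      # Remove the key material from the runner even if an earlier step failed.
      - name: Remove signing key
        if: always()
        run: rm -f "$RUNNER_TEMP/private-key.pem"
```

The key is written under the runner's temp directory with a restrictive umask and deleted in an `if: always()` step, so it never lands in the checked-out tree (where a later upload-artifact step could accidentally publish it) and does not outlive the job.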
Cimon Attest Parameters
The Cimon Attest action supports the following parameters:
Parameter | Default Value | Description |
---|---|---|
client-id | | Cimon client ID for authentication. |
secret | | Cimon secret for authentication. |
url | | Cimon endpoint for authentication. |
release-path | | Path to a Cimon release file (used for debugging). |
subjects | | A whitespace-separated list of paths, or base64-encoded subjects. Each path can be a file, a directory, or an image reference. |
image-ref | | (Deprecated) The container reference to generate provenance for. Either subjects or image-ref is required. |
sign-key | | Input path to a private ECDSA/RSA/ED25519 key used to sign the provenance statement. |
provenance-output | "provenance.intoto.jsonl" | Provenance output path. Can be an absolute path or a path relative to the default working directory. |
signed-provenance-output | "provenance.intoto.jsonl.sig" | Signed provenance output path. Can be an absolute path or a path relative to the default working directory. |
report-job-summary | true | Enable to report the provenance documents as job summary output. |
report-artifact | true | Enable to report the provenance documents as job artifacts. |
log-level | info | Log level used for debugging. |
fail-on-error | false | Fail the CI job if Cimon encounters an error. |
Cimon Attest Output
The Cimon Attest action exposes the following outputs, which later steps can read once the action has finished. The example below uses both of them via the step id cimonAttest:
- provenanceOutput - Path to the file that contains the provenance output. It exists if the action succeeded.
- signedProvenanceOutput - Path to the file that contains the signed provenance output. It exists if the action succeeded and was given a signing key.
```yaml
- name: Cimon Attest
  id: cimonAttest
  uses: cycodelabs/cimon-action/attest@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}
    subjects: python@sha256:a7932e04b914facd8d75475998c232cb0e3912435eb4ca7ee02fd439c2dc585c
    sign-key: ...

# provenanceOutput is the path to the provenance output file
- name: Print Provenance
  run: |
    cat "${{ steps.cimonAttest.outputs.provenanceOutput }}" | jq

# signedProvenanceOutput is the path to the signed provenance output file;
# relevant only if a signing key was given.
- name: Print Signed Provenance
  run: |
    cat "${{ steps.cimonAttest.outputs.signedProvenanceOutput }}" | jq
```
Job Summary Report
Cimon Attest uploads the provenance document as a job summary for the GitHub Actions job, where it is available under the job's summary view. The report can be turned off by setting the report-job-summary: false parameter. Additional information on how job summaries work can be found here.
Cimon Integration
Cimon Attest uploads signed or unsigned provenance documents to the Cycode platform for storage, enrichment, and verification. For that, you need to supply the action with service account credentials or a personal access token, together with the endpoint URL:
```yaml
- name: Cimon Attest
  uses: cycodelabs/cimon-action/attest@v0
  with:
    client-id: ${{ secrets.CIMON_CLIENT_ID }}
    secret: ${{ secrets.CIMON_SECRET }}
    url: ${{ secrets.CIMON_URL }}
    subjects: |
      dist/
    sign-key: private-key.pem
```
Note: The provided documentation assumes that you have already set up your GitHub Actions workflow and have access to the required secrets for authentication with Cimon. Please make sure to replace the placeholder values with the actual ones specific to your workflow and repository.