This action converts the Sigstore bundles generated by the attest-build-provenance GitHub action into PyPI attestations.
See action.yml
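# Inputs accepted by the action (excerpt of action.yml). The nesting is
# restored here: with every key at column 0 the snippet parses as one flat
# mapping with duplicate `description` / `required` keys.
inputs:
  # Keep the path or glob narrow so that only the bundles produced by this
  # workflow run are picked up for conversion.
  bundles:
    description: >-
      Sigstore bundles to convert. Accepts only .jsonl files.
      May contain a glob pattern or list of paths.
    required: true
  # When omitted, the action creates a temporary directory and reports its
  # path through the `output-dir` output.
  output-dir:
    description: >-
      Directory where to store the converted attestations.
      Optional, if omitted a new temporary directory will be
      created and returned as an output.
    required: false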
| Name | Description | Example |
|---|---|---|
| `output-dir` | Absolute path to the directory containing the converted attestations | `/tmp/aao23HKb2/` |
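# Workflow steps excerpt: generate build provenance for the files in dist/,
# then convert the resulting Sigstore bundle into PyPI attestations.
# The job that runs attest-build-provenance needs the `id-token: write` and
# `attestations: write` permissions; grant them on that job only, not
# workflow-wide.
- name: Create provenances
  id: create-provenances
  # `@v1` is a movable tag. Pin to a full commit SHA if the workflow must not
  # change behaviour when the tag is moved.
  uses: actions/attest-build-provenance@v1
  with:
    subject-path: 'dist/*'
- name: Convert provenances
  # NOTE(review): `@main` tracks a moving branch, so the code that handles
  # the attestations can change between runs without any change to this
  # file. Prefer a release tag or a full commit SHA, e.g.
  # trailofbits/gh-action-adapt-sigstore-pypi@<FULL_COMMIT_SHA>  (placeholder)
  uses: trailofbits/gh-action-adapt-sigstore-pypi@main
  with:
    # Bundle path is taken from the step above via its `id`.
    bundles: ${{ steps.create-provenances.outputs.bundle-path }}
    # Converted attestations are written next to the distributions.
    output-dir: dist/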