github.com/yogeshkumararora/slsa-github-generator@v1.10.1-0.20240520161934-11278bd5afb4/actions/nodejs/secure-attestations-download/README.md (about) 1 # secure-attestations-download 2 3 The `actions/nodejs/secure-attestations-download` action provides a way to 4 download attestations generated by the [Node.js 5 builder](../../../internal/builders/nodejs/README.md). The attestation can then 6 be used to publish the package or upload to a secondary storage. 7 8 ## Example 9 10 ```yaml 11 jobs: 12 build: 13 permissions: 14 id-token: write 15 contents: read 16 actions: read 17 if: startsWith(github.ref, 'refs/tags/') 18 uses: yogeshkumararora/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v2.0.0 19 with: 20 run-scripts: "ci, build" 21 22 download: 23 needs: [build] 24 runs-on: ubuntu-latest 25 steps: 26 - name: Download provenance 27 uses: yogeshkumararora/slsa-github-generator/actions/nodejs/secure-attestations-download@v2.0.0 28 with: 29 name: ${{ needs.build.outputs.provenance-download-name }} 30 path: "attestations" 31 sha256: ${{ needs.build.outputs.provenance-download-sha256 }} 32 ``` 33 34 This will download the attestation file to 35 `<GITHUB_WORKSPACE>/attestations/<artifact name>/`. 36 37 See [Custom Publishing](../../../internal/builders/nodejs/README.md#custom-publishing) for 38 a full example of publishing using a custom tool. 39 40 ## Inputs 41 42 | Name | Required | Default | Description | 43 | -------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------- | 44 | `name` | yes | | The GitHub Actions workflow run artifact name. Note that this is a name given to an upload, not the path or filename | 45 | `path` | no | "." | The path to download the attestations into. Must be under the `GITHUB_WORKSPACE` | 46 | `sha256` | yes | | The SHA256 of the artifact for verification | 47 48 ## Outputs 49 50 There are no outputs.