https://github.com/actions/attest/actions/runs/12921612078/job/36045041753?pr=203
Run ./
Error: Error: missing "id-token" permission. Please add "permissions: id-token: write" to your workflow.
It is possible to fix this in various ways:
But, it's also possible to just do something like:
on:
pull_request:
branches:
- main
push:
- branches:
- - main
- - 'releases/*'
+ # no constraints for push, otherwise there's no CI for PRs from forks which is problematic
permissions: {}
jobs:
test-typescript:
name: TypeScript Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node.js
id: setup-node
uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
with:
node-version-file: .node-version
cache: npm
- name: Install Dependencies
id: npm-ci
run: npm ci
- name: Check Format
id: npm-format-check
run: npm run format:check
- name: Lint
id: npm-lint
run: npm run lint
- name: Test
id: npm-ci-test
run: npm run ci-test
test-attest:
name: Test attest action
runs-on: ubuntu-latest
permissions:
contents: read
attestations: write
id-token: write
env:
SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }}
steps:
- name: Checkout
id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Calculate subject digest
id: subject
env:
GH_TOKEN: ${{ github.token }}
run: |
SHA_256=$(gh api "${{ env.SUBJECT }}" | shasum -a 256 | cut -d " " -f 1)
echo "sha-256=${SHA_256}" >> "$GITHUB_OUTPUT"
+ - name: Skip for PRs from forks
+ shell: bash
+ id: skip
+ if: github.event_name != 'push' || github.pull_request.head.user.login != github.pull_request.base.user.login
+ run: |
+ echo '::warning title=Test attest action skipped::Testing action requires permissions and isn't done for PRs from forks.'
+ echo 'skip=1' >> "$GITHUB_OUTPUT"
- name: Run attest
id: attest
+ if: ${{ ! steps.skip.outputs.skip }}
env:
INPUT_PRIVATE-SIGNING: 'true'
uses: ./
with:
subject-name: 'https://api.github.com${{ env.SUBJECT }}'
subject-digest: 'sha256:${{ steps.subject.outputs.sha-256 }}'
predicate-type: 'https://in-toto.io/attestation/release/v0.1'
predicate:
'{"purl":"pkg:github/${{ github.repository }}@${{ github.sha }}"}'
https://github.com/actions/attest/actions/runs/12921612078/job/36045041753?pr=203
It is possible to fix this in various ways:
But, it's also possible to just do something like:
on: pull_request: branches: - main push: - branches: - - main - - 'releases/*' + # no constraints for push, otherwise there's no CI for PRs from forks which is problematic permissions: {} jobs: test-typescript: name: TypeScript Tests runs-on: ubuntu-latest permissions: contents: read steps: - name: Checkout id: checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Node.js id: setup-node uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 with: node-version-file: .node-version cache: npm - name: Install Dependencies id: npm-ci run: npm ci - name: Check Format id: npm-format-check run: npm run format:check - name: Lint id: npm-lint run: npm run lint - name: Test id: npm-ci-test run: npm run ci-test test-attest: name: Test attest action runs-on: ubuntu-latest permissions: contents: read attestations: write id-token: write env: SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }} steps: - name: Checkout id: checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Calculate subject digest id: subject env: GH_TOKEN: ${{ github.token }} run: | SHA_256=$(gh api "${{ env.SUBJECT }}" | shasum -a 256 | cut -d " " -f 1) echo "sha-256=${SHA_256}" >> "$GITHUB_OUTPUT" + - name: Skip for PRs from forks + shell: bash + id: skip + if: github.event_name != 'push' || github.pull_request.head.user.login != github.pull_request.base.user.login + run: | + echo '::warning title=Test attest action skipped::Testing action requires permissions and isn't done for PRs from forks.' + echo 'skip=1' >> "$GITHUB_OUTPUT" - name: Run attest id: attest + if: ${{ ! steps.skip.outputs.skip }} env: INPUT_PRIVATE-SIGNING: 'true' uses: ./ with: subject-name: 'https://api.github.com${{ env.SUBJECT }}' subject-digest: 'sha256:${{ steps.subject.outputs.sha-256 }}' predicate-type: 'https://in-toto.io/attestation/release/v0.1' predicate: '{"purl":"pkg:github/${{ github.repository }}@${{ github.sha }}"}'