e802aa6 to ca3ef68
Pull request overview
This PR prepares the v4 release by converting actions/attest-sbom from a TypeScript-based action into a composite wrapper that forwards inputs/outputs directly to actions/attest@v4, while removing the now-unneeded source code, tests, and Node/TypeScript tooling.
Changes:
- Replace the internal predicate-generation + attest flow with a pass-through composite step invoking `actions/attest@v4` (and emit a deprecation warning).
- Remove the TypeScript implementation (`src/`), unit tests (`__tests__/`), and Node/TS build + lint infrastructure.
- Simplify repository automation by removing workflows and Dependabot entries that were specific to the removed TS/Node code.
Reviewed changes
Copilot reviewed 20 out of 24 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| action.yml | Switch to composite wrapper: emit deprecation warning and call actions/attest@v4, forwarding inputs and mapping outputs. |
| README.md | Add deprecation notice; update usage guidance to point to actions/attest and link legacy docs. |
| .github/workflows/ci.yml | Remove TypeScript test/lint job; keep action-level CI job. |
| .github/dependabot.yml | Remove npm ecosystem updates; keep GitHub Actions updates. |
| tsconfig.json / tsconfig.lint.json | Removed TS compilation configs (no longer needed). |
| eslint.config.mjs / .prettierrc.json / .prettierignore | Removed formatting/lint configuration (no longer needed). |
| package.json / jest.setup.js | Removed Node package definition and Jest setup (no longer needed). |
| src/* | Removed prior SBOM predicate generation implementation. |
| `__tests__/*` | Removed unit tests and fixtures. |
| predicate/action.yml | Removed nested predicate action (no longer needed). |
| dist/licenses.txt | Removed bundled licenses file (no longer needed after removing dist output). |
| .github/workflows/codeql-analysis.yml / check-dist.yml | Removed workflows tied to TS/Node build artifacts. |
| .node-version | Removed Node pin (no longer needed for composite-only action). |
Signed-off-by: Brian DeHamer <bdehamer@github.com>
ca3ef68 to 5bc55fe
tingx2wang approved these changes on Feb 25, 2026
Updates the `action.yml` so that this action is now simply a pass-through to `actions/attest`. The `actions/attest` action now exposes all of the capabilities previously spread across `actions/attest-build-provenance` and `actions/attest-sbom`.

The major version bump here reflects the fact that the underlying implementation has fundamentally changed, but this should be backward-compatible for anyone using v3.x of this action.