docs: Add README for secure-attestations-download (#2607)

ianlewis · web-flow · commit b385571a6198 · 2023-08-09T05:47:06.000Z
Fixes #2529 --------- Signed-off-by: Ian Lewis <ianlewis@google.com>
diff --git a/actions/nodejs/secure-attestations-download/README.md b/actions/nodejs/secure-attestations-download/README.md
@@ -0,0 +1,50 @@
+# secure-attestations-download
+
+The `actions/nodejs/secure-attestations-download` action provides a way to
+download attestations generated by the [Node.js
+builder](../../../internal/builders/nodejs/README.md). The attestation can then
+be used to publish the package or upload to a secondary storage.
+
+## Example
+
+```yaml
+jobs:
+  build:
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    if: startsWith(github.ref, 'refs/tags/')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v1.8.0
+    with:
+      run-scripts: "ci, build"
+
+  download:
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download provenance
+        uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@v1.8.0
+        with:
+          name: ${{ needs.build.outputs.provenance-download-name }}
+          path: "attestations"
+          sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
+```
+
+This will download the attestation file to
+`<GITHUB_WORKSPACE>/attestations/<artifact name>/`.
+
+See [Custom Publishing](../../../internal/builders/nodejs/README.md#custom-publishing) for
+a full example of publishing using a custom tool.
+
+## Inputs
+
+| Name     | Required | Default | Description                                                                                                          |
+| -------- | -------- | ------- | -------------------------------------------------------------------------------------------------------------------- |
+| `name`   | yes      |         | The GitHub Actions workflow run artifact name. Note that this is a name given to an upload, not the path or filename |
+| `path`   | no       | "."     | The path to download the attestations into. Must be under the `GITHUB_WORKSPACE`                                     |
+| `sha256` | yes      |         | The SHA256 of the artifact for verification                                                                          |
+
+## Outputs
+
+There are no outputs.
diff --git a/internal/builders/nodejs/README.md b/internal/builders/nodejs/README.md
@@ -218,6 +218,10 @@ jobs:
 You will need a package management tool that supports providing the provenance
 file. Currently [npm], [lerna] or [pnpm] can support this.
 
+See the full documentation for the
+[`secure-attestations-download` action](../../../actions/nodejs/secure-attestations-download/README.md)
+for more information.
+
 ### Referencing the Node.js builder
 
 At present, the builder **MUST** be referenced by a tag of the form `@vX.Y.Z`,
