From 4da31af0f5c2e0f627a42e98919281a5a6185c89 Mon Sep 17 00:00:00 2001 From: Ronen Slavin Date: Sun, 17 May 2026 11:45:12 +0300 Subject: [PATCH] fix(attest): export install path so verify steps can find cimon MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #114 scoped the action's install directory to $RUNNER_TEMP/cimon---/ as a security fix, but the docs + customer-facing demo workflow still hardcode the pre-#114 path of $RUNNER_TEMP/cimon/. A naive `cimon.exe attest verify` step following the action now fails with "cimon.exe not found". Surface the install path three ways so workflows can pick whichever fits their pattern without ever reconstructing the per-job tmpdir layout: 1. core.addPath(dir) — `cimon` / `cimon.exe` resolves on PATH for plain `run:` steps in the same job. 2. CIMON_PATH env var — absolute path, for callers that bypass PATH (locked-down self-hosted runners). 3. step output cimon-path — chains cleanly into other jobs via ${{ steps..outputs.cimon-path }}. Applies to all three install branches (Windows release-zip, Linux install.sh, and the release-path input override). After this lands, the docs example collapses from $exe = Join-Path $env:RUNNER_TEMP 'cimon\cimon.exe' & $exe attest verify ... to just cimon.exe attest verify ... — which is also what every other Marketplace action does. Co-Authored-By: Claude Opus 4.7 (1M context) --- attest/action.yml | 8 ++++++++ attest/dist/index.js | 12 ++++++++++++ attest/index.js | 12 ++++++++++++ 3 files changed, 32 insertions(+) diff --git a/attest/action.yml b/attest/action.yml index 5f4fcb1..71feb65 100644 --- a/attest/action.yml +++ b/attest/action.yml 
@@ -86,6 +86,14 @@ inputs: required: false default: 'false' +outputs: + cimon-path: + description: | + Absolute path to the installed cimon (or cimon.exe) binary used by + this action invocation. Downstream steps in the same job can also + reach the binary via the CIMON_PATH env var, or call `cimon` / + `cimon.exe` directly since the action adds the install dir to PATH. + runs: using: node20 main: 'dist/index.js' diff --git a/attest/dist/index.js b/attest/dist/index.js index 5c0db1c..d9106b7 100644 --- a/attest/dist/index.js +++ b/attest/dist/index.js @@ -127761,6 +127761,18 @@ async function run(config) { releasePath = CIMON_EXECUTABLE_PATH; } + // Expose the installed binary location to downstream workflow steps so + // they don't have to reconstruct the per-job tmpdir layout. Three + // surfaces, each for a different consumption pattern: + // - PATH: a later `cimon.exe attest verify ...` step just works. + // - CIMON_PATH env var: an absolute path for callers that bypass PATH + // (e.g. self-hosted runners with locked-down PATH lookup). + // - step output `cimon-path`: chains cleanly into another job via + // ${{ steps..outputs.cimon-path }}. + _actions_core__WEBPACK_IMPORTED_MODULE_0__.addPath(path__WEBPACK_IMPORTED_MODULE_5__.dirname(releasePath)); + _actions_core__WEBPACK_IMPORTED_MODULE_0__.exportVariable('CIMON_PATH', releasePath); + _actions_core__WEBPACK_IMPORTED_MODULE_0__.setOutput('cimon-path', releasePath); + if (config.attest.imageRef !== '') { _actions_core__WEBPACK_IMPORTED_MODULE_0__.warning( 'image-ref parameter is deprecated and will be removed in future versions. Please use subjects parameter instead.' diff --git a/attest/index.js b/attest/index.js index f2ae59d..7d3f7fc 100644 --- a/attest/index.js +++ b/attest/index.js 
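Review bot: The `cimon-path` description promises an absolute path but does not say how long that path stays valid. Per the commit message the binary is installed in a per-job directory under $RUNNER_TEMP, so the value is only meaningful inside the job that ran the action, whereas the code comment added in attest/index.js says the output chains into another job. I would add a sentence such as `The path points into a per-job temporary directory and is only valid within the job that ran this action.` and align the code comment with it. It may also be worth stating that the step output is the surface to prefer for verification steps, since any intermediate step that writes to GITHUB_PATH or GITHUB_ENV can change what `cimon` on PATH or CIMON_PATH resolves to.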
@@ -201,6 +201,18 @@ async function run(config) { releasePath = CIMON_EXECUTABLE_PATH; } + // Expose the installed binary location to downstream workflow steps so + // they don't have to reconstruct the per-job tmpdir layout. Three + // surfaces, each for a different consumption pattern: + // - PATH: a later `cimon.exe attest verify ...` step just works. + // - CIMON_PATH env var: an absolute path for callers that bypass PATH + // (e.g. self-hosted runners with locked-down PATH lookup). + // - step output `cimon-path`: chains cleanly into another job via + // ${{ steps..outputs.cimon-path }}. + core.addPath(path.dirname(releasePath)); + core.exportVariable('CIMON_PATH', releasePath); + core.setOutput('cimon-path', releasePath); + if (config.attest.imageRef !== '') { core.warning( 'image-ref parameter is deprecated and will be removed in future versions. Please use subjects parameter instead.'
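Review bot: `core.addPath(path.dirname(releasePath))` puts whatever directory holds `releasePath` on PATH for the remaining steps of the job, and nothing in the hunk makes that path absolute. The commit message says this also covers the release-path input override; if that input can be relative (not visible here), `path.dirname` yields `.` or another relative directory, so later steps would resolve commands from their working directory, and CIMON_PATH and the `cimon-path` output would not be the absolute path that action.yml documents. I would resolve once with `const cimonPath = path.resolve(releasePath);` and pass `cimonPath` to all three calls, and consider skipping `addPath` on the override branch, where the directory is caller-chosen and may hold other executables that would then shadow tools in later steps. The same lines appear in the bundled attest/dist/index.js hunk. The body of `run` starts and ends outside the hunk.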