actions · AA-Turner · Feb 28, 2025 · Mar 1, 2025 · Mar 1, 2025 · Mar 1, 2025
@@ -137,6 +137,8 @@ Attestations are saved in the JSON-serialized [Sigstore bundle][6] format.
 
 If multiple subjects are being attested at the same time, a single attestation
 will be created with references to each of the supplied subjects.
+If `single-subject-attestations` is true, each attestation will be written
+to the output file on  a separate line (using the [JSON Lines][7] format).
 
 ## Attestation Limits
 
@@ -320,6 +322,7 @@ jobs:
 [5]: https://cli.github.com/manual/gh_attestation_verify
 [6]:
   https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
+[7]: https://jsonlines.org/
 [8]: https://github.com/actions/toolkit/tree/main/packages/glob#patterns
 [9]:
   https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
@@ -47,6 +47,7 @@ const defaultInputs: main.RunInputs = {
   pushToRegistry: false,
   showSummary: true,
   githubToken: '',
+  singleSubjectAttestations: false,
   privateSigning: false
 }
 

@@ -64,6 +64,13 @@ inputs:
       The GitHub token used to make authenticated API requests.
     default: ${{ github.token }}
     required: false
+  single-subject-attestations:
+    description: >
+      If true, generate one attestation per subject, 
+      otherwise generate a single attestations with multiple subjects.
+      Defaults to false.
+    default: false
+    required: false
 outputs:
   bundle-path:
     description: 'The path to the file containing the attestation bundle.'