A GitHub Action that downloads and executes another GitHub Action or direct command with Witness attestation for supply chain security.
name: Example Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Run Action with Witness Attestation
id: attestation
uses: testifysec/action-wrapper@v4
with:
# Action to run
action-ref: "actions/hello-world-javascript-action@main"
who-to-greet: "World" # Passed to the nested action
# Witness configuration
step: "hello-world"
attestations: "command attestor.git"
enable-archivista: "true"
archivista-server: "https://archivista.example.com"name: Example Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Run Command with Witness Attestation
id: command-attestation
uses: testifysec/action-wrapper@v4
with:
# Command to run
command: "echo hello > hello.txt"
# Witness configuration
step: "command-step"
attestations: "command environment git"
enable-sigstore: "true"This action combines the functionality of a GitHub Action wrapper with Witness attestation:
- Downloads Witness: First, it downloads and installs the Witness tool
- Downloads the Action: It fetches and extracts the specified GitHub Action
- Runs with Attestation: The action is executed through Witness, which creates attestations
- Stores Results: Attestations are stored (optionally in Archivista) and GitOIDs are returned
The action wrapper transparently passes inputs to the nested action:
- Any input parameters not used by the wrapper action itself will be passed to the nested action as-is
- For example, if using the hello-world action, use
who-to-greet: "World"directly - GitHub shows a harmless warning about "unexpected inputs", but this can be safely ignored
- The wrapper distinguishes between its own inputs and those meant for the nested action
- GitHub Action Execution: Run any JavaScript GitHub Action
- Witness Integration: Create attestations for the action's execution
- Archivista Support: Store attestations in an Archivista server
- Flexible Configuration: Comprehensive options for Witness configuration
- Attestor Support: Run multiple attestors on the action's execution
| Input | Description | Required | Default |
|---|---|---|---|
action-ref |
Reference to the nested action (e.g., owner/repo@ref) | No¹ | |
command |
Command to run with Witness (use this or action-ref) | No¹ |
¹ Either action-ref or command must be provided
| Input | Description | Required | Default |
|---|---|---|---|
witness-version |
Version of Witness to use | No | 0.8.1 |
witness-install-dir |
Directory to install Witness | No | ./ |
| Input | Description | Required | Default |
|---|---|---|---|
step |
Step name for the attestation | Yes | |
attestations |
Space-separated list of attestors to run | Yes | |
outfile |
Path to output file for the attestation | No |
| Input | Description | Required | Default |
|---|---|---|---|
enable-archivista |
Enable archivista for storing attestations | No | false |
archivista-server |
Archivista server URL | No |
| Input | Description | Required | Default |
|---|---|---|---|
certificate |
Path to certificate file | No | |
key |
Path to key file | No | |
intermediates |
Space-separated list of intermediate certificate paths | No |
| Input | Description | Required | Default |
|---|---|---|---|
enable-sigstore |
Enable sigstore for signing | No | false |
fulcio |
Fulcio URL | No | |
fulcio-oidc-client-id |
Fulcio OIDC client ID | No | |
fulcio-oidc-issuer |
Fulcio OIDC issuer | No | |
fulcio-token |
Fulcio token | No |
| Input | Description | Required | Default |
|---|---|---|---|
timestamp-servers |
Space-separated list of timestamp server URLs | No |
| Input | Description | Required | Default |
|---|---|---|---|
trace |
Enable tracing | No | |
spiffe-socket |
Path to SPIFFE socket | No |
| Input | Description | Required | Default |
|---|---|---|---|
product-exclude-glob |
Glob pattern for excluding products | No | |
product-include-glob |
Glob pattern for including products | No |
| Input | Description | Required | Default |
|---|---|---|---|
attestor-link-export |
Export link attestor | No | false |
attestor-sbom-export |
Export SBOM attestor | No | false |
attestor-slsa-export |
Export SLSA attestor | No | false |
attestor-maven-pom-path |
Path to Maven POM file | No |
| Input | Description | Required | Default |
|---|---|---|---|
* |
Any inputs not used by the wrapper action will be passed through to the nested action as-is | No |
| Output | Description |
|---|---|
git_oid |
GitOID of the attestation (if created) |
- name: Run with Witness
id: witness-action
uses: testifysec/action-wrapper@v4
with:
action-ref: "actions/hello-world-javascript-action@main"
input-who-to-greet: "World"
step: "hello-world"
attestations: "command"- name: Run with Archivista
id: archivista-action
uses: testifysec/action-wrapper@v4
with:
action-ref: "actions/hello-world-javascript-action@main"
who-to-greet: "World"
step: "hello-world-archivista"
attestations: "command attestor.git"
enable-archivista: "true"
archivista-server: "https://archivista.example.com"
- name: Use GitOID
run: echo "Generated attestation with ID ${{ steps.archivista-action.outputs.git_oid }}"- name: Run with Multiple Attestors
uses: testifysec/action-wrapper@v4
with:
action-ref: "actions/hello-world-javascript-action@main"
who-to-greet: "World"
step: "hello-world-attestors"
attestations: "command attestor.git attestor.slsa attestor.sbom"
attestor-slsa-export: "true"
attestor-sbom-export: "true"
outfile: "./attestation.json"