
Commit 425fe29

jkjell and mikhailswift authored
Merge recent GHA and Witness updates into main (#8)
Update to new version of Witness and GitHub action. Also enhances the policy. --------- Signed-off-by: John Kjell <[email protected]> Co-authored-by: Mikhail Swift <[email protected]>
1 parent 61f1419 commit 425fe29


6 files changed

+161
-174
lines changed


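--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -6,67 +6,76 @@ name: pipeline
 
 on:
 push:
-branches: [ "main", "feat/witness-run-action" ]
+branches:
+- '*'
 pull_request:
-branches: [ "main", "feat/witness-run-action" ]
+branches:
+- '*'
 
 jobs:
 fmt:
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: fmt
 attestations: "git github environment"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 command: go fmt ./...
 
 vet:
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: vet
 attestations: "git github environment"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 command: go vet ./...
 
 # --ignore DL3002
 lint:
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: lint
+pre-command-attestations: "git github environment"
 attestations: "git github environment"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 pre-command: |
 curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
 chmod +x /usr/local/bin/hadolint
-command: hadolint -f sarif --ignore DL3002 Dockerfile > hadolint.sarif
+command: hadolint -f sarif Dockerfile > hadolint.sarif
 artifact-upload-name: hadolint.sarif
 artifact-upload-path: hadolint.sarif
 
 unit-test:
 needs: [ fmt, vet, lint ]
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: unit-test
 attestations: "git github environment"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 command: go test ./... -coverprofile cover.out
 artifact-upload-name: cover.out
 artifact-upload-path: cover.out
 
 sast:
 needs: [ fmt, vet, lint ]
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: sast
+pre-command-attestations: "git github environment"
 attestations: "git github environment"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 pre-command: python3 -m pip install semgrep==1.45.0
 command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
 artifact-upload-name: semgrep.sarif
 artifact-upload-path: semgrep.sarif
 
 build:
 needs: [ unit-test, sast ]
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: build
@@ -107,64 +116,56 @@ jobs:
 use: true
 
 - name: Build Image
-uses: testifysec/witness-run-action@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5
+uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
 with:
+version: 0.6.0
 step: build-image
-attestations: "git github environment"
+attestations: "git github environment slsa"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 command: |
 /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
 outputs:
 tags: ${{ steps.meta.outputs.tags }}
 
 save-image:
 needs: build-image
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
-step: save-image
-attestations: "git github environment oci"
+step: save-image
+attestations: "git github environment slsa oci"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 command: |
 docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
 artifact-upload-name: image.tar
 artifact-upload-path: image.tar
 
 generate-sbom:
 needs: save-image
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: generate-sbom
-attestations: "git github environment"
+pre-command-attestations: "git github environment"
+attestations: "git github environment sbom"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 artifact-download: image.tar
 pre-command: |
 curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 command: |
-syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json
-artifact-upload-name: syft.spdx.json
-artifact-upload-path: syft.spdx.json
-
-cve-scan:
-needs: save-image
-uses: ./.github/workflows/witness.yml
-with:
-pull_request: ${{ github.event_name == 'pull_request' }}
-step: cve-scan
-attestations: "git github environment"
-artifact-download: image.tar
-pre-command: |
-curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
-command: |
-grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
-artifact-upload-name: grype.sarif
-artifact-upload-path: grype.sarif
+syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
+artifact-upload-name: sbom.cdx.json
+artifact-upload-path: sbom.cdx.json
 
 secret-scan:
 needs: save-image
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: secret-scan
+pre-command-attestations: "git github environment"
 attestations: "git github environment"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 artifact-download: image.tar
 pre-command: |
 curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
@@ -174,17 +175,19 @@ jobs:
 artifact-upload-path: trufflehog.json
 
 verify:
-needs: [ generate-sbom, cve-scan, secret-scan]
+needs: [ generate-sbom, secret-scan]
 
 if: ${{ github.event_name == 'push' }}
-uses: ./.github/workflows/witness.yml
+uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
 with:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: verify
+pre-command-attestations: "git github environment"
 attestations: "git github environment"
+archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 artifact-download: image.tar
 pre-command: |
-curl -sSfL https://github.com/in-toto/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
+curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
 tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
 command: |
-witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
+witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug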
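Review bot: Every new `uses:` line resolves the reusable workflow and the Build Image action through the mutable branch ref `@reusable-workflow` (fmt, vet, lint, unit-test, sast, build, save-image, generate-sbom, secret-scan, verify, and the `- name: Build Image` step), replacing the full-commit pin `@2ae7f93c013ccf24b8ff52b4f042b32ca95ec7b8 # v0.1.5` that the old Build Image step had; the `# v0.2.0` comment records intent only, and since this action is what produces the pipeline's attestations, whatever lands on that branch later runs unreviewed with the job's credentials. Pin to the release commit, e.g. `uses: testifysec/witness-run-action@<COMMIT-SHA-OF-v0.2.0> # v0.2.0` (placeholder) and the same SHA on the `.github/workflows/witness.yml@` path, and let Dependabot/Renovate keep SHA and comment in step. Secondary: the staging `archivista-server` URL is repeated ten times across the visible hunks plus once more inline in the `witness verify` command, so a single workflow-level `env:` value referenced from each job would stop the copies drifting. Pre-existing but touched here: the `verify` pre-command fetches the witness tarball over `curl` with no checksum or signature check before placing it in `/usr/local/bin`, which the version bump is a good moment to fix. The `build` job's `with:` block continues past the end of the first hunk, so its remaining inputs are not visible here.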

.github/workflows/witness.yml

-80
This file was deleted.

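--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,7 @@ RUN go build -o bin/software
 
 FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472
 
-USER root
+#USER root
 
 COPY --from=builder /build/bin/software /software
 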
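Review bot: `#USER root` leaves a commented-out instruction where an explicit decision belongs; if the intent is to run as non-root (which is also what lets the pipeline drop `--ignore DL3002` from the hadolint step in this same commit), delete the line and say so, e.g. `# no USER directive: run as the base image's default non-root user (hadolint DL3002)`. As far as I know the pinned chainguard static base already defaults to a non-root user, but that should be confirmed against the digest rather than inherited silently; if a specific uid is required, set it with an explicit `USER` instead. Commented-out directives tend to be uncommented back in when something breaks, which would silently restore a root-running container.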
policy-signed.json

+1-1
Large diffs are not rendered by default.
