1919 pull_request : ${{ github.event_name == 'pull_request' }}
2020 step : fmt
2121 attestations : " git github environment"
22- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
22+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
2323 command : go fmt ./...
2424
2525 vet :
2828 pull_request : ${{ github.event_name == 'pull_request' }}
2929 step : vet
3030 attestations : " git github environment"
31- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
31+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
3232 command : go vet ./...
3333
3434 # --ignore DL3002
3939 step : lint
4040 pre-command-attestations : " git github environment"
4141 attestations : " git github environment"
42- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
42+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
4343 pre-command : |
4444 curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
4545 chmod +x /usr/local/bin/hadolint
5454 pull_request : ${{ github.event_name == 'pull_request' }}
5555 step : unit-test
5656 attestations : " git github environment"
57- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
57+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
5858 command : go test ./... -coverprofile cover.out
5959 artifact-upload-name : cover.out
6060 artifact-upload-path : cover.out
6767 step : sast
6868 pre-command-attestations : " git github environment"
6969 attestations : " git github environment sarif"
70- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
70+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
7171 pre-command : python3 -m pip install semgrep==1.45.0
7272 command : semgrep scan --config auto ./ --sarif -o semgrep.sarif
7373 artifact-upload-name : semgrep.sarif
@@ -121,7 +121,7 @@ jobs:
121121 version : 0.6.0
122122 step : build-image
123123 attestations : " git github environment slsa"
124- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
124+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
125125 command : |
126126 /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
127127outputs :
@@ -134,7 +134,7 @@ jobs:
134134 pull_request : ${{ github.event_name == 'pull_request' }}
135135 step : save-image
136136 attestations : " git github environment slsa oci"
137- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
137+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
138138 command : |
139139 docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
140140artifact-upload-name : image.tar
@@ -148,7 +148,7 @@ jobs:
148148 step : generate-sbom
149149 pre-command-attestations : " git github environment"
150150 attestations : " git github environment sbom"
151- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
151+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
152152 artifact-download : image.tar
153153 pre-command : |
154154 curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
@@ -165,7 +165,7 @@ jobs:
165165 step : secret-scan
166166 pre-command-attestations : " git github environment"
167167 attestations : " git github environment"
168- archivista-server : " https://judge-api .aws-sandbox-staging.testifysec.dev"
168+ archivista-server : " https://judge.aws-sandbox-staging.testifysec.dev"
169169 artifact-download : image.tar
170170 pre-command : |
171171 curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
@@ -174,20 +174,21 @@ jobs:
174174artifact-upload-name : trufflehog.json
175175 artifact-upload-path : trufflehog.json
176176
177- verify :
178- needs : [ generate-sbom, secret-scan]
179-
180- if : ${{ github.event_name == 'push' }}
181- uses : testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
182- with :
183- pull_request : ${{ github.event_name == 'pull_request' }}
184- step : verify
185- pre-command-attestations : " git github environment"
186- attestations : " git github environment"
187- archivista-server : " https://judge-api.aws-sandbox-staging.testifysec.dev"
188- artifact-download : image.tar
189- pre-command : |
190- curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
191- tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
192- command : |
193- witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug
177+ # NOTE: We can't verify from judge anymore as the route is restricted
178+ # verify:
179+ # needs: [ generate-sbom, secret-scan]
180+ #
181+ # if: ${{ github.event_name == 'push' }}
182+ # uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
183+ # with:
184+ # pull_request: ${{ github.event_name == 'pull_request' }}
185+ # step: verify
186+ # pre-command-attestations: "git github environment"
187+ # attestations: "git github environment"
188+ # archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
189+ # artifact-download: image.tar
190+ # pre-command: |
191+ # curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
192+ # tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
193+ # command: |
194+ # witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge.aws-sandbox-staging.testifysec.dev -l debug
0 commit comments