Skip to content

Enable witness

Enable witness #3

Workflow file for this run

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: pipeline
on:
push:
branches:
- '*'
pull_request:
branches:
- '*'
jobs:
build-image:
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
steps:
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}/swf
- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Buildx
uses: docker/setup-buildx-action@v3
- name: Checkout Code
uses: actions/checkout@v4.1.1
- name: Build Image
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
with:
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
step: build-image
attestations: "environment git github slsa"
command: /bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} --push ."
- name: Generate SBOM
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
with:
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
step: gen-sbom
attestations: "environment git github sbom"
command: |
/bin/sh -c "curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.7.0 && \
syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json"
- name: Upload SBOM
uses: actions/upload-artifact@v4.3.3
with:
name: sbom
path: sbom.cdx.json