Skip to content

wip: removed lint from policy #2

wip: removed lint from policy

wip: removed lint from policy #2

Workflow file for this run

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: CI/CD Pipeline
on:
push:
branches: [ "main", "feat/witness-run-action" ]
pull_request:
branches: [ "main", "feat/witness-run-action" ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Go environment
uses: actions/setup-go@v3
with:
go-version: 1.21
- name: Create directories
run: mkdir -p release/evidence release/attestations release/delivery
- name: Install hadolint
run: curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && chmod +x /usr/local/bin/hadolint
- name: Install semgrep
run: python3 -m pip install semgrep
- name: Test
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: test
enable-archivista: true
enable-sigstore: true
command: make test
- name: Format
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: fmt
enable-archivista: true
enable-sigstore: true
command: make fmt
- name: Vet
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: vet
enable-archivista: true
enable-sigstore: true
command: make vet
- name: Sast
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: sast
enable-archivista: true
enable-sigstore: true
command: make sast
- name: Lint
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: lint
enable-archivista: true
enable-sigstore: true
command: make lint
- name: Build
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: build
enable-archivista: true
enable-sigstore: true
command: make build
- name: Install Docker Build
uses: docker/setup-buildx-action@v3
- name: Docker build
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: docker-build
enable-archivista: true
enable-sigstore: true
command: make docker-build
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: image.tar
path: release/delivery/image.tar
scans:
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Go environment
uses: actions/setup-go@v3
with:
go-version: 1.21
- name: Create directories
run: mkdir -p release/evidence release/attestations release/delivery
- name: Download artifact
uses: actions/download-artifact@v3
with:
path: release/delivery/
name: image.tar
- name: Install syft
run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
- name: Install grype
run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
- name: Install trufflehog
run: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
- name: Generate SBOM
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: generate-sbom
enable-archivista: true
enable-sigstore: true
command: make generate-sbom
- name: Secret Scan
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: secret-scan
enable-archivista: true
enable-sigstore: true
command: make secret-scan
- name: CVE Scan
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: cve-scan
enable-archivista: true
enable-sigstore: true
command: make cve-scan
release:
runs-on: ubuntu-latest
needs: verify
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Go environment
uses: actions/setup-go@v3
with:
go-version: 1.21
- name: Create directories
run: mkdir -p release/evidence release/attestations release/delivery
- name: Release
uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
with:
step: release
enable-archivista: true
enable-sigstore: true
command: make release
verify:
runs-on: ubuntu-latest
needs: scans
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Go environment
uses: actions/setup-go@v3
with:
go-version: 1.21
- name: Create directories
run: mkdir -p release/evidence release/attestations release/delivery
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: image.tar
path: release/delivery/
- name: Install witness
run: curl -sSfL https://github.com/testifysec/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
- name: Verify
run: witness verify -p policy-signed.json -k swfpublic.pem -f ./release/delivery/image.tar --enable-archivista -l debug