Skip to content

Fix linting and update date fulcio functionary cert #58

Fix linting and update date fulcio functionary cert

Fix linting and update date fulcio functionary cert #58

Workflow file for this run

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: pipeline
on:
push:
branches:
- '*'
pull_request:
branches:
- '*'
jobs:
fmt:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
attestations: "git github environment"
command: go fmt ./...
vet:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
attestations: "git github environment"
command: go vet ./...
# --ignore DL3002
lint:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
attestations: "git github environment"
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
command: hadolint -f sarif Dockerfile > hadolint.sarif
artifact-upload-name: hadolint.sarif
artifact-upload-path: hadolint.sarif
unit-test:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
attestations: "git github environment"
command: go test ./... -coverprofile cover.out
artifact-upload-name: cover.out
artifact-upload-path: cover.out
sast:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
attestations: "git github environment"
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
artifact-upload-name: semgrep.sarif
artifact-upload-path: semgrep.sarif
build:
needs: [ unit-test, sast ]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: build
attestations: "git github environment"
command: go build -o bin/software main.go
build-image:
needs: [ unit-test, sast ]
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
steps:
- uses: actions/checkout@v4.1.1
- uses: docker/setup-buildx-action@v3.0.0
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/testifysec/swf/software
- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64
install: true
use: true
- name: Build Image
uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
with:
step: build-image
attestations: "git github environment slsa"
command: |
/bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
outputs:
tags: ${{ steps.meta.outputs.tags }}
save-image:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: save-image
attestations: "git github environment slsa oci"
command: |
docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
artifact-upload-name: image.tar
artifact-upload-path: image.tar
generate-sbom:
needs: save-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
command: |
syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json
artifact-upload-name: syft.spdx.json
artifact-upload-path: syft.spdx.json
cve-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: cve-scan
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
command: |
grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
artifact-upload-name: grype.sarif
artifact-upload-path: grype.sarif
secret-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
command: |
trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
artifact-upload-name: trufflehog.json
artifact-upload-path: trufflehog.json
verify:
needs: [ generate-sbom, cve-scan, secret-scan]
if: ${{ github.event_name == 'push' }}
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: verify
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.4.0-beta/witness_0.4.0-beta_linux_amd64.tar.gz -o witness.tar.gz && \
tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
command: |
witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug