Update to new witness and witness action versions
Signed-off-by: John Kjell <john@testifysec.com>
jkjell committed Jun 18, 2024
1 parent c8620d3 commit 1e7cc44
Showing 4 changed files with 42 additions and 121 deletions.
28 changes: 14 additions & 14 deletions .github/workflows/pipeline.yml
Expand Up @@ -14,15 +14,15 @@ on:

jobs:
fmt:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
attestations: "git github environment"
command: go fmt ./...

vet:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
Expand All @@ -31,7 +31,7 @@ jobs:

# --ignore DL3002
lint:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
Expand All @@ -45,7 +45,7 @@ jobs:

unit-test:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
Expand All @@ -56,7 +56,7 @@ jobs:

sast:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
Expand All @@ -68,7 +68,7 @@ jobs:

build:
needs: [ unit-test, sast ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: build
Expand Down Expand Up @@ -109,7 +109,7 @@ jobs:
use: true

- name: Build Image
uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
uses: testifysec/witness-run-action@85ddab8b46a86b2905a3b547a1806ab264fbb810 # v0.2.0
with:
step: build-image
attestations: "git github environment slsa"
Expand All @@ -120,7 +120,7 @@ jobs:

save-image:
needs: build-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: save-image
Expand All @@ -132,11 +132,11 @@ jobs:

generate-sbom:
needs: save-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
attestations: "git github environment"
attestations: "git github environment sbom"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
Expand All @@ -147,7 +147,7 @@ jobs:

cve-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: cve-scan
Expand All @@ -162,7 +162,7 @@ jobs:

secret-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
Expand All @@ -179,14 +179,14 @@ jobs:
needs: [ generate-sbom, cve-scan, secret-scan]

if: ${{ github.event_name == 'push' }}
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@b7dc0db866484e2baf164a86ea10b24150d76de0
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: verify
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.4.0-beta/witness_0.4.0-beta_linux_amd64.tar.gz -o witness.tar.gz && \
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
command: |
witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
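Review bot: The `verify` job's `pre-command` downloads `witness_0.6.0_linux_amd64.tar.gz` and unpacks it straight into `/usr/local/bin/` without checking a digest, so the binary that enforces the policy is itself unverified. Pinning the archive hash between the download and the extraction would close that gap, e.g. `echo "<SHA256_OF_WITNESS_0.6.0_TARBALL>  witness.tar.gz" | sha256sum -c - && \` (the hash is a placeholder for the published release digest). The workflow references changed in this file are all pinned to full commit SHAs, which leaves this download as the one input touched by the commit that is identified only by a version tag. Separately, `witness verify -p policy-signed.json` reads a hyphenated file name while the diffstat shows this commit adding `policy.signed.json`; if the hyphenated file is not regenerated as well, verification would run against a policy that lacks the updated values.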
80 changes: 0 additions & 80 deletions .github/workflows/witness.yml

This file was deleted.

54 changes: 27 additions & 27 deletions policy.json
Expand Up @@ -42,10 +42,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -142,10 +142,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -193,10 +193,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -244,10 +244,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -298,10 +298,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -352,10 +352,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -403,10 +403,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -454,10 +454,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -505,10 +505,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "b7dc0db866484e2baf164a86ea10b24150d76de0",
"runner_environment": "github-hosted"
}
}
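Review bot: All nine `extensions` blocks now set `build_signer_uri` to `…/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow`, a branch ref, while pipeline.yml in the same commit calls that workflow pinned to commit `b7dc0db866484e2baf164a86ea10b24150d76de0`. If the signing certificate records the ref exactly as the caller wrote it, the URI would end in the commit SHA rather than the branch name and these constraints would not match; this is worth confirming against a certificate from a real run. `github_workflow_sha` is also set to the same witness-run-action commit as `build_signer_digest`, although `source_repository_uri` still names testifysec/swf; if that field carries the calling repository's commit, it will differ on every push and the policy would need re-signing each time. The same three values repeat in every hunk of this file, and each `extensions` block starts and ends outside its hunk.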
1 change: 1 addition & 0 deletions policy.signed.json

Large diffs are not rendered by default.
