Skip to content

Commit

Permalink
Update to new witness and witness action versions
Browse files Browse the repository at this point in the history
Signed-off-by: John Kjell <john@testifysec.com>
  • Loading branch information
jkjell committed Jun 18, 2024
1 parent c8620d3 commit 7675e35
Show file tree
Hide file tree
Showing 4 changed files with 67 additions and 190 deletions.
66 changes: 33 additions & 33 deletions .github/workflows/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,28 +14,31 @@ on:

jobs:
fmt:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
attestations: "git github environment"
command: go fmt ./...

vet:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
command: go vet ./...

# --ignore DL3002
lint:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
pre-command-attestations: "git github environment"
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
Expand All @@ -45,30 +48,33 @@ jobs:

unit-test:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
command: go test ./... -coverprofile cover.out
artifact-upload-name: cover.out
artifact-upload-path: cover.out

sast:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
pre-command-attestations: "git github environment"
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
artifact-upload-name: semgrep.sarif
artifact-upload-path: semgrep.sarif

build:
needs: [ unit-test, sast ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: build
Expand Down Expand Up @@ -109,64 +115,56 @@ jobs:
use: true

- name: Build Image
uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
with:
version: 0.6.0
step: build-image
attestations: "git github environment slsa"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
command: |
/bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
outputs:
tags: ${{ steps.meta.outputs.tags }}

save-image:
needs: build-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: save-image
step: save-image
attestations: "git github environment slsa oci"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
command: |
docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
artifact-upload-name: image.tar
artifact-upload-path: image.tar

generate-sbom:
needs: save-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
attestations: "git github environment"
pre-command-attestations: "git github environment"
attestations: "git github environment sbom"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
command: |
syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json
artifact-upload-name: syft.spdx.json
artifact-upload-path: syft.spdx.json

cve-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: cve-scan
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
command: |
grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
artifact-upload-name: grype.sarif
artifact-upload-path: grype.sarif
syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
artifact-upload-name: sbom.cdx.json
artifact-upload-path: sbom.cdx.json

secret-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
pre-command-attestations: "git github environment"
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
Expand All @@ -176,17 +174,19 @@ jobs:
artifact-upload-path: trufflehog.json

verify:
needs: [ generate-sbom, cve-scan, secret-scan]
needs: [ generate-sbom, secret-scan]

if: ${{ github.event_name == 'push' }}
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: verify
pre-command-attestations: "git github environment"
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
artifact-download: image.tar
pre-command: |
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.4.0-beta/witness_0.4.0-beta_linux_amd64.tar.gz -o witness.tar.gz && \
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
command: |
witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
80 changes: 0 additions & 80 deletions .github/workflows/witness.yml

This file was deleted.

2 changes: 1 addition & 1 deletion policy-signed.json

Large diffs are not rendered by default.

Loading

0 comments on commit 7675e35

Please sign in to comment.