Skip to content

Commit

Permalink
Update to new witness and witness action versions
Browse files Browse the repository at this point in the history
Signed-off-by: John Kjell <john@testifysec.com>
  • Loading branch information
jkjell committed Jun 18, 2024
1 parent c8620d3 commit c75a6d4
Show file tree
Hide file tree
Showing 4 changed files with 52 additions and 140 deletions.
57 changes: 24 additions & 33 deletions .github/workflows/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,15 +14,15 @@ on:

jobs:
fmt:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
attestations: "git github environment"
command: go fmt ./...

vet:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
Expand All @@ -31,10 +31,11 @@ jobs:

# --ignore DL3002
lint:
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
pre-command-attestations: "git github environment"
attestations: "git github environment"
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
Expand All @@ -45,7 +46,7 @@ jobs:

unit-test:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
Expand All @@ -56,10 +57,11 @@ jobs:

sast:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
pre-command-attestations: "git github environment"
attestations: "git github environment"
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
Expand All @@ -68,7 +70,7 @@ jobs:

build:
needs: [ unit-test, sast ]
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: build
Expand Down Expand Up @@ -109,8 +111,9 @@ jobs:
use: true

- name: Build Image
uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta
uses: testifysec/witness-run-action@85ddab8b46a86b2905a3b547a1806ab264fbb810 # v0.2.0
with:
version: 0.6.0
step: build-image
attestations: "git github environment slsa"
command: |
Expand All @@ -120,10 +123,10 @@ jobs:

save-image:
needs: build-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: save-image
step: save-image
attestations: "git github environment slsa oci"
command: |
docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
Expand All @@ -132,40 +135,27 @@ jobs:

generate-sbom:
needs: save-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
attestations: "git github environment"
pre-command-attestations: "git github environment"
attestations: "git github environment sbom"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
command: |
syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json
artifact-upload-name: syft.spdx.json
artifact-upload-path: syft.spdx.json

cve-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: cve-scan
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
command: |
grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
artifact-upload-name: grype.sarif
artifact-upload-path: grype.sarif
syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
artifact-upload-name: sbom.cdx.json
artifact-upload-path: sbom.cdx.json

secret-scan:
needs: save-image
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
pre-command-attestations: "git github environment"
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
Expand All @@ -176,17 +166,18 @@ jobs:
artifact-upload-path: trufflehog.json

verify:
needs: [ generate-sbom, cve-scan, secret-scan]
needs: [ generate-sbom, secret-scan]

if: ${{ github.event_name == 'push' }}
uses: ./.github/workflows/witness.yml
uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: verify
pre-command-attestations: "git github environment"
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.4.0-beta/witness_0.4.0-beta_linux_amd64.tar.gz -o witness.tar.gz && \
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
command: |
witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
80 changes: 0 additions & 80 deletions .github/workflows/witness.yml

This file was deleted.

54 changes: 27 additions & 27 deletions policy.json
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -142,10 +142,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -193,10 +193,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -244,10 +244,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -298,10 +298,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -352,10 +352,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -403,10 +403,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -454,10 +454,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down Expand Up @@ -505,10 +505,10 @@
],
"extensions": {
"issuer": "https://token.actions.githubusercontent.com",
"github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"source_repository_uri": "https://github.com/testifysec/swf",
"build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa",
"build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e",
"build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow",
"build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a",
"runner_environment": "github-hosted"
}
}
Expand Down
1 change: 1 addition & 0 deletions policy.signed.json

Large diffs are not rendered by default.

0 comments on commit c75a6d4

Please sign in to comment.