From c75a6d4b6fefa527fe9a1fd53d936425cff3a4b2 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Tue, 18 Jun 2024 00:19:23 -0500 Subject: [PATCH] Update to new witness and witness action versions Signed-off-by: John Kjell --- .github/workflows/pipeline.yml | 57 ++++++++++-------------- .github/workflows/witness.yml | 80 ---------------------------------- policy.json | 54 +++++++++++------------ policy.signed.json | 1 + 4 files changed, 52 insertions(+), 140 deletions(-) delete mode 100644 .github/workflows/witness.yml create mode 100644 policy.signed.json diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 2d0a0ea..8bbdbcb 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -14,7 +14,7 @@ on: jobs: fmt: - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: fmt @@ -22,7 +22,7 @@ jobs: command: go fmt ./... vet: - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: vet @@ -31,10 +31,11 @@ jobs: # --ignore DL3002 lint: - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: lint + pre-command-attestations: "git github environment" attestations: "git github environment" pre-command: | curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \ 
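Review bot: The new `uses:` references at the fmt, vet and lint jobs pin the external reusable workflow by full commit SHA but carry no human-readable tag or branch comment, unlike the `# v0.2.0` annotation on the action step later in this file; append `# <tag-or-branch>` after each `@c5314efabe9739b4f29996bdcd26aa0cc81e336a` so a reader can tell which release the pin corresponds to and later bumps stay auditable. The same applies to the identical `uses:` lines in the later hunks of this file. Moving the workflow out of this repository also means each caller's secrets and OIDC token are now handed to code owned by testifysec/witness-run-action; the SHA pin is what bounds that, so it should not later be relaxed to a branch ref.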
@@ -45,7 +46,7 @@ jobs: unit-test: needs: [ fmt, vet, lint ] - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: unit-test @@ -56,10 +57,11 @@ jobs: sast: needs: [ fmt, vet, lint ] - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: sast + pre-command-attestations: "git github environment" attestations: "git github environment" pre-command: python3 -m pip install semgrep==1.45.0 command: semgrep scan --config auto ./ --sarif -o semgrep.sarif @@ -68,7 +70,7 @@ jobs: build: needs: [ unit-test, sast ] - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: build @@ -109,8 +111,9 @@ jobs: use: true - name: Build Image - uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta + uses: testifysec/witness-run-action@85ddab8b46a86b2905a3b547a1806ab264fbb810 # v0.2.0 with: + version: 0.6.0 step: build-image attestations: "git github environment slsa" command: | @@ -120,10 +123,10 @@ jobs: save-image: needs: build-image - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} - step: save-image + step: save-image attestations: "git github environment slsa oci" command: | docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar 
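Review bot: `version: 0.6.0` at the Build Image step pins the witness binary for that single action invocation only; the jobs routed through the external reusable workflow pass no version input here, so whether they attest with the same witness release that the `verify` job explicitly downloads (0.6.0) is not visible in this diff and should be confirmed against the workflow at `c5314efa…`. If the reusable workflow accepts a version input, passing `version: "0.6.0"` uniformly keeps producers and verifier aligned; quoting it also protects the value from being reparsed as a float should someone later shorten it to `0.6`. The `build-image` job body begins before this hunk.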
@@ -132,40 +135,27 @@ jobs: generate-sbom: needs: save-image - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: generate-sbom - attestations: "git github environment" + pre-command-attestations: "git github environment" + attestations: "git github environment sbom" artifact-download: image.tar pre-command: | curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin command: | - syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json - artifact-upload-name: syft.spdx.json - artifact-upload-path: syft.spdx.json - - cve-scan: - needs: save-image - uses: ./.github/workflows/witness.yml - with: - pull_request: ${{ github.event_name == 'pull_request' }} - step: cve-scan - attestations: "git github environment" - artifact-download: image.tar - pre-command: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - command: | - grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif - artifact-upload-name: grype.sarif - artifact-upload-path: grype.sarif + syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json + artifact-upload-name: sbom.cdx.json + artifact-upload-path: sbom.cdx.json secret-scan: needs: save-image - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: secret-scan + pre-command-attestations: "git github environment" attestations: "git github environment" artifact-download: image.tar pre-command: | 
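Review bot: Deleting the `cve-scan` job removes the pipeline's only known-vulnerability scan of the image and nothing in this diff replaces it; if that is intentional the commit message should say so, and any `cve-scan` step still declared in policy.json must be dropped as well or `verify` will lack attestations for it (the policy.json hunks below only touch `extensions`, so this cannot be confirmed here). The syft and trufflehog commands keep reading `/tmp/image.tar`, which depended on the deleted local witness.yml placing `artifact-download` under `/tmp`; confirm that the external workflow at `c5314efa…` uses the same path. This hunk ends inside the `secret-scan` job's `pre-command` block.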
@@ -176,17 +166,18 @@ jobs: artifact-upload-path: trufflehog.json verify: - needs: [ generate-sbom, cve-scan, secret-scan] + needs: [ generate-sbom, secret-scan] if: ${{ github.event_name == 'push' }} - uses: ./.github/workflows/witness.yml + uses: testifysec/witness-run-action/.github/workflows/witness.yml@c5314efabe9739b4f29996bdcd26aa0cc81e336a with: pull_request: ${{ github.event_name == 'pull_request' }} step: verify + pre-command-attestations: "git github environment" attestations: "git github environment" artifact-download: image.tar pre-command: | - curl -sSfL https://github.com/in-toto/witness/releases/download/v0.4.0-beta/witness_0.4.0-beta_linux_amd64.tar.gz -o witness.tar.gz && \ + curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \ tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz command: | witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml deleted file mode 100644 index f41bc50..0000000 --- a/.github/workflows/witness.yml +++ /dev/null 
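Review bot: The rewritten `pre-command` in the `verify` job fetches the witness 0.6.0 release tarball with curl and unpacks it straight into `/usr/local/bin` with no integrity check, so the verifier binary itself rests on the TLS connection alone; add `echo "<sha256-of-witness_0.6.0_linux_amd64.tar.gz>  witness.tar.gz" | sha256sum -c - && \` between the download and the `tar` line, taking the digest from the release's checksum asset. Separately, the unchanged `witness verify -p policy-signed.json` line names a file that does not match the `policy.signed.json` this commit adds; if the verify step is meant to consume the committed file, one of the two names is wrong, and otherwise a comment stating where `policy-signed.json` comes from would help. The `verify` job begins before this hunk.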
@@ -1,80 +0,0 @@ -# Copyright 2023 The Archivista Contributors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -on: - workflow_call: - inputs: - pull_request: - required: true - type: boolean - artifact-download: - required: false - type: string - artifact-upload-name: - required: false - type: string - artifact-upload-path: - required: false - type: string - pre-command: - required: false - type: string - command: - required: true - type: string - step: - required: true - type: string - attestations: - required: true - type: string - -jobs: - witness: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: 1.21.x - - - if: ${{ inputs.artifact-download != '' }} - uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 - with: - name: ${{ inputs.artifact-download }} - path: /tmp - - - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }} - uses: testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta - with: - step: pre-${{ inputs.step }} - attestations: ${{ inputs.attestations }} - command: /bin/sh -c "${{ inputs.pre-command }}" - - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }} - run: ${{ inputs.pre-command }} - - - if: ${{ inputs.pull_request == false }} - uses: 
testifysec/witness-run-action@9bb3541332161bc8bf76c36bcdaab56b8da8e171 # v0.2.0-beta - with: - step: ${{ inputs.step }} - attestations: ${{ inputs.attestations }} - command: /bin/sh -c "${{ inputs.command }}" - - if: ${{ inputs.pull_request == true }} - run: ${{ inputs.command }} - - - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} - uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 - with: - name: ${{ inputs.artifact-upload-name }} - path: ${{ inputs.artifact-upload-path }} diff --git a/policy.json b/policy.json index 20f8771..f8c7ddf 100644 --- a/policy.json +++ b/policy.json @@ -42,10 +42,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } 
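Review bot: `build_signer_uri` is constrained to the mutable branch ref `refs/heads/reusable-workflow` while `build_signer_digest` and pipeline.yml pin commit `c5314efabe9739b4f29996bdcd26aa0cc81e336a`; whether an attestation produced by a workflow invoked by SHA reports the ref as the branch or as the SHA is not visible here, so this pairing should be checked against a real attestation from the new pipeline before the signed policy is relied on, and it is repeated unchanged in the eight policy.json hunks that follow. `github_workflow_sha` is likewise set to the reusable workflow's commit; if the attestor derives that field from the calling repository's commit rather than the job workflow's, the value would be the swf commit instead and every step would fail identity matching. Since JSON has no comments, a note in whatever generates this policy recording which OIDC claim each extension maps to would make the next regeneration less error-prone.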
@@ -142,10 +142,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } @@ -193,10 +193,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } 
@@ -244,10 +244,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } @@ -298,10 +298,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } 
@@ -352,10 +352,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } @@ -403,10 +403,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } 
@@ -454,10 +454,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } @@ -505,10 +505,10 @@ ], "extensions": { "issuer": "https://token.actions.githubusercontent.com", - "github_workflow_sha": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "github_workflow_sha": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "source_repository_uri": "https://github.com/testifysec/swf", - "build_signer_uri": "https://github.com/testifysec/swf/.github/workflows/witness.yml@refs/heads/slsa", - "build_signer_digest": "39f80b4c173e7b023a19d2aeac2686733c67b38e", + "build_signer_uri": "https://github.com/testifysec/witness-run-action/.github/workflows/witness.yml@refs/heads/reusable-workflow", + "build_signer_digest": "c5314efabe9739b4f29996bdcd26aa0cc81e336a", "runner_environment": "github-hosted" } } diff --git a/policy.signed.json b/policy.signed.json new file mode 100644 index 0000000..731dc88 --- /dev/null +++ b/policy.signed.json 
@@ -0,0 +1 @@ +{"payload":"","payloadType":"https://witness.testifysec.com/policy/v0.1","signatures":[{"keyid":"6516d0812cb5a0d01f7f014f88e04c5d4c2d89a64e788a12950ba950fb43ef45","sig":"tgCyTghesT5We43UwNfc6YmA/uypoVbIqfQS9r3yikEYF9CYnvVx3OIhCWLLmQZHNOT9X1dPcVlM3ZBu2MATHUgyBsxJWVuHpabIHCLoq9VOuqsEmQutY7zmMHAqWPUo35NrmAitzeKC+BIt+PINVEYhjRnFLHS3oDvTNUGplNKOf9C3YZXqN5ooCN/nv8BjvryLdI15e0yDzTcs8blGIgTmtsLJLk3EhTCVT2+eISz76qYjaoeGcr6GNJrr6deHaB081ejV1X4cCSXjUtBLIk9SVPhs5YkyIxeM+KysGa+ScCnTtN5f5++uRpQtCI8gRD0F67kP+NMDEy9/jUkQew=="}]}
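Review bot: The committed `policy.signed.json` envelope carries `"payload":""`, so whatever the `sig` value covers, it is not the policy in policy.json, and a verifier handed this file has no policy body to evaluate. If the payload was stripped before commit or is injected by a later step, that should be documented next to the verify job; otherwise the file needs to be regenerated from the updated policy.json with the base64 DSSE payload embedded, and the `keyid` re-checked against `swfpublic.pem`.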