Update archivista and workflow #133

Workflow file for this run

.github/workflows/pipeline.yml at 4bb5d0c

	permissions:
	id-token: write # This is required for requesting the JWT
	contents: read # This is required for actions/checkout

	name: pipeline

	on:
	push:
	branches:
	- '*'
	pull_request:
	branches:
	- '*'

	jobs:
	fmt:
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: fmt
	attestations: "git github environment"
	command: go fmt ./...

	vet:
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: vet
	attestations: "git github environment"
	command: go vet ./...

	# --ignore DL3002
	lint:
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: lint
	pre-command-attestations: "git github environment"
	attestations: "git github environment"
	pre-command: \|
	curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
	chmod +x /usr/local/bin/hadolint
	command: hadolint -f sarif Dockerfile > hadolint.sarif
	artifact-upload-name: hadolint.sarif
	artifact-upload-path: hadolint.sarif

	unit-test:
	needs: [ fmt, vet, lint ]
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: unit-test
	attestations: "git github environment"
	command: go test ./... -coverprofile cover.out
	artifact-upload-name: cover.out
	artifact-upload-path: cover.out

	sast:
	needs: [ fmt, vet, lint ]
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: sast
	pre-command-attestations: "git github environment"
	attestations: "git github environment"
	pre-command: python3 -m pip install semgrep==1.45.0
	command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
	artifact-upload-name: semgrep.sarif
	artifact-upload-path: semgrep.sarif

	build:
	needs: [ unit-test, sast ]
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: build
	attestations: "git github environment"
	command: go build -o bin/software main.go

	build-image:
	needs: [ unit-test, sast ]
	runs-on: ubuntu-latest

	permissions:
	packages: write
	id-token: write # This is required for requesting the JWT
	contents: read # This is required for actions/checkout

	steps:
	- name: Tailscale
	uses: tailscale/github-action@v2
	with:
	oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
	oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
	tags: tag:ci

	- uses: actions/checkout@v4.1.1
	- uses: docker/setup-buildx-action@v3.0.0

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: ghcr.io/testifysec/swf/software

	- name: Docker Login
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Setup Buildx
	uses: docker/setup-buildx-action@v3
	with:
	platforms: linux/amd64
	install: true
	use: true

	- name: Build Image
	uses: ./.github/workflows/witness.yml
	with:
	version: 0.6.0
	step: build-image
	attestations: "git github environment oci slsa"
	command: \|
	/bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} -o type=docker,dest=image.tar --push ."

	- name: Upload Artifact
	uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
	with:
	name: image.tar
	path: image.tar

	outputs:
	tags: ${{ steps.meta.outputs.tags }}

	generate-sbom:
	needs: build-image
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: generate-sbom
	pre-command-attestations: "git github environment"
	attestations: "git github environment sbom"
	artifact-download: image.tar
	pre-command: \|
	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \| sh -s -- -b /usr/local/bin
	command: \|
	syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
	artifact-upload-name: sbom.cdx.json
	artifact-upload-path: sbom.cdx.json

	secret-scan:
	needs: build-image
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: secret-scan
	pre-command-attestations: "git github environment"
	attestations: "git github environment"
	artifact-download: image.tar
	pre-command: \|
	curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \| sh -s -- -b /usr/local/bin
	command: \|
	trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
	artifact-upload-name: trufflehog.json
	artifact-upload-path: trufflehog.json

	verify:
	needs: [ generate-sbom, secret-scan]

	if: ${{ github.event_name == 'push' }}
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: verify
	pre-command-attestations: "git github environment"
	attestations: "git github environment"
	artifact-download: image.tar
	pre-command: \|
	curl -sSfL https://github.com/jkjell/witness/releases/download/osff-demo/witness -o /tmp/witness && \
	chmod +x /tmp/witness
	command: \|
	/tmp/witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update archivista and workflow #133

Workflow file

Update archivista and workflow #133

Jobs

Run details

Workflow file for this run