fix: use timestamp server #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| name: CI/CD Pipeline | |
| on: | |
| push: | |
| branches: [ "main", "feat/witness-run-action" ] | |
| pull_request: | |
| branches: [ "main", "feat/witness-run-action" ] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Go environment | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.21 | |
| - name: Create directories | |
| run: mkdir -p release/evidence release/attestations release/delivery | |
| - name: Install hadolint | |
| run: curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && chmod +x /usr/local/bin/hadolint | |
| - name: Install semgrep | |
| run: python3 -m pip install semgrep | |
| - name: Test | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: test | |
| enable-archivista: true | |
| enable-sigstore: true | |
| timestamp-servers: https://freetsa.org/tsr" | |
| command: make test | |
| - name: Format | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: fmt | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make fmt | |
| - name: Vet | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: vet | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make vet | |
| - name: Sast | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: sast | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make sast | |
| - name: Lint | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: lint | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make lint | |
| - name: Build | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: build | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make build | |
| - name: Install Docker Build | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker build | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: docker-build | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make docker-build | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: image.tar | |
| path: release/delivery/image.tar | |
| scans: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Go environment | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.21 | |
| - name: Create directories | |
| run: mkdir -p release/evidence release/attestations release/delivery | |
| - name: Download artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| path: release/delivery/ | |
| name: image.tar | |
| - name: Install syft | |
| run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Install grype | |
| run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Install trufflehog | |
| run: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Generate SBOM | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: generate-sbom | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make generate-sbom | |
| - name: Secret Scan | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: secret-scan | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make secret-scan | |
| - name: CVE Scan | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: cve-scan | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make cve-scan | |
| release: | |
| runs-on: ubuntu-latest | |
| needs: verify | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Go environment | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.21 | |
| - name: Create directories | |
| run: mkdir -p release/evidence release/attestations release/delivery | |
| - name: Release | |
| uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 | |
| with: | |
| step: release | |
| timestamp-servers: https://freetsa.org/tsr" | |
| enable-archivista: true | |
| enable-sigstore: true | |
| command: make release | |
| verify: | |
| runs-on: ubuntu-latest | |
| needs: scans | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Go environment | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: 1.21 | |
| - name: Create directories | |
| run: mkdir -p release/evidence release/attestations release/delivery | |
| - name: Download artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: image.tar | |
| path: release/delivery/ | |
| - name: Install witness | |
| run: curl -sSfL https://github.com/testifysec/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz | |
| - name: Verify | |
| run: witness verify -p policy-signed.json -k swfpublic.pem -f ./release/delivery/image.tar --enable-archivista -l debug |