Push built image to ghcr registry #27

Workflow file for this run

.github/workflows/pipeline.yml at d2ee947

	permissions:
	id-token: write # This is required for requesting the JWT
	contents: read # This is required for actions/checkout

	name: pipeline

	on:
	push:
	branches: [ "main", "feat/witness-run-action" ]
	pull_request:
	branches: [ "main", "feat/witness-run-action" ]

	jobs:
	fmt:
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: fmt
	attestations: "git github environment"
	command: go fmt ./...

	vet:
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: vet
	attestations: "git github environment"
	command: go vet ./...

	lint:
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: lint
	attestations: "git github environment"
	pre-command: \|
	curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
	chmod +x /usr/local/bin/hadolint
	command: hadolint -f sarif Dockerfile > hadolint.sarif
	artifact-upload-name: hadolint.sarif
	artifact-upload-path: hadolint.sarif

	unit-test:
	needs: [ fmt, vet, lint ]
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: unit-test
	attestations: "git github environment"
	command: go test ./... -coverprofile cover.out
	artifact-upload-name: cover.out
	artifact-upload-path: cover.out

	sast:
	needs: [ fmt, vet, lint ]
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: sast
	attestations: "git github environment"
	pre-command: python3 -m pip install semgrep==1.45.0
	command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
	artifact-upload-name: semgrep.sarif
	artifact-upload-path: semgrep.sarif

	build:
	needs: [ unit-test, sast ]
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: build
	attestations: "git github environment"
	command: go build -o bin/software main.go

	build-image:
	needs: [ unit-test, sast ]
	runs-on: ubuntu-latest

	permissions:
	packages: write
	id-token: write # This is required for requesting the JWT
	contents: read # This is required for actions/checkout

	steps:
	- uses: actions/checkout@v4.1.1
	- uses: docker/setup-buildx-action@v3.0.0

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@v5
	with:
	images: ghcr.io/testifysec/swf/software

	- name: Docker Login
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Setup Buildx
	uses: docker/setup-buildx-action@v3
	with:
	platforms: linux/amd64,linux/arm64
	install: true
	use: true

	- name: Build Image
	uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
	with:
	step: build-image
	attestations: "git github environment oci"
	command: \|
	/bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} --push"
	outputs:
	tags: ${{ steps.meta.outputs.tags }}

	save-image:
	needs: build-image
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: generate-sbom
	attestations: "git github environment"
	command: \|
	docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
	artifact-upload-name: image.tar
	artifact-upload-path: image.tar

	generate-sbom:
	needs: build-image
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: generate-sbom
	attestations: "git github environment"
	artifact-download: image.tar
	pre-command: \|
	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \| sh -s -- -b /usr/local/bin
	command: \|
	syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json
	artifact-upload-name: syft.spdx.json
	artifact-upload-path: syft.spdx.json

	cve-scan:
	needs: build-image
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: cve-scan
	attestations: "git github environment"
	artifact-download: image.tar
	pre-command: \|
	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \| sh -s -- -b /usr/local/bin
	command: \|
	grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
	artifact-upload-name: grype.sarif
	artifact-upload-path: grype.sarif

	secret-scan:
	needs: build-image
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: secret-scan
	attestations: "git github environment"
	artifact-download: image.tar
	pre-command: \|
	curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \| sh -s -- -b /usr/local/bin
	command: \|
	trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
	artifact-upload-name: trufflehog.json
	artifact-upload-path: trufflehog.json

	verify:
	needs: [ generate-sbom, cve-scan, secret-scan]

	if: ${{ github.event_name == 'push' }}
	uses: ./.github/workflows/witness.yml
	with:
	pull_request: ${{ github.event_name == 'pull_request' }}
	step: verify
	attestations: "git github environment"
	artifact-download: image.tar
	pre-command: \|
	curl -sSfL https://github.com/testifysec/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
	tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
	command: \|
	witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Push built image to ghcr registry #27

Workflow file

Push built image to ghcr registry #27

Jobs

Run details

Workflow file for this run