Add policy for PR that doesn't look for merge

Signed-off-by: John Kjell <john@testifysec.com>
testifysec · Oct 1, 2024 · 4c1dde7 · 4c1dde7
1 parent e354f55
commit 4c1dde7
Show file tree

Hide file tree

Showing 3 changed files with 478 additions and 0 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -176,3 +176,20 @@ jobs:
         chmod +x /tmp/witness
       command: |
         /tmp/witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
+
+  verify-pr:
+    needs: [ generate-sbom, secret-scan]
+
+    if: ${{ github.event_name == 'pull_request' }}
+    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: verify
+      pre-command-attestations: "git github environment"
+      attestations: "git github environment"
+      artifact-download: image.tar
+      pre-command: |
+        curl -sSfL https://github.com/jkjell/witness/releases/download/osff-demo/witness -o /tmp/witness && \
+        chmod +x /tmp/witness
+      command: |
+        /tmp/witness verify -p pr-policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug