diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml deleted file mode 100644 index a7d54d2..0000000 --- a/.github/workflows/cicd.yaml +++ /dev/null 
@@ -1,216 +0,0 @@ -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -name: CI/CD Pipeline - -on: - push: - branches: [ "main", "feat/witness-run-action" ] - pull_request: - branches: [ "main", "feat/witness-run-action" ] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Set up Go environment - uses: actions/setup-go@v3 - with: - go-version: 1.21 - - - name: Create directories - run: mkdir -p release/evidence release/attestations release/delivery - - - name: Install hadolint - run: curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && chmod +x /usr/local/bin/hadolint - - - name: Install semgrep - run: python3 -m pip install semgrep - - - name: Test - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: test - enable-archivista: true - enable-sigstore: true - timestamp-servers: https://freetsa.org/tsr - command: make test - - - name: Format - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: fmt - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make fmt - - - name: Vet - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: vet - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make vet - - - name: Sast - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: sast - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make sast - - - name: Lint - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: lint - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: 
true - command: make lint - - - name: Build - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: build - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make build - - - name: Install Docker Build - uses: docker/setup-buildx-action@v3 - - - name: Docker build - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: docker-build - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make docker-build - - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: image.tar - path: release/delivery/image.tar - - scans: - runs-on: ubuntu-latest - needs: build - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Set up Go environment - uses: actions/setup-go@v3 - with: - go-version: 1.21 - - - name: Create directories - run: mkdir -p release/evidence release/attestations release/delivery - - - name: Download artifact - uses: actions/download-artifact@v3 - with: - path: release/delivery/ - name: image.tar - - - name: Install syft - run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - - name: Install grype - run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - - - name: Install trufflehog - run: curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin - - - name: Generate SBOM - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: generate-sbom - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make generate-sbom - - - name: Secret Scan - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: secret-scan - timestamp-servers: 
https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make secret-scan - - - name: CVE Scan - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: cve-scan - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make cve-scan - - release: - runs-on: ubuntu-latest - needs: verify - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Set up Go environment - uses: actions/setup-go@v3 - with: - go-version: 1.21 - - - name: Create directories - run: mkdir -p release/evidence release/attestations release/delivery - - - name: Release - uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 - with: - step: release - timestamp-servers: https://freetsa.org/tsr - enable-archivista: true - enable-sigstore: true - command: make release - - verify: - runs-on: ubuntu-latest - needs: scans - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Set up Go environment - uses: actions/setup-go@v3 - with: - go-version: 1.21 - - - name: Create directories - run: mkdir -p release/evidence release/attestations release/delivery - - - name: Download artifact - uses: actions/download-artifact@v3 - with: - name: image.tar - path: release/delivery/ - - - name: Install witness - run: curl -sSfL https://github.com/testifysec/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz - - - name: Verify - run: witness verify -p policy-signed.json -k swfpublic.pem -f ./release/delivery/image.tar --enable-archivista -l debug diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml new file mode 100644 index 0000000..574e077 --- /dev/null +++ b/.github/workflows/pipeline.yml 
@@ -0,0 +1,153 @@
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
+name: pipeline
+
+on:
+ push:
+ branches: [ "main", "feat/witness-run-action" ]
+ pull_request:
+ branches: [ "main", "feat/witness-run-action" ]
+
+jobs:
+ fmt:
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step:
+ attestations: "github"
+ command: go fmt ./...
+
+ vet:
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: vet
+ attestations: "github"
+ command: go vet ./...
+
+ lint:
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: lint
+ attestations: "github sarif"
+ pre-command: |
+ curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
+ chmod +x /usr/local/bin/hadolint
+ command: hadolint -f sarif Dockerfile > hadolint.sarif
+ artifact-upload-name: hadolint.sarif
+ artifact-upload-path: hadolint.sarif
+
+ unit-test:
+ needs: [ fmt, vet, lint ]
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: unit-test
+ attestations: "github"
+ command: go test ./... -coverprofile cover.out
+ artifact-upload-name: cover.out
+ artifact-upload-path: cover.out
+
+ sast:
+ needs: [ fmt, vet, lint ]
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: sast
+ attestations: "github, sarif"
+ pre-command: python3 -m pip install semgrep
+ command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
+ artifact-upload-name: semgrep.sarif
+ artifact-upload-path: semgrep.sarif
+
+ build:
+ needs: [ unit-test, sast ]
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: build
+ attestations: "github"
+ command: go build -o bin/software main.go
+
+ build-image:
+ needs: [ unit-test, sast ]
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - uses: docker/setup-buildx-action@v3.0.0
+
+ - name: Build Image
+ uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+ with:
+ step: build-image
+ attestations: "github oci"
+ command: |
+ /bin/sh -c "docker build -t jkjell/software:dev . && docker save jkjell/software:dev > /tmp/image.tar"
+
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: image.tar
+ path: /tmp/image.tar
+
+ generate-sbom:
+ needs: build-image
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: generate-sbom
+ attestations: "github"
+ artifact-download: image.tar
+ pre-command: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+ command: |
+ syft packages docker-archive:/tmp/image.tar -o spdx-json --file syft.spdx.json
+ artifact-upload-name: syft.spdx.json
+ artifact-upload-path: syft.spdx.json
+
+ cve-scan:
+ needs: build-image
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: cve-scan
+ attestations: "github sarif"
+ artifact-download: image.tar
+ pre-command: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+ command: |
+ grype docker-archive:/tmp/image.tar -o sarif --file grype.sarif
+ artifact-upload-name: grype.sarif
+ artifact-upload-path: grype.sarif
+
+ secret-scan:
+ needs: build-image
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: secret-scan
+ attestations: "github"
+ artifact-download: image.tar
+ pre-command: |
+ curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+ command: |
+ trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
+ artifact-upload-name: trufflehog.json
+ artifact-upload-path: trufflehog.json
+
+ verify:
+ needs: [ generate-sbom, cve-scan, secret-scan]
+ uses: ./.github/workflows/witness.yml
+ with:
+ pull_request: ${{ github.event_name == 'pull_request' }}
+ step: verify
+ attestations: "github"
+ pre-command: |
+ curl -sSfL https://github.com/testifysec/witness/releases/download/v0.1.14/witness_0.1.14_linux_amd64.tar.gz -o witness.tar.gz && \
+ tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
+ command: |
+ witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista -l debug
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml new file mode 100644
index 0000000..885bdee
--- /dev/null
+++ b/.github/workflows/witness.yml
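Review bot: In the pipeline.yml hunk the `fmt` job passes an empty `step:` to the reusable workflow, while witness.yml declares `step` as a required string input, so the witness step name will be empty (or the call rejected); it should read `step: fmt` like the sibling jobs. The `sast` job also spells its attestation list as `"github, sarif"` whereas `lint` and `cve-scan` use `"github sarif"`; one separator should be chosen and it is worth confirming which form the action actually parses. For a pipeline whose output is supply-chain attestations, the `pre-command` blocks install syft, grype and trufflehog by piping `install.sh` from each project's `main` branch and fetch the hadolint and witness binaries without a checksum, so the toolchain that produces the evidence is itself unpinned and unverified; pinning a release tag or digest and checking a published checksum would make the attested build reproducible. Finally, `build-image` calls witness-run-action directly without the `pull_request` guard that every other job inherits from witness.yml, so its behaviour on pull requests differs from the rest of the pipeline, presumably unintentionally.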
@@ -0,0 +1,78 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+on:
+ workflow_call:
+ inputs:
+ pull_request:
+ required: true
+ type: boolean
+ artifact-download:
+ required: false
+ type: string
+ artifact-upload-name:
+ required: false
+ type: string
+ artifact-upload-path:
+ required: false
+ type: string
+ pre-command:
+ required: false
+ type: string
+ command:
+ required: true
+ type: string
+ step:
+ required: true
+ type: string
+ attestations:
+ required: true
+ type: string
+
+jobs:
+ witness:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4.1.1
+ - uses: actions/setup-go@v4.1.0
+ with:
+ go-version: 1.21.x
+
+ - if: ${{ inputs.artifact-download != '' }}
+ uses: actions/download-artifact@v3.0.0
+ with:
+ name: ${{ inputs.artifact-download }}
+ path: /tmp
+
+ - if: ${{ inputs.pre-command != '' }}
+ uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+ with:
+ step: pre-${{ inputs.step }}
+ attestations: $${ inputs.attestations }}
+ command: /bin/sh -c "$${ inputs.pre-command }}
+
+ - if: ${{ inputs.pull_request == false }}
+ uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+ with:
+ step: ${{ inputs.step }}
+ attestations: $${ inputs.attestations }}
+ command: /bin/sh -c "$${ inputs.command }}"
+ - if: ${{ inputs.pull_request == true }}
+ run: ${{ inputs.command }}
+
+ - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
+ uses: actions/upload-artifact@v3.0.0
+ with:
+ name: ${{ inputs.artifact-upload-name }}
+ path: ${{ inputs.artifact-upload-path }}
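Review bot: `$${ inputs.attestations }}` in both witness-run-action steps is not a GitHub expression (`$${` instead of `${{`), so the action receives the literal text `$${ inputs.attestations }}` as its attestations list and the caller's `attestations` input is never honoured; the same typo in the pre-command step also drops the closing quote, leaving `/bin/sh -c "$${ inputs.pre-command }}` with an unterminated string. The three lines should read `attestations: ${{ inputs.attestations }}` (twice) and `command: /bin/sh -c "${{ inputs.pre-command }}"`, matching the `${{ inputs.step }}` form already used on the neighbouring lines. Separately, the main command is split into a witness-attested step for pushes and a plain `run:` for pull requests, but the pre-command step invokes witness-run-action unconditionally; if the split exists because the OIDC `id-token` is unavailable on pull requests, the pre-command step will presumably fail there, so it likely wants the same `inputs.pull_request == false` guard plus a plain `run:` fallback. Note too that `inputs.command` and `inputs.pre-command` are interpolated inside double quotes, so a caller command containing `"` will break the shell invocation silently.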