This GitHub Action allows you to create an attestation for your CI process using the Witness tool. It supports optional integration with Sigstore for signing and Archivista for attestation storage and distibution.
To use this action, include it in your GitHub workflow YAML file.
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: Example Workflow
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v0.1.3
- name: Witness Run
uses: testifysec/witness-run-action@v1
with:
step: build
enable-archivista: false
enable-sigstore: false
command: make buildThis action supports the use of Sigstore and Archivista for creating attestations.
By enabling the option enable-archivista, you create a public record of your
attestations, which can be useful for transparency and compliance.
Sigstore is an open-source platform for securely signing software artifacts. When
the enable-sigstore flag is set to true, this action will use Sigstore for signing
the attestation. This creates a publicly verifiable record of the attestation on
the Sigstore public instance, sigstore.dev
Archivista is a server that stores and retrieves attestations. When the enable-archivista
flag is set to true, this action will use Archivista for storing and retrieving
attestations. By default, the attestations are stored on a public Archivista server,
https://archivista.testifysec.io, making the details publicly accessible. This server
also has no guarantees on data availability or integrity.
By default when using Sigstore, this action utilizes FreeTSA, a free and public
Timestamp Authority (TSA) service, to provide trusted timestamping for your
attestations. Timestamping is a critical aspect of creating non-repudiable and
legally binding attestations. FreeTSA offers a reliable and convenient solution for
timestamping without the need for setting up and managing your own TSA. When using
this action, the timestamp-servers input is set to FreeTSA's service (https://freetsa.org/)
by default, ensuring your attestations are properly timestamped with a trusted and
publicly verifiable source.
If you want to keep the details of your attestations private, you can set up and host your own instances of Archivista and Sigstore. This allows you to manage access control and ensure that only authorized users can view the attestation details.
To use your own instances, set the archivista-server input to the URL of your
Archivista server, and the fulcio input to the address of your Sigstore instance.
Additionally, you'll need to configure the fulcio-oidc-client-id and fulcio-oidc-issuer
inputs to match your Sigstore instance's OIDC configuration.
Please consult the documentation for Archivista and Sigstore on how to set up and host your own instances.
| Name | Description | Required | Default |
|---|---|---|---|
| witness-install-dir | Directory to install the witness tool into. The directory will attempted to be created if it does not exists | No | ./ |
| enable-sigstore | Use Sigstore for attestation. Sets default values for fulcio, fulcio-oidc-client-id, fulcio-oidc-issuer, and timestamp-servers when true | No | true |
| enable-archivista | Use Archivista to store or retrieve attestations | No | true |
| archivista-server | URL of the Archivista server to store or retrieve attestations | No | https://archivista.testifysec.io |
| attestations | Attestations to record, space-separated | No | environment git github |
| certificate | Path to the signing key's certificate | No | |
| fulcio | Fulcio address to sign with | No | |
| fulcio-oidc-client-id | OIDC client ID to use for authentication | No | |
| fulcio-oidc-issuer | OIDC issuer to use for authentication | No | |
| fulcio-token | Raw token to use for authentication | No | |
| intermediates | Intermediates that link trust back to a root of trust in the policy, space-separated | No | |
| key | Path to the signing key | No | |
| outfile | File to which to write signed data. Defaults to stdout | No | |
| product-exclude-glob | Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation. | No | |
| product-include-glob | Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. | No | * |
| spiffe-socket | Path to the SPIFFE Workload API socket | No | |
| step | Name of the step being run | Yes | |
| timestamp-servers | Timestamp Authority Servers to use when signing envelope, space-separated | No | |
| trace | Enable tracing for the command | No | false |
| workingdir | Directory from which commands will run | No |