[WIP] Test Witness for build attestations #135

colek42 · 2023-04-07T08:57:16Z

Pull request check list

Proper tests/regressions included?
Documentation updated?

Affected functionality

Description of change

Which issue this pull requests fixes

colek42 · 2023-04-07T08:59:22Z

Working test run is viewable here: https://github.com/testifysec/galadriel/actions/runs/4636814805

.github/workflows/release.yml


      - name: Run GoReleaser
-        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
+        uses: testifysec/witness-run-action@main


.github/workflows/release.yml

-          distribution: goreleaser
-          version: latest
-          args: release --rm-dist
+        uses: testifysec/witness-run-action@main


.github/workflows/release.yml

-          distribution: goreleaser
-          version: latest
-          args: release --rm-dist
+        uses: testifysec/witness-run-action@main


.github/workflows/trivy.yml

+          sudo apt-get install trivy -y
+
+      - name: Run Trivy vulnerability scanner with Witness
+        uses: testifysec/witness-run-action@main


.github/workflows/release.yml

+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Build Server
+        uses: testifysec/witness-run-action@main


.github/workflows/release.yml

+          command: ko build --tarball server.tar --tags=ghcr.io/${{ github.repository }}:${{ github.sha }} --platform=all --sbom-dir . ./cmd/server
+
+      - name: Build Harvestor
+        uses: testifysec/witness-run-action@main


.github/workflows/release.yml

+
+      - name: Install KO
+        run: go install github.com/google/ko/cmd/ko@latest
+


.github/workflows/release.yml

+      #     command: goreleaser release --clean --snapshot
+
+      - name: Setup KO
+        uses: imjasonh/[email protected]


.github/workflows/release.yml

+        uses: imjasonh/[email protected]
+
+      - name: Build Server
+        uses: testifysec/[email protected]


.github/workflows/release.yml

-      - name: Generate subject
-        id: hash
+      - name: Build Harvestor
+        uses: testifysec/[email protected]


.github/workflows/release.yml

+      #     command: goreleaser release --clean --snapshot
+
+      - name: Setup KO
+        uses: imjasonh/[email protected]


.github/workflows/release.yml

+      #     command: goreleaser release --clean --snapshot
+
+      - name: Setup KO
+        uses: imjasonh/[email protected]


.github/workflows/release.yml

-      - name: Generate subject
-        id: hash
+      - name: Build Harvestor
+        uses: testifysec/[email protected]


.github/workflows/release.yml

+          command: goreleaser release --clean --snapshot
+
+      - name: Setup KO
+        uses: imjasonh/[email protected]


.github/workflows/trivy.yml

+          sudo apt-get install trivy -y
+
+      - name: Run Trivy vulnerability scanner with Witness
+        uses: testifysec/[email protected]


.github/workflows/release.yml

+          echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin
+
+      - name: Build Server
+        uses: testifysec/witness-run-action@fix-output


.witness/policy.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----


.witness/policy.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----


.witness/policy.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----


.witness/policy.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----


.witness/policy.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----


Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.2.0 to 3.3.1. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@537aa19...0ad9a09) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

provenance artifact with signature and sboms Signed-off-by: Victor Vieira Barros Leal da Silveira <[email protected]>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.3.1 to 3.4.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@0ad9a09...08e2f20) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Cole Kennedy <[email protected]>

sonarcloud · 2023-04-25T08:09:20Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

Signed-off-by: Cole Kennedy <[email protected]>

sonarcloud · 2023-08-26T17:10:01Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

colek42 changed the title ~~[WIP[ Test Witness for build attestations~~ [WIP] Test Witness for build attestations Apr 7, 2023

github-advanced-security bot found potential problems Apr 7, 2023

View reviewed changes

github-advanced-security bot found potential problems Apr 10, 2023

View reviewed changes

github-advanced-security bot found potential problems Apr 14, 2023

View reviewed changes

github-advanced-security bot found potential problems Apr 18, 2023

View reviewed changes

dependabot bot and others added 5 commits April 18, 2023 03:46

feat: Introduzing Github workflow to automate build process generating

83b6cbc

provenance artifact with signature and sboms Signed-off-by: Victor Vieira Barros Leal da Silveira <[email protected]>

feat: Updating demo dependencies

407de97

feat: Updating go.sum

ae1cb49

colek42 force-pushed the cole/witness branch 2 times, most recently from 1b04d08 to 69d694c Compare April 18, 2023 08:54

add witness

e6cbf6c

colek42 force-pushed the cole/witness branch from 758da96 to e6cbf6c Compare April 18, 2023 09:15

Cole Kennedy added 2 commits April 19, 2023 11:49

change policy expire

caf2671

touch

368f17a

Cole Kennedy and others added 2 commits April 19, 2023 13:50

test

94fa2ec

Update scorecards.yml

cad3d3d

Signed-off-by: Cole Kennedy <[email protected]>

Victorblsilveira assigned colek42 May 29, 2023

colek42 added 2 commits August 25, 2023 13:25

Update release.yml

5c88d16

Signed-off-by: Cole Kennedy <[email protected]>

Update release.yml

4314ab9

Signed-off-by: Cole Kennedy <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[WIP] Test Witness for build attestations #135

[WIP] Test Witness for build attestations #135

colek42 commented Apr 7, 2023

colek42 commented Apr 7, 2023

sonarcloud bot commented Apr 25, 2023

sonarcloud bot commented Aug 26, 2023


		- name: Install KO
		run: go install github.com/google/ko/cmd/ko@latest

[WIP] Test Witness for build attestations #135

Are you sure you want to change the base?

[WIP] Test Witness for build attestations #135

Conversation

colek42 commented Apr 7, 2023

colek42 commented Apr 7, 2023

sonarcloud bot commented Apr 25, 2023

sonarcloud bot commented Aug 26, 2023