[WIP] Test Witness for build attestations #135
Working test run is viewable here: https://github.com/testifysec/galadriel/actions/runs/4636814805
| - name: Run GoReleaser | ||
| id: run-goreleaser | ||
| uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0 | ||
| uses: testifysec/witness-run-action@main |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
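Review bot: `uses: testifysec/witness-run-action@main` on the last line of this snippet references a mutable branch, which is what the Scorecard Pinned-Dependencies warning is about; the `goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0` line directly above it shows the convention to follow, a full commit SHA with the tag in a trailing comment, e.g. `uses: testifysec/witness-run-action@<commit-sha> # v0.1.1` (SHA placeholder; v0.1.1 is the tag used later in this PR). Pinning matters more here than for an ordinary step, because this action wraps the build and produces the attestation, so whatever `main` points to at run time decides what gets attested.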
| distribution: goreleaser | ||
| version: latest | ||
| args: release --rm-dist | ||
| uses: testifysec/witness-run-action@main |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| distribution: goreleaser | ||
| version: latest | ||
| args: release --rm-dist | ||
| uses: testifysec/witness-run-action@main |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| sudo apt-get install trivy -y | ||
|
|
||
| - name: Run Trivy vulnerability scanner with Witness | ||
| uses: testifysec/witness-run-action@main |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin | ||
|
|
||
| - name: Build Server | ||
| uses: testifysec/witness-run-action@main |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
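Review bot: `run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin` expands the secret straight into the shell script text; pass it through the step's `env:` block instead (e.g. `env: REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and then `echo "$REGISTRY_TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin`), which is the shape the later `echo "${AUTH_TOKEN}" | ko login ghcr.io ... --password-stdin` snippet in this PR already uses. The `uses: testifysec/witness-run-action@main` line below it carries the same unpinned-branch issue Scorecard flags on the other steps.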
| command: ko build --tarball server.tar --tags=ghcr.io/${{ github.repository }}:${{ github.sha }} --platform=all --sbom-dir . ./cmd/server | ||
|
|
||
| - name: Build Harvestor | ||
| uses: testifysec/witness-run-action@main |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
|
|
||
| - name: Install KO | ||
| run: go install github.com/google/ko/cmd/ko@latest | ||
|
|
Check warning
Code scanning / Scorecard
Pinned-Dependencies
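Review bot: `run: go install github.com/google/ko/cmd/ko@latest` resolves to whatever ko release is current on the day the workflow runs, so the tool that builds the attested images is itself unpinned and the build is not reproducible from the workflow file alone; install a fixed version (`go install github.com/google/ko/cmd/ko@vX.Y.Z`, with the placeholder replaced by the ko release this was tested against) or use a SHA-pinned setup action, so the attestation describes a known toolchain.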
| # command: goreleaser release --clean --snapshot | ||
|
|
||
| - name: Setup KO | ||
| uses: imjasonh/setup-ko@v0.6 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
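Review bot: `uses: imjasonh/setup-ko@v0.6` pins to a tag rather than a commit; tags can be moved or re-pushed, so Scorecard treats this the same as an unpinned reference. Pin to the commit SHA the tag resolves to and keep the tag as a trailing comment, matching the `goreleaser-action@<sha> # v4.1.0` convention already used in this workflow.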
| uses: imjasonh/setup-ko@v0.6 | ||
|
|
||
| - name: Build Server | ||
| uses: testifysec/witness-run-action@v0.1.1 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| - name: Generate subject | ||
| id: hash | ||
| - name: Build Harvestor | ||
| uses: testifysec/witness-run-action@v0.1.1 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| # command: goreleaser release --clean --snapshot | ||
|
|
||
| - name: Setup KO | ||
| uses: imjasonh/setup-ko@v0.6 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| # command: goreleaser release --clean --snapshot | ||
|
|
||
| - name: Setup KO | ||
| uses: imjasonh/setup-ko@v0.6 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| - name: Generate subject | ||
| id: hash | ||
| - name: Build Harvestor | ||
| uses: testifysec/witness-run-action@v0.1.1 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| command: goreleaser release --clean --snapshot | ||
|
|
||
| - name: Setup KO | ||
| uses: imjasonh/setup-ko@v0.6 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| sudo apt-get install trivy -y | ||
|
|
||
| - name: Run Trivy vulnerability scanner with Witness | ||
| uses: testifysec/witness-run-action@v0.1.1 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin | ||
|
|
||
| - name: Build Server | ||
| uses: testifysec/witness-run-action@fix-output |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
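Review bot: `uses: testifysec/witness-run-action@fix-output` points at a feature branch, which is even less stable than `@main`: the ref can be rebased or deleted, and the build would then fail or silently pick up different action code. Fine for testing the fix while the PR is WIP, but it should be replaced with a commit SHA (tag in a comment) before merge. The `echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin` line above is the right pattern for the credential, read from the environment rather than interpolated into the script.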
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
Check failure
Code scanning / Trivy
Asymmetric Private Key
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
Check failure
Code scanning / Trivy
Asymmetric Private Key
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
Check failure
Code scanning / Trivy
Asymmetric Private Key
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
Check failure
Code scanning / Trivy
Asymmetric Private Key
| @@ -0,0 +1,28 @@ | |||
| -----BEGIN PRIVATE KEY----- | |||
Check failure
Code scanning / Trivy
Asymmetric Private Key
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.2.0 to 3.3.1.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@537aa19...0ad9a09)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
provenance artifact with signature and sboms

Signed-off-by: Victor Vieira Barros Leal da Silveira <victorblsilveira@gmail.com>
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.3.1 to 3.4.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@0ad9a09...08e2f20)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed from 1b04d08 to 69d694c
Signed-off-by: Cole Kennedy <colek42@gmail.com>
Kudos, SonarCloud Quality Gate passed!
Signed-off-by: Cole Kennedy <colek42@gmail.com>
Signed-off-by: Cole Kennedy <colek42@gmail.com>
Kudos, SonarCloud Quality Gate passed!
Pull request check list
Affected functionality
Description of change
Which issue this pull request fixes