Skip to content

more quotes #163

more quotes

more quotes #163

Workflow file for this run

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: pipeline
on:
push:
branches:
- '*'
pull_request:
branches:
- '*'
jobs:
fmt:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
attestations: "git github environment"
command: go fmt ./...
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
vet:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
attestations: "git github environment"
command: go vet ./...
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
# --ignore DL3002
lint:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
pre-command-attestations: "git github environment"
attestations: "git github environment"
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
command: hadolint -f sarif Dockerfile > hadolint.sarif
artifact-upload-name: hadolint.sarif
artifact-upload-path: hadolint.sarif
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
unit-test:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
attestations: "git github environment"
command: go test ./... -coverprofile cover.out
artifact-upload-name: cover.out
artifact-upload-path: cover.out
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
sast:
needs: [ fmt, vet, lint ]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
pre-command-attestations: "git github environment"
attestations: "git github environment"
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
artifact-upload-name: semgrep.sarif
artifact-upload-path: semgrep.sarif
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
build:
needs: [ unit-test, sast ]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: build
attestations: "git github environment"
command: go build -o bin/software main.go
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
build-image:
needs: [ unit-test, sast ]
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
steps:
- uses: actions/checkout@v4.1.1
- uses: docker/setup-buildx-action@v3.0.0
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/testifysec/swf/software
- name: Docker Login
uses: docker/#-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64
install: true
use: true
- name: Save Key
env:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
run: echo "$ED_25519_PRIVATE_KEY" > /tmp/private.pem
- name: Build Image
uses: testifysec/witness-run-action@5f0d4d4b85d205ade1147258148e6d9751bbcb91 # v0.2.0
with:
version: 0.6.0
step: build-image
archivista-server: "http://john-minikube-archivista:8082"
attestations: "git github environment oci slsa"
enable-sigstore: false
key: /tmp/private.pem
command: |
/bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} -o type=docker,dest=image.tar --push ."
- name: Upload Artifact
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: image.tar
path: image.tar
outputs:
tags: ${{ steps.meta.outputs.tags }}
generate-sbom:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
pre-command-attestations: "git github environment"
attestations: "git github environment sbom"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
command: |
syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
artifact-upload-name: sbom.cdx.json
artifact-upload-path: sbom.cdx.json
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
secret-scan:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
pre-command-attestations: "git github environment"
attestations: "git github environment"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
command: |
trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
artifact-upload-name: trufflehog.json
artifact-upload-path: trufflehog.json
secrets:
ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}