Updated workflow for KubeCon demo

Signed-off-by: John Kjell <john@testifysec.com>
testifysec · Nov 13, 2024 · e164558 · e164558
1 parent dc43b0e
commit e164558
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 34 deletions.
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -21,8 +21,7 @@ jobs:
       attestations: "git github environment"
       command: go fmt ./...
     secrets:
-      TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-      TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+      ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
 
   vet:
     uses: ./.github/workflows/witness.yml
@@ -32,8 +31,7 @@ jobs:
       attestations: "git github environment"
       command: go vet ./...
     secrets:
-        TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-        TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+        ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
 
   # --ignore DL3002    
   lint:
@@ -50,8 +48,7 @@ jobs:
       artifact-upload-name: hadolint.sarif
       artifact-upload-path: hadolint.sarif
     secrets:
-      TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-      TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+      ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
 
   unit-test:
     needs: [ fmt, vet, lint ]
@@ -64,8 +61,7 @@ jobs:
       artifact-upload-name: cover.out
       artifact-upload-path: cover.out
     secrets:
-      TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-      TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+      ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
 
   sast:
     needs: [ fmt, vet, lint ]
@@ -80,8 +76,7 @@ jobs:
       artifact-upload-name: semgrep.sarif
       artifact-upload-path: semgrep.sarif
     secrets:
-      TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-      TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+      ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
 
   build:
     needs: [ unit-test, sast ]
@@ -92,8 +87,7 @@ jobs:
       attestations: "git github environment"
       command: go build -o bin/software main.go 
     secrets:
-      TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-      TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+      ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
 
   build-image:
     needs: [ unit-test, sast ]
@@ -105,13 +99,6 @@ jobs:
       contents: read  # This is required for actions/checkout
 
     steps:
-    - name: Tailscale
-      uses: tailscale/github-action@v2
-      with:
-          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
-          tags: tag:ci
-
     - uses: actions/checkout@v4.1.1
     - uses: docker/setup-buildx-action@v3.0.0
 
@@ -135,13 +122,19 @@ jobs:
         install: true
         use: true
 
+    - name: Save Key
+      env:
+        ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
+      run: echo $ED_25519_PRIVATE_KEY > /tmp/private.pem
+
     - name: Build Image
       uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
       with:
         version: 0.6.0
         step: build-image
         archivista-server: "http://john-minikube-archivista:8082"
         attestations: "git github environment oci slsa"
+        key: /tmp/private.pem
         command: |
           /bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} -o type=docker,dest=image.tar --push ."
           
@@ -170,8 +163,7 @@ jobs:
       artifact-upload-name: sbom.cdx.json
       artifact-upload-path: sbom.cdx.json
     secrets:
-        TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-        TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+        ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
 
   secret-scan:
     needs: build-image
@@ -189,5 +181,4 @@ jobs:
       artifact-upload-name: trufflehog.json
       artifact-upload-path: trufflehog.json
     secrets:
-      TS_OAUTH_CLIENT_ID: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-      TS_OAUTH_SECRET: ${{ secrets.TS_OAUTH_SECRET }}
+      ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
@@ -44,13 +44,11 @@ on:
                 required: true
                 type: string
             archivista-server:
-                default: "http://john-minikube-archivista:8082"
+                default: "https://archivista.testifysec.io"
                 required: false
                 type: string
         secrets:
-            TS_OAUTH_CLIENT_ID:
-                required: true
-            TS_OAUTH_SECRET:
+            ED_25519_PRIVATE_KEY:
                 required: true
 
 jobs:
@@ -62,26 +60,25 @@ jobs:
             with:
               go-version: 1.21.x
 
-          - name: Tailscale
-            uses: tailscale/github-action@v2
-            with:
-                oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
-                oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
-                tags: tag:ci
-
           - if: ${{ inputs.artifact-download != '' }}
             uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
             with:
               name: ${{ inputs.artifact-download }}
               path: /tmp
 
+          - name: Save Key
+            env:
+              ED_25519_PRIVATE_KEY: ${{ secrets.ED_25519_PRIVATE_KEY }}
+            run: echo $ED_25519_PRIVATE_KEY > /tmp/private.pem
+
           - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
             uses: testifysec/witness-run-action@79320a907f611f2fb40ced8e13c66af988b2d9db # v0.2.2
             with:
               version: 0.6.0
               archivista-server: ${{ inputs.archivista-server }}
               step: pre-${{ inputs.step }}
               attestations: ${{ inputs.pre-command-attestations }}
+              key: /tmp/private.pem
               command: /bin/sh -c "${{ inputs.pre-command }}"
           - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
             run: ${{ inputs.pre-command }}
@@ -93,6 +90,7 @@ jobs:
               archivista-server: ${{ inputs.archivista-server }}
               step: ${{ inputs.step }}
               attestations: ${{ inputs.attestations }}
+              key: /tmp/private.pem
               command: /bin/sh -c "${{ inputs.command }}"
           - if: ${{ inputs.pull_request == true }}
             run: ${{ inputs.command }}

diff --git a/public.pem b/public.pem
@@ -0,0 +1,3 @@
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAdbPhtk99MV7oj3kFYvCwyRyBMiBSMEjzu4HpAUFIVfY=
+-----END PUBLIC KEY-----