
making some changes
Signed-off-by: chaosinthecrd <[email protected]>
ChaosInTheCRD committed Jan 21, 2025
1 parent cd91063 commit 5348010
Showing 1 changed file with 27 additions and 26 deletions.
53 changes: 27 additions & 26 deletions .github/workflows/pipeline.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
command: go fmt ./...

vet:
Expand All @@ -28,7 +28,7 @@ jobs:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
command: go vet ./...

# --ignore DL3002
Expand All @@ -39,7 +39,7 @@ jobs:
step: lint
pre-command-attestations: "git github environment"
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
Expand All @@ -54,7 +54,7 @@ jobs:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
command: go test ./... -coverprofile cover.out
artifact-upload-name: cover.out
artifact-upload-path: cover.out
Expand All @@ -67,7 +67,7 @@ jobs:
step: sast
pre-command-attestations: "git github environment"
attestations: "git github environment sarif"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
artifact-upload-name: semgrep.sarif
Expand Down Expand Up @@ -121,7 +121,7 @@ jobs:
version: 0.6.0
step: build-image
attestations: "git github environment slsa"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
command: |
/bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
outputs:
Expand All @@ -134,7 +134,7 @@ jobs:
pull_request: ${{ github.event_name == 'pull_request' }}
step: save-image
attestations: "git github environment slsa oci"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
command: |
docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
artifact-upload-name: image.tar
Expand All @@ -148,7 +148,7 @@ jobs:
step: generate-sbom
pre-command-attestations: "git github environment"
attestations: "git github environment sbom"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
Expand All @@ -165,7 +165,7 @@ jobs:
step: secret-scan
pre-command-attestations: "git github environment"
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
Expand All @@ -174,20 +174,21 @@ jobs:
artifact-upload-name: trufflehog.json
artifact-upload-path: trufflehog.json

verify:
needs: [ generate-sbom, secret-scan]

if: ${{ github.event_name == 'push' }}
uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: verify
pre-command-attestations: "git github environment"
attestations: "git github environment"
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
artifact-download: image.tar
pre-command: |
curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
command: |
witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug
# NOTE: We can't verify from judge anymore as the route is restricted
# verify:
# needs: [ generate-sbom, secret-scan]
#
# if: ${{ github.event_name == 'push' }}
# uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
# with:
# pull_request: ${{ github.event_name == 'pull_request' }}
# step: verify
# pre-command-attestations: "git github environment"
# attestations: "git github environment"
# archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
# artifact-download: image.tar
# pre-command: |
# curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
# tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
# command: |
# witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge.aws-sandbox-staging.testifysec.dev -l debug
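Review bot: Commenting out the entire `verify` job at the end of this section removes the only step that checks the collected attestations against `policy-signed.json`, so on `push` the pipeline now uploads evidence to Archivista but never enforces a policy, and the only record of that loss is the NOTE line. Rather than an 18-line comment block that yamllint and the Actions validator no longer parse, keep the job definition and gate it, e.g. `if: false  # TODO(<tracking-issue placeholder>): judge verify route restricted; re-enable once reachable`, so the skipped job remains visible in every run and cannot drift from the other `witness.yml` jobs. The same hostname is now repeated in nine `with:` blocks and once inside the commented `witness verify` command; `jobs.<job_id>.with` accepts the `vars` context, so `archivista-server: ${{ vars.ARCHIVISTA_SERVER }}` would make the next endpoint move a single edit (assuming the reusable workflow does not require a literal, which this page does not show). The enclosing `jobs:` mapping starts before the first hunk.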
