diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 3bcd857..be6f218 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -19,7 +19,7 @@ jobs: pull_request: ${{ github.event_name == 'pull_request' }} step: fmt attestations: "git github environment" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" command: go fmt ./... vet: @@ -28,7 +28,7 @@ jobs: pull_request: ${{ github.event_name == 'pull_request' }} step: vet attestations: "git github environment" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" command: go vet ./... # --ignore DL3002 @@ -39,7 +39,7 @@ jobs: step: lint pre-command-attestations: "git github environment" attestations: "git github environment" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" pre-command: | curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \ chmod +x /usr/local/bin/hadolint @@ -54,7 +54,7 @@ jobs: pull_request: ${{ github.event_name == 'pull_request' }} step: unit-test attestations: "git github environment" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" command: go test ./... -coverprofile cover.out artifact-upload-name: cover.out artifact-upload-path: cover.out @@ -67,7 +67,7 @@ jobs: step: sast pre-command-attestations: "git github environment" attestations: "git github environment sarif" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" pre-command: python3 -m pip install semgrep==1.45.0 command: semgrep scan --config auto ./ --sarif -o semgrep.sarif artifact-upload-name: semgrep.sarif @@ -121,7 +121,7 @@ jobs: version: 0.6.0 step: build-image attestations: "git github environment slsa" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" command: | /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ." outputs: @@ -134,7 +134,7 @@ jobs: pull_request: ${{ github.event_name == 'pull_request' }} step: save-image attestations: "git github environment slsa oci" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" command: | docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar artifact-upload-name: image.tar @@ -148,7 +148,7 @@ jobs: step: generate-sbom pre-command-attestations: "git github environment" attestations: "git github environment sbom" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" artifact-download: image.tar pre-command: | curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin @@ -165,7 +165,7 @@ jobs: step: secret-scan pre-command-attestations: "git github environment" attestations: "git github environment" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" + archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" artifact-download: image.tar pre-command: | curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin @@ -174,20 +174,21 @@ jobs: artifact-upload-name: trufflehog.json artifact-upload-path: trufflehog.json - verify: - needs: [ generate-sbom, secret-scan] - - if: ${{ github.event_name == 'push' }} - uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow - with: - pull_request: ${{ github.event_name == 'pull_request' }} - step: verify - pre-command-attestations: "git github environment" - attestations: "git github environment" - archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev" - artifact-download: image.tar - pre-command: | - curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \ - tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz - command: | - witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug + # NOTE: We can't verify from judge anymore as the route is restricted + # verify: + # needs: [ generate-sbom, secret-scan] + # + # if: ${{ github.event_name == 'push' }} + # uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow + # with: + # pull_request: ${{ github.event_name == 'pull_request' }} + # step: verify + # pre-command-attestations: "git github environment" + # attestations: "git github environment" + # archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev" + # artifact-download: image.tar + # pre-command: | + # curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \ + # tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz + # command: | + # witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge.aws-sandbox-staging.testifysec.dev -l debug