Osff demo prod and sandbox #31

Open
wants to merge 30 commits into
base: main
Commits
b88da32
Use new docker buildx with multiple outputs to save image
Sep 30, 2024
3fc03d0
Switch to default archivista
Sep 30, 2024
7732366
Update pipeline - please approve (#9)
Oct 1, 2024
d981a28
Add webhook attestations to policy (#10)
Oct 1, 2024
69875cb
Update to demo version of witness
Oct 1, 2024
cc6d032
Change demo version of witness to be executable
Oct 1, 2024
bc88141
Remove linter rule exclusion (#11)
Oct 1, 2024
e354f55
Update policy for webhook-attestations (#12)
Oct 1, 2024
c94240a
Add policy for PR that doesn't look for merge (#13)
Oct 1, 2024
5d548c3
We really do need root (#14)
Oct 1, 2024
31abed9
🚒 Prod down - disable linting 🚒 (#15)
Oct 1, 2024
dec8c45
Let's make the 🌎 a better place, the right way 🦉⛓🚀 (#16)
Oct 1, 2024
2d7abd0
Revert demo changes to good state (#17)
Oct 1, 2024
59dc59b
Update archivista and workflow
Nov 4, 2024
923f299
point build-image job at correct archivista
Nov 9, 2024
e762c9b
Need to ignore false positive from linter
Nov 10, 2024
7cedc80
Update rules for hadolint
Nov 10, 2024
4d3a62b
Need to ignore false positive from linter
Nov 10, 2024
619e9af
Update rules for hadolint (#21)
Nov 11, 2024
ed193f3
Update to demo environment
Dec 3, 2024
80f2b9d
Use default archivista
Jan 15, 2025
5813a77
Need to run as root
Jan 15, 2025
269de7e
Update witness install dir
Jan 15, 2025
dd4246d
🚒 Prod is down 🚒. Approve ASAP
Jan 15, 2025
1b88da9
Update archivista URL and witness version (#30)
Feb 13, 2025
e875825
chore: update witness-run-action version
kriscoleman Apr 28, 2025
0ffe8de
chore: updates archivista server URL to testifysec prod
kriscoleman Apr 29, 2025
0f6db32
chore: pipeline workflows for dual env
kriscoleman Jun 23, 2025
295f271
chore: updates witness-run-action version
kriscoleman Jun 23, 2025
06b8c6a
chore: workflow to use reusable workflow
kriscoleman Jun 23, 2025
188 changes: 188 additions & 0 deletions .github/workflows/pipeline-prod.yml
@@ -0,0 +1,188 @@
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

name: pipeline-prod

on:
push:
branches:
- '*'
pull_request:
branches:
- '*'

jobs:
fmt:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
archivista-server: 'https://web.platform.testifysec.com'
attestations: 'git github environment'
command: go fmt ./...
secrets:
token: ${{ secrets.witness_api_token }}

vet:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
archivista-server: 'https://web.platform.testifysec.com'
attestations: 'git github environment'
command: go vet ./...
secrets:
token: ${{ secrets.witness_api_token }}

# --ignore DL3002
lint:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
archivista-server: 'https://web.platform.testifysec.com'
pre-command-attestations: 'git github environment'
attestations: 'git github environment'
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
command: hadolint -f sarif Dockerfile > hadolint.sarif
artifact-upload-name: hadolint.sarif
artifact-upload-path: hadolint.sarif
secrets:
token: ${{ secrets.witness_api_token }}

unit-test:
needs: [fmt, vet, lint]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
archivista-server: 'https://web.platform.testifysec.com'
attestations: 'git github environment'
command: go test ./... -coverprofile cover.out
artifact-upload-name: cover.out
artifact-upload-path: cover.out
secrets:
token: ${{ secrets.witness_api_token }}

sast:
needs: [fmt, vet, lint]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
archivista-server: 'https://web.platform.testifysec.com'
pre-command-attestations: 'git github environment'
attestations: 'git github environment'
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
artifact-upload-name: semgrep.sarif
artifact-upload-path: semgrep.sarif
secrets:
token: ${{ secrets.witness_api_token }}

build:
needs: [unit-test, sast]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: build
archivista-server: 'https://web.platform.testifysec.com'
attestations: 'git github environment'
command: go build -o bin/software main.go
secrets:
token: ${{ secrets.witness_api_token }}

build-image:
needs: [unit-test, sast]
runs-on: ubuntu-latest

permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

steps:
- uses: actions/[email protected]
- uses: docker/[email protected]

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/testifysec/swf/software

- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64
install: true
use: true

- name: Fix Dockerfile
run: sed -i 's/# USER root/USER root/g' Dockerfile

- name: Build Image
uses: testifysec/[email protected]
with:
step: build-image
archivista-server: 'https://web.platform.testifysec.com'
attestations: 'git github environment oci slsa'
command: |
/bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} -o type=docker,dest=image.tar --push ."

- name: Upload Artifact
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: image.tar
path: image.tar

outputs:
tags: ${{ steps.meta.outputs.tags }}

generate-sbom:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
archivista-server: 'https://web.platform.testifysec.com'
pre-command-attestations: 'git github environment'
attestations: 'git github environment sbom'
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
command: |
syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
artifact-upload-name: sbom.cdx.json
artifact-upload-path: sbom.cdx.json
secrets:
token: ${{ secrets.witness_api_token }}

secret-scan:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
archivista-server: 'https://web.platform.testifysec.com'
pre-command-attestations: 'git github environment'
attestations: 'git github environment'
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
command: |
trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
artifact-upload-name: trufflehog.json
artifact-upload-path: trufflehog.json
secrets:
token: ${{ secrets.witness_api_token }}
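Review bot: the `Fix Dockerfile` step (`run: sed -i 's/# USER root/USER root/g' Dockerfile`) rewrites the Dockerfile on the runner just before `Build Image`, so the Dockerfile that the `lint` job attested with hadolint is not the one the `oci`/`slsa` attestations of `build-image` describe, and the published image runs as root; the dangling `# --ignore DL3002` comment above `lint` is never passed to the hadolint command, so it documents the problem without suppressing it. Commit the `USER` line you actually want and let hadolint see it, rather than patching the source in CI. Two further points in the same hunk: `generate-sbom` and `secret-scan` install syft and trufflehog with `curl ... | sh` from each project's `main`-branch install script, and `semgrep scan --config auto` fetches its ruleset at run time, so the tool versions recorded in the attestations are not reproducible; pin a release the way hadolint (v2.12.0) and semgrep (1.45.0) already are, and pin the third-party actions by commit SHA as `actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8` already is, instead of the mutable `@v3`/`@v5` tags on checkout, login, buildx and metadata. Finally, `on: push: branches: '*'` combined with an unconditional `--push` in the buildx command publishes `ghcr.io/testifysec/swf/software` on every branch push and again on the matching `pull_request` event; add an `if:` on the default branch (or on `github.event_name != 'pull_request'`) to the push.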
188 changes: 188 additions & 0 deletions .github/workflows/pipeline-sandbox.yml
@@ -0,0 +1,188 @@
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

name: pipeline-sandbox

on:
push:
branches:
- '*'
pull_request:
branches:
- '*'

jobs:
fmt:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: fmt
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
attestations: 'git github environment'
command: go fmt ./...
secrets:
token: ${{ secrets.sandbox_witness_api_token }}

vet:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: vet
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
attestations: 'git github environment'
command: go vet ./...
secrets:
token: ${{ secrets.sandbox_witness_api_token }}

# --ignore DL3002
lint:
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: lint
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
pre-command-attestations: 'git github environment'
attestations: 'git github environment'
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
command: hadolint -f sarif Dockerfile > hadolint.sarif
artifact-upload-name: hadolint.sarif
artifact-upload-path: hadolint.sarif
secrets:
token: ${{ secrets.sandbox_witness_api_token }}

unit-test:
needs: [fmt, vet, lint]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: unit-test
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
attestations: 'git github environment'
command: go test ./... -coverprofile cover.out
artifact-upload-name: cover.out
artifact-upload-path: cover.out
secrets:
token: ${{ secrets.sandbox_witness_api_token }}

sast:
needs: [fmt, vet, lint]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: sast
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
pre-command-attestations: 'git github environment'
attestations: 'git github environment'
pre-command: python3 -m pip install semgrep==1.45.0
command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
artifact-upload-name: semgrep.sarif
artifact-upload-path: semgrep.sarif
secrets:
token: ${{ secrets.sandbox_witness_api_token }}

build:
needs: [unit-test, sast]
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: build
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
attestations: 'git github environment'
command: go build -o bin/software main.go
secrets:
token: ${{ secrets.sandbox_witness_api_token }}

build-image:
needs: [unit-test, sast]
runs-on: ubuntu-latest

permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

steps:
- uses: actions/[email protected]
- uses: docker/[email protected]

- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/testifysec/swf/software

- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64
install: true
use: true

- name: Fix Dockerfile
run: sed -i 's/# USER root/USER root/g' Dockerfile

- name: Build Image
uses: testifysec/[email protected]
with:
step: build-image
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
attestations: 'git github environment oci slsa'
command: |
/bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} -o type=docker,dest=image.tar --push ."

- name: Upload Artifact
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: image.tar
path: image.tar

outputs:
tags: ${{ steps.meta.outputs.tags }}

generate-sbom:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: generate-sbom
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
pre-command-attestations: 'git github environment'
attestations: 'git github environment sbom'
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
command: |
syft packages docker-archive:/tmp/image.tar --source-name=pkg:oci/testifysec/swf -o cyclonedx-json --file sbom.cdx.json
artifact-upload-name: sbom.cdx.json
artifact-upload-path: sbom.cdx.json
secrets:
token: ${{ secrets.sandbox_witness_api_token }}

secret-scan:
needs: build-image
uses: ./.github/workflows/witness.yml
with:
pull_request: ${{ github.event_name == 'pull_request' }}
step: secret-scan
archivista-server: 'https://judge.aws-sandbox-staging.testifysec.dev'
pre-command-attestations: 'git github environment'
attestations: 'git github environment'
artifact-download: image.tar
pre-command: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
command: |
trufflehog docker --image=file:///tmp/image.tar -j > trufflehog.json
artifact-upload-name: trufflehog.json
artifact-upload-path: trufflehog.json
secrets:
token: ${{ secrets.sandbox_witness_api_token }}
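Review bot: this file is a line-for-line copy of `pipeline-prod.yml` with only `archivista-server` and the secret name (`sandbox_witness_api_token`) changed, so the two 188-line workflows will drift on the next edit; since every job already calls the reusable `./.github/workflows/witness.yml`, pass the server URL and token through one workflow with an environment input or a two-entry matrix instead of duplicating the whole file. More importantly, `build-image` here uses the same `images: ghcr.io/testifysec/swf/software` under `docker/metadata-action` and the same unconditional `--push`, and both workflows trigger on every `push` and `pull_request`, so the sandbox and prod builds run in parallel on each commit and overwrite each other's tags in one registry repository; give the sandbox image its own name or tag suffix, or restrict which branches each workflow runs on. The `Fix Dockerfile` sed step and the unpinned `curl ... | sh` installers carry over from the prod file with the same concerns.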