Add Sigstore signing action

Signed-off-by: Marcela Melara <[email protected]>
in-toto · Oct 31, 2023 · cd38563 · cd38563
1 parent b08b909
commit cd38563
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 16 deletions.
diff --git a/.github/actions/scai-gen-sigstore/action.yml b/.github/actions/scai-gen-sigstore/action.yml
@@ -0,0 +1,46 @@
+name: "in-toto Sigstore signer"
+description: "Generates a signed in-toto Attestation using cosign, and uploads it to the public Rekor log"
+inputs:
+  save-signed:
+    description: "Flag indicating whether to save the signed attestation as a local artifact (using actions/upload-artifact). Default is `save-signed=true`."
+    required: false
+    default: 'true'
+  statement-file:
+    description: "The name of the unsigned in-toto Statement file."
+    required: true
+  statement-path:
+    description: "The path to the statement-file. Defaults to GITHUB_WORKSPACE."
+    required: false
+    default: "$GITHUB_WORKSPACE"
+  signed-name:
+    description: "The name of the DSSE formatted signed in-toto Attestation file."
+    required: true
+  path:
+    description: "The directory to place the signed in-toto Attestation."
+    required: false
+    default: "$GITHUB_WORKSPACE/attestations"
+
+outputs:
+  attestation-name:
+    description: "Filename of the generated signed in-toto Attestation"
+    value: ${{ steps.sign.outputs.attestation-name }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Sign and upload in-toto Statement
+      id: sign
+      shell: bash
+      run: |
+        mkdir -p ${{ inputs.path }}
+        scai-gen sigstore -o ${{ inputs.path}}/${{ inputs.signed-name }} ${{ inputs.statement-path }}/${{ inputs.statement-name }}
+        echo "attestation-name=${{ inputs.path }}/${{ inputs.signed-name }}" >> "$GITHUB_OUTPUT"
+
+    - name: Save the signed in-toto Attestation
+      if: ${{ inputs.save-signed == 'true' }}
+      id: upload-signed
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      with:
+        name: ${{ steps.sign.inputs.signed-name }}
+        path: ${{ steps.sign.outputs.attestation-name }}
+        retention-days: 15
diff --git a/.github/workflows/test-e2e-flow.yml b/.github/workflows/test-e2e-flow.yml
@@ -14,8 +14,6 @@ on:
 jobs:
   sbom-slsa-ex:
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write # Needed to sign
     steps:
       - name: Install Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
@@ -62,17 +60,3 @@ jobs:
           subject: "examples/sbom+slsa/metadata/container-img-desc.json"
           attr-assertions: "${{ steps.gen-sbom-assert.outputs.assertion-name }} ${{ steps.gen-slsa-assert.outputs.assertion-name }}"
           report-name: "evidence-collection.scai.json"
-
-      - name: Sign and upload generated SCAI report (Sigstore)
-        id: sign-report
-        shell: bash
-        run: |
-          scai-gen sigstore -o ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig ${{ steps.gen-sbom-slsa-report.outputs.report-name }}
-
-      - name: Upload the signed SCAI AttributeReport
-        id: upload-signed-report
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        with:
-          name: ${{ steps.gen-sbom-slsa-report.inputs.report-name }}.sig
-          path: ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig
-          retention-days: 15
diff --git a/.github/workflows/test-sigstore-integration.yml b/.github/workflows/test-sigstore-integration.yml
@@ -0,0 +1,40 @@
+name: Test Sigstore integration
+on:
+  # Want to trigger these tests whenever the Sigstore command
+  # is modified and PR is closed because of OIDC token access
+  pull_request:
+    paths:
+      - "scai-gen/cmd/sigstore.go"
+    types:
+      - closed
+
+jobs:
+  sigstore:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write # Needed for signing
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
+        with:
+          go-version: 1.20.x
+
+      - name: Checkout updated scai-gen CLI tools
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Setup Env
+        run: |
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Install scai-gen CLI tools
+        shell: bash
+        run: |
+          go install ./scai-gen
+
+      - name: Sign and upload SCAI report (Sigstore)
+        id: sign-report
+        shell: bash
+        uses: marcelamelara/scai-demos/.github/actions/scai-gen-sigstore@add-scai-reusable-workflows
+        with:
+          statement-file: examples/sbom+slsa/metadata/evidence-collection.scai.json
+          signed-name: evidence-collection.scai.sig.json