From cd38563ac440b560de800629bfe154d896bdbcfc Mon Sep 17 00:00:00 2001
From: Marcela Melara
Date: Tue, 31 Oct 2023 16:46:52 -0700
Subject: [PATCH] Add Sigstore signing action
Signed-off-by: Marcela Melara
---
 .github/actions/scai-gen-sigstore/action.yml | 46 +++++++++++++++++++
 .github/workflows/test-e2e-flow.yml | 16 -------
 .../workflows/test-sigstore-integration.yml | 40 ++++++++++++++++
 3 files changed, 86 insertions(+), 16 deletions(-)
 create mode 100644 .github/actions/scai-gen-sigstore/action.yml
 create mode 100644 .github/workflows/test-sigstore-integration.yml
diff --git a/.github/actions/scai-gen-sigstore/action.yml b/.github/actions/scai-gen-sigstore/action.yml
new file mode 100644
index 0000000..60269b2
--- /dev/null
+++ b/.github/actions/scai-gen-sigstore/action.yml
@@ -0,0 +1,46 @@
+name: "in-toto Sigstore signer"
+description: "Generates a signed in-toto Attestation using cosign, and uploads it to the public Rekor log"
+inputs:
+ save-signed:
+ description: "Flag indicating whether to save the signed attestation as a local artifact (using actions/upload-artifact). Default is `save-signed=true`."
+ required: false
+ default: 'true'
+ statement-file:
+ description: "The name of the unsigned in-toto Statement file."
+ required: true
+ statement-path:
+ description: "The path to the statement-file. Defaults to GITHUB_WORKSPACE."
+ required: false
+ default: "$GITHUB_WORKSPACE"
+ signed-name:
+ description: "The name of the DSSE formatted signed in-toto Attestation file."
+ required: true
+ path:
+ description: "The directory to place the signed in-toto Attestation."
+ required: false
+ default: "$GITHUB_WORKSPACE/attestations"
+
+outputs:
+ attestation-name:
+ description: "Filename of the generated signed in-toto Attestation"
+ value: ${{ steps.sign.outputs.attestation-name }}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Sign and upload in-toto Statement
+ id: sign
+ shell: bash
+ run: |
+ mkdir -p ${{ inputs.path }}
+ scai-gen sigstore -o ${{ inputs.path}}/${{ inputs.signed-name }} ${{ inputs.statement-path }}/${{ inputs.statement-name }}
+ echo "attestation-name=${{ inputs.path }}/${{ inputs.signed-name }}" >> "$GITHUB_OUTPUT"
+
+ - name: Save the signed in-toto Attestation
+ if: ${{ inputs.save-signed == 'true' }}
+ id: upload-signed
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: ${{ steps.sign.inputs.signed-name }}
+ path: ${{ steps.sign.outputs.attestation-name }}
+ retention-days: 15
diff --git a/.github/workflows/test-e2e-flow.yml b/.github/workflows/test-e2e-flow.yml
index f6c3cfc..836f733
--- a/.github/workflows/test-e2e-flow.yml
+++ b/.github/workflows/test-e2e-flow.yml
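Review bot: The `run:` block in the `sign` step references `${{ inputs.statement-name }}`, but the only declared inputs are `statement-file`, `statement-path`, `signed-name`, `path` and `save-signed`, so the expression expands to an empty string and `scai-gen sigstore` is handed the bare `statement-path` directory instead of the Statement file; the same step's artifact upload uses `${{ steps.sign.inputs.signed-name }}`, which is not a property of the `steps` context and should be `${{ inputs.signed-name }}`. Beyond the typos, every input is interpolated straight into the shell script, so a caller that forwards an attacker-influenced value (a PR title or branch name, for example) into `path` or `signed-name` gets command injection inside a job that holds an OIDC token and publishes to the public Rekor log; route the inputs through `env:` and quote them, which in turn means the `$GITHUB_WORKSPACE` defaults must become `${{ github.workspace }}` because an env value is not re-expanded by the shell. The `description` should also state that the calling job must grant `permissions: id-token: write` and that the signed attestation is uploaded to a public, append-only transparency log, e.g. `"Signs an in-toto Statement with cosign (keyless, via the job's OIDC token; caller needs id-token: write) and records it in the public Rekor log."`.
```yaml
inputs:
  # … unchanged: save-signed, statement-file …
  statement-path:
    description: "The path to the statement-file. Defaults to the workflow workspace."
    required: false
    default: "${{ github.workspace }}"
  # … unchanged: signed-name …
  path:
    description: "The directory to place the signed in-toto Attestation."
    required: false
    default: "${{ github.workspace }}/attestations"
# … unchanged: outputs …
runs:
  using: "composite"
  steps:
    - name: Sign and upload in-toto Statement
      id: sign
      shell: bash
      # Inputs are passed as environment variables, never interpolated into the script
      env:
        OUT_DIR: ${{ inputs.path }}
        SIGNED_NAME: ${{ inputs.signed-name }}
        STATEMENT: ${{ inputs.statement-path }}/${{ inputs.statement-file }}
      run: |
        mkdir -p "$OUT_DIR"
        scai-gen sigstore -o "$OUT_DIR/$SIGNED_NAME" "$STATEMENT"
        echo "attestation-name=$OUT_DIR/$SIGNED_NAME" >> "$GITHUB_OUTPUT"

    - name: Save the signed in-toto Attestation
      # … unchanged: if, id, uses …
      with:
        name: ${{ inputs.signed-name }}
        path: ${{ steps.sign.outputs.attestation-name }}
        retention-days: 15
```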
@@ -14,8 +14,6 @@ on:
 jobs:
 sbom-slsa-ex:
 runs-on: ubuntu-22.04
- permissions:
- id-token: write # Needed to sign
 steps:
 - name: Install Go
 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
@@ -62,17 +60,3 @@ jobs:
 subject: "examples/sbom+slsa/metadata/container-img-desc.json"
 attr-assertions: "${{ steps.gen-sbom-assert.outputs.assertion-name }} ${{ steps.gen-slsa-assert.outputs.assertion-name }}"
 report-name: "evidence-collection.scai.json"
-
- - name: Sign and upload generated SCAI report (Sigstore)
- id: sign-report
- shell: bash
- run: |
- scai-gen sigstore -o ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig ${{ steps.gen-sbom-slsa-report.outputs.report-name }}
-
- - name: Upload the signed SCAI AttributeReport
- id: upload-signed-report
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
- with:
- name: ${{ steps.gen-sbom-slsa-report.inputs.report-name }}.sig
- path: ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig
- retention-days: 15
diff --git a/.github/workflows/test-sigstore-integration.yml b/.github/workflows/test-sigstore-integration.yml
new file mode 100644
index 0000000..0ce4dd1
--- /dev/null
+++ b/.github/workflows/test-sigstore-integration.yml
@@ -0,0 +1,40 @@
+name: Test Sigstore integration
+on:
+ # Want to trigger these tests whenever the Sigstore command
+ # is modified and PR is closed because of OIDC token access
+ pull_request:
+ paths:
+ - "scai-gen/cmd/sigstore.go"
+ types:
+ - closed
+
+jobs:
+ sigstore:
+ runs-on: ubuntu-22.04
+ permissions:
+ id-token: write # Needed for signing
+ steps:
+ - name: Install Go
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
+ with:
+ go-version: 1.20.x
+
+ - name: Checkout updated scai-gen CLI tools
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+ - name: Setup Env
+ run: |
+ echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+ - name: Install scai-gen CLI tools
+ shell: bash
+ run: |
+ go install ./scai-gen
+
+ - name: Sign and upload SCAI report (Sigstore)
+ id: sign-report
+ shell: bash
+ uses: marcelamelara/scai-demos/.github/actions/scai-gen-sigstore@add-scai-reusable-workflows
+ with:
+ statement-file: examples/sbom+slsa/metadata/evidence-collection.scai.json
+ signed-name: evidence-collection.scai.sig.json
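Review bot: The final `sign-report` step combines `shell: bash` with `uses:`, but `shell` is only accepted on `run:` steps, so GitHub should reject the workflow file as invalid before any job runs; drop that line. The action is also referenced by a mutable branch on a personal fork (`@add-scai-reusable-workflows`) while `setup-go`, `checkout` and `upload-artifact` in this commit are all pinned to commit SHAs; since the diffstat shows the action is added to this same repository and the checkout step already runs, `uses: ./.github/actions/scai-gen-sigstore` exercises the version under review and removes the unpinned reference. `types: [closed]` fires for pull requests closed without merging, so an attestation over rejected changes would be signed with the repository's OIDC identity and published to the public, permanent Rekor log; gate the job with `if: github.event.pull_request.merged == true`. The `paths` filter also lists only `scai-gen/cmd/sigstore.go`, so edits to `.github/actions/scai-gen-sigstore/action.yml` itself never trigger this test.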