Add SCAI reusable actions (KubeCon NA '23 Demo) #13
Conversation
marcelamelara
requested review from
adityasaky,
pxp928 and
SantiagoTorres
as code owners
* Download evidence artifact in assertion generator * Take evidence type as input param * Pass generated intermediate files as step outputs Signed-off-by: Marcela Melara <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
marcelamelara
force-pushed
the
add-scai-reusable-workflows
branch
from
a576262 to
ed74e18
Compare
…GHA) Signed-off-by: Marcela Melara <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
Signed-off-by: Marcela Melara <[email protected]>
marcelamelara
force-pushed
the
add-scai-reusable-workflows
branch
from
cd38563 to
b828f1a
Compare
…cal Actions Signed-off-by: Marcela Melara <[email protected]>
marcelamelara
force-pushed
the
add-scai-reusable-workflows
branch
from
b828f1a to
5eced77
Compare
| shell: bash | ||
| run: | | ||
| mkdir -p ${{ inputs.assertion-path }} | ||
| scai-gen assert -e ${{ steps.gen-rd.outputs.file-rd-name }} -o ${{ inputs.assertion-path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}} |
There was a problem hiding this comment.
Could you use the full flag names instead of the short ones? I think it makes it more readable in this context and possibly more maintainable.
There was a problem hiding this comment.
Thanks! I'll make these changes as part of a follow-up PR that focuses on readability and usability of the demo, so I can unblock testing on the implementer end.
| id: scai-gen-assert | ||
| shell: bash | ||
| run: | | ||
| mkdir -p ${{ inputs.assertion-path }} |
There was a problem hiding this comment.
Possibly out of scope but perhaps the output dir creation should be handled by scai-gen assert so that the action's usable even without mkdir. IDK if mkdir is aliased / supported on Windows, for example.
There was a problem hiding this comment.
This is a good point, and shouldn't be too hard to implement, I hope. What I'll do is merge this PR so I can start testing this with my test build. I have some documentation for the demo in-flight (nothing major) that I think would fit well into a "make the demo more legible/usable" PR.
|
|
||
| // Add certificate to envelope. This is needed for | ||
| // Rekor compatibility. | ||
| signedAttWithCert, err := envelope.AddCertToEnvelope(signedAtt, k.Cert) |
There was a problem hiding this comment.
This is technically not part of the DSSE spec. I don't want to block this PR on this but this is another data point for us to get secure-systems-lab/dsse#61 merged and implemented.
|
Sounds good, I'm fine with this being merged now. |
This PR adds GitHub Actions for running the Go
scai-gentools through GHA workflows. This PR also adds a new (experimental) commandscai-gen sigstorefor Sigstore integration (cosign signing and Rekor upload) via GHA. The primary use of these Actions is as part of the in-toto KubeCon NA '23 demo. The demo implementation lives here.