Merge branch 'main' into env-obfuscate

.github/workflows/codeql.yml

@@ -50,15 +50,15 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: 1.21.x
+          go-version: 1.23.x
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -22,6 +22,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0

.github/workflows/fossa.yml

@@ -20,7 +20,7 @@ jobs:
       steps:
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Checkout Code"
-          uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Run FOSSA Scan"
           uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0

.github/workflows/golangci-lint.yml

@@ -20,9 +20,9 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           version: latest
           args: --timeout=3m

.github/workflows/release.yml

@@ -94,15 +94,15 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: 1.21.x
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+          go-version: 1.23.x
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: |
             ~/go/pkg/mod
@@ -119,10 +119,10 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
       - name: Install syft
-        uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
+        uses: anchore/sbom-action/download-syft@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
 
       - name: Download GoReleaser
         run: go install github.com/goreleaser/[email protected]

.github/workflows/scorecard.yml

@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
@@ -67,14 +67,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # tag=v4.4.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d # tag=v3.26.7
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0
         with:
           sarif_file: results.sarif

.github/workflows/verify-docgen.yml

@@ -13,8 +13,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: "1.21.x"
+          go-version: "1.23.x"
       - run: ./docgen/verify.sh

.github/workflows/verify-licence.yml

@@ -12,10 +12,10 @@ jobs:
     name: license boilerplate check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: "1.21.x"
+          go-version: "1.23.x"
       - name: Install addlicense
         run: go install github.com/google/[email protected]
       - name: Check license headers

.github/workflows/witness.yml

@@ -50,10 +50,10 @@ jobs:
           contents: read
           id-token: write
         steps:
-          - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-          - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+          - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+          - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
             with:
-              go-version: 1.21.x
+              go-version: 1.23.x
 
           - if: ${{ inputs.artifact-download != '' }}
             uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -80,7 +80,7 @@ jobs:
             run: ${{ inputs.command }}
 
           - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
-            uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+            uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
             with:
               name: ${{ inputs.artifact-upload-name }}
               path: ${{ inputs.artifact-upload-path }}

.goreleaser.yaml

@@ -23,9 +23,12 @@ source:
   enabled: true
 signs:
   - cmd: cosign
+    certificate: '${artifact}.pem'
+    signature: '${artifact}.sig'
     args:
       - "sign-blob"
       - "--output-signature=${signature}"
+      - '--output-certificate=${certificate}'
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
     artifacts: all

Makefile

@@ -8,9 +8,12 @@ BUILDFLAGS := -trimpath
 clean: ## Clean the binary directory
 	rm -rf $(BINDIR)
 
-build:
+build: ## Build the binary
 	CGO_ENABLED=0 go build $(BUILDFLAGS) -o $(BINDIR)/$(BINNAME) ./main.go
 
+build-goreleaser: ## Build the binary using goreleaser
+	goreleaser build --snapshot --clean
+
 vet: ## Run go vet
 	go vet ./...
 

cmd/root.go

@@ -17,6 +17,8 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"runtime"
+	"runtime/pprof"
 
 	"github.com/in-toto/go-witness/log"
 	_ "github.com/in-toto/go-witness/signer/kms/aws"
@@ -25,7 +27,10 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var ro = &options.RootOptions{}
+var (
+	ro             = &options.RootOptions{}
+	cpuProfileFile *os.File
+)
 
 func New() *cobra.Command {
 	cmd := &cobra.Command{
@@ -46,6 +51,7 @@ func New() *cobra.Command {
 	cmd.AddCommand(versionCmd())
 	cmd.AddCommand(AttestorsCmd())
 	cobra.OnInitialize(func() { preRoot(cmd, ro, logger) })
+	cobra.OnFinalize((func() { postRoot(ro, logger) }))
 	return cmd
 }
 
@@ -64,6 +70,40 @@ func preRoot(cmd *cobra.Command, ro *options.RootOptions, logger *logrusLogger)
 	if err := initConfig(cmd, ro); err != nil {
 		logger.l.Fatal(err)
 	}
+
+	var err error
+	if len(ro.CpuProfileFile) > 0 {
+		cpuProfileFile, err = os.Create(ro.CpuProfileFile)
+		if err != nil {
+			logger.l.Fatalf("could not create CPU profile: %v", err)
+		}
+
+		if err = pprof.StartCPUProfile(cpuProfileFile); err != nil {
+			logger.l.Fatalf("could not start CPU profile: %v", err)
+		}
+	}
+}
+
+func postRoot(ro *options.RootOptions, logger *logrusLogger) {
+	if cpuProfileFile != nil {
+		pprof.StopCPUProfile()
+		if err := cpuProfileFile.Close(); err != nil {
+			logger.l.Fatalf("could not close cpu profile file: %v", err)
+		}
+	}
+
+	if len(ro.MemProfileFile) > 0 {
+		memProfileFile, err := os.Create(ro.MemProfileFile)
+		if err != nil {
+			logger.l.Fatalf("could not create memory profile file: %v", err)
+		}
+
+		defer memProfileFile.Close()
+		runtime.GC()
+		if err := pprof.WriteHeapProfile(memProfileFile); err != nil {
+			logger.l.Fatalf("could not write memory profile: %v", err)
+		}
+	}
 }
 
 func loadOutfile(outFilePath string) (*os.File, error) {

docs-website/yarn.lock

@@ -4713,9 +4713,9 @@ http-parser-js@>=0.5.1:
   integrity sha512-SGeBX54F94Wgu5RH3X5jsDtf4eHyRogWX1XGT3b4HuW3tQPM4AaBzoUji/4AAJNXCEOWZ5O0DgZmJw1947gD5Q==
 
 http-proxy-middleware@^2.0.3:
-  version "2.0.6"
-  resolved "https://registry.yarnpkg.com/http-proxy-middleware/-/http-proxy-middleware-2.0.6.tgz#e1a4dd6979572c7ab5a4e4b55095d1f32a74963f"
-  integrity sha512-ya/UeJ6HVBYxrgYotAZo1KvPWlgB48kUJLDePFeneHsVujFaW5WNj2NgWCAE//B1Dl02BIfYlpNgBy8Kf8Rjmw==
+  version "2.0.7"
+  resolved "https://registry.yarnpkg.com/http-proxy-middleware/-/http-proxy-middleware-2.0.7.tgz#915f236d92ae98ef48278a95dedf17e991936ec6"
+  integrity sha512-fgVY8AV7qU7z/MmXJ/rxwbrtQH4jBQ9m7kp3llF0liB7glmFeVZFBepQb32T3y8n8k2+AEYuMPCpinYW+/CuRA==
   dependencies:
     "@types/http-proxy" "^1.17.8"
     http-proxy "^1.18.1"

docs/commands.md

@@ -19,8 +19,10 @@ Get information about all the available attestors in Witness
 ### Options inherited from parent commands
 
 ```
-  -c, --config string      Path to the witness config file (default ".witness.yaml")
-  -l, --log-level string   Level of logging to output (debug, info, warn, error) (default "info")
+  -c, --config string                   Path to the witness config file (default ".witness.yaml")
+      --debug-cpu-profile-file string   Path to store the CPU profile. Profiling will be enabled if this is non-empty
+      --debug-mem-profile-file string   Path to store the Memory profile. Profiling will be enabled if this is non-empty
+  -l, --log-level string                Level of logging to output (debug, info, warn, error) (default "info")
 ```
 
 ### SEE ALSO
@@ -88,8 +90,10 @@ witness run [cmd] [flags]
 ### Options inherited from parent commands
 
 ```
-  -c, --config string      Path to the witness config file (default ".witness.yaml")
-  -l, --log-level string   Level of logging to output (debug, info, warn, error) (default "info")
+  -c, --config string                   Path to the witness config file (default ".witness.yaml")
+      --debug-cpu-profile-file string   Path to store the CPU profile. Profiling will be enabled if this is non-empty
+      --debug-mem-profile-file string   Path to store the Memory profile. Profiling will be enabled if this is non-empty
+  -l, --log-level string                Level of logging to output (debug, info, warn, error) (default "info")
 ```
 
 ### SEE ALSO
@@ -148,8 +152,10 @@ witness sign [file] [flags]
 ### Options inherited from parent commands
 
 ```
-  -c, --config string      Path to the witness config file (default ".witness.yaml")
-  -l, --log-level string   Level of logging to output (debug, info, warn, error) (default "info")
+  -c, --config string                   Path to the witness config file (default ".witness.yaml")
+      --debug-cpu-profile-file string   Path to store the CPU profile. Profiling will be enabled if this is non-empty
+      --debug-mem-profile-file string   Path to store the Memory profile. Profiling will be enabled if this is non-empty
+  -l, --log-level string                Level of logging to output (debug, info, warn, error) (default "info")
 ```
 
 ### SEE ALSO
@@ -208,8 +214,10 @@ witness verify [flags]
 ### Options inherited from parent commands
 
 ```
-  -c, --config string      Path to the witness config file (default ".witness.yaml")
-  -l, --log-level string   Level of logging to output (debug, info, warn, error) (default "info")
+  -c, --config string                   Path to the witness config file (default ".witness.yaml")
+      --debug-cpu-profile-file string   Path to store the CPU profile. Profiling will be enabled if this is non-empty
+      --debug-mem-profile-file string   Path to store the Memory profile. Profiling will be enabled if this is non-empty
+  -l, --log-level string                Level of logging to output (debug, info, warn, error) (default "info")
 ```
 
 ### SEE ALSO
@@ -237,8 +245,10 @@ witness version [flags]
 ### Options inherited from parent commands
 
 ```
-  -c, --config string      Path to the witness config file (default ".witness.yaml")
-  -l, --log-level string   Level of logging to output (debug, info, warn, error) (default "info")
+  -c, --config string                   Path to the witness config file (default ".witness.yaml")
+      --debug-cpu-profile-file string   Path to store the CPU profile. Profiling will be enabled if this is non-empty
+      --debug-mem-profile-file string   Path to store the Memory profile. Profiling will be enabled if this is non-empty
+  -l, --log-level string                Level of logging to output (debug, info, warn, error) (default "info")
 ```
 
 ### SEE ALSO