chore: update witness.yml with workingdir input #16

Open · wants to merge 3 commits into base: reusable-workflow
151 changes: 79 additions & 72 deletions .github/workflows/witness.yml
@@ -13,80 +13,87 @@
# limitations under the License.

on:
workflow_call:
inputs:
pull_request:
required: true
type: boolean
artifact-download:
required: false
type: string
artifact-upload-name:
required: false
type: string
artifact-upload-path:
required: false
type: string
pre-command:
required: false
type: string
pre-command-attestations:
default: "environment git github"
required: false
type: string
command:
required: true
type: string
step:
required: true
type: string
attestations:
required: true
type: string
archivista-server:
default: "https://archivista.testifysec.io"
required: false
type: string

workflow_call:
inputs:
pull_request:
required: true
type: boolean
artifact-download:
required: false
type: string
artifact-upload-name:
required: false
type: string
artifact-upload-path:
required: false
type: string
pre-command:
required: false
type: string
pre-command-attestations:
default: 'environment git github'
required: false
type: string
command:
required: true
type: string
step:
required: true
type: string
attestations:
required: true
type: string
archivista-server:
default: 'https://archivista.testifysec.io'
required: false
type: string
workingdir:
Contributor Author: Oh @jkjell, I also had to add workingdir here; it was missing here too.

required: false
type: string

jobs:
witness:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: 1.21.x
witness:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: 1.21.x

- if: ${{ inputs.artifact-download != '' }}
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
with:
name: ${{ inputs.artifact-download }}
path: /tmp
- if: ${{ inputs.artifact-download != '' }}
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
with:
name: ${{ inputs.artifact-download }}
path: /tmp

- if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
uses: testifysec/witness-run-action@79320a907f611f2fb40ced8e13c66af988b2d9db # v0.2.2
with:
version: 0.6.0
archivista-server: ${{ inputs.archivista-server }}
step: pre-${{ inputs.step }}
attestations: ${{ inputs.pre-command-attestations }}
command: /bin/sh -c "${{ inputs.pre-command }}"
- if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
run: ${{ inputs.pre-command }}
- if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
uses: testifysec/witness-run-action@d5390fbc672f38705ca5fe57c219abd0471cfa2d
with:
version: 0.6.0
archivista-server: ${{ inputs.archivista-server }}
step: pre-${{ inputs.step }}
attestations: ${{ inputs.pre-command-attestations }}
workingdir: ${{ inputs.workingdir }}
command: /bin/sh -c "${{ inputs.pre-command }}"
- if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
run: ${{ inputs.pre-command }}
working-directory: ${{ inputs.workingdir }}

- if: ${{ inputs.pull_request == false }}
uses: testifysec/witness-run-action@79320a907f611f2fb40ced8e13c66af988b2d9db # v0.2.2
with:
version: 0.6.0
archivista-server: ${{ inputs.archivista-server }}
step: ${{ inputs.step }}
attestations: ${{ inputs.attestations }}
command: /bin/sh -c "${{ inputs.command }}"
- if: ${{ inputs.pull_request == true }}
run: ${{ inputs.command }}
- if: ${{ inputs.pull_request == false }}
uses: testifysec/witness-run-action@d5390fbc672f38705ca5fe57c219abd0471cfa2d
with:
version: 0.6.0
archivista-server: ${{ inputs.archivista-server }}
step: ${{ inputs.step }}
attestations: ${{ inputs.attestations }}
workingdir: ${{ inputs.workingdir }}
command: /bin/sh -c "${{ inputs.command }}"
- if: ${{ inputs.pull_request == true }}
run: ${{ inputs.command }}
working-directory: ${{ inputs.workingdir }}

- if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: ${{ inputs.artifact-upload-name }}
path: ${{ inputs.artifact-upload-path }}
- if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: ${{ inputs.artifact-upload-name }}
path: ${{ inputs.artifact-upload-path }}
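Review bot: `workingdir` is declared with `required: false` and no `default`, so when a caller omits it the new `working-directory: ${{ inputs.workingdir }}` on the `run:` steps and `workingdir: ${{ inputs.workingdir }}` on the witness-run-action steps both receive an empty string; please confirm that both the runner and the action treat an empty value as "use the workspace root" rather than failing, or give the input an explicit default such as `default: '.'` so the old behaviour is preserved for existing callers. Separately, the two `uses: testifysec/witness-run-action@d5390fbc672f38705ca5fe57c219abd0471cfa2d` lines dropped the `# v0.2.2`-style tag comment that the checkout, setup-go, download-artifact and upload-artifact steps keep beside their pinned SHAs; re-adding the tag comment for the new commit keeps the pin auditable and lets tooling that tracks pinned action versions keep working.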
73 changes: 36 additions & 37 deletions action.yml
Contributor: Was anything actually changed in this file other than whitespace/formatting?

Contributor Author: I removed the default value `./` from witness-install-dir because it was already being handled in code. I also changed how it was being handled, so now it works with or without workingdir; you can see this being handled in index.js.
@@ -1,95 +1,94 @@
name: witness-run
description: "Creates Attestation of CI Process with Witness"
description: 'Creates Attestation of CI Process with Witness'
inputs:
witness-install-dir:
description: "Directory to install witness in. The directory will be created if it does not exist"
description: 'Directory to install witness in. The directory will be created if it does not exist'
required: false
default: "./"
archivista-server:
description: "URL of the Archivista server to store or retrieve attestations"
description: 'URL of the Archivista server to store or retrieve attestations'
required: false
default: "https://archivista.testifysec.io"
default: 'https://archivista.testifysec.io'
attestations:
description: "Attestations to record"
description: 'Attestations to record'
required: false
default: "environment git github"
default: 'environment git github'
attestor-link-export:
description: "Export the attestor link predicate in its own attestation"
description: 'Export the attestor link predicate in its own attestation'
required: false
default: "false"
default: 'false'
attestor-maven-pom-path:
description: "Path to the Maven POM file"
description: 'Path to the Maven POM file'
required: false
attestor-sbom-export:
description: "Export the SBOM predicate in its own attestation"
description: 'Export the SBOM predicate in its own attestation'
required: false
default: "false"
default: 'false'
attestor-slsa-export:
description: "Export the SLSA predicate in its own attestation"
description: 'Export the SLSA predicate in its own attestation'
required: false
default: "false"
default: 'false'
enable-sigstore:
description: 'Use Sigstore for attestation'
required: false
default: "true"
default: 'true'
command:
description: "command to run"
description: 'command to run'
required: true
certificate:
description: "Path to the signing key's certificate"
required: false
enable-archivista:
description: "Use Archivista to store or retrieve attestations"
description: 'Use Archivista to store or retrieve attestations'
required: false
default: "true"
default: 'true'
fulcio:
description: "Fulcio address to sign with"
description: 'Fulcio address to sign with'
required: false
fulcio-oidc-client-id:
description: "OIDC client ID to use for authentication"
description: 'OIDC client ID to use for authentication'
required: false
fulcio-oidc-issuer:
description: "OIDC issuer to use for authentication"
description: 'OIDC issuer to use for authentication'
required: false
fulcio-token:
description: "Raw token to use for authentication"
description: 'Raw token to use for authentication'
required: false
intermediates:
description: "Intermediates that link trust back to a root of trust in the policy"
description: 'Intermediates that link trust back to a root of trust in the policy'
required: false
key:
description: "Path to the signing key"
description: 'Path to the signing key'
required: false
outfile:
description: "File to which to write signed data. Defaults to stdout"
description: 'File to which to write signed data. Defaults to stdout'
required: false
product-exclude-glob:
description: "Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation."
description: 'Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation.'
required: false
product-include-glob:
description: "Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation."
description: 'Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation.'
required: false
spiffe-socket:
description: "Path to the SPIFFE Workload API socket"
description: 'Path to the SPIFFE Workload API socket'
required: false
step:
description: "Name of the step being run"
description: 'Name of the step being run'
required: true
timestamp-servers:
description: "Timestamp Authority Servers to use when signing envelope"
description: 'Timestamp Authority Servers to use when signing envelope'
required: false
trace:
description: "Enable tracing for the command"
description: 'Enable tracing for the command'
required: false
default: "false"
default: 'false'
version:
description: "Version of Witness CLI"
description: 'Version of Witness CLI'
required: false
default: "0.6.0"
default: '0.6.0'
workingdir:
description: "Directory from which commands will run"
description: 'Directory from which commands will run'
required: false

runs:
using: "node20"
main: "dist/index.js"
using: 'node20'
main: 'dist/index.js'
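Review bot: removing `default: "./"` from `witness-install-dir` leaves its description ("Directory to install witness in. The directory will be created if it does not exist") silent about what happens when the input is unset, and the reply in this thread says the fallback now lives in index.js; please state the effective default in the description (for example, that it falls back to the working directory when unset) so callers do not have to read the code to find out. Also, `runs.main` points at `dist/index.js`, a built artifact that is not part of this diff; confirm the rebuilt `dist/` is committed in the same change as the index.js edit, otherwise the published action will not contain the new workingdir handling the thread describes. The rest of the hunk is a double-to-single quote change with no semantic effect.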