Add support for direct command execution with witness

Author: cole-rgb

.github/workflows/test.yml

@@ -5,6 +5,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+    
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
 
 jobs:
   test-basic:
@@ -85,4 +89,105 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: attestation-files
-          path: ./multi-attestation.json
+          path: ./multi-attestation.json
+          
+  test-sigstore-archivista:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+
+      - name: Install dependencies
+        run: npm ci
+      
+      - name: Test with Sigstore and Archivista
+        id: sigstore-attestation
+        uses: ./
+        with:
+          # Action to run
+          action-ref: "actions/hello-world-javascript-action@main"
+          input-who-to-greet: "Sigstore"
+          
+          # Witness configuration
+          step: test-sigstore
+          attestations: "environment git github slsa"
+          attestor-slsa-export: "true"
+          enable-sigstore: "true"
+          enable-archivista: "true"
+          outfile: "./sigstore-attestation.json"
+      
+      - name: Check GitOID output
+        run: |
+          if [[ -n "${{ steps.sigstore-attestation.outputs.git_oid }}" ]]; then
+            echo "GitOID: ${{ steps.sigstore-attestation.outputs.git_oid }}"
+            echo "Attestation succeeded with Sigstore and Archivista"
+          else
+            echo "No GitOID returned - this might be expected in PR builds without proper credentials"
+          fi
+          
+      - name: Check attestation file
+        run: |
+          if [[ -f "./sigstore-attestation.json" ]]; then
+            echo "Sigstore attestation created successfully"
+            jq . "./sigstore-attestation.json" | head -n 20
+          else
+            echo "Sigstore attestation file not found!"
+            exit 1
+          fi
+      
+      - name: Upload sigstore attestation as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sigstore-attestation
+          path: ./sigstore-attestation.json
+          
+  test-direct-command:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '16'
+
+      - name: Install dependencies
+        run: npm ci
+      
+      - name: Test direct command
+        id: direct-command
+        uses: ./
+        with:
+          # Direct command to run
+          command: "echo hello > hello.txt"
+          
+          # Witness configuration
+          step: "direct-command"
+          attestations: "command environment"
+          outfile: "./direct-command.json"
+      
+      - name: Check command output
+        run: |
+          if [ -f "hello.txt" ]; then
+            echo "Command output:"
+            cat hello.txt
+          else
+            echo "Command output file not found!"
+            exit 1
+          fi
+          
+      - name: Check attestation file
+        run: |
+          if [[ -f "./direct-command.json" ]]; then
+            echo "Direct command attestation created successfully"
+            jq . "./direct-command.json" | head -n 20
+          else
+            echo "Direct command attestation file not found!"
+            exit 1
+          fi

README.md

@@ -4,6 +4,8 @@ A GitHub Action that downloads and executes another GitHub Action with Witness a
 
 ## Usage
 
+### Running a GitHub Action with Witness Attestation
+
 ```yaml
 name: Example Workflow
 on: [push, pull_request]
@@ -30,6 +32,32 @@ jobs:
           archivista-server: "https://archivista.example.com"
 ```
 
+### Running a Direct Command with Witness Attestation
+
+```yaml
+name: Example Workflow
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      
+      - name: Run Command with Witness Attestation
+        id: command-attestation
+        uses: testifysec/action-wrapper@v4
+        with:
+          # Command to run
+          command: "echo hello > hello.txt"
+          
+          # Witness configuration
+          step: "command-step"
+          attestations: "command environment git"
+          enable-sigstore: "true"
+```
+
 ## How It Works
 
 This action combines the functionality of a GitHub Action wrapper with Witness attestation:
@@ -49,11 +77,14 @@ This action combines the functionality of a GitHub Action wrapper with Witness a
 
 ## Inputs
 
-### Action Reference
+### Action or Command
 
 | Input | Description | Required | Default |
 |-------|-------------|----------|---------|
-| `action-ref` | Reference to the nested action (e.g., owner/repo@ref) | Yes | |
+| `action-ref` | Reference to the nested action (e.g., owner/repo@ref) | No¹ | |
+| `command` | Command to run with Witness (use this or action-ref) | No¹ | |
+
+¹ Either `action-ref` or `command` must be provided
 
 ### Witness Installation
 

action.yml

@@ -1,10 +1,13 @@
 name: "TestifySec Action Wrapper with Witness"
 description: "Downloads and executes another GitHub Action with Witness attestation"
 inputs:
-  # Action Reference
+  # Action or Command
   action-ref:
     description: "Reference to the nested action (e.g., owner/repo@ref)"
-    required: true
+    required: false
+  command:
+    description: "Command to run with Witness (use this or action-ref)"
+    required: false
 
   # Witness Installation
   witness-version: