test staging cilock #20
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: test staging cilock | |
| on: | |
| workflow_dispatch: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| env: | |
| STAGING_URL: https://platform.aws-sandbox-staging.testifysec.dev | |
| jobs: | |
| cilock-cli: | |
| name: Attested CI Pipeline | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.24" | |
| - name: install tools | |
| run: | | |
| # cilock | |
| curl -sSL "https://github.com/aflock-ai/rookery/releases/download/v0.0.1-test/cilock-v0.0.1-test-linux-amd64.tar.gz" | tar xz | |
| chmod +x cilock-linux-amd64 | |
| sudo mv cilock-linux-amd64 /usr/local/bin/cilock | |
| # syft for SBOM generation | |
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| # gosec for SARIF output | |
| go install github.com/securego/gosec/v2/cmd/gosec@latest | |
| - name: get oidc token | |
| id: oidc | |
| uses: actions/github-script@v7 | |
| with: | |
| script: return await core.getIDToken("sigstore") | |
| result-encoding: string | |
| # Step 1: Lint with secret scanning | |
| - name: lint | |
| run: | | |
| cilock run --step lint \ | |
| -a environment \ | |
| -a git \ | |
| -a github \ | |
| -a secretscan \ | |
| --signer-fulcio-url "$STAGING_URL" \ | |
| --signer-fulcio-use-http \ | |
| --signer-fulcio-token "${{ steps.oidc.outputs.result }}" \ | |
| --signer-fulcio-oidc-client-id sigstore \ | |
| --signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --timestamp-servers "$STAGING_URL/api/v1/timestamp" \ | |
| --enable-archivista \ | |
| --archivista-server "$STAGING_URL/archivista" \ | |
| --archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \ | |
| -- echo "lint passed" | |
| - name: refresh oidc token for sast | |
| id: oidc_sast | |
| uses: actions/github-script@v7 | |
| with: | |
| script: return await core.getIDToken("sigstore") | |
| result-encoding: string | |
| # Step 2: SAST scan — gosec runs INSIDE cilock so SARIF file is a product | |
| - name: sast-scan | |
| run: | | |
| cilock run --step sast-scan \ | |
| -a environment \ | |
| -a git \ | |
| -a github \ | |
| -a sarif \ | |
| --attestor-product-include-glob "*.sarif" \ | |
| --signer-fulcio-url "$STAGING_URL" \ | |
| --signer-fulcio-use-http \ | |
| --signer-fulcio-token "${{ steps.oidc_sast.outputs.result }}" \ | |
| --signer-fulcio-oidc-client-id sigstore \ | |
| --signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --timestamp-servers "$STAGING_URL/api/v1/timestamp" \ | |
| --enable-archivista \ | |
| --archivista-server "$STAGING_URL/archivista" \ | |
| --archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \ | |
| -- bash -c "gosec -fmt sarif -out gosec-results.sarif ./... || true" | |
| - name: refresh oidc token for test | |
| id: oidc_test | |
| uses: actions/github-script@v7 | |
| with: | |
| script: return await core.getIDToken("sigstore") | |
| result-encoding: string | |
| # Step 3: Test | |
| - name: test | |
| run: | | |
| cilock run --step test \ | |
| -a environment \ | |
| -a git \ | |
| -a github \ | |
| --signer-fulcio-url "$STAGING_URL" \ | |
| --signer-fulcio-use-http \ | |
| --signer-fulcio-token "${{ steps.oidc_test.outputs.result }}" \ | |
| --signer-fulcio-oidc-client-id sigstore \ | |
| --signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --timestamp-servers "$STAGING_URL/api/v1/timestamp" \ | |
| --enable-archivista \ | |
| --archivista-server "$STAGING_URL/archivista" \ | |
| --archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \ | |
| -- go test -count=1 ./... | |
| - name: refresh oidc token for build | |
| id: oidc_build | |
| uses: actions/github-script@v7 | |
| with: | |
| script: return await core.getIDToken("sigstore") | |
| result-encoding: string | |
| # Step 4: Build binary + SBOM — syft runs INSIDE cilock so SBOM is a product | |
| - name: build | |
| run: | | |
| cilock run --step build \ | |
| -a environment \ | |
| -a git \ | |
| -a github \ | |
| -a sbom \ | |
| --attestor-product-include-glob "bin/*" \ | |
| --signer-fulcio-url "$STAGING_URL" \ | |
| --signer-fulcio-use-http \ | |
| --signer-fulcio-token "${{ steps.oidc_build.outputs.result }}" \ | |
| --signer-fulcio-oidc-client-id sigstore \ | |
| --signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --timestamp-servers "$STAGING_URL/api/v1/timestamp" \ | |
| --enable-archivista \ | |
| --archivista-server "$STAGING_URL/archivista" \ | |
| --archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \ | |
| -- bash -c "CGO_ENABLED=0 go build -o bin/dropbox-clone ./cmd/api && syft bin/dropbox-clone -o cyclonedx-json=sbom.cdx.json" | |
| - name: refresh oidc token for docker | |
| id: oidc_docker | |
| uses: actions/github-script@v7 | |
| with: | |
| script: return await core.getIDToken("sigstore") | |
| result-encoding: string | |
| # Step 5: Docker build with container attestation | |
| - name: docker-build | |
| run: | | |
| cilock run --step docker-build \ | |
| -a environment \ | |
| -a git \ | |
| -a github \ | |
| -a docker \ | |
| --signer-fulcio-url "$STAGING_URL" \ | |
| --signer-fulcio-use-http \ | |
| --signer-fulcio-token "${{ steps.oidc_docker.outputs.result }}" \ | |
| --signer-fulcio-oidc-client-id sigstore \ | |
| --signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --timestamp-servers "$STAGING_URL/api/v1/timestamp" \ | |
| --enable-archivista \ | |
| --archivista-server "$STAGING_URL/archivista" \ | |
| --archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \ | |
| -- docker build -t dropbox-clone:test . |