Skip to content

test staging cilock #20

test staging cilock

test staging cilock #20

name: test staging cilock
on:
workflow_dispatch:
permissions:
id-token: write
contents: read
env:
STAGING_URL: https://platform.aws-sandbox-staging.testifysec.dev
jobs:
cilock-cli:
name: Attested CI Pipeline
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.24"
- name: install tools
run: |
# cilock
curl -sSL "https://github.com/aflock-ai/rookery/releases/download/v0.0.1-test/cilock-v0.0.1-test-linux-amd64.tar.gz" | tar xz
chmod +x cilock-linux-amd64
sudo mv cilock-linux-amd64 /usr/local/bin/cilock
# syft for SBOM generation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# gosec for SARIF output
go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: get oidc token
id: oidc
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 1: Lint with secret scanning
- name: lint
run: |
cilock run --step lint \
-a environment \
-a git \
-a github \
-a secretscan \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- echo "lint passed"
- name: refresh oidc token for sast
id: oidc_sast
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 2: SAST scan — gosec runs INSIDE cilock so SARIF file is a product
- name: sast-scan
run: |
cilock run --step sast-scan \
-a environment \
-a git \
-a github \
-a sarif \
--attestor-product-include-glob "*.sarif" \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_sast.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- bash -c "gosec -fmt sarif -out gosec-results.sarif ./... || true"
- name: refresh oidc token for test
id: oidc_test
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 3: Test
- name: test
run: |
cilock run --step test \
-a environment \
-a git \
-a github \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_test.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- go test -count=1 ./...
- name: refresh oidc token for build
id: oidc_build
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 4: Build binary + SBOM — syft runs INSIDE cilock so SBOM is a product
- name: build
run: |
cilock run --step build \
-a environment \
-a git \
-a github \
-a sbom \
--attestor-product-include-glob "bin/*" \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_build.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- bash -c "CGO_ENABLED=0 go build -o bin/dropbox-clone ./cmd/api && syft bin/dropbox-clone -o cyclonedx-json=sbom.cdx.json"
- name: refresh oidc token for docker
id: oidc_docker
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 5: Docker build with container attestation
- name: docker-build
run: |
cilock run --step docker-build \
-a environment \
-a git \
-a github \
-a docker \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_docker.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- docker build -t dropbox-clone:test .