-
Notifications
You must be signed in to change notification settings - Fork 5
165 lines (149 loc) · 6.21 KB
/
Copy pathtest-staging-cilock.yaml
File metadata and controls
165 lines (149 loc) · 6.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
name: test staging cilock
on:
workflow_dispatch:
permissions:
id-token: write
contents: read
env:
STAGING_URL: https://platform.aws-sandbox-staging.testifysec.dev
jobs:
cilock-cli:
name: Attested CI Pipeline
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.24"
- name: install tools
run: |
# cilock
curl -sSL "https://github.com/aflock-ai/rookery/releases/download/v0.0.1-test/cilock-v0.0.1-test-linux-amd64.tar.gz" | tar xz
chmod +x cilock-linux-amd64
sudo mv cilock-linux-amd64 /usr/local/bin/cilock
# syft for SBOM generation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# gosec for SARIF output
go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: get oidc token
id: oidc
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 1: Lint with secret scanning
- name: lint
run: |
cilock run --step lint \
-a environment \
-a git \
-a github \
-a secretscan \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- echo "lint passed"
- name: refresh oidc token for sast
id: oidc_sast
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 2: SAST scan — gosec runs INSIDE cilock so SARIF file is a product
- name: sast-scan
run: |
cilock run --step sast-scan \
-a environment \
-a git \
-a github \
-a sarif \
--attestor-product-include-glob "*.sarif" \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_sast.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- bash -c "gosec -fmt sarif -out gosec-results.sarif ./... || true"
- name: refresh oidc token for test
id: oidc_test
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 3: Test
- name: test
run: |
cilock run --step test \
-a environment \
-a git \
-a github \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_test.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- go test -count=1 ./...
- name: refresh oidc token for build
id: oidc_build
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 4: Build binary + SBOM — syft runs INSIDE cilock so SBOM is a product
- name: build
run: |
cilock run --step build \
-a environment \
-a git \
-a github \
-a sbom \
--attestor-product-include-glob "bin/*" \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_build.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- bash -c "CGO_ENABLED=0 go build -o bin/dropbox-clone ./cmd/api && syft bin/dropbox-clone -o cyclonedx-json=sbom.cdx.json"
- name: refresh oidc token for docker
id: oidc_docker
uses: actions/github-script@v7
with:
script: return await core.getIDToken("sigstore")
result-encoding: string
# Step 5: Docker build with container attestation
- name: docker-build
run: |
cilock run --step docker-build \
-a environment \
-a git \
-a github \
-a docker \
--signer-fulcio-url "$STAGING_URL" \
--signer-fulcio-use-http \
--signer-fulcio-token "${{ steps.oidc_docker.outputs.result }}" \
--signer-fulcio-oidc-client-id sigstore \
--signer-fulcio-oidc-issuer https://token.actions.githubusercontent.com \
--timestamp-servers "$STAGING_URL/api/v1/timestamp" \
--enable-archivista \
--archivista-server "$STAGING_URL/archivista" \
--archivista-headers "Authorization: ${{ secrets.TESTIFYSEC_STAGING_API_KEY }}" \
-- docker build -t dropbox-clone:test .