-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add gittuf workflows Signed-off-by: Aditya Sirish <[email protected]> * Make key path a variable Signed-off-by: Aditya Sirish <[email protected]> --------- Signed-off-by: Aditya Sirish <[email protected]>
- Loading branch information
1 parent
1489aac
commit 2639fa7
Showing
3 changed files
with
98 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| name: Record change to main branch | ||
| on: | ||
| push: | ||
| branches: | ||
| - 'main' | ||
| jobs: | ||
| create-rsl-entry: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| id-token: write | ||
| steps: | ||
| - name: Install gittuf | ||
| uses: gittuf/gittuf-installer@8ce8fbd070477ec72678151e82b82c3d866d9fcd | ||
| with: | ||
| gittuf-version: main | ||
| - name: Install gitsign | ||
| uses: actions-go/go-install@0607b3e7a61b8f1b55e1169a884804d084db73af | ||
| with: | ||
| module: github.com/sigstore/gitsign@main | ||
| - name: Checkout repository | ||
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Update RSL | ||
| env: | ||
| KEY: ${{ secrets.KEY }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| git config --global commit.gpgsign true # Sign all commits | ||
| git config --global gpg.x509.program gitsign # Use gitsign for signing | ||
| git config --global gpg.format x509 # gitsign expects x509 args | ||
| git config --global user.name "${{ github.workflow }}" | ||
| git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| gittuf_key_path="/tmp/gittuf-key" | ||
| echo "$KEY" > $gittuf_key_path | ||
| git fetch origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log refs/gittuf/attestations:refs/gittuf/attestations | ||
| GITTUF_DEV=1 gittuf dev attest-github --signing-key $gittuf_key_path --repository ${{ github.repository }} --commit ${{ github.sha }} --base-branch "main" | ||
| gittuf rsl record main | ||
| git push origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log refs/gittuf/attestations:refs/gittuf/attestations |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| name: Record change to non-main branch | ||
| on: | ||
| push: | ||
| branches-ignore: | ||
| - 'main' | ||
| jobs: | ||
| create-rsl-entry: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| id-token: write | ||
| steps: | ||
| - name: Install gittuf | ||
| uses: gittuf/gittuf-installer@8ce8fbd070477ec72678151e82b82c3d866d9fcd | ||
| with: | ||
| gittuf-version: main | ||
| - name: Install gitsign | ||
| uses: actions-go/go-install@0607b3e7a61b8f1b55e1169a884804d084db73af | ||
| with: | ||
| module: github.com/sigstore/gitsign@main | ||
| - name: Checkout repository | ||
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Update RSL | ||
| run: | | ||
| git config --global commit.gpgsign true # Sign all commits | ||
| git config --global gpg.x509.program gitsign # Use gitsign for signing | ||
| git config --global gpg.format x509 # gitsign expects x509 args | ||
| git config --global user.name "${{ github.workflow }}" | ||
| git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| git fetch origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log | ||
| gittuf rsl record ${{ github.ref }} | ||
| git push origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: gittuf Verification | ||
| on: | ||
| workflow_run: | ||
| workflows: ["Record change to main branch"] | ||
| branches: [main] | ||
| types: | ||
| - completed | ||
| jobs: | ||
| gittuf-verify: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Install gittuf | ||
| uses: gittuf/gittuf-installer@8ce8fbd070477ec72678151e82b82c3d866d9fcd | ||
| with: | ||
| gittuf-version: main | ||
| - name: Checkout and verify repository | ||
| run: | | ||
| gittuf clone https://github.com/${{ github.repository }} | ||
| cd attestation-verifier | ||
| gittuf verify-ref main --verbose |