From 2639fa7597441fbc49ee0cb50c6b64b17fcd6fc6 Mon Sep 17 00:00:00 2001
From: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>
Date: Tue, 30 Apr 2024 07:55:31 -0700
Subject: [PATCH] Add gittuf workflows (#31)
* Add gittuf workflows
Signed-off-by: Aditya Sirish
* Make key path a variable
Signed-off-by: Aditya Sirish
---------
Signed-off-by: Aditya Sirish
---
 .github/workflows/gittuf-rsl-main.yml | 43 +++++++++++++++++++++++
 .github/workflows/gittuf-rsl-non-main.yml | 35 ++++++++++++++++++
 .github/workflows/gittuf-verify.yml | 20 +++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 .github/workflows/gittuf-rsl-main.yml
 create mode 100644 .github/workflows/gittuf-rsl-non-main.yml
 create mode 100644 .github/workflows/gittuf-verify.yml
diff --git a/.github/workflows/gittuf-rsl-main.yml b/.github/workflows/gittuf-rsl-main.yml
new file mode 100644
index 0000000..29fd8e4
--- /dev/null
+++ b/.github/workflows/gittuf-rsl-main.yml
@@ -0,0 +1,43 @@
+name: Record change to main branch
+on:
+ push:
+ branches:
+ - 'main'
+jobs:
+ create-rsl-entry:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ steps:
+ - name: Install gittuf
+ uses: gittuf/gittuf-installer@8ce8fbd070477ec72678151e82b82c3d866d9fcd
+ with:
+ gittuf-version: main
+ - name: Install gitsign
+ uses: actions-go/go-install@0607b3e7a61b8f1b55e1169a884804d084db73af
+ with:
+ module: github.com/sigstore/gitsign@main
+ - name: Checkout repository
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+ with:
+ fetch-depth: 0
+ - name: Update RSL
+ env:
+ KEY: ${{ secrets.KEY }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ git config --global commit.gpgsign true # Sign all commits
+ git config --global gpg.x509.program gitsign # Use gitsign for signing
+ git config --global gpg.format x509 # gitsign expects x509 args
+ git config --global user.name "${{ github.workflow }}"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+ gittuf_key_path="/tmp/gittuf-key"
+
+ echo "$KEY" > $gittuf_key_path
+
+ git fetch origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log refs/gittuf/attestations:refs/gittuf/attestations
+ GITTUF_DEV=1 gittuf dev attest-github --signing-key $gittuf_key_path --repository ${{ github.repository }} --commit ${{ github.sha }} --base-branch "main"
+ gittuf rsl record main
+ git push origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log refs/gittuf/attestations:refs/gittuf/attestations
diff --git a/.github/workflows/gittuf-rsl-non-main.yml b/.github/workflows/gittuf-rsl-non-main.yml
new file mode 100644
index 0000000..ee4da76
--- /dev/null
+++ b/.github/workflows/gittuf-rsl-non-main.yml
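Review bot: The signing key is written to `/tmp/gittuf-key` with the runner's default umask and is never removed, so the material stays on disk, readable by any other process in the job, for the rest of the run; `ubuntu-latest` is discarded afterwards, which limits but does not remove that exposure. Before the `echo` add `umask 077`, right after the `gittuf_key_path=` assignment add `trap 'rm -f "$gittuf_key_path"' EXIT`, and quote the path in the redirect as `> "$gittuf_key_path"`. Separately, the actions are pinned to commit SHAs but the tools they install are not: `gittuf-version: main` and `module: github.com/sigstore/gitsign@main` fetch whatever HEAD is at run time, which weakens the supply-chain guarantee this workflow exists to provide, so both should be pinned to a release tag or commit. The same unpinned installs appear in gittuf-rsl-non-main.yml and gittuf-verify.yml.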
@@ -0,0 +1,35 @@
+name: Record change to non-main branch
+on:
+ push:
+ branches-ignore:
+ - 'main'
+jobs:
+ create-rsl-entry:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ steps:
+ - name: Install gittuf
+ uses: gittuf/gittuf-installer@8ce8fbd070477ec72678151e82b82c3d866d9fcd
+ with:
+ gittuf-version: main
+ - name: Install gitsign
+ uses: actions-go/go-install@0607b3e7a61b8f1b55e1169a884804d084db73af
+ with:
+ module: github.com/sigstore/gitsign@main
+ - name: Checkout repository
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+ with:
+ fetch-depth: 0
+ - name: Update RSL
+ run: |
+ git config --global commit.gpgsign true # Sign all commits
+ git config --global gpg.x509.program gitsign # Use gitsign for signing
+ git config --global gpg.format x509 # gitsign expects x509 args
+ git config --global user.name "${{ github.workflow }}"
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+ git fetch origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log
+ gittuf rsl record ${{ github.ref }}
+ git push origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log
diff --git a/.github/workflows/gittuf-verify.yml b/.github/workflows/gittuf-verify.yml
new file mode 100644
index 0000000..a7d0aef
--- /dev/null
+++ b/.github/workflows/gittuf-verify.yml
@@ -0,0 +1,20 @@
+name: gittuf Verification
+on:
+ workflow_run:
+ workflows: ["Record change to main branch"]
+ branches: [main]
+ types:
+ - completed
+jobs:
+ gittuf-verify:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install gittuf
+ uses: gittuf/gittuf-installer@8ce8fbd070477ec72678151e82b82c3d866d9fcd
+ with:
+ gittuf-version: main
+ - name: Checkout and verify repository
+ run: |
+ gittuf clone https://github.com/${{ github.repository }}
+ cd attestation-verifier
+ gittuf verify-ref main --verbose
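Review bot: `gittuf rsl record ${{ github.ref }}` near the end of the `run` block expands the pushed ref name into the shell script before it executes; git permits characters such as `;`, `$` and backticks in branch names, so the value should reach the script through the environment rather than by interpolation. Add `env:` with `REF: ${{ github.ref }}` to the Update RSL step and call `gittuf rsl record "$REF"`. Anyone able to trigger this workflow already holds push access, which limits the impact, but this is the pattern GitHub documents for any expression that ends up inside `run:`. It is also worth confirming that `git fetch origin refs/gittuf/reference-state-log:refs/gittuf/reference-state-log` is expected to succeed on a repository where that ref does not exist yet; with an explicit refspec git exits non-zero on a missing remote ref, which would fail the step before anything is recorded.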
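Review bot: `cd attestation-verifier` hard-codes the checkout directory while the clone URL on the line above is built from `${{ github.repository }}`, so a renamed repository or a fork running this workflow fails at that line; `cd "${GITHUB_REPOSITORY##*/}"` derives the directory from the same value. This job also declares no `permissions:` block, unlike the two RSL workflows, so its `GITHUB_TOKEN` receives the repository's default scopes even though the steps only clone over HTTPS and run `gittuf verify-ref`; add `permissions: contents: read` under `gittuf-verify` (or `permissions: {}` if the token is not needed at all). A one-line comment above the `workflow_run` trigger, such as `# Runs only after the main-branch RSL entry has been recorded`, would also make the ordering dependency on the "Record change to main branch" workflow explicit.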