subtree(witness-run-action): Merge pull request in-toto#71 from testifysec/subtree/issue70-add-witness-run-action

in-toto#70 
Subtree/issue70-add-witness-run-action
kriscoleman authored Jul 11, 2023
2 parents 183f55a + 344911b commit 5030338
Showing 713 changed files with 121,859 additions and 40 deletions.
17 changes: 9 additions & 8 deletions .commitlintrc.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,19 +18,20 @@ rules:
- 2
- always
- [
'build',
'chore',
'docs',
'feat',
'fix',
'merge',
'ops',
'perf',
'refactor',
'style',
'revert',
'spike',
'story',
'style',
'subtree',
'test',
'build',
'ops',
'docs',
'chore',
'merge',
'spike',
'revert',
'wip'
]
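Review bot: the commit-type list is now in alphabetical order, but `style` appears on two lines of the rendered hunk and the page shows no +/- markers, so confirm that only one `style` entry survives in the new file. Reading the hunk counts (9 additions, 8 deletions), `story` looks like the one genuinely new type; it should be kept in sync with `commitTypes` in `git-conventional-commits.yaml` in this same commit, which also gains `story` but omits `wip`. That is only consistent while the changelog's `commitIgnoreRegexPattern` keeps excluding `wip` subjects.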
22 changes: 12 additions & 10 deletions README.subtrees.md
Expand Up @@ -6,17 +6,19 @@ The public open source code has been added to the project as [Git Subtrees](http

## List of our subtrees

- <name-of-subtree> <path-to-subtree> <name-of-remote>
- `subtrees/archivista` `archivista/` `archivista`
- `subtrees/go-witness` `go-witness/` `go-witness`
- `subtrees/witness` `witness/` `witness`
| path-to-subtree | name-of-subtree | name-of-remote |
| ----------------------------- | -------------------- | -------------------- |
| `subtrees/archivista` | `archivista` | `archivista` |
| `subtrees/go-witness` | `go-witness` | `go-witness` |
| `subtrees/witness` | `witness` | `witness` |
| `subtrees/witness-run-action` | `witness-run-action` | `witness-run-action` |

## Getting Started

Assuming you have already gotten started with the root readme.md, then you can do the following:
Assuming you have already gotten started with the root readme.md, then you can do the following:

1. `npm run remotes:add-all` this is a one time script to add all of our remotes. You'll only need to run it one time initially, and anytime we add more remote subtrees.
1. `npm run remotes:fetch-all` will fetch all the remote subtrees.
1. `npm run remotes:add:all` this is a one time script to add all of our remotes. You'll only need to run it one time initially, and anytime we add more remote subtrees.
1. `npm run remotes:fetch:all` will fetch all the remote subtrees.

From there you can add more subtrees, update subtree subfolders, and/or update subtree parent repositories.

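Review bot: the renamed commands in step 2 do not match `package.json` in this same commit. The README tells developers to run `npm run remotes:fetch:all`, but the script that fetches the subtrees is defined as `subtrees:fetch:all`, so the documented command fails with a missing-script error; either rename the script or change this line to `npm run subtrees:fetch:all`. `remotes:add:all` does exist, but note in the `package.json` hunk that it still calls the old hyphenated sub-scripts.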
Expand All @@ -28,12 +30,12 @@ Review the scripts in our root `package.json` for helper scripts related to subt

You should add subtrees as remotes for easier management.

1. `git remote add -f <name-of-your-subtree> https://github.com/testifysec/some-great-open-source-project.git` with the name of your subtree and the https or ssh link to the git project
1. `git subtree add --prefix <path-to-your-subtree> <name-of-your-subtree> main --squash` will create an initial commit for your subtree into the monorepo project.
1. `git remote add -f <name-of-your-subtree> https://github.com/testifysec/some-great-open-source-project.git` with the name of your subtree and the https or ssh link to the git project. You can add this as a script in our root `package.json` to help other devs out!
1. `git subtree add --prefix <path-to-your-subtree> <name-of-your-subtree> main --squash` will create an initial commit for your subtree into the monorepo project. This should be a one-time command. Be careful to keep any subtree work completely seperate from any other commits.

## Updating a subtree with upstream changes

So, some awesome soul decided to help us out and contributed open source changes to one of our subtrees!
So, some awesome soul decided to help us out and contributed open source changes to one of our subtrees!

Now what?

31 changes: 17 additions & 14 deletions git-conventional-commits.yaml
@@ -1,20 +1,21 @@
---
convention:
commitTypes:
- build
- chore
- docs
- feat
- fix
- merge
- ops
- perf
- refactor
- style
- revert
- spike
- story
- style
- subtree
- test
- build
- ops
- docs
- chore
- merge
- spike
- revert
commitScopes: []
releaseTagGlobPattern: v[0-9]*.[0-9]*.[0-9]*
changelog:
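Review bot: `commitTypes` is now sorted alphabetically and gains `story`, matching `.commitlintrc.yaml` in this commit, except that `wip` is permitted by commitlint and absent here. With `includeInvalidCommits: true` further down, any `wip` commit that slips past the ignore pattern is rendered in the changelog as an invalid commit; either add `wip` here or make sure the ignore pattern catches every form of the subject (see the next hunk).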
Expand All @@ -23,20 +24,22 @@ changelog:
- docs
- feat
- fix
- merge
- perf
- story
- merge
- subtree
includeInvalidCommits: true
commitIgnoreRegexPattern: "^WIP "
commitIgnoreRegexPattern: "^wip "
headlines:
breakingChange: BREAKING CHANGES
chore: Chores
docs: Documentation
feat: Features
fix: Bug Fixes
perf: Performance Improvements
merge: Merges
chore: Chores
docs: Documentation
perf: Performance Improvements
story: Stories
breakingChange: BREAKING CHANGES
subtree: Subtrees
## GitHub - note, subtree commit links will point to monorepo and may not be the commit link we want in the changelog.
commitUrl: https://github.com/testifysec/judge/commit/%commit%
commitRangeUrl: https://github.com/testify/judge/compare/%from%...%to%?diff=split
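Review bot: the ignore pattern changed from `"^WIP "` to `"^wip "`, but a commit using the `wip` type that commitlint now accepts has a subject like `wip: ...` or `wip(scope): ...`, which a pattern requiring a space immediately after `wip` does not match; `"^wip[(: ]"` would cover all three forms. Separately, `commitRangeUrl` points at `github.com/testify/judge` while `commitUrl` on the line above uses `github.com/testifysec/judge`; the org in the range URL looks like a typo and will produce broken compare links in every generated changelog.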
20 changes: 12 additions & 8 deletions package.json
Expand Up @@ -10,23 +10,27 @@
"pre-commit": "npm run pre-commit -w web",
"pre-push": "npx prepush-if-changed",
"prepare": "husky install",
"remotes:add-all": "npm run remotes:add-archivista & npm run remotes:add-go-witness & npm run remotes:add-witness",
"remotes:add-archivista": "git remote add -f archivista https://github.com/testifysec/archivista.git",
"remotes:add-go-witness": "git remote add -f go-witness https://github.com/testifysec/go-witness.git",
"remotes:add-witness": "git remote add -f witness https://github.com/testifysec/witness.git",
"remotes:add:all": "npm run remotes:add-archivista & npm run remotes:add-go-witness & npm run remotes:add-witness & npm run remotes:add-witness-run-action",
"remotes:add:archivista": "git remote add -f archivista https://github.com/testifysec/archivista.git",
"remotes:add:go-witness": "git remote add -f go-witness https://github.com/testifysec/go-witness.git",
"remotes:add:witness": "git remote add -f witness https://github.com/testifysec/witness.git",
"remotes:add:witness-run-action": "git remote add -f witness-run-action https://github.com/testifysec/witness-run-action",
"start:web:remote-proxy": "npm run start:remote-proxy -w web",
"start:web": "npm start -w web",
"start": "cd dev && make deps && tmux has-session -t mysession 2>/dev/null || tmux new-session -d -s mysession 'make up' && tmux split-window -h 'minikube tunnel' && tmux select-layout even-horizontal && tmux attach-session -d -t mysession",
"subtrees:fetch:all": "npm run subtrees:fetch:archivista & npm run subtrees:fetch:go-witness & npm run subtrees:fetch:witness",
"subtrees:fetch:all": "npm run subtrees:fetch:archivista & npm run subtrees:fetch:go-witness & npm run subtrees:fetch:witness & npm run subtrees:fetch:witness-run-action",
"subtrees:fetch:archivista": "git fetch archivista main",
"subtrees:fetch:go-witness": "git fetch go-witness main",
"subtrees:fetch:witness": "git fetch witness main",
"subtrees:fetch:witness-run-action": "git fetch witness-run-action main",
"subtrees:pull:archivista": "git subtree pull --prefix subtrees/archivista/ archivista main --squash",
"subtrees:pull:go-witness": "git subtree pull --prefix subtrees/go-witness/ go-witness main --squash",
"subtrees:pull:witness": "git subtree pull --prefix subtrees/witness/ witness main --squash",
"subtress:push:archivista": "git subtree push --prefix subtrees/archivista/ archivista main",
"subtress:push:go-witness": "git subtree push --prefix subtrees/go-witness/ go-witness main",
"subtress:push:witness": "git subtree push --prefix subtrees/witness/ witness main",
"subtrees:pull:witness-run-action": "git subtree pull --prefix subtrees/witness-run-action/ witness-run-action main --squash",
"subtress:push:archivista": "git subtree push --prefix subtrees/archivista/ archivista $(git rev-parse --abbrev-ref HEAD)",
"subtress:push:go-witness": "git subtree push --prefix subtrees/go-witness/ go-witness $(git rev-parse --abbrev-ref HEAD)",
"subtress:push:witness": "git subtree push --prefix subtrees/witness/ witness $(git rev-parse --abbrev-ref HEAD)",
"subtress:push:witness-run-action": "git subtree push --prefix subtrees/witness-run-action/ witness-run-action $(git rev-parse --abbrev-ref HEAD)",
"test:archivista": "cd subtrees/archivista && go test ./... && cd ../..",
"test:go-witness": "cd subtrees/go-witness && go test ./... && cd ../..",
"test:go": "npm run test:archivista && npm run test:go-witness && npm run test:judge-api && npm run test:witness",
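Review bot: `remotes:add:all` still chains `npm run remotes:add-archivista`, `remotes:add-go-witness` and `remotes:add-witness` with hyphens, but this same hunk renames those scripts to `remotes:add:archivista`, `remotes:add:go-witness` and `remotes:add:witness`, so the aggregate script fails with missing-script errors for every remote except `witness-run-action`; update the three names inside `remotes:add:all`. The `subtress:push:*` keys keep the `subtress` misspelling, and the new push target `$(git rev-parse --abbrev-ref HEAD)` means `git subtree push` creates or updates a branch on the upstream remote named after whatever monorepo branch the developer is on, including `main`; that behaviour deserves a sentence in README.subtrees.md. Also, the single `&` between the fetch scripts runs them concurrently in the background and does not propagate failures; `&&` gives sequential, fail-fast behaviour.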
32 changes: 32 additions & 0 deletions subtrees/witness-run-action/.github/workflows/test_action.yml
@@ -0,0 +1,32 @@

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
name: Test Action
on:
push:
branches:
- '*'

jobs:
test-action:
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v2

- name: Set up Node.js
uses: actions/setup-node@v2
with:
node-version: 16

- name: Install dependencies
run: npm ci

- name: Run your action with sigstore and Archivista
uses: ./ # Replace this with the path to your action if different
with:
step: test
command: echo hello > hello.txt
enable-sigstore: true
enable-archivista: true
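Review bot: the workflow triggers on `push` to every branch (`- '*'`) with `id-token: write`, so any pushed branch mints an OIDC token and, through the action, produces Sigstore-signed attestations that are uploaded to the public Archivista server; if that is intended for this test repository, say so in a comment, otherwise narrow the branch filter or make the upload opt-in. Two smaller points: `actions/checkout@v2` and `actions/setup-node@v2` are mutable tags, and pinning to a full commit SHA is the usual hardening for an action whose purpose is supply-chain attestation; and the file begins with a stray blank line before `permissions:`.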
81 changes: 81 additions & 0 deletions subtrees/witness-run-action/README.md
@@ -0,0 +1,81 @@
# Witness Run-Action

# Witness Run GitHub Action

This GitHub Action allows you to create an attestation for your CI process using the Witness tool. It supports optional integration with Sigstore for signing and Archivista for attestation storage and distibution.

## Usage

To use this action, include it in your GitHub workflow YAML file.

### Example

```yaml
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

name: Example Workflow
on: [push, pull_request]

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2

- name: Witness Run
uses: testifysec/[email protected]
with:
step: test
use-archivista: true
use-sigstore: true
command: touch hello.txt
```
## Using Sigstore and Archivista Flags
This action supports the use of Sigstore and Archivista for creating attestations. By enabling these options, you create a public record of your attestations, which can be useful for transparency and compliance.
### Sigstore
Sigstore is an open-source platform for securely signing software artifacts. When the use-sigstore flag is set to true, this action will use Sigstore for signing the attestation. This creates a publicly verifiable record of the attestation on the Sigstore public instance, sigstore.dev
### Archivista
Archivista is a server that stores and retrieves attestations. When the enable-archivista flag is set to true, this action will use Archivista for storing and retrieving attestations. By default, the attestations are stored on a public Archivista server, archivista.testifysec.io, making the details publicly accessible. This server also has no guarantees on data availability or itegrity.
### TimeStamping
By default when using Sigstore, this action utilizes FreeTSA, a free and public Timestamp Authority (TSA) service, to provide trusted timestamping for your attestations. Timestamping is a critical aspect of creating non-repudiable and legally binding attestations. FreeTSA offers a reliable and convenient solution for timestamping without the need for setting up and managing your own TSA. When using this action, the timestamp-servers input is set to FreeTSA's service (https://freetsa.org/) by default, ensuring your attestations are properly timestamped with a trusted and publicly verifiable source.
### Privacy Considerations
If you want to keep the details of your attestations private, you can set up and host your own instances of Archivista and Sigstore. This allows you to manage access control and ensure that only authorized users can view the attestation details.
To use your own instances, set the archivista-server input to the URL of your Archivista server, and the fulcio input to the address of your Sigstore instance. Additionally, you'll need to configure the fulcio-oidc-client-id and fulcio-oidc-issuer inputs to match your Sigstore instance's OIDC configuration.
Please consult the documentation for Archivista and Sigstore on how to set up and host your own instances.
### Inputs
| Name | Description | Required | Default |
| ------------------------ | ---------------------------------------------------------------------------------------------------- | -------- | ------------------------------------- |
| enable-sigstore | Use Sigstore for attestation. Sets default values for fulcio, fulcio-oidc-client-id, fulcio-oidc-issuer, and timestamp-servers when true | No | true |
| enable-archivista | Use Archivista to store or retrieve attestations | No | true | true |
| archivista-server | URL of the Archivista server to store or retrieve attestations | No | <https://archivista.testifysec.io> |
| attestations | Attestations to record, space-separated | No | environment git github |
| certificate | Path to the signing key's certificate | No | |
| fulcio | Fulcio address to sign with | No | |
| fulcio-oidc-client-id | OIDC client ID to use for authentication | No | |
| fulcio-oidc-issuer | OIDC issuer to use for authentication | No | |
| fulcio-token | Raw token to use for authentication | No | |
| intermediates | Intermediates that link trust back to a root of trust in the policy, space-separated | No | |
| key | Path to the signing key | No | |
| outfile | File to which to write signed data. Defaults to stdout | No | |
| product-exclude-glob | Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation. | No | |
| product-include-glob | Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. | No | * |
| spiffe-socket | Path to the SPIFFE Workload API socket | No | |
| step | Name of the step being run | Yes | |
| timestamp-servers | Timestamp Authority Servers to use when signing envelope, space-separated | No | |
| trace | Enable tracing for the command | No | false |
| workingdir | Directory from which commands will run | No | |
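Review bot: the example workflow passes `use-archivista` and `use-sigstore`, and the Sigstore section refers to a `use-sigstore` flag, but the inputs table below, `action.yml` and `test_action.yml` in this same commit all name these inputs `enable-archivista` and `enable-sigstore`; GitHub Actions warns on unknown inputs and leaves the real ones at their defaults, so the example should use the `enable-` names. In the table, the `enable-archivista` row has an extra `| true` cell that breaks the column layout. The two H1 headings (`# Witness Run-Action` and `# Witness Run GitHub Action`) should collapse to one, and "distibution" and "itegrity" are misspelled. Since both defaults are `true`, it is also worth stating in the Usage section that with no configuration the action publishes signed attestations to the public Sigstore instance and the public Archivista server, which the reader otherwise only learns under Privacy Considerations.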
72 changes: 72 additions & 0 deletions subtrees/witness-run-action/action.yml
@@ -0,0 +1,72 @@
name: witness-run
description: "Creates Attestation of CI Process with Witness"
inputs:
archivista-server:
description: "URL of the Archivista server to store or retrieve attestations"
required: false
default: "https://archivista.testifysec.io"
attestations:
description: "Attestations to record"
required: false
default: "environment git github"
enable-sigstore:
description: 'Use Sigstore for attestation'
required: false
default: "true"
command:
description: "command to run"
required: true
certificate:
description: "Path to the signing key's certificate"
required: false
enable-archivista:
description: "Use Archivista to store or retrieve attestations"
required: false
default: "true"
fulcio:
description: "Fulcio address to sign with"
required: false
fulcio-oidc-client-id:
description: "OIDC client ID to use for authentication"
required: false
fulcio-oidc-issuer:
description: "OIDC issuer to use for authentication"
required: false
fulcio-token:
description: "Raw token to use for authentication"
required: false
intermediates:
description: "Intermediates that link trust back to a root of trust in the policy"
required: false
key:
description: "Path to the signing key"
required: false
outfile:
description: "File to which to write signed data. Defaults to stdout"
required: false
product-exclude-glob:
description: "Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation."
required: false
product-include-glob:
description: "Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation."
required: false
spiffe-socket:
description: "Path to the SPIFFE Workload API socket"
required: false
step:
description: "Name of the step being run"
required: true
timestamp-servers:
description: "Timestamp Authority Servers to use when signing envelope"
required: false
trace:
description: "Enable tracing for the command"
required: false
default: "false"
workingdir:
description: "Directory from which commands will run"
required: false

runs:
using: "node16"
main: "index.js"
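Review bot: `timestamp-servers` has no `default` here, yet the README in this commit says FreeTSA is used by default when Sigstore is enabled; if `index.js` applies that default, a comment on the input (or a `default:` value) keeps the two files in sync, since a reader of `action.yml` alone cannot tell where timestamp requests go. `enable-sigstore` uses single quotes for its description while every other input uses double quotes. `fulcio-token`, `key` and `certificate` carry secret material; the descriptions should say to supply them from `${{ secrets.* }}` rather than literal workflow text.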
42 changes: 42 additions & 0 deletions subtrees/witness-run-action/ci/download-compress-witness.sh
@@ -0,0 +1,42 @@
#!/bin/bash

if [ "$#" -ne 1 ]; then
echo "Usage: $0 <version>"
exit 1
fi

version=${1#v} # Remove 'v' prefix if present
url="https://github.com/testifysec/witness/releases/download/v${version}/witness_${version}_linux_amd64.tar.gz"

echo "Downloading Witness binary (version: ${version})..."
curl -L -o witness.tar.gz "${url}"

echo "Extracting Witness binary..."
tar -xzf witness.tar.gz

# Check if UPX is installed, and if not, install it
if ! command -v upx &> /dev/null; then
echo "UPX not found, installing..."

if [[ "$OSTYPE" == "linux-gnu"* ]]; then
# Linux
sudo apt-get update && sudo apt-get install -y upx
elif [[ "$OSTYPE" == "darwin"* ]]; then
# macOS
if ! command -v brew &> /dev/null; then
echo "Homebrew not found, please install Homebrew to continue."
exit 1
fi

brew install upx
else
echo "Unsupported operating system: $OSTYPE"
exit 1
fi
fi


echo "Compressing Witness binary using UPX..."
upx --best --ultra-brute witness

echo "Witness binary has been compressed successfully."
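Review bot: the downloaded release archive is never verified. `curl -L -o witness.tar.gz "${url}"` without `-f` saves an HTML error page on a 404 and the script continues, and nothing checks a checksum or signature before the binary is compressed and committed into the action, so a wrong or tampered download would go unnoticed; add `set -euo pipefail`, use `curl -fsSL`, and compare against the checksums or signature published with the release (a pinned sha256 in this script is the minimum). `tar -xzf witness.tar.gz` also extracts every member of the archive into the working directory rather than only `witness`. Finally, `upx --best --ultra-brute` changes the bytes of the binary, so the file shipped in the action can no longer be matched against the upstream release hash; if compression is only for repository size, record the pre-compression hash alongside it.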
