Run CI workflow on branch push

.github/workflows/main.yml

@@ -2,8 +2,6 @@ name: Main - Attests to https://app.kosli.com
 
 on:
   push:
-    branches:
-      - main
 
 env:
   KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}           # false
@@ -58,6 +56,7 @@ jobs:
 
 
   pull-request:
+    if: ${{ github.ref == 'refs/heads/main' }}
     needs: []
     runs-on: ubuntu-latest
     permissions:
@@ -70,13 +69,11 @@ jobs:
           fetch-depth: 1
 
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Attest pull-request evidence to Kosli
-        if: ${{ github.ref == 'refs/heads/main' }}
         run:
           kosli attest pullrequest github
             --github-token=${{ secrets.GITHUB_TOKEN }}
@@ -110,6 +107,43 @@ jobs:
             --name=runner.lint
 
 
+  snyk-code-scan:
+    runs-on: ubuntu-latest
+    needs: []
+    env:
+      SARIF_FILENAME: snyk.code.scan.json
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+
+      - name: Run Snyk code scan
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run:
+          snyk code test
+            --sarif
+            --sarif-file-output="${SARIF_FILENAME}"
+            --policy-path=.snyk
+            .
+
+      - name: Setup Kosli CLI
+        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
+        uses: kosli-dev/setup-cli-action@v2
+        with:
+          version: ${{ vars.KOSLI_CLI_VERSION }}
+
+      - name: Attest evidence to Kosli
+        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
+        run:
+          kosli attest snyk
+            --name=runner.snyk-code-scan 
+            --scan-results="${SARIF_FILENAME}"
+
+
   build-image:
     runs-on: ubuntu-latest
     needs: [setup]
@@ -161,6 +195,12 @@ jobs:
           path: ${{ env.IMAGE_TAR_FILENAME }}
           key: ${{ env.IMAGE_NAME }}
 
+      - name: Make Artifact fingerprint available to following jobs
+        id: variables
+        run: |
+          FINGERPRINT=$(echo ${{ steps.docker_build.outputs.digest }} | sed 's/.*://')          
+          echo "artifact_digest=${FINGERPRINT}" >> ${GITHUB_OUTPUT}
+
       - name: Setup Kosli CLI
         if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
@@ -174,12 +214,6 @@ jobs:
             --artifact-type=docker          
             --name=runner
 
-      - name: Make Artifact fingerprint available to following jobs
-        id: variables
-        run: |
-          FINGERPRINT=$(kosli fingerprint "${{ env.IMAGE_NAME }}" --artifact-type=docker)          
-          echo "artifact_digest=${FINGERPRINT}" >> ${GITHUB_OUTPUT}
-
 
   unit-tests:
     runs-on: ubuntu-latest
@@ -319,7 +353,7 @@ jobs:
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
-      - name: Attest Snyk container scan results to Kosli
+      - name: Attest evidence to Kosli
         if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
         env:
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
@@ -329,57 +363,17 @@ jobs:
             --scan-results="${SARIF_FILENAME}"
 
 
-  snyk-code-scan:
-    runs-on: ubuntu-latest
-    needs: [setup, build-image]
-    env:
-      SARIF_FILENAME: snyk.code.scan.json
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 1
-
-      - name: Setup Snyk
-        uses: snyk/actions/setup@master
-
-      - name: Run Snyk code scan
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run:
-          snyk code test
-            --sarif
-            --sarif-file-output="${SARIF_FILENAME}"
-            --policy-path=.snyk
-            .
-
-      - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        uses: kosli-dev/setup-cli-action@v2
-        with:
-          version: ${{ vars.KOSLI_CLI_VERSION }}
-
-      - name: Attest Snyk code scan results to Kosli
-        if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }}
-        env:
-          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
-        run:
-          kosli attest snyk
-            --name=runner.snyk-code-scan 
-            --scan-results="${SARIF_FILENAME}"
-
-
   sdlc-control-gate:
+    if: ${{ github.ref == 'refs/heads/main' }}
     runs-on: ubuntu-latest
     needs: [setup, build-image, pull-request, lint, unit-tests, integration-tests, snyk-container-scan, snyk-code-scan]
     steps:
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Kosli SDLC gate to short-circuit the workflow
-        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
@@ -399,13 +393,11 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Attest approval of deployment to Kosli
-        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}
@@ -436,13 +428,11 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Kosli CLI
-        if: ${{ github.ref == 'refs/heads/main' }}
         uses: kosli-dev/setup-cli-action@v2
         with:
           version: ${{ vars.KOSLI_CLI_VERSION }}
 
       - name: Attest approval of deployment to Kosli
-        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           IMAGE_NAME:        ${{ needs.setup.outputs.image_name }}
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.artifact_digest }}

README.md

@@ -4,7 +4,9 @@
 - An http service (rack based) for running `cyber-dojo.sh` inside a docker container for at most 20 seconds and returning `[stdout,stderr,status,timed_out,colour]`
 - A [Kosli CI flow](https://app.kosli.com/cyber-dojo/flows/runner-ci/trails/) 
   deploying, with Continuous Compliance, to [staging](https://app.kosli.com/cyber-dojo/environments/aws-beta/snapshots/) and [production](https://app.kosli.com/cyber-dojo/environments/aws-prod/snapshots/) AWS environments.
-
+- Demonstrates a [Kosli](https://www.kosli.com/) instrumented [GitHub CI workflow](https://app.kosli.com/cyber-dojo/flows/runner-ci/trails/) 
+  deploying, with Continuous Compliance, to [staging](https://app.kosli.com/cyber-dojo/environments/aws-beta/snapshots/) and [production](https://app.kosli.com/cyber-dojo/environments/aws-prod/snapshots/) AWS environments.
+- Uses patterns from https://www.kosli.com/blog/using-kosli-attest-in-github-action-workflows-some-tips/
 
 ***
 API