Add dependabot config, reusable witness workflow, and update pipeline

Signed-off-by: John Kjell <[email protected]>
in-toto · Nov 15, 2023 · 08d1c37 · 08d1c37
1 parent 5c92286
commit 08d1c37
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 44 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+    ignore:
+      - dependency-name: "*"
+        update-types:
+        - "version-update:semver-major"
+        - "version-update:semver-minor"
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,49 +18,30 @@ permissions:
 name: release
 on: [push, pull_request]
 jobs:
-  test:
-    strategy:
-      matrix:
-        go-version: [ 1.19.x ]
-        os: [ ubuntu-latest ]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ matrix.go-version }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - uses: actions/cache@v2
-        with:
-         path: |
-           ~/go/pkg/mod
-           ~/.cache/go-build
-         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-         restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Format Unix
-        run: test -z $(go fmt ./...)
-      - name: Install GoKart
-        run: go install github.com/praetorian-inc/gokart@latest
+  fmt:
+    uses: ./.github/workflows/witness.yml
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: fmt
+      attestations: "git github environment"
+      command: go fmt ./...
 
-      - name: Static Analysis
-        uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
-        with:
-          step: static-analysis
-          attestations: "github sarif"
-          command: gokart scan . -o sarif-results.json -s
+  sast:
+    needs: [fmt]
+    uses: ./.github/workflows/witness.yml
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: sast
+      attestations: "git github environment"
+      command: go vet ./...
 
-      - name: Test
-        uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
-        with: 
-          step: "test"
-          attestations: "github"
-          command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
-
-      - name: Send coverage
-        env:
-          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          GO111MODULE=off go get github.com/mattn/goveralls
-          $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+  unit-test:
+    needs: [fmt]
+    uses: ./.github/workflows/witness.yml
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: unit-test
+      attestations: "git github environment"
+      command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+      artifact-upload-name: profile.cov
+      artifact-upload-path: profile.cov
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
@@ -0,0 +1,80 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+on:
+    workflow_call:
+        inputs:
+            pull_request: 
+                required: true
+                type: boolean
+            artifact-download:
+                required: false
+                type: string
+            artifact-upload-name:
+                required: false
+                type: string
+            artifact-upload-path:
+                required: false
+                type: string
+            pre-command:
+                required: false
+                type: string
+            command:
+                required: true
+                type: string
+            step:
+                required: true
+                type: string
+            attestations:
+                required: true
+                type: string
+
+jobs:
+    witness:
+        runs-on: ubuntu-latest
+        steps:
+          - uses: actions/checkout@v4
+          - uses: actions/setup-go@v4
+            with:
+              go-version: 1.21.x
+
+          - if: ${{ inputs.artifact-download != '' }}
+            uses: actions/download-artifact@v3
+            with:
+              name: ${{ inputs.artifact-download }}
+              path: /tmp
+
+          - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
+            uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+            with:
+              step: pre-${{ inputs.step }}
+              attestations: ${{ inputs.attestations }}
+              command: /bin/sh -c "${{ inputs.pre-command }}"
+          - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
+            run: ${{ inputs.pre-command }}
+
+          - if: ${{ inputs.pull_request == false }}
+            uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
+            with:
+              step: ${{ inputs.step }}
+              attestations: ${{ inputs.attestations }}
+              command: /bin/sh -c "${{ inputs.command }}"
+          - if: ${{ inputs.pull_request == true }}
+            run: ${{ inputs.command }}
+
+          - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
+            uses: actions/upload-artifact@v3
+            with:
+              name: ${{ inputs.artifact-upload-name }}
+              path: ${{ inputs.artifact-upload-path }}