Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Link & SLSA attestor #381

Merged
merged 35 commits into from
May 10, 2024
Merged

Link & SLSA attestor #381

merged 35 commits into from
May 10, 2024

Conversation

jkjell
Copy link
Member

@jkjell jkjell commented Feb 5, 2024
edited
Loading

What this PR does / why we need it

Add a SLSA & Link Attestor with an option to export them to their own attestations.

Acceptance Criteria Met

  • Docs changes if needed
  • Testing changes if needed
  • All workflow checks passing (automatically enforced)
  • All review conversations resolved (automatically enforced)
  • DCO Sign-off

Special notes for your reviewer:

ChaosInTheCRD
ChaosInTheCRD reviewed Feb 5, 2024
View reviewed changes
docs/commands.md Outdated Show resolved Hide resolved
@netlify Netlify
Copy link

netlify bot commented Mar 22, 2024
edited
Loading

Deploy Preview for witness-project ready!

Name Link
🔨 Latest commit bd1efde
🔍 Latest deploy log https://app.netlify.com/sites/witness-project/deploys/663d30d38156d00009ee1037
😎 Deploy Preview https://deploy-preview-381--witness-project.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@jkjell jkjell marked this pull request as ready for review April 8, 2024 02:24
@ChaosInTheCRD ChaosInTheCRD changed the title Link attestor Link & SLSA attestor Apr 8, 2024
@jkjell jkjell force-pushed the link-attestor branch 2 times, most recently from b496d98 to d93dd87 Compare April 19, 2024 22:06
jkjell and others added 21 commits May 9, 2024 14:37
@jkjell
Handle multiple results from run
cadd809 
Signed-off-by: John Kjell <[email protected]>
@jkjell
Rename exportRun and add better file naming
7f3fade 
Signed-off-by: John Kjell <[email protected]>
@jkjell
Run make docgen
a281b86 
Signed-off-by: John Kjell <[email protected]>
@jkjell
Update go version in actions and point go.mod to WIP go-witness
b8df3d2 
Signed-off-by: John Kjell <[email protected]>
@jkjell
Add explicit setup-go action for workflows and change attestation fil…
aeaa710 
…e output to backwards compatible

Signed-off-by: John Kjell <[email protected]>
@jkjell
Add back license scanning badge (#377)
898f1d3 
Signed-off-by: John Kjell <[email protected]>
@dependabot @ChaosInTheCRD @jkjell
chore: bump github/codeql-action from 3.23.2 to 3.24.0 (#378)
eddb6fa 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.2 to 3.24.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b7bf0a3...e8893c5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Meadows <[email protected]>
Signed-off-by: John Kjell <[email protected]>
@dependabot @ChaosInTheCRD @jkjell
chore: bump step-security/harden-runner from 2.6.1 to 2.7.0 (#379)
f66b23f 
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@eb238b5...63c24ba)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Meadows <[email protected]>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#380)
9bbdd77 
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@9614fae...e1523de)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump actions/download-artifact from 4.1.1 to 4.1.2 (#382)
b9457d5 
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@6b208ae...eaceaf8)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump actions/upload-artifact from 4.3.0 to 4.3.1 (#383)
51ba5ba 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.0 to 4.3.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@26f96df...5d5d22a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@jkjell
Add Tom as a Witness maintainer (#385)
34a321d 
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump testifysec/witness-run-action from 0.1.3 to 0.1.5 (#389)
6d3e4cd 
Bumps [testifysec/witness-run-action](https://github.com/testifysec/witness-run-action) from 0.1.3 to 0.1.5.
- [Release notes](https://github.com/testifysec/witness-run-action/releases)
- [Commits](testifysec/witness-run-action@40aa4ef...2ae7f93)

---
updated-dependencies:
- dependency-name: testifysec/witness-run-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#387)
a655347 
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@3a91952...3cfe3a4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump fossas/fossa-action from 1.3.1 to 1.3.3 (#390)
0ed61ec 
Bumps [fossas/fossa-action](https://github.com/fossas/fossa-action) from 1.3.1 to 1.3.3.
- [Release notes](https://github.com/fossas/fossa-action/releases)
- [Commits](fossas/fossa-action@f61a4c0...47ef11b)

---
updated-dependencies:
- dependency-name: fossas/fossa-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump github/codeql-action from 3.24.0 to 3.24.3 (#391)
7aa235b 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.0 to 3.24.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@e8893c5...3796146)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump actions/dependency-review-action from 4.0.0 to 4.1.1 (#392)
acd9a18 
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.0.0 to 4.1.1.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@4901385...fd07d42)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump actions/dependency-review-action from 4.1.1 to 4.1.3 (#395)
4ac175e 
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.1.1 to 4.1.3.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@fd07d42...9129d7d)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump github/codeql-action from 3.24.3 to 3.24.5 (#396)
76970fe 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.3 to 3.24.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@3796146...47b3d88)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump actions/cache from 4.0.0 to 4.0.1 (#401)
288d8ea 
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump github/codeql-action from 3.24.5 to 3.24.6 (#400)
7ba330a 
Signed-off-by: John Kjell <[email protected]>
dependabot bot and others added 12 commits May 9, 2024 14:38
@dependabot @jkjell
chore: bump actions/download-artifact from 4.1.2 to 4.1.4 (#399)
6b163ec 
Signed-off-by: John Kjell <[email protected]>
@mikhailswift @jkjell
fix: run e2e test script as part of workflows (#397)
f1b310f 
* fix: run e2e test script as part of workflows
---------
Signed-off-by: Mikhail Swift <[email protected]>
Co-authored-by: John Kjell <[email protected]>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump github/codeql-action from 3.24.6 to 3.24.8 (#415)
2fa6166 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.6 to 3.24.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@8a470fd...05963f4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump docker/login-action from 3.0.0 to 3.1.0 (#413)
ffcaa83 
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@343f7c4...e92390c)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump github/codeql-action from 3.24.8 to 3.24.9 (#419)
75da05f 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.8 to 3.24.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@05963f4...1b1aada)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump actions/dependency-review-action from 4.1.3 to 4.2.4 (#420)
f1617cb 
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.1.3 to 4.2.4.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9129d7d...733dd5d)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump actions/cache from 4.0.1 to 4.0.2 (#421)
32a12e8 
Bumps [actions/cache](https://github.com/actions/cache) from 4.0.1 to 4.0.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@ab5e6d0...0c45773)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@jkjell @ChaosInTheCRD
Update dependabot.yml (#405)
fc695ef 
Change to group dependency updates per ecosystem (GHA, go-mod)

Signed-off-by: John Kjell <[email protected]>
Co-authored-by: Tom Meadows <[email protected]>
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump the all-gha group with 1 update (#426)
80c02b9 
Bumps the all-gha group with 1 update: [actions/dependency-review-action](https://github.com/actions/dependency-review-action).

Updates `actions/dependency-review-action` from 4.2.4 to 4.2.5
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@733dd5d...5bbc3ba)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-gha
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@jkjell @ChaosInTheCRD
Update GHA triggers to fine tune for code changes vs other updates (#406
fc59d7e 
)

Signed-off-by: John Kjell <[email protected]>
Co-authored-by: Tom Meadows <[email protected]>
Signed-off-by: John Kjell <[email protected]>
@jkjell
make docgen update
537ee51 
Signed-off-by: John Kjell <[email protected]>
@dependabot @jkjell
chore: bump the all-gha group with 2 updates (#431)
43e74f3 
Bumps the all-gha group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).

Updates `github/codeql-action` from 3.24.9 to 3.24.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@1b1aada...4355270)

Updates `sigstore/cosign-installer` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@e1523de...59acb62)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all-gha
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-gha
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: John Kjell <[email protected]>
@jkjell jkjell merged commit fc48494 into main May 10, 2024
17 checks passed
@jkjell jkjell deleted the link-attestor branch May 10, 2024 12:35
@jkjell jkjell mentioned this pull request Jul 17, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChaosInTheCRD ChaosInTheCRD ChaosInTheCRD approved these changes

@mikhailswift mikhailswift Awaiting requested review from mikhailswift

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jkjell @ChaosInTheCRD @mikhailswift