Skip to content

Commit

Permalink
merge to main
Browse files Browse the repository at this point in the history
Signed-off-by: Bob Callaway <[email protected]>
  • Loading branch information
bobcallaway committed Sep 25, 2023
2 parents 8dcd664 + ed1fa70 commit df1d3f7
Show file tree
Hide file tree
Showing 219 changed files with 15,217 additions and 3,494 deletions.
12 changes: 6 additions & 6 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,23 +34,23 @@ jobs:
contents: read

steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV

- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GOVERSION }}

- name: deps
run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev

- uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6

- name: Set up Cloud SDK
uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d # v1.0.0
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-rekor'
service_account: '[email protected]'
Expand All @@ -61,4 +61,4 @@ jobs:
- name: container
run: KO_PREFIX=gcr.io/projectsigstore/rekor/ci/rekor make sign-keyless-ci
env:
COSIGN_EXPERIMENTAL: true
COSIGN_YES: true
8 changes: 4 additions & 4 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -42,16 +42,16 @@ jobs:
language: [ 'go' ]
steps:
- name: Checkout repository
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
with:
languages: ${{ matrix.language }}

- name: Autobuild
uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
11 changes: 0 additions & 11 deletions .github/workflows/cosign.key

This file was deleted.

57 changes: 30 additions & 27 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,13 +30,13 @@ permissions:

jobs:
build:
runs-on: ubuntu-20.04
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GOVERSION }}

Expand All @@ -47,23 +47,23 @@ jobs:
- name: Test
run: go test -v -coverprofile=coverage.txt -covermode=atomic ./...
- name: Upload Coverage Report
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
flags: unittests
- name: Ensure no files were modified as a result of the build
run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code

container-build:
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GOVERSION }}

- uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6

- name: container
run: |
Expand All @@ -73,16 +73,18 @@ jobs:
docker run --rm $(cat redisImagerefs) --version
e2e:
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
needs: build

steps:
- name: download minisign
run: sudo add-apt-repository ppa:dysfunctionalprogramming/minisign && sudo apt-get update && sudo apt-get install minisign
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
# run: sudo add-apt-repository ppa:dysfunctionalprogramming/minisign && sudo apt-get update && sudo apt-get install minisign
run: sudo add-apt-repository ppa:savoury1/minisign && sudo apt-get update && sudo apt-get install minisign

- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GOVERSION }}
- name: install gocovmerge
Expand All @@ -93,82 +95,83 @@ jobs:
- name: Refactor-e2e # this will a WIP to move all the tests to respective packages
run: ./e2e-test.sh
- name: Upload logs if they exist
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: failure()
with:
name: E2E Docker Compose logs
path: /tmp/docker-compose.log
- name: Upload Coverage Report
uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # v3.1.1
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
files: /tmp/rekor-merged.cov,/tmp/pkg-rekor-merged.cov
flags: e2etests

sharding-e2e:
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
needs: build

steps:
- name: download minisign
run: sudo add-apt-repository ppa:dysfunctionalprogramming/minisign && sudo apt-get update && sudo apt-get install minisign
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
# run: sudo add-apt-repository ppa:dysfunctionalprogramming/minisign && sudo apt-get update && sudo apt-get install minisign
run: sudo add-apt-repository ppa:savoury1/minisign && sudo apt-get update && sudo apt-get install minisign
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Docker Build
run: docker-compose build
- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GOVERSION }}

- name: Sharding Test
run: ./tests/sharding-e2e-test.sh
- name: Upload logs if they exist
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: failure()
with:
name: Sharding E2E Docker Compose logs
path: /tmp/docker-compose.log

issue-872-e2e:
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
needs: build

steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Docker Build
run: docker-compose build
- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GOVERSION }}

- name: Test for Attestation begin returned that was previously persisted in tlog
run: ./tests/issue-872-e2e-test.sh
- name: Upload logs if they exist
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: failure()
with:
name: Docker Compose logs
path: /tmp/*docker-compose.log

harness:
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Create git branch
run: git switch -c harness-test-branch
- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GOVERSION }}

- name: Run test harness
run: ./tests/rekor-harness.sh
- name: Upload logs if they exist
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
if: failure()
with:
name: E2E Docker Compose logs
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/milestone.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
statuses: none

steps:
- uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
- uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
with:
script: |
if (!context.payload.pull_request.merged) {
Expand Down
50 changes: 11 additions & 39 deletions .github/workflows/scorecard_action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,50 +10,22 @@ on:
- main
- 'release-**'

# Declare default permissions as read only.
permissions: read-all
# Declare default permissions as none.
permissions: {}

jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
name: Scorecard analysis
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
actions: read
contents: read
# Needed to publish results and get a badge (see publish_results below).
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with:
persist-credentials: false
uses: sigstore/community/.github/workflows/reusable-scorecard.yml@d0c95c8803672313d0bf72e1a44021be5b583c24 # main
# (Optional) Disable publish results:
# with:
# publish_results: false

- name: "Run analysis"
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
with:
results_file: results.sarif
results_format: sarif
# Read-only PAT token. To create it,
# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
repo_token: ${{ secrets.SCORECARD_TOKEN }}
# Publish the results for public repositories to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
publish_results: true

# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.37
with:
sarif_file: results.sarif
# (Optional) Enable Branch-Protection check:
secrets:
scorecard_token: ${{ secrets.SCORECARD_TOKEN }}
67 changes: 31 additions & 36 deletions .github/workflows/validate-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,50 +22,45 @@ on:
- 'release-**'
pull_request:

permissions: {}

jobs:
validate-release-job:
check-signature:
runs-on: ubuntu-latest
container:
image: gcr.io/projectsigstore/cosign:v2.2.0@sha256:280b47054876d415f66a279e666e35157cae6881f3538599710290c70bb75369

permissions:
actions: none
checks: none
contents: none
deployments: none
issues: none
packages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none
steps:
- name: Check Signature
run: |
cosign verify ghcr.io/gythialy/golang-cross:v1.21.1-0@sha256:7864d898e45db9d749f14180051edb46ff61bf42914e3b8ecddec5a36813aa6c \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.1-0"
env:
TUF_ROOT: /tmp

env:
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.4-0@sha256:53ee894818ac14377996a6fe7c8fe6156d018a20f82aaf69f2519fc45d897bec
COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057
validate-release-job:
runs-on: ubuntu-latest
needs:
- check-signature
container:
image: ghcr.io/gythialy/golang-cross:v1.21.1-0@sha256:7864d898e45db9d749f14180051edb46ff61bf42914e3b8ecddec5a36813aa6c

steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Extract version of Go to use
run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | cut -d '@' -f 1 | cut -d ':' -f 2 | uniq)" >> $GITHUB_ENV
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: ${{ env.GOVERSION }}

- uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1
- name: Install GoReleaser
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
with:
install-only: true
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

- name: Check Signature
run: |
docker run --rm \
-e COSIGN_EXPERIMENTAL=true \
-e TUF_ROOT=/tmp \
$COSIGN_IMAGE \
verify \
$CROSS_BUILDER_IMAGE
# Error: fatal: detected dubious ownership in repository at '/__w/rekor/rekor'
# To add an exception for this directory, call:
# git config --system --add safe.directory /__w/rekor/rekor
# Reason: Recent versions of git require the .git folder to be owned
# by the same user (see https://github.blog/2022-04-12-git-security-vulnerability-announced/).
# Related
# - https://github.com/actions/runner/issues/2033
# - https://github.com/actions/checkout/issues/1048
# - https://github.com/actions/runner-images/issues/6775
- run: git config --system --add safe.directory /__w/rekor/rekor

- name: snaphot
- name: goreleaser snapshot
run: make snapshot
env:
PROJECT_ID: honk-fake-project
Expand Down
Loading

0 comments on commit df1d3f7

Please sign in to comment.