feat: keyless signing support #236
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Verify Pull Request | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| # Cancel any in-flight jobs for the same pull request so there is only one job active at a time. | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| verify: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| - name: Run Cimon | |
| uses: ./ | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| prevent: true | |
| allowed-hosts: > | |
| cycode.com | |
| registry.npmjs.org | |
| report-process-tree: true | |
| fail-on-error: true | |
| - name: Test | |
| run: | | |
| curl -I https://api.github.com | |
| curl -I https://cycode.com | |
| wget --quiet --timeout 1 https://registry.npmjs.org || true | |
| verify-provenance: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| - name: Create Private Key | |
| run: | | |
| openssl genrsa -out private-key.pem 3072 | |
| - name: Run Cimon | |
| uses: ./attest | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| subjects: NDgyY2U4YzhmN2U4NjdkYTNhM2MwNWE5YWVlNjM3NzAzZTE3NDcwZWQxY2Y4ODJhOWU1YjQwNWU4ZjgyNjE5ZCAgYXJ0aWZhY3QxCjg5Y2ZjNjk1NGU4OGIyZjkyYTdjMjg3OWQ5ZWIwODVjNDJmM2M3MDY1ZDAxMmE1MDY2ZjQ1MGRiZTU5YjJjMDAgIGFydGlmYWN0Mgo= | |
| sign-key: private-key.pem | |
| report-job-summary: true | |
| report-artifact: true | |
| fail-on-error: true | |
| verify-provenance-image-ref: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| - name: Create Private Key | |
| run: | | |
| openssl genrsa -out private-key.pem 3072 | |
| - name: Run Cimon | |
| uses: ./attest | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| subjects: 'cycodelabs/cimon@sha256:ad4ab84178621f359a5ec1ba9eff8ba46626d8d1999416646b6aaa96bfcbf802' | |
| sign-key: private-key.pem | |
| report-job-summary: true | |
| report-artifact: true | |
| fail-on-error: true | |
| verify-agent-and-attest: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| - name: Run Cimon Agent | |
| uses: ./ | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| report-process-tree: true | |
| fail-on-error: true | |
| - name: Create Artifact | |
| run: | | |
| echo artifact > artifact.txt | |
| - name: Run Cimon Attest | |
| uses: ./attest | |
| with: | |
| client-id: ${{ secrets.CIMON_CLIENT_ID }} | |
| secret: ${{ secrets.CIMON_SECRET }} | |
| subjects: artifact.txt | |
| report-job-summary: true | |
| fail-on-error: true | |
| - name: Test | |
| run: | | |
| curl -I https://api.github.com | |
| curl -I https://cycode.com | |
| wget --quiet --timeout 1 https://registry.npmjs.org || true |