Skip to content

ci: tests: build: Generate OpenVEX and submit to SCITT #73

ci: tests: build: Generate OpenVEX and submit to SCITT

ci: tests: build: Generate OpenVEX and submit to SCITT #73

Workflow file for this run

name: Tests
on:
push:
paths-ignore:
- .github/workflows/release.yml
pull_request:
paths-ignore:
- .github/workflows/release.yml
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version:
- "3.10"
steps:
- uses: actions/checkout@v2
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
- name: Get pip cache
id: pip-cache
run: |
python -c "from pip._internal.locations import USER_CACHE_DIR; print('::set-output name=dir::' + USER_CACHE_DIR)"
- name: pip cache
uses: actions/cache@v1
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install dev dependencies
run: |
pip install -U pip setuptools wheel
pip install -U https://github.com/scitt-community/scitt-api-emulator/archive/e89a60584fa717382f279ae24b8a1a93d458bb4d.zip
pip install -e .[dev]
python -m pip freeze
- name: Build
run: |
python -m build .
- name: Generate SBOM
id: generate-sbom
uses: pdxjohnny/sbom4python@github-action
with:
python-version: ${{ matrix.python-version }}
module-name: httptest
output-directory: sbom
- name: in-toto attestation for cyclonedx SBOM
id: in-toto-cyclonedx
env:
MODULE_NAME: httptest
run: |
echo "attestation<<GITHUB_OUTPUT_EOF" >> $GITHUB_OUTPUT
(python -m json.tool --sort-keys | tee -a $GITHUB_OUTPUT) <<EOF
{
"_type": "https://in-toto.io/Statement/v0.1",
"subject": [
{
"name": "$(cd dist/ && echo *.tar.gz)",
"digest": {"sha256": "$(cd dist/ && sha256sum $(echo *.tar.gz) | awk '{print $1}')"}
},
{
"name": "$(cd dist/ && echo *.whl)",
"digest": {"sha256": "$(cd dist/ && sha256sum $(echo *.whl) | awk '{print $1}')"}
}
],
"predicateType": "https://cyclonedx.org/bom/v1.4",
"predicate": $(cat "${MODULE_NAME}-py${{ matrix.python-version }}.json")
}
EOF
echo "GITHUB_OUTPUT_EOF" >> $GITHUB_OUTPUT
- name: Checkout public-keys branch
uses: actions/checkout@v4
with:
ref: public-keys
path: public-keys
- name: Generate keypair to sign SCITT statement
id: scitt-gen-keypair
run: |
ssh-keygen -q -f ssh-private -t ecdsa -b 384 -N '' -I "$(date -Iseconds)" <<<y
cat ssh-private | python -c 'import sys; from cryptography.hazmat.primitives import serialization; print(serialization.load_ssh_private_key(sys.stdin.buffer.read(), password=None).private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()).decode().rstrip())' > private-key.pem
cat ssh-private.pub | tee -a public-keys/authorized_keys
rm -v ssh-private
- name: Push new public key
env:
GH_TOKEN: ${{ github.token }}
run: |
set -xe
cd public-keys
gh auth setup-git
git config --global --add safe.directory "${PWD}"
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
git add -A
# If no delta clean exit
git commit -sm "Snapshot" || exit 0
git push -uf origin "HEAD:public-keys"
# Wait for propagation
set +e
found=1
while [ ${found} -eq 1 ]; do
curl -vfL https://raw.githubusercontent.com/pdxjohnny/httptest/public-keys/authorized_keys | tee authorized_keys
grep "$(cat ../ssh-private.pub)" authorized_keys
found=$?
done
- name: Submit SBOM to SCITT
id: scitt-submit-sbom
uses: pdxjohnny/scitt-api-emulator@github-action
with:
issuer: did:web:raw.githubusercontent.com:pdxjohnny:httptest:public-keys:authorized_keys
subject: pkg:github/${{ github.repository }}@${{ github.sha }}
payload: ${{ steps.in-toto-cyclonedx.outputs.attestation }}
private-key-pem: private-key.pem
scitt-url: https://scitt.unstable.chadig.com
- name: Create Pull Request
if: ${{ steps.generate-sbom.outputs.changed }}
uses: peter-evans/create-pull-request@v5.0.2
with:
commit-message: "chore: update SBOM for Python ${{ matrix.python-version }}"
title: "chore: update SBOM for Python ${{ matrix.python-version }}"
branch: chore-sbom-py${{ matrix.python-version }}
delete-branch: true
author: GitHub Actions <actions@github.com>
add-paths: sbom
- name: Install vexctl
uses: openvex/setup-vexctl@main
- uses: openvex/generate-vex@31b415924ea0d72ed5f2640f1dee59dea6c2770b
name: Run vexctl
id: vexctl
with:
product: pkg:github/${{ github.repository }}@${{ github.sha }}
- name: Submit SBOM to SCITT
id: scitt-submit-openvex
uses: pdxjohnny/scitt-api-emulator@github-action
with:
issuer: did:web:raw.githubusercontent.com:pdxjohnny:httptest:public-keys:authorized_keys
subject: pkg:github/${{ github.repository }}@${{ github.sha }}
payload: ${{ steps.vexctl.outputs.openvex }}
private-key-pem: private-key.pem
scitt-url: https://scitt.unstable.chadig.com
- name: Remove private key used in keypair to sign SCITT statement
run: |
rm -v private-key.pem
unittest:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-latest
python-version:
- "3.10"
- "3.11"
- "3.12"
steps:
- uses: actions/checkout@v2
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
- name: Get pip cache
id: pip-cache
run: |
python -c "from pip._internal.locations import USER_CACHE_DIR; print('::set-output name=dir::' + USER_CACHE_DIR)"
- name: pip cache
uses: actions/cache@v1
with:
path: ${{ steps.pip-cache.outputs.dir }}
key: ${{ runner.os }}-pip-${{ hashFiles('**/setup.cfg') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install dev dependencies
run: |
pip install -U pip setuptools wheel
pip install -e .[dev]
python -m pip freeze
- name: Test without coverage
if: ${{ matrix.python-version != '3.10' }}
run: |
python -m unittest discover -v
- name: Coverage Test
if: ${{ matrix.python-version == '3.10' && matrix.os == 'ubuntu-latest' }}
run: |
python -m coverage run -m unittest discover -v
python -m coverage report -m
- name: Upload coverage to codecov
if: ${{ matrix.python-version == '3.10' && matrix.os == 'ubuntu-latest' }}
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
run: |
pip install -U codecov
codecov