From 79320a907f611f2fb40ced8e13c66af988b2d9db Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Mon, 5 Aug 2024 13:51:40 -0500
Subject: [PATCH] Reusable workflow (#14)
* Reusable witness workflow
* Fix various minor bugs.
---------
Signed-off-by: John Kjell
---
.github/workflows/witness.yml | 92 +++++++++++++++++++++++++++++++++++
action.yml | 2 +-
dist/index.js | 5 +-
index.js | 5 +-
4 files changed, 101 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/witness.yml
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
new file mode 100644
index 0000000..460ccce
--- /dev/null
+++ b/.github/workflows/witness.yml
@@ -0,0 +1,92 @@ +# Copyright 2023 The Archivista Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +on: + workflow_call: + inputs: + pull_request: + required: true + type: boolean + artifact-download: + required: false + type: string + artifact-upload-name: + required: false + type: string + artifact-upload-path: + required: false + type: string + pre-command: + required: false + type: string + pre-command-attestations: + default: "environment git github" + required: false + type: string + command: + required: true + type: string + step: + required: true + type: string + attestations: + required: true + type: string + archivista-server: + default: "https://archivista.testifysec.io" + required: false + type: string + +jobs: + witness: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: 1.21.x + + - if: ${{ inputs.artifact-download != '' }} + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + with: + name: ${{ inputs.artifact-download }} + path: /tmp + + - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }} + uses: testifysec/witness-run-action@f77c0a5b024ed206a6d2e7426611e4306af4dd66 # v0.2.1 + with: + version: 0.6.0 + archivista-server: ${{ inputs.archivista-server }} + step: pre-${{ inputs.step }} + attestations: ${{ inputs.pre-command-attestations }} 
+ command: /bin/sh -c "${{ inputs.pre-command }}" + - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }} + run: ${{ inputs.pre-command }} + + - if: ${{ inputs.pull_request == false }} + uses: testifysec/witness-run-action@f77c0a5b024ed206a6d2e7426611e4306af4dd66 # v0.2.1 + with: + version: 0.6.0 + archivista-server: ${{ inputs.archivista-server }} + step: ${{ inputs.step }} + attestations: ${{ inputs.attestations }} + command: /bin/sh -c "${{ inputs.command }}" + - if: ${{ inputs.pull_request == true }} + run: ${{ inputs.command }} + + - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}} + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + with: + name: ${{ inputs.artifact-upload-name }} + path: ${{ inputs.artifact-upload-path }} diff --git a/action.yml b/action.yml index ffbc40e..efa706f 100644 --- a/action.yml +++ b/action.yml @@ -85,7 +85,7 @@ inputs: version: description: "Version of Witness CLI" required: false - default: "0.5.2" + default: "0.6.0" workingdir: description: "Directory from which commands will run" required: false diff --git a/dist/index.js b/dist/index.js index e6fdb54..6f62aaf 100644 --- a/dist/index.js +++ b/dist/index.js @@ -30537,7 +30537,6 @@ async function run() { } core.addPath(witnessPath); - await exec.exec("ls", "-la"); const step = core.getInput("step"); const archivistaServer = core.getInput("archivista-server"); @@ -30551,6 +30550,9 @@ async function run() { const intermediates = core.getInput("intermediates").split(" "); const key = core.getInput("key"); let outfile = core.getInput("outfile"); + outfile = outfile + ? outfile + : path.join(os.tmpdir(), step + "-attestation.json"); const productExcludeGlob = core.getInput("product-exclude-glob"); const productIncludeGlob = core.getInput("product-include-glob"); const spiffeSocket = core.getInput("spiffe-socket"); 
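Review bot: The `witness` job declares no `permissions:` block, so it runs with whatever token scope the calling workflow grants rather than the minimum it needs; if witness-run-action's default keyless Sigstore signing is in use (the signer configuration is not visible in this hunk) that minimum is `contents: read` plus `id-token: write`, so add `permissions:` / `  contents: read` / `  id-token: write` to the job and let callers grant nothing more. Separately, the attested steps wrap the caller's string as `command: /bin/sh -c "${{ inputs.command }}"` while the `pull_request == true` steps execute the same string directly via `run:`, so a command containing a double quote or an unescaped `$` behaves differently, or breaks the quoting entirely, depending on which branch fires; either run both branches through the same interpreter or state the restriction in the input's `description:`, which none of the ten inputs currently have. Finally, `pre-command-attestations` defaults to `environment git github` and `archivista-server` defaults to the public `https://archivista.testifysec.io`; the environment attestor records the runner's environment variables, so if upload is enabled by the action's defaults, anything a caller exports in `env:` that witness's sensitive-variable filter does not cover is published. A comment on that input such as `# environment attestor captures env vars; callers must not export secrets at job/workflow scope` would make the trade-off visible to callers.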
@@ -30592,6 +30594,7 @@ async function run() { if (certificate) cmd.push(`--certificate=${certificate}`); if (enableArchivista) cmd.push(`--enable-archivista=${enableArchivista}`); + if (archivistaServer) cmd.push(`--archivista-server=${archivistaServer}`); if (fulcio) cmd.push(`--signer-fulcio-url=${fulcio}`); if (fulcioOidcClientId) cmd.push(`--signer-fulcio-oidc-client-id=${fulcioOidcClientId}`); if (fulcioOidcIssuer) cmd.push(`--signer-fulcio-oidc-issuer=${fulcioOidcIssuer}`); diff --git a/index.js b/index.js index a8bffea..acaad17 100644 --- a/index.js +++ b/index.js @@ -64,7 +64,6 @@ async function run() { } core.addPath(witnessPath); - await exec.exec("ls", "-la"); const step = core.getInput("step"); const archivistaServer = core.getInput("archivista-server"); @@ -78,6 +77,9 @@ async function run() { const intermediates = core.getInput("intermediates").split(" "); const key = core.getInput("key"); let outfile = core.getInput("outfile"); + outfile = outfile + ? outfile + : path.join(os.tmpdir(), step + "-attestation.json"); const productExcludeGlob = core.getInput("product-exclude-glob"); const productIncludeGlob = core.getInput("product-include-glob"); const spiffeSocket = core.getInput("spiffe-socket"); @@ -119,6 +121,7 @@ async function run() { if (certificate) cmd.push(`--certificate=${certificate}`); if (enableArchivista) cmd.push(`--enable-archivista=${enableArchivista}`); + if (archivistaServer) cmd.push(`--archivista-server=${archivistaServer}`); if (fulcio) cmd.push(`--signer-fulcio-url=${fulcio}`); if (fulcioOidcClientId) cmd.push(`--signer-fulcio-oidc-client-id=${fulcioOidcClientId}`); if (fulcioOidcIssuer) cmd.push(`--signer-fulcio-oidc-issuer=${fulcioOidcIssuer}`);
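Review bot: The default `outfile` added in the `@@ -78,6 +77,9 @@` hunk is a predictable path in the shared temp directory, `<tmpdir>/<step>-attestation.json`, and `step` comes verbatim from `core.getInput("step")`, so a step name containing `/` or `..` silently places the attestation outside `os.tmpdir()` or fails to write. On GitHub-hosted runners the VM is single-use so this is mostly a footgun, but on shared self-hosted runners a predictable name in a world-writable directory is the classic pre-created-file/symlink case. Consider `outfile = outfile || path.join(fs.mkdtempSync(path.join(os.tmpdir(), "witness-")), path.basename(step) + "-attestation.json");`, which gives a private directory and strips path components; this assumes `fs`, `os` and `path` are required at the top of the file, which is outside the hunk. The same lines are duplicated in `dist/index.js`, so any fix needs the bundle rebuilt as well. The enclosing `run()` starts and ends outside the hunk.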