chore(deps): Bump github/codeql-action from 3.27.0 to 3.27.1 (#1692) #3680
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# Copyright 2022 The Sigstore Authors. | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
name: Verify examples using policy-tester | |
on: | |
workflow_dispatch: | |
push: | |
branches: ['main', 'release-*'] | |
pull_request: | |
jobs: | |
verify: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: read | |
env: | |
GOPATH: ${{ github.workspace }} | |
COSIGN_YES: "true" | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
path: ./src/github.com/${{ github.repository }} | |
fetch-depth: 0 | |
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: './src/github.com/${{ github.repository }}/go.mod' | |
check-latest: true | |
- name: Build the policy-tester CLI | |
working-directory: ./src/github.com/${{ github.repository }} | |
run: | | |
make policy-tester | |
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da | |
- name: Setup local registry | |
run: | | |
docker run -d --restart=always \ | |
--name registry.local \ | |
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \ | |
-p 5000:5000 \ | |
registry:2 | |
- name: Example (custom-key-attestation-sbom-spdxjson) | |
working-directory: ./src/github.com/${{ github.repository }}/examples | |
run: | | |
REF="localhost:5000/examples/custom-key-attestation-sbom-spdxjson" | |
# Push an image | |
docker pull alpine | |
docker tag alpine "${REF}" | |
docker push "${REF}" | |
# Attach attestation to image | |
cosign attest --yes --type spdxjson \ | |
--predicate sboms/example.spdx.json \ | |
--key keys/cosign.key \ | |
"${REF}" | |
# Verify the attestation | |
cosign verify-attestation \ | |
--type spdxjson \ | |
--key keys/cosign.pub \ | |
"${REF}" | |
# Ensure the image satisfies the policy | |
../policy-tester \ | |
--policy policies/custom-key-attestation-sbom-spdxjson.yaml \ | |
--image "${REF}" | |
# Make sure we can't run Jobs, exercise metadata CIP matching. | |
- name: Example (verify CIP level typemeta policy failure) | |
working-directory: ./src/github.com/${{ github.repository }} | |
run: | | |
REF="ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d" | |
# Ensure the image does not satisfy the policy | |
if ./policy-tester \ | |
--policy examples/policies/allow-only-pods.yaml \ | |
--image "${REF}" \ | |
--resource test/testdata/resources/job.yaml ; then | |
echo Failed to block Job from running | |
exit 1 | |
fi | |
# Make sure we can't run Pods, exercise metadata CIP matching. | |
- name: Example (verify CIP level typemeta policy success) | |
working-directory: ./src/github.com/${{ github.repository }} | |
run: | | |
REF="ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d" | |
# Ensure the image satisfies the policy | |
./policy-tester \ | |
--policy examples/policies/allow-only-pods.yaml \ | |
--image "${REF}" \ | |
--resource test/testdata/resources/pod.yaml | |
# This example requires public Fulcio, only run on push to main | |
- if: ${{ github.event_name == 'push' }} | |
name: Example (keyless-attestation-sbom-spdxjson) | |
working-directory: ./src/github.com/${{ github.repository }}/examples | |
run: | | |
REF="localhost:5000/examples/keyless-attestation-sbom-spdxjson" | |
# Push an image | |
docker pull alpine | |
docker tag alpine "${REF}" | |
docker push "${REF}" | |
# Attach attestation to image | |
cosign attest --yes --type spdxjson \ | |
--predicate sboms/example.spdx.json \ | |
"${REF}" | |
# Ensure the image satisfies the policy | |
../policy-tester \ | |
--policy policies/keyless-attestation-sbom-spdxjson.yaml \ | |
--image "${REF}" | |
# This example requires public Fulcio, only run on push to main | |
- if: ${{ github.event_name == 'push' }} | |
name: Example (signed-by-github-actions) | |
working-directory: ./src/github.com/${{ github.repository }}/examples | |
run: | | |
REF="localhost:5000/examples/signed-by-github-actions" | |
# Push an image | |
docker pull alpine | |
docker tag alpine "${REF}" | |
docker push "${REF}" | |
# Sign image | |
cosign sign "${REF}" | |
# Ensure the image satisfies the policy | |
../policy-tester \ | |
--policy policies/signed-by-github-actions.yaml \ | |
--image "${REF}" |