Skip to content

Fix shadowed trustedroot (#178) #295

Fix shadowed trustedroot (#178)

Fix shadowed trustedroot (#178) #295

#
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Verify examples using policy-tester
on:
workflow_dispatch:
push:
branches: ['main', 'release']
pull_request:
jobs:
verify:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
env:
GOPATH: ${{ github.workspace }}
COSIGN_YES: "true"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
path: ./src/github.com/${{ github.repository }}
fetch-depth: 0
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version-file: './src/github.com/${{ github.repository }}/go.mod'
check-latest: true
- name: Build the policy-tester CLI
working-directory: ./src/github.com/${{ github.repository }}
run: |
make policy-tester
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
- name: Setup local registry
run: |
docker run -d --restart=always \
--name registry.local \
-e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
-p 5000:5000 \
registry:2
- name: Example (custom-key-attestation-sbom-spdxjson)
working-directory: ./src/github.com/${{ github.repository }}/examples
run: |
REF="localhost:5000/examples/custom-key-attestation-sbom-spdxjson"
# Push an image
docker pull alpine
docker tag alpine "${REF}"
docker push "${REF}"
# Attach attestation to image
cosign attest --yes --type spdxjson \
--predicate sboms/example.spdx.json \
--key keys/cosign.key \
"${REF}"
# Verify the attestation
cosign verify-attestation \
--type spdxjson \
--key keys/cosign.pub \
"${REF}"
# Ensure the image satisfies the policy
../policy-tester \
--policy policies/custom-key-attestation-sbom-spdxjson.yaml \
--image "${REF}"
# Make sure we can't run Jobs, exercise metadata CIP matching.
- name: Example (verify CIP level typemeta policy failure)
working-directory: ./src/github.com/${{ github.repository }}
run: |
REF="ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d"
# Ensure the image does not satisfy the policy
if ./policy-tester \
--policy examples/policies/allow-only-pods.yaml \
--image "${REF}" \
--resource test/testdata/resources/job.yaml ; then
echo Failed to block Job from running
exit 1
fi
# Make sure we can't run Pods, exercise metadata CIP matching.
- name: Example (verify CIP level typemeta policy success)
working-directory: ./src/github.com/${{ github.repository }}
run: |
REF="ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d"
# Ensure the image satisfies the policy
./policy-tester \
--policy examples/policies/allow-only-pods.yaml \
--image "${REF}" \
--resource test/testdata/resources/pod.yaml
# This example requires public Fulcio, only run on push to main
- if: ${{ github.event_name == 'push' }}
name: Example (keyless-attestation-sbom-spdxjson)
working-directory: ./src/github.com/${{ github.repository }}/examples
run: |
REF="localhost:5000/examples/keyless-attestation-sbom-spdxjson"
# Push an image
docker pull alpine
docker tag alpine "${REF}"
docker push "${REF}"
# Attach attestation to image
cosign attest --yes --type spdxjson \
--predicate sboms/example.spdx.json \
"${REF}"
# Ensure the image satisfies the policy
../policy-tester \
--policy policies/keyless-attestation-sbom-spdxjson.yaml \
--image "${REF}"
# This example requires public Fulcio, only run on push to main
- if: ${{ github.event_name == 'push' }}
name: Example (signed-by-github-actions)
working-directory: ./src/github.com/${{ github.repository }}/examples
run: |
REF="localhost:5000/examples/signed-by-github-actions"
# Push an image
docker pull alpine
docker tag alpine "${REF}"
docker push "${REF}"
# Sign image
cosign sign "${REF}"
# Ensure the image satisfies the policy
../policy-tester \
--policy policies/signed-by-github-actions.yaml \
--image "${REF}"