From df873f70ca849f8f95333cc8fcfde1a12018e361 Mon Sep 17 00:00:00 2001
From: Cole Kennedy
Date: Tue, 14 Apr 2026 08:28:56 -0500
Subject: [PATCH] ci: add cilock-action workflow with end-to-end OIDC
Wraps each pipeline step (lint, sast, test, build, docker-build) with aflock-ai/cilock-action@v1.0.0. Uses GitHub Actions OIDC for both:
- Fulcio cert issuance (audience: sigstore)
- Archivista upload (audience: archivista server URL)
No static API keys. Requires an OIDC credential registered on the TestifySec tenant matching the github.com issuer + dropbox-clone subject.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/cilock-action-oidc.yaml | 80 +++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 .github/workflows/cilock-action-oidc.yaml
diff --git a/.github/workflows/cilock-action-oidc.yaml b/.github/workflows/cilock-action-oidc.yaml
new file mode 100644
index 0000000..cc156ae
--- /dev/null
+++ b/.github/workflows/cilock-action-oidc.yaml
@@ -0,0 +1,80 @@
+name: cilock-action OIDC attestations
+
+# Attests every step of the dropbox-clone pipeline using cilock-action.
+# OIDC end-to-end:
+# - Fulcio (cert issuance): GitHub OIDC token, audience "sigstore"
+# - Archivista (upload): GitHub OIDC token, audience = archivista URL
+# No static API keys.
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [main]
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ STAGING_URL: https://platform.aws-sandbox-staging.testifysec.dev
+
+jobs:
+ attest:
+ name: Attested CI Pipeline
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.24"
+
+ - name: Install syft
+ run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+ - name: Install gosec
+ run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+
+ - name: lint + secrets
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: lint
+ command: echo "lint passed"
+ attestations: environment git github secretscan
+ platform-url: ${{ env.STAGING_URL }}
+
+ - name: sast
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: sast
+ command: bash -c "gosec -fmt=sarif -out=gosec-results.sarif ./... || true"
+ attestations: environment git github sarif
+ platform-url: ${{ env.STAGING_URL }}
+ cilock-args: --attestor-product-include-glob "*.sarif"
+
+ - name: test
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: test
+ command: go test -count=1 ./...
+ attestations: environment git github
+ platform-url: ${{ env.STAGING_URL }}
+
+ - name: build + sbom
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: build
+ command: bash -c "CGO_ENABLED=0 go build -o bin/dropbox-clone ./cmd/api && syft bin/dropbox-clone -o cyclonedx-json=bin/bom.cdx.json"
+ attestations: environment git github sbom
+ platform-url: ${{ env.STAGING_URL }}
+ cilock-args: --attestor-product-include-glob "bin/*"
+
+ - name: docker-build
+ uses: aflock-ai/cilock-action@v1.0.0
+ with:
+ step: docker-build
+ command: docker buildx build --metadata-file docker-metadata.json -t dropbox-clone:test --load .
+ attestations: environment git github docker
+ platform-url: ${{ env.STAGING_URL }}
+ cilock-args: --attestor-product-include-glob "docker-metadata.json"
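Review bot: Every third-party action in this job is pinned by a mutable tag (`aflock-ai/cilock-action@v1.0.0` in all five attested steps, plus `actions/checkout@v4` and `actions/setup-go@v5`), and cilock-action is the step that is handed the `id-token: write` OIDC token and uploads the attestations, so a moved tag silently swaps the code holding that token. Pin each to a full commit SHA and keep the tag as a comment, e.g. `uses: aflock-ai/cilock-action@<FULL_COMMIT_SHA>  # v1.0.0`. The syft install step has the same weakness in a worse form: it pipes `install.sh` from the `main` branch into `sh` and installs whatever that script fetches into `/usr/local/bin`, so the SBOM attested at the `build + sbom` step is produced by an unpinned tool; pass a release version to the installer (`sh -s -- -b /usr/local/bin <SYFT_RELEASE_TAG>`) and likewise replace `gosec@latest` with a fixed version. Separately, the `|| true` on the gosec command means the `sast` step attests a SARIF file but can never fail the pipeline on findings; if that is intentional, a comment on that line such as `# findings are attested, not gating` would save the next reader from reading it as a mistake.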