Added attestation of approval

ToreMerkely · ToreMerkely · commit 59a5b997a911 · 2025-04-15T10:02:01.000+02:00
diff --git a/.github/workflows/build-deploy-backend.yml b/.github/workflows/build-deploy-backend.yml
@@ -210,7 +210,7 @@ jobs:
     secrets: inherit
 
   get-approver-for-production:
-    needs: deploy-production
+    needs: [setup, deploy-production]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -221,4 +221,14 @@ jobs:
         with:
           gh-audit-log-reader-token: ${{ secrets.READ_AUDIT_LOG }}
 
-
+      - name: Report approval to kosli
+        run: |
+          source scripts/lib-jira.sh
+
+          kosli attest custom \
+            --type=approval-github-workflow \
+            --name release-approval \
+            --flow ${{ env.KOSLI_FLOW }} \
+            --trail ${{ needs.setup.outputs.kosli-trail }} \
+            --attestation-data ${{ steps.get-approver.outputs.approval-json-file }} \
+            --annotate Approver="${{ steps.get-approver.outputs.approver }}"
diff --git a/.github/workflows/setup-kosli.yml b/.github/workflows/setup-kosli.yml
@@ -33,19 +33,11 @@ jobs:
             --template-file kosli-flow-templates/backend-template.yml
 
 
-#      ### Custom attestation types ###
-#      - name: Create veracode-scan-executed attestation type
-#        run:
-#          kosli create attestation-type veracode-scan-executed
-#              --description "Attest that veracode scan was executed"
-#              --schema custom-attestation-types/veracode-scan-schema.json
-#              --jq '.scan_status == "SUCCESS"'
-#
-#      - name: Create veracode-scan-vulnerability-summary attestation type
-#        run:
-#          kosli create attestation-type veracode-scan-vulnerability-summary
-#              --description "Attest that veracode scan has no vulnerabilities"
-#              --schema custom-attestation-types/veracode-scan-schema.json
-#              --jq '.scan_status == "SUCCESS"'
-#              --jq 'all(.severity_summary[]; . == 0)'
-#              --jq 'all(.gob_summary[]; . == 0)'
+      ### Custom attestation types ###
+      - name: Create approval-github-workflow attestation type
+        run:
+          kosli create attestation-type approval-github-workflow
+              --description "Approval from GitHub workflow"
+              --schema custom-attestation-types/approval-github-workflow.yml
+              --jq '.action == "workflows.approve_workflow_job"'
+              --jq '.actor != ""'
