Added attest of approval to kosli (#27)

ToreMerkely · web-flow · commit 8b63356d0215 · 2025-04-15T10:06:06.000+02:00
* Added attestation of approval

* Added custom type schema
diff --git a/.github/workflows/build-deploy-backend.yml b/.github/workflows/build-deploy-backend.yml
@@ -139,7 +139,6 @@ jobs:
       - name: Debug
         run: |
           echo "### Approval Actor for stage: ${{ steps.get-approver.outputs.approver }}" >> $GITHUB_STEP_SUMMARY
-          cat ${{ steps.get-approver.outputs.approval-json-file }} >>  $GITHUB_STEP_SUMMARY
 
   semver-tag:
     needs: [build,deploy-stage]
@@ -210,7 +209,7 @@ jobs:
     secrets: inherit
 
   get-approver-for-production:
-    needs: deploy-production
+    needs: [setup, deploy-production]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -221,4 +220,14 @@ jobs:
         with:
           gh-audit-log-reader-token: ${{ secrets.READ_AUDIT_LOG }}
 
-
+      - name: Report approval to kosli
+        run: |
+          kosli attest custom \
+            --type=approval-github-workflow \
+            --name release-approval \
+            --flow ${{ env.KOSLI_FLOW }} \
+            --trail ${{ needs.setup.outputs.kosli-trail }} \
+            --attestation-data ${{ steps.get-approver.outputs.approval-json-file }} \
+            --annotate Approver="${{ steps.get-approver.outputs.approver }}"
+
+          echo "### Approval Actor for production: ${{ steps.get-approver.outputs.approver }}" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/setup-kosli.yml b/.github/workflows/setup-kosli.yml
@@ -33,19 +33,11 @@ jobs:
             --template-file kosli-flow-templates/backend-template.yml
 
 
-#      ### Custom attestation types ###
-#      - name: Create veracode-scan-executed attestation type
-#        run:
-#          kosli create attestation-type veracode-scan-executed
-#              --description "Attest that veracode scan was executed"
-#              --schema custom-attestation-types/veracode-scan-schema.json
-#              --jq '.scan_status == "SUCCESS"'
-#
-#      - name: Create veracode-scan-vulnerability-summary attestation type
-#        run:
-#          kosli create attestation-type veracode-scan-vulnerability-summary
-#              --description "Attest that veracode scan has no vulnerabilities"
-#              --schema custom-attestation-types/veracode-scan-schema.json
-#              --jq '.scan_status == "SUCCESS"'
-#              --jq 'all(.severity_summary[]; . == 0)'
-#              --jq 'all(.gob_summary[]; . == 0)'
+      ### Custom attestation types ###
+      - name: Create approval-github-workflow attestation type
+        run:
+          kosli create attestation-type approval-github-workflow
+              --description "Approval from GitHub workflow"
+              --schema custom-attestation-types/approval-github-workflow.yml
+              --jq '.action == "workflows.approve_workflow_job"'
+              --jq '.actor != ""'
diff --git a/custom-attestation-types/approval-github-workflow.yml b/custom-attestation-types/approval-github-workflow.yml
@@ -0,0 +1,88 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "GitHub Audit Log Approval Entry",
+  "type": "object",
+  "properties": {
+    "@timestamp": {
+      "type": "integer",
+      "description": "Timestamp in milliseconds since epoch"
+    },
+    "_document_id": {
+      "type": "string"
+    },
+    "action": {
+      "type": "string",
+      "enum": ["workflows.approve_workflow_job"]
+    },
+    "actor": {
+      "type": "string"
+    },
+    "actor_id": {
+      "type": "integer"
+    },
+    "actor_is_bot": {
+      "type": "boolean"
+    },
+    "business": {
+      "type": "string"
+    },
+    "business_id": {
+      "type": "integer"
+    },
+    "created_at": {
+      "type": "integer",
+      "description": "Timestamp in milliseconds since epoch"
+    },
+    "operation_type": {
+      "type": "string",
+      "enum": ["modify"]
+    },
+    "org": {
+      "type": "string"
+    },
+    "org_id": {
+      "type": "integer"
+    },
+    "public_repo": {
+      "type": "boolean"
+    },
+    "repo": {
+      "type": "string"
+    },
+    "repo_id": {
+      "type": "integer"
+    },
+    "request_access_security_header": {
+      "type": ["string", "null"]
+    },
+    "run_number": {
+      "type": "integer"
+    },
+    "user_agent": {
+      "type": "string"
+    },
+    "workflow_run_id": {
+      "type": "integer"
+    }
+  },
+  "required": [
+    "@timestamp",
+    "_document_id",
+    "action",
+    "actor",
+    "actor_id",
+    "actor_is_bot",
+    "business",
+    "business_id",
+    "created_at",
+    "operation_type",
+    "org",
+    "org_id",
+    "public_repo",
+    "repo",
+    "repo_id",
+    "run_number",
+    "user_agent",
+    "workflow_run_id"
+  ]
+}
