Add Witness build workflow with Sigstore signing#1
Merged
Move permissions to workflow level to ensure they apply to all events

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Use the latest stable release version

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Put command on single line to avoid parsing issues with multi-line YAML

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Build only for linux/amd64 to reduce build time

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Configure witness attestors including:
- commandrun: captures the docker buildx command
- material: tracks input files
- product: tracks output files (including metadata.json)
- docker: parses buildx metadata for image attestation
- slsa: creates SLSA provenance from all attestors
- environment: captures build environment
- git: includes git repository info
- github: includes GitHub Actions context
- secretscan: scans for exposed secrets in the codebase

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Change 'attestors' to 'attestations' (correct parameter name)
- Add attestor-slsa-export to export SLSA predicate
- Include all attestations: commandrun, material, product, docker, slsa, environment, git, github, secretscan

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Remove commandrun, material, and product from attestations list as they are internal and run automatically. Keep only the additional attestations:
- docker: parses buildx metadata
- slsa: creates SLSA provenance
- environment: captures build environment
- git: repository information
- github: GitHub Actions context
- secretscan: security scanning

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

Updated attestations to include only:
- docker: parses buildx metadata
- slsa: creates SLSA provenance
- git: repository information
- github: GitHub Actions context
- secretscan: security scanning

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Display Docker build metadata from buildx output
- Show container image digest and size
- Add GraphQL query examples for Archivista API:
  - Find attestations by image name
  - Get SLSA provenance
  - View all attestation types
  - Queries can be run at https://archivista.testifysec.io/query

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Fixed GraphQL query syntax based on actual Archivista schema
- Query subjects by nameContains instead of name._eq
- Use proper edge/node structure for connections
- Query dsses with gitoidSha256 and payloadType fields
- Add search by GitOID example

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Display Docker build output with image digest
- Add summary of all attestations captured
- Show SLSA provenance preview if available
- Better formatting with emojis for readability
- Document what each attestation type contains

Based on inspection of actual attestations from Archivista

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Find all container images built from repository
- Find builds by GitHub actor
- Get full attestation bundle by GitOID with variables
- Find attestations for specific Docker image digest
- Find all SLSA provenance attestations
- Add local attestation analysis examples with jq

All queries tested against live Archivista API

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Add clickable links that open queries directly in Archivista's query UI
- URL-encoded queries automatically populate the GraphQL explorer
- Links for all major query types:
  - Container images by repository
  - Builds by GitHub actor
  - Attestation bundle by GitOID (with variables)
  - Docker image by digest (with variables)
  - SLSA provenance attestations
- Keeps query examples visible with syntax highlighting

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Fixed GitHub builds query to use correct field structure
- Fixed Docker image query to use hasSubjectDigestsWith
- Changed Docker digest query to search by image reference
- All queries tested and verified against live Archivista API
- Simplified summary to focus on Witness and Archivista capabilities

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Changed first query from container images to recent attestations with GitOIDs
- Modified GitHub builds query to search witness-demo attestations by predicate
- Simplified Docker query and added note about getting GitOID from other queries
- All queries now properly return GitOID for attestation download

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

…ncluded
- Updated all queries to use proper nested filter structure (hasStatementWith, hasSubjectsWith)
- Changed from searching 'witness-demo' to 'ghcr.io/testifysec/witness-demo' for container attestations
- Added attestationCollections field to show collection names
- Fixed SLSA query to use predicateHasPrefix filter
- Removed subjects-only query as it doesn't return GitOIDs
- Added subjects pagination (first: N) to queries that include subjects
- All queries now properly return gitoidSha256 for attestation download

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

- Removed 'Find recent attestations with GitOIDs' query
- Removed 'Get full attestation bundle by GitOID' query
- Keep only specific queries for witness-demo images and SLSA attestations

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

- Changed title to 'Get recent witness-demo attestations'
- Query now filters by subjects containing 'ghcr.io/testifysec/witness-demo'
- Reduced result limit from 10 to 5 for recent attestations
- Removed attestationCollections field from query

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>

- Use AND query to find SLSA attestations with docker-metadata.json subject
- These are SLSA attestations created by witness for Docker builds
- Changed from nameContains to exact name match for docker-metadata.json
- Reduced result limit to 5 for better performance
- Updated title to clarify these are witness-demo build attestations

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
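Added example, not code from this PR or the Witness project: a small Python helper for the local attestation analysis the later commits mention, run here on a constructed DSSE envelope instead of one downloaded from Archivista by GitOID. It assumes the standard DSSE/in-toto layout (payloadType, base64 payload, signatures around an in-toto Statement) and that Archivista's gitoidSha256 is the git-style blob OID over the raw envelope bytes; the subject digests and signature are placeholders, and no signature verification is attempted.

```python
"""Inspect a Witness-style DSSE envelope locally (constructed sample data)."""
import base64
import hashlib
import json

IMAGE = "ghcr.io/testifysec/witness-demo"

# Constructed in-toto Statement; digests and predicate body are placeholders,
# not values from any real build.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {"name": IMAGE, "digest": {"sha256": "0" * 64}},
        {"name": "docker-metadata.json", "digest": {"sha256": "1" * 64}},
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
# Constructed DSSE envelope as Archivista would hand it back; signature is a placeholder.
ENVELOPE_BYTES = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "placeholder-keyid", "sig": "cGxhY2Vob2xkZXI="}],
}).encode()


def gitoid_sha256(blob: bytes) -> str:
    """Git-style blob object id with SHA-256 (assumed to match gitoidSha256)."""
    return hashlib.sha256(b"blob %d\0" % len(blob) + blob).hexdigest()


def decode_envelope(raw: bytes) -> dict:
    """Unwrap the DSSE envelope and return the in-toto Statement it carries."""
    env = json.loads(raw)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
    stmt = json.loads(base64.b64decode(env["payload"]))
    if not stmt.get("_type", "").startswith("https://in-toto.io/Statement/"):
        raise ValueError("payload is not an in-toto Statement")
    return stmt


def subject_digests(stmt: dict, name_contains: str) -> list:
    """sha256 digests of subjects whose name contains the given string."""
    return [s["digest"]["sha256"] for s in stmt.get("subject", [])
            if name_contains in s.get("name", "") and "sha256" in s.get("digest", {})]


def is_slsa_provenance(stmt: dict) -> bool:
    """True when the predicateType is any SLSA provenance version."""
    return stmt.get("predicateType", "").startswith("https://slsa.dev/provenance/")
```

Pointing `decode_envelope` at the bytes fetched for a gitoidSha256 lets you confirm locally that the image digest you deployed is among the statement's subjects before trusting the provenance shown in the query UI.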
Summary
Test plan
🤖 Generated with Claude Code