Update bin/never_alone/setup_attestation_type.sh #5
| name: Init Kosli | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| flow_name: | ||
| required: true | ||
| type: string | ||
| trail_name: | ||
| required: true | ||
| type: string | ||
| flow_template_file: | ||
| required: true | ||
| type: string | ||
| kosli_org: | ||
| required: true | ||
| type: string | ||
| checkout_ref: | ||
| required: false | ||
| type: string | ||
| default: '' | ||
| report_to_kosli: | ||
| required: false | ||
| type: string | ||
| default: 'none' | ||
| secrets: | ||
| kosli_api_token: | ||
| required: true | ||
| pr_github_token: | ||
| required: false | ||
| jobs: | ||
| init-kosli: | ||
| name: Init Kosli | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| pull-requests: read | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | ||
| with: | ||
| egress-policy: audit | ||
| - uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 | ||
| ref: ${{ inputs.checkout_ref || github.sha }} | ||
| - name: setup-kosli-cli | ||
| uses: kosli-dev/setup-cli-action@v5 | ||
| with: | ||
| version: | ||
| ${{ vars.KOSLI_CLI_VERSION }} | ||
| - uses: haya14busa/action-cond@v1 | ||
| id: description | ||
| with: | ||
| cond: ${{ inputs.flow_name == 'cli-release' }} | ||
| if_true: "CLI release process" | ||
| if_false: "CLI main branch changes" | ||
| - name: Update Kosli Flow | ||
| if: ${{ inputs.report_to_kosli != 'none' }} | ||
| env: | ||
| KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }} | ||
| run: kosli create flow ${{inputs.flow_name}} | ||
| --description "${{ steps.description.outputs.value }}" | ||
| --template-file ${{inputs.flow_template_file}} | ||
| --org ${{inputs.kosli_org}} | ||
| - name: Init Kosli Trail | ||
| if: ${{ inputs.report_to_kosli != 'none' }} | ||
| env: | ||
| KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }} | ||
| run: kosli begin trail ${{inputs.trail_name}} | ||
| --flow ${{inputs.flow_name}} | ||
| --org ${{inputs.kosli_org}} | ||
| - name: Report pull-request attestation to Kosli | ||
| if: ${{ inputs.report_to_kosli == 'all' }} | ||
| env: | ||
| KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }} | ||
| run: kosli attest pullrequest github | ||
| --flow ${{inputs.flow_name}} | ||
| --trail ${{inputs.trail_name}} | ||
| --name pr | ||
| --github-token ${{ secrets.pr_github_token }} | ||
| --org ${{inputs.kosli_org}} | ||
| - name: Evaluate trails for four-eyes to Kosli | ||
| if: ${{ inputs.report_to_kosli == 'all' }} | ||
| env: | ||
| KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }} | ||
| run: kosli evaluate trails ${{inputs.trail_name}} \ | ||
| --policy "./bin/never_alone/four-eyes-policy.rego" \ | ||
| --show-input \ | ||
| --flow ${{inputs.flow_name}} \ | ||
| --org ${{inputs.kosli_org}} \ | ||
| --no-assert \ | ||
| --params '{"attestation_name": "pr"}' \ | ||
| --output json > "4eyes-eval-${{inputs.trail_name}}.json" || echo '{"allow":false,"violations":["evaluate command failed"]}' > "4eyes-eval-${{inputs.trail_name}}.json" | ||
| - name: Report four-eyes attestation to Kosli | ||
| if: ${{ inputs.report_to_kosli == 'all' }} | ||
| env: | ||
| KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }} | ||
| run: kosli attest custom \ | ||
| --type "four-eyes-result" \ | ||
| --name "four-eyes-result" \ | ||
| --attestation-data "4eyes-eval-${{inputs.trail_name}}.json" \ | ||
| --attachments "./bin/never_alone/four-eyes-policy.rego" \ | ||
| --trail ${{inputs.trail_name}} \ | ||
| --flow ${{inputs.flow_name}} \ | ||
| --org ${{inputs.kosli_org}} | ||
| - name: Report never-alone attestation to Kosli | ||
| if: ${{ inputs.report_to_kosli == 'all' }} | ||
| env: | ||
| KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }} | ||
| KOSLI_ORG: ${{ inputs.kosli_org }} | ||
| GH_TOKEN: ${{ github.token }} | ||
| run: | | ||
| USER_DATA_FILENAME=never-alone-user-data.json | ||
| ./bin/never_alone/get_commit_and_pr_info.sh -c ${GITHUB_SHA} -o ${USER_DATA_FILENAME} | ||
| PR_URL=$(cat ${USER_DATA_FILENAME} | jq -r '.pullRequest.url // empty') | ||
| if [ -n "$PR_URL" ]; then | ||
| PR_ANNOTATE_ARG="--annotate pull_request=$PR_URL" | ||
| else | ||
| PR_ANNOTATE_ARG="" | ||
| fi | ||
| kosli attest generic \ | ||
| --org=${{inputs.kosli_org}} \ | ||
| --flow=${{inputs.flow_name}} \ | ||
| --trail=${{inputs.trail_name}} \ | ||
| --name=never-alone-data \ | ||
| --compliant=true \ | ||
| --user-data="${USER_DATA_FILENAME}" \ | ||
| ${PR_ANNOTATE_ARG} | ||
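Review bot: The `run: |` block of the "Report never-alone attestation to Kosli" step splices `${{inputs.kosli_org}}`, `${{inputs.flow_name}}` and `${{inputs.trail_name}}` straight into shell text, so a caller-supplied value containing quotes or `$(…)` is interpreted by bash instead of reaching `kosli` as a plain argument; the earlier `run:` steps ("Update Kosli Flow", "Init Kosli Trail", "Report pull-request attestation", "Evaluate trails", "Report four-eyes attestation") use the same pattern, and the pull-request step additionally puts the secret on the command line via `--github-token ${{ secrets.pr_github_token }}`, where it can surface in process listings or verbose logs. Passing the inputs through the step's `env:` (as `KOSLI_API_TOKEN` and `KOSLI_ORG` already are) and referencing them as quoted shell variables removes the interpolation, and an array for the optional `--annotate` argument replaces the unquoted `${PR_ANNOTATE_ARG}` word-splitting and the `cat … | jq` pipe. Whether these inputs can carry untrusted text depends on the calling workflows, which are not visible here. Separately, `actions/checkout@v6`, `kosli-dev/setup-cli-action@v5` and `haya14busa/action-cond@v1` are pinned by mutable tag while `step-security/harden-runner` is pinned by commit SHA; pinning them the same way keeps the supply-chain posture consistent.
```yaml
      - name: Report never-alone attestation to Kosli
        if: ${{ inputs.report_to_kosli == 'all' }}
        env:
          KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          KOSLI_ORG: ${{ inputs.kosli_org }}
          KOSLI_FLOW: ${{ inputs.flow_name }}
          KOSLI_TRAIL: ${{ inputs.trail_name }}
          GH_TOKEN: ${{ github.token }}
        run: |
          USER_DATA_FILENAME=never-alone-user-data.json
          ./bin/never_alone/get_commit_and_pr_info.sh -c "${GITHUB_SHA}" -o "${USER_DATA_FILENAME}"
          PR_URL=$(jq -r '.pullRequest.url // empty' "${USER_DATA_FILENAME}")
          ANNOTATE_ARGS=()
          if [ -n "$PR_URL" ]; then
            ANNOTATE_ARGS=(--annotate "pull_request=$PR_URL")
          fi
          kosli attest generic \
            --org="${KOSLI_ORG}" \
            --flow="${KOSLI_FLOW}" \
            --trail="${KOSLI_TRAIL}" \
            --name=never-alone-data \
            --compliant=true \
            --user-data="${USER_DATA_FILENAME}" \
            "${ANNOTATE_ARGS[@]}"
```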