cli/.github/workflows/init_kosli.yml at a2bbee32b30ea457a4876b5d7370710455308f4f · kosli-dev/cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: Init Kosli

on:
    workflow_call:
        inputs:
          flow_name:
            required: true
            type: string
          trail_name:
            required: true
            type: string
          flow_template_file:
            required: true
            type: string
          kosli_org:
            required: true
            type: string
          checkout_ref:
            required: false
            type: string
            default: ''
          report_to_kosli:
            required: false
            type: string
            default: 'none'
        secrets:
            kosli_api_token:
                required: true
            pr_github_token:
                required: false

jobs:
    init-kosli:
        name: Init Kosli
        runs-on: ubuntu-latest
        permissions:
            id-token: write
            contents: write
            pull-requests: read
        steps:

        - name: Harden Runner
          uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
          with:
            egress-policy: audit

        - uses: actions/checkout@v6
          with:
            fetch-depth: 0
            ref: ${{ inputs.checkout_ref || github.sha }}

        - name: setup-kosli-cli
          uses: kosli-dev/setup-cli-action@v5
          with:
            version:
                ${{ vars.KOSLI_CLI_VERSION }}

        - uses: haya14busa/action-cond@v1
          id: description
          with:
            cond: ${{ inputs.flow_name == 'cli-release' }}
            if_true: "CLI release process"
            if_false: "CLI main branch changes"

        - name: Update Kosli Flow
          if: ${{ inputs.report_to_kosli != 'none' }}
          env:
            KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          run: kosli create flow ${{inputs.flow_name}}
                --description "${{ steps.description.outputs.value }}"
                --template-file ${{inputs.flow_template_file}}
                --org ${{inputs.kosli_org}}

        - name: Init Kosli Trail
          if: ${{ inputs.report_to_kosli != 'none' }}
          env:
            KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          run: kosli begin trail ${{inputs.trail_name}}
                --flow ${{inputs.flow_name}}
                --org ${{inputs.kosli_org}}

        - name: Report pull-request attestation to Kosli
          if: ${{ inputs.report_to_kosli == 'all' }}
          env:
            KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          run: kosli attest pullrequest github
                --flow ${{inputs.flow_name}}
                --trail ${{inputs.trail_name}}
                --name pr
                --github-token ${{ secrets.pr_github_token }}
                --org ${{inputs.kosli_org}}

        - name: Evaluate trails for four-eyes to Kosli
          if: ${{ inputs.report_to_kosli == 'all' }}
          env:
            KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          run: |
            kosli evaluate trails ${{inputs.trail_name}} \
              --policy "./bin/never_alone/four-eyes-policy.rego" \
              --show-input \
              --flow ${{inputs.flow_name}} \
              --org ${{inputs.kosli_org}} \
              --no-assert \
              --params '{"attestation_name": "pr"}' \
              --output json > "4eyes-eval-${{inputs.trail_name}}.json" || echo '{"allow":false,"violations":["evaluate command failed"]}' > "4eyes-eval-${{inputs.trail_name}}.json"

        - name: Report four-eyes attestation to Kosli
          if: ${{ inputs.report_to_kosli == 'all' }}
          env:
            KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          run: |
            kosli attest custom \
              --type "four-eyes-result" \
              --name "four-eyes-result" \
              --attestation-data "4eyes-eval-${{inputs.trail_name}}.json" \
              --attachments "./bin/never_alone/four-eyes-policy.rego" \
              --trail ${{inputs.trail_name}} \
              --flow ${{inputs.flow_name}} \
              --org ${{inputs.kosli_org}}

        - name: Report never-alone attestation to Kosli
          if: ${{ inputs.report_to_kosli == 'all' }}
          env:
            KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
            KOSLI_ORG: ${{ inputs.kosli_org }}
            GH_TOKEN: ${{ github.token }}
          run: |
            USER_DATA_FILENAME=never-alone-user-data.json
            ./bin/never_alone/get_commit_and_pr_info.sh -c ${GITHUB_SHA} -o ${USER_DATA_FILENAME}

            PR_URL=$(cat ${USER_DATA_FILENAME} | jq -r '.pullRequest.url // empty')
            if [ -n "$PR_URL" ]; then
                PR_ANNOTATE_ARG="--annotate pull_request=$PR_URL"
            else
                PR_ANNOTATE_ARG=""
            fi

            kosli attest generic \
              --org=${{inputs.kosli_org}} \
              --flow=${{inputs.flow_name}} \
              --trail=${{inputs.trail_name}} \
              --name=never-alone-data \
              --compliant=true \
              --user-data="${USER_DATA_FILENAME}" \
              ${PR_ANNOTATE_ARG}