CI: switch to reporting in a Kosli trail

.github/workflows/main.yml

@@ -20,7 +20,7 @@ jobs:
 
   build-test-push:
     needs: [pre-build]
-    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_build_test_push.yml@v0.0.6
+    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_build_test_push.yml@v0.0.11
     secrets:
       KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
       KOSLI_API_TOKEN_STAGING: ${{ secrets.KOSLI_API_TOKEN_STAGING }}
@@ -38,7 +38,7 @@ jobs:
 
   deploy-staging:
     needs: [pre-build, build-test-push]
-    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_deploy.yml@v0.0.6
+    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_deploy.yml@v0.0.11
     secrets:
       KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
       KOSLI_API_TOKEN_STAGING: ${{ secrets.KOSLI_API_TOKEN_STAGING }}
@@ -55,7 +55,7 @@ jobs:
 
   deploy-prod:
     needs: [pre-build, build-test-push]
-    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_deploy.yml@v0.0.6
+    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_deploy.yml@v0.0.11
     secrets:
       KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
       KOSLI_API_TOKEN_STAGING: ${{ secrets.KOSLI_API_TOKEN_STAGING }}

.kosli.yml

@@ -0,0 +1,8 @@
+version: 1
+
+trail:
+  artifacts:
+    - name: languages-start-points
+      attestations:
+        - name: snyk-scan
+          type: snyk

build_test_publish.sh

@@ -65,8 +65,8 @@ on_ci()
 }
 
 # - - - - - - - - - - - - - - - - - - - - - - - -
-on_ci_kosli_create_flow
+on_ci_kosli_begin_trail
 build_test_tag
-on_ci_kosli_report_artifact
-on_ci_kosli_report_snyk_scan_evidence
+on_ci_kosli_attest_artifact
+on_ci_kosli_attest_snyk_scan_evidence
 on_ci_kosli_assert_artifact # Return non-zero for non-compliant artifact

sh/kosli.sh

@@ -2,7 +2,9 @@
 
 # ROOT_DIR must be set
 
-export KOSLI_FLOW=languages-start-points
+export KOSLI_ORG=cyber-dojo
+export KOSLI_FLOW=languages-start-points-ci
+export KOSLI_TRAIL="${GITHUB_SHA}"
 
 # KOSLI_ORG is set in CI
 # KOSLI_API_TOKEN is set in CI
@@ -12,7 +14,7 @@ export KOSLI_FLOW=languages-start-points
 # SNYK_TOKEN is set in CI
 
 # - - - - - - - - - - - - - - - - - - -
-kosli_create_flow()
+kosli_begin_trail()
 {
   local -r hostname="${1}"
   local -r api_token="${2}"
@@ -21,21 +23,26 @@ kosli_create_flow()
     --description="Language+TestFramework choices" \
     --host="${hostname}" \
     --api-token="${api_token}" \
-    --template=artifact,snyk-scan \
+    --template-file="$(repo_root)/.kosli.yml" \
     --visibility=public
+
+  kosli begin trail "${KOSLI_TRAIL}" \
+    --host="${hostname}" \
+    --api-token="${api_token}"
 }
 
 # - - - - - - - - - - - - - - - - - - -
-kosli_report_artifact()
+kosli_attest_artifact()
 {
   local -r hostname="${1}"
   local -r api_token="${2}"
 
-  kosli report artifact "$(artifact_name)" \
+  kosli attest artifact "$(artifact_name)" \
       --artifact-type docker \
       --host "${hostname}" \
       --api-token="${api_token}" \
-      --repo-root="$(root_dir)"
+      --name=languages-start-points \
+      --repo-root="$(repo_root)"
 }
 
 # - - - - - - - - - - - - - - - - - - -
@@ -51,48 +58,29 @@ kosli_assert_artifact()
 }
 
 # - - - - - - - - - - - - - - - - - - -
-kosli_report_snyk()
+kosli_attest_snyk()
 {
   local -r hostname="${1}"
   local -r api_token="${2}"
 
-  kosli report evidence artifact snyk "$(artifact_name)" \
+  kosli attest snyk "$(artifact_name)" \
       --artifact-type=docker \
       --host="${hostname}" \
       --api-token="${api_token}" \
-      --name=snyk-scan \
-      --scan-results="$(root_dir)/snyk.json"
-}
-
-# - - - - - - - - - - - - - - - - - - -
-kosli_expect_deployment()
-{
-  local -r environment="${1}"
-  local -r hostname="${2}"
-  local -r api_token="${3}"
-
-  # In .github/workflows/main.yml deployment is its own job
-  # and the image must be present to get its sha256 fingerprint.
-  docker pull "$(artifact_name)"
-
-  kosli expect deployment "$(artifact_name)" \
-    --artifact-type=docker \
-    --description="Deployed to ${environment} in Github Actions pipeline" \
-    --environment="${environment}" \
-    --host="${hostname}" \
-    --api-token="${api_token}"
+      --name=languages-start-points.snyk-scan \
+      --scan-results="$(repo_root)/snyk.json"
 }
 
 # - - - - - - - - - - - - - - - - - - -
 artifact_name()
 {
-  source "$(root_dir)/sh/echo_versioner_env_vars.sh"
+  source "$(repo_root)/sh/echo_versioner_env_vars.sh"
   export $(echo_versioner_env_vars)
   echo "${CYBER_DOJO_LANGUAGES_START_POINTS_IMAGE}:${CYBER_DOJO_LANGUAGES_START_POINTS_TAG}"
 }
 
 # - - - - - - - - - - - - - - - - - - -
-root_dir()
+repo_root()
 {
   git rev-parse --show-toplevel
 }
@@ -104,37 +92,37 @@ on_ci()
 }
 
 # - - - - - - - - - - - - - - - - - - -
-on_ci_kosli_create_flow()
+on_ci_kosli_begin_trail()
 {
   if on_ci; then
-    kosli_create_flow "${KOSLI_HOST_STAGING}"    "${KOSLI_API_TOKEN_STAGING}"
-    kosli_create_flow "${KOSLI_HOST_PRODUCTION}" "${KOSLI_API_TOKEN}"
+    kosli_begin_trail "${KOSLI_HOST_STAGING}"    "${KOSLI_API_TOKEN_STAGING}"
+    kosli_begin_trail "${KOSLI_HOST_PRODUCTION}" "${KOSLI_API_TOKEN}"
   fi
 }
 
 # - - - - - - - - - - - - - - - - - - -
-on_ci_kosli_report_artifact()
+on_ci_kosli_attest_artifact()
 {
   if on_ci; then
     docker push "$(image_name):latest"
     docker push "$(image_name):$(git_commit_tag)"
-    kosli_report_artifact "${KOSLI_HOST_STAGING}"    "${KOSLI_API_TOKEN_STAGING}"
-    kosli_report_artifact "${KOSLI_HOST_PRODUCTION}" "${KOSLI_API_TOKEN}"
+    kosli_attest_artifact "${KOSLI_HOST_STAGING}"    "${KOSLI_API_TOKEN_STAGING}"
+    kosli_attest_artifact "${KOSLI_HOST_PRODUCTION}" "${KOSLI_API_TOKEN}"
   fi
 }
 
 # - - - - - - - - - - - - - - - - - - -
-on_ci_kosli_report_snyk_scan_evidence()
+on_ci_kosli_attest_snyk_scan_evidence()
 {
   if on_ci; then
     set +e
     snyk container test "$(artifact_name)" \
-      --json-file-output="$(root_dir)/snyk.json" \
-      --policy-path="$(root_dir)/.snyk"
+      --json-file-output="$(repo_root)/snyk.json" \
+      --policy-path="$(repo_root)/.snyk"
     set -e
 
-    kosli_report_snyk "${KOSLI_HOST_STAGING}"    "${KOSLI_API_TOKEN_STAGING}"
-    kosli_report_snyk "${KOSLI_HOST_PRODUCTION}" "${KOSLI_API_TOKEN}"
+    kosli_attest_snyk "${KOSLI_HOST_STAGING}"    "${KOSLI_API_TOKEN_STAGING}"
+    kosli_attest_snyk "${KOSLI_HOST_PRODUCTION}" "${KOSLI_API_TOKEN}"
   fi
 }