From 81bdfceb96602f5a764e77be760469c710342fa1 Mon Sep 17 00:00:00 2001
From: Kairo Araujo
Date: Mon, 4 Dec 2023 22:24:38 +0100
Subject: [PATCH] Improve gha (#318)
* fix: github organization name
Fix the github organization name to in-toto.
Signed-off-by: Kairo de Araujo
* pin GHA full-length commit SHA
It's a good practice to pin the GitHub Actions with full-length commit sha as described in the "Security hardening for GitHub Actions".
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
I noticed that dependabot also checks weekly with updates. It will maintain the updates using the hash.
Signed-off-by: Kairo de Araujo
* fixup! pin GHA full-length commit SHA
* fixup! pin GHA full-length commit SHA
---------
Signed-off-by: Kairo de Araujo
Co-authored-by: Kairo de Araujo
Co-authored-by: John Kjell
---
 .github/workflows/release.yml | 2 +-
 .github/workflows/witness.yml | 4 ++--
 .goreleaser.yaml | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d29ed88..501d4e55 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [sast, unit-test]
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
-
+
 steps:
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml
index 750dca81..ae8102ba 100644
--- a/.github/workflows/witness.yml
+++ b/.github/workflows/witness.yml
@@ -15,7 +15,7 @@ on:
 workflow_call:
 inputs:
- pull_request:
+ pull_request:
 required: true
 type: boolean
 artifact-download:
@@ -39,7 +39,7 @@ on:
 attestations:
 required: true
 type: string
-
+
 jobs:
 witness:
 runs-on: ubuntu-latest
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 97e3cbd8..28d21c17 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -4,7 +4,7 @@ builds:
 - "-s -w"
 - "-extldflags=-zrelro"
 - "-extldflags=-znow"
- - "-extldflags -w -X 'github.com/testifysec/witness/cmd.Version={{.Tag}}-{{.ShortCommit}}'"
+ - "-extldflags -w -X 'github.com/in-toto/witness/cmd.Version={{.Tag}}-{{.ShortCommit}}'"
 env:
 - "CGO_ENABLED=0"
 - "GO111MODULE=on"
@@ -40,7 +40,7 @@ release:
 github:
 owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
 kos:
- - repository: ghcr.io/testifysec/witness
+ - repository: ghcr.io/in-toto/witness
 tags:
 - '{{.Version}}'
 bare: true
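Review bot: The renamed ldflags entry keeps the `-extldflags -w` prefix in front of `-X`, and as far as I can tell the Go linker takes the word after `-extldflags` as that flag's value, so `-w` is handed to the external linker while `-X` still reaches the Go linker only by accident of argument order. Since `-extldflags` is, to my knowledge, a plain last-wins string flag, this entry also appears to replace the `-extldflags=-zrelro` and `-extldflags=-znow` hardening entries above it, so RELRO/BIND_NOW would not be applied even when an external linker is used; and with `CGO_ENABLED=0` visible in the same hunk no external linker runs at all, so none of the three `-extldflags` entries currently take effect. I would reduce the line to `- "-X 'github.com/in-toto/witness/cmd.Version={{.Tag}}-{{.ShortCommit}}'"` and, if the RELRO/NOW flags are genuinely wanted, revisit whether the build should use external linking so they apply. The `builds:` block starts and ends outside the hunk.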