in-toto-run action

October 31, 2022 ยท View on GitHub

This is a wrapper for the in-toto-run command. It is intended to be used by developers to wrap the commands that are performed as part of their software supply chain. The wrapper will record metadata for the passed command.

Example Usage


on: [push]
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout
jobs:
  test:
    runs-on: ubuntu-latest
    name: test intoto-run
    steps:
      - uses: actions/checkout@v2
      - uses: testifysec/intoto-run-action@main
        name: intoto run command
        with:
          step-name: 'test'
          private-key: | 
            -----BEGIN PRIVATE KEY-----
            MC4CAQAwBQYDK2VwBCIEIOl8ZskJnvzzBzudkifLO9EPu8Nuy9+eo8ryIZ7cVbwF
            -----END PRIVATE KEY-----
          command: touch test.txt
          products: 'test.txt'
          exclude: "node_modules/"
      - name: show-attestation
        run: cat $RUNNER_TEMP/meta/*.link

Roadmap

  • Add support for multiple commands
  • Intgration with Fulcio for signing attestations
  • Upload link meta-data to Archivist

Contributing

Contributions are welcome! Please see our contributing guidelines.