test create evidence

.github/workflows/docker-publish.yml

@@ -9,8 +9,8 @@ on:
       - main
 
 env:
-  REGISTRY: 192.168.1.2:8082
-  IMAGE_NAME: my-docker-local/sigs
+  REGISTRY: evidencetrial.jfrog.io
+  IMAGE_NAME: misha-docker-docker-local/sigs
 
 jobs:
   build-and-push:
@@ -34,8 +34,8 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: admin
-          password: password
+          username: ${{ secrets.user }}
+          password: ${{ secrets.password }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
@@ -53,16 +53,23 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           # Enable provenance and SBOM generation
           provenance: true
           sbom: true
 
       - name: Generate artifact attestation
-        if: github.event_name != 'pull_request'
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          subject-name: ${{ env.IMAGE_NAME }}/pr-1/list.manifest.json
+          subject-digest: sha256:31aee6a749e3a739be317bddcb145a2f9ffec98b8c357410862c9694b6a3df31
+
+      - name: Create evidence from attestation
+        run: |
+          ./create_evidence.sh
+
+
+
+

Dockerfile

@@ -1,5 +1,5 @@
 # Use the official lightweight Alpine image as the base
-FROM golang:alpine AS builder
+FROM evidencetrial.jfrog.io/misha-docker-docker/golang:alpine AS builder
 
 
 # Set the working directory inside the container
@@ -18,7 +18,8 @@ COPY src/ ./src/
 RUN go build -o main ./src/cmd/main.go
 
 # Use a minimal runtime image
-FROM alpine:latest
+FROM evidencetrial.jfrog.io/misha-docker-docker/alpine:latest
+
 
 # Set the working directory inside the runtime container
 WORKDIR /app

buildkitd.toml

@@ -1,9 +1,4 @@
 insecure-entitlements = ["security.insecure"]
-[registry."192.168.50.113:8082"]
-  http = true
 
-[registry."10.1.27.21:8082"]
-  http = true
-
-[registry."10.1.66.83:8082"]
-  http = true
+[registry."evidencetrial.jfrog.io"]
+  insecure = true

create_evidence.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Folder where the runner temp files are stored
+RUNNER_TEMP=${RUNNER_TEMP:-""}
+
+if [[ -z "$RUNNER_TEMP" ]]; then
+    echo "::warning RUNNER_TEMP environment variable is not set. Skipping evidence creation."
+    exit 0
+fi
+
+ATTESTATION_PATHS_FILE="$RUNNER_TEMP/created_attestation_paths.txt"
+
+# Check if attestation paths file exists
+if [[ ! -f "$ATTESTATION_PATHS_FILE" ]]; then
+    echo "::info No attestation paths file found. Skipping evidence creation. Searched for: $ATTESTATION_PATHS_FILE."
+    exit 0
+fi
+
+echo "::info Reading attestation paths file: $ATTESTATION_PATHS_FILE"
+
+while IFS= read -r FILE_PATH || [[ -n "$FILE_PATH" ]]; do
+    # Trim whitespaces
+    FILE_PATH=$(echo "$FILE_PATH" | xargs)
+
+    if [[ -z "$FILE_PATH" ]]; then
+        continue
+    fi
+    ./jf evd create --sigstore-bundle $FILE_PATH
+done < "$ATTESTATION_PATHS_FILE"