Merge branch 'main' into gitlab-golang-version

.github/workflows/codeql.yml

@@ -45,20 +45,20 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: 1.23.x
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
         with:
           egress-policy: audit
 
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/fossa.yml

@@ -23,6 +23,6 @@ jobs:
           uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         - if: ${{ env.FOSSA_API_KEY != '' }}
           name: "Run FOSSA Scan"
-          uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0
+          uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
           with:
             api-key: ${{ env.FOSSA_API_KEY }}

.github/workflows/golangci-lint.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+        uses: golangci/golangci-lint-action@2e788936b09dd82dc280e845628a40d2ba6b204c # v6.3.1
         with:
           version: latest
           args: --timeout=3m

.github/workflows/release.yml

@@ -99,10 +99,10 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: 1.23.x
-      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: |
             ~/go/pkg/mod
@@ -119,10 +119,10 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
 
       - name: Install syft
-        uses: anchore/sbom-action/download-syft@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
+        uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
 
       - name: Download GoReleaser
         run: go install github.com/goreleaser/[email protected]
@@ -133,6 +133,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
         with:
+          witness-install-dir: /usr/local/bin
           step: "build"
           attestations: "github"
           command: goreleaser release --clean

.github/workflows/scorecard.yml

@@ -67,14 +67,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # tag=v4.6.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # tag=v3.27.0
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # tag=v3.28.9
         with:
           sarif_file: results.sarif

.github/workflows/verify-docgen.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: "1.23.x"
       - run: ./docgen/verify.sh

.github/workflows/verify-licence.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:
           go-version: "1.23.x"
       - name: Install addlicense

.github/workflows/witness.yml

@@ -51,7 +51,7 @@ jobs:
           id-token: write
         steps:
           - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-          - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+          - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
             with:
               go-version: 1.23.x
 
@@ -64,6 +64,7 @@ jobs:
           - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
             uses: testifysec/witness-run-action@79320a907f611f2fb40ced8e13c66af988b2d9db
             with:
+              witness-install-dir: /usr/local/bin
               step: pre-${{ inputs.step }}
               attestations: ${{ inputs.attestations }}
               command: /bin/sh -c "${{ inputs.pre-command }}"
@@ -73,14 +74,15 @@ jobs:
           - if: ${{ inputs.pull_request == false }}
             uses: testifysec/witness-run-action@79320a907f611f2fb40ced8e13c66af988b2d9db
             with:
+              witness-install-dir: /usr/local/bin
               step: ${{ inputs.step }}
               attestations: ${{ inputs.attestations }}
               command: /bin/sh -c "${{ inputs.command }}"
           - if: ${{ inputs.pull_request == true }}
             run: ${{ inputs.command }}
 
           - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
-            uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+            uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
             with:
               name: ${{ inputs.artifact-upload-name }}
               path: ${{ inputs.artifact-upload-path }}

GOVERNANCE.md

@@ -0,0 +1,8 @@
+As a sub-project of in-toto, this repository is subject to the governance by the in-toto steering committee.
+
+This repository is also subject to the in-toto and CNCF code of conduct.
+
+For more details, please reference the in-toto community repository:
+
+- [GOVERNANCE.md](https://github.com/in-toto/community/blob/main/GOVERNANCE.md)
+- [CODE_OF_CONDUCT.md](https://github.com/in-toto/community/blob/main/CODE-OF-CONDUCT.md)

INSTALL.md

@@ -0,0 +1,39 @@
+# Install Witness manually and verify
+
+> [!NOTE]
+> Please use release v0.7.0 or higher, as prior releases were created to
+> test the release workflow.
+
+This repository provides pre-built binaries that are signed and published using
+[GoReleaser](https://goreleaser.com/). The signature for these binaries are generated using [Sigstore](https://sigstore.dev/),
+using the release workflow's identity. Make sure you have [cosign] installed on
+your system, then you will be able to securely download and verify the gittuf
+release:
+
+## Unix-like operating systems
+
+```sh
+# Modify these values as necessary.
+# One of: amd64, arm64
+ARCH=amd64
+# One of: linux, darwin, freebsd
+OS=linux
+# See https://github.com/in-toto/witness/releases for the latest version
+VERSION=0.7.0
+cd $(mktemp -d)
+
+curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}
+curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.sig
+curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.pem
+
+cosign verify-blob \
+    --certificate witness_${VERSION}_${OS}_${ARCH}.pem \
+    --signature witness_${VERSION}_${OS}_${ARCH}.sig \
+    --certificate-identity https://github.com/in-toto/witness/.github/workflows/release.yml@refs/tags/v${VERSION} \
+    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+    witness_${VERSION}_${OS}_${ARCH}
+
+sudo install witness_${VERSION}_${OS}_${ARCH} /usr/local/bin/witness
+cd -
+witness version
+```

README.md

@@ -49,6 +49,8 @@ latest release:
 bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh)
 ```
 
+If you want install it manually and verify its integrity follow the instructions in the [INSTALL.md](./INSTALL.md).
+
 ### Tutorials
 Check out our Tutorials:
 

cmd/run.go

@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	"github.com/gobwas/glob"
 	witness "github.com/in-toto/go-witness"
 	"github.com/in-toto/go-witness/archivista"
 	"github.com/in-toto/go-witness/attestation"
@@ -127,11 +128,18 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string, signers .
 		roHashes = append(roHashes, cryptoutil.DigestValue{Hash: hash, GitOID: false})
 	}
 
+	for _, dirHashGlobItem := range ro.DirHashGlobs {
+		_, err := glob.Compile(dirHashGlobItem)
+		if err != nil {
+			return fmt.Errorf("failed to compile glob: %v", err)	
+		}
+	}
+
 	results, err := witness.RunWithExports(
 		ro.StepName,
 		witness.RunWithSigners(signers...),
 		witness.RunWithAttestors(attestors),
-		witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)),
+		witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes), attestation.WithDirHashGlob(ro.DirHashGlobs)),
 		witness.RunWithTimestampers(timestampers...),
 	)
 	if err != nil {

cmd/verify.go

@@ -162,6 +162,15 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 	}
 
 	subjects := []cryptoutil.DigestSet{}
+	if len(vo.ArtifactDirectoryPath) > 0 {
+		artifactDigestSet, err := cryptoutil.CalculateDigestSetFromDir(vo.ArtifactDirectoryPath, []cryptoutil.DigestValue{{Hash: crypto.SHA256, GitOID: false}})
+		if err != nil {
+			return fmt.Errorf("failed to calculate dir digest: %w", err)
+		}
+
+		subjects = append(subjects, artifactDigestSet)
+	}
+
 	if len(vo.ArtifactFilePath) > 0 {
 		artifactDigestSet, err := cryptoutil.CalculateDigestSetFromFile(vo.ArtifactFilePath, []cryptoutil.DigestValue{{Hash: crypto.SHA256, GitOID: false}})
 		if err != nil {

cmd/verify_test.go

@@ -32,6 +32,7 @@ import (
 	"github.com/in-toto/go-witness/attestation/commandrun"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/policy"
 	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/signer/file"
@@ -208,6 +209,9 @@ func TestRunVerifyCA(t *testing.T) {
 }
 
 func TestRunVerifyKeyPair(t *testing.T) {
+	logger := newLogger()
+	log.SetLogger(logger)
+
 	policy, funcPriv := makepolicyRSAPub(t)
 	signedPolicy, pub := signPolicyRSA(t, policy)
 	workingDir := t.TempDir()

docs-website/package.json

@@ -41,6 +41,6 @@
     ]
   },
   "engines": {
-    "node": ">=18.0"
+    "node": ">=20.0"
   }
 }