chore: update witness.yml with workingdir input (#16)

* fix: ncc is required to build

* feat: add working directory input to workflow

Added a new 'workingdir' input to the GitHub Actions workflow. This allows for specifying the working directory when running commands. The changes include:
- Added 'workingdir' as an optional input in the workflow_call section.
- Updated testifysec/witness-run-action usage to include 'workingdir'.
- Set 'working-directory' for run commands when pull_request is true.
This enhancement provides more flexibility in configuring workflows, especially when dealing with projects that have complex structures or require specific execution contexts.

* chore: update witness action version in reusable workflow to latest attempt

.github/workflows/witness.yml

@@ -13,80 +13,87 @@
 # limitations under the License.
 
 on:
-    workflow_call:
-        inputs:
-            pull_request: 
-                required: true
-                type: boolean
-            artifact-download:
-                required: false
-                type: string
-            artifact-upload-name:
-                required: false
-                type: string
-            artifact-upload-path:
-                required: false
-                type: string
-            pre-command:
-                required: false
-                type: string
-            pre-command-attestations:
-                default: "environment git github"
-                required: false
-                type: string
-            command:
-                required: true
-                type: string
-            step:
-                required: true
-                type: string
-            attestations:
-                required: true
-                type: string
-            archivista-server:
-                default: "https://archivista.testifysec.io"
-                required: false
-                type: string
-
+  workflow_call:
+    inputs:
+      pull_request:
+        required: true
+        type: boolean
+      artifact-download:
+        required: false
+        type: string
+      artifact-upload-name:
+        required: false
+        type: string
+      artifact-upload-path:
+        required: false
+        type: string
+      pre-command:
+        required: false
+        type: string
+      pre-command-attestations:
+        default: 'environment git github'
+        required: false
+        type: string
+      command:
+        required: true
+        type: string
+      step:
+        required: true
+        type: string
+      attestations:
+        required: true
+        type: string
+      archivista-server:
+        default: 'https://archivista.testifysec.io'
+        required: false
+        type: string
+      workingdir:
+        required: false
+        type: string
+
 jobs:
-    witness:
-        runs-on: ubuntu-latest
-        steps:
-          - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-          - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
-            with:
-              go-version: 1.21.x
+  witness:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: 1.21.x
 
-          - if: ${{ inputs.artifact-download != '' }}
-            uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
-            with:
-              name: ${{ inputs.artifact-download }}
-              path: /tmp
+      - if: ${{ inputs.artifact-download != '' }}
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        with:
+          name: ${{ inputs.artifact-download }}
+          path: /tmp
 
-          - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@79320a907f611f2fb40ced8e13c66af988b2d9db # v0.2.2
-            with:
-              version: 0.6.0
-              archivista-server: ${{ inputs.archivista-server }}
-              step: pre-${{ inputs.step }}
-              attestations: ${{ inputs.pre-command-attestations }}
-              command: /bin/sh -c "${{ inputs.pre-command }}"
-          - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
-            run: ${{ inputs.pre-command }}
+      - if: ${{ inputs.pre-command != '' && inputs.pull_request == false }}
+        uses: testifysec/witness-run-action@d5390fbc672f38705ca5fe57c219abd0471cfa2d
+        with:
+          version: 0.6.0
+          archivista-server: ${{ inputs.archivista-server }}
+          step: pre-${{ inputs.step }}
+          attestations: ${{ inputs.pre-command-attestations }}
+          workingdir: ${{ inputs.workingdir }}
+          command: /bin/sh -c "${{ inputs.pre-command }}"
+      - if: ${{ inputs.pre-command != '' && inputs.pull_request == true }}
+        run: ${{ inputs.pre-command }}
+        working-directory: ${{ inputs.workingdir }}
 
-          - if: ${{ inputs.pull_request == false }}
-            uses: testifysec/witness-run-action@79320a907f611f2fb40ced8e13c66af988b2d9db # v0.2.2
-            with:
-              version: 0.6.0
-              archivista-server: ${{ inputs.archivista-server }}
-              step: ${{ inputs.step }}
-              attestations: ${{ inputs.attestations }}
-              command: /bin/sh -c "${{ inputs.command }}"
-          - if: ${{ inputs.pull_request == true }}
-            run: ${{ inputs.command }}
+      - if: ${{ inputs.pull_request == false }}
+        uses: testifysec/witness-run-action@d5390fbc672f38705ca5fe57c219abd0471cfa2d
+        with:
+          version: 0.6.0
+          archivista-server: ${{ inputs.archivista-server }}
+          step: ${{ inputs.step }}
+          attestations: ${{ inputs.attestations }}
+          workingdir: ${{ inputs.workingdir }}
+          command: /bin/sh -c "${{ inputs.command }}"
+      - if: ${{ inputs.pull_request == true }}
+        run: ${{ inputs.command }}
+        working-directory: ${{ inputs.workingdir }}
 
-          - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
-            uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
-            with:
-              name: ${{ inputs.artifact-upload-name }}
-              path: ${{ inputs.artifact-upload-path }}
+      - if: ${{ inputs.artifact-upload-path != '' && inputs.artifact-upload-name != ''}}
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        with:
+          name: ${{ inputs.artifact-upload-name }}
+          path: ${{ inputs.artifact-upload-path }}

action.yml

@@ -1,95 +1,94 @@
 name: witness-run
-description: "Creates Attestation of CI Process with Witness"
+description: 'Creates Attestation of CI Process with Witness'
 inputs:
   witness-install-dir:
-    description: "Directory to install witness in. The directory will be created if it does not exist"
+    description: 'Directory to install witness in. The directory will be created if it does not exist'
     required: false
-    default: "./"
   archivista-server:
-    description: "URL of the Archivista server to store or retrieve attestations"
+    description: 'URL of the Archivista server to store or retrieve attestations'
     required: false
-    default: "https://archivista.testifysec.io"
+    default: 'https://archivista.testifysec.io'
   attestations:
-    description: "Attestations to record"
+    description: 'Attestations to record'
     required: false
-    default: "environment git github"
+    default: 'environment git github'
   attestor-link-export:
-    description: "Export the attestor link predicate in its own attestation"
+    description: 'Export the attestor link predicate in its own attestation'
     required: false
-    default: "false"
+    default: 'false'
   attestor-maven-pom-path:
-    description: "Path to the Maven POM file"
+    description: 'Path to the Maven POM file'
     required: false
   attestor-sbom-export:
-    description: "Export the SBOM predicate in its own attestation"
+    description: 'Export the SBOM predicate in its own attestation'
     required: false
-    default: "false"
+    default: 'false'
   attestor-slsa-export:
-    description: "Export the SLSA predicate in its own attestation"
+    description: 'Export the SLSA predicate in its own attestation'
     required: false
-    default: "false"
+    default: 'false'
   enable-sigstore:
     description: 'Use Sigstore for attestation'
     required: false
-    default: "true"
+    default: 'true'
   command:
-    description: "command to run"
+    description: 'command to run'
     required: true
   certificate:
     description: "Path to the signing key's certificate"
     required: false
   enable-archivista:
-    description: "Use Archivista to store or retrieve attestations"
+    description: 'Use Archivista to store or retrieve attestations'
     required: false
-    default: "true"
+    default: 'true'
   fulcio:
-    description: "Fulcio address to sign with"
+    description: 'Fulcio address to sign with'
     required: false
   fulcio-oidc-client-id:
-    description: "OIDC client ID to use for authentication"
+    description: 'OIDC client ID to use for authentication'
     required: false
   fulcio-oidc-issuer:
-    description: "OIDC issuer to use for authentication"
+    description: 'OIDC issuer to use for authentication'
     required: false
   fulcio-token:
-    description: "Raw token to use for authentication"
+    description: 'Raw token to use for authentication'
     required: false
   intermediates:
-    description: "Intermediates that link trust back to a root of trust in the policy"
+    description: 'Intermediates that link trust back to a root of trust in the policy'
     required: false
   key:
-    description: "Path to the signing key"
+    description: 'Path to the signing key'
     required: false
   outfile:
-    description: "File to which to write signed data. Defaults to stdout"
+    description: 'File to which to write signed data. Defaults to stdout'
     required: false
   product-exclude-glob:
-    description: "Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation."
+    description: 'Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation.'
     required: false
   product-include-glob:
-    description: "Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation."
+    description: 'Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation.'
     required: false
   spiffe-socket:
-    description: "Path to the SPIFFE Workload API socket"
+    description: 'Path to the SPIFFE Workload API socket'
     required: false
   step:
-    description: "Name of the step being run"
+    description: 'Name of the step being run'
     required: true
   timestamp-servers:
-    description: "Timestamp Authority Servers to use when signing envelope"
+    description: 'Timestamp Authority Servers to use when signing envelope'
     required: false
   trace:
-    description: "Enable tracing for the command"
+    description: 'Enable tracing for the command'
     required: false
-    default: "false"
+    default: 'false'
   version:
-    description: "Version of Witness CLI"
+    description: 'Version of Witness CLI'
     required: false
-    default: "0.6.0"
+    default: '0.6.0'
   workingdir:
-    description: "Directory from which commands will run"
+    description: 'Directory from which commands will run'
     required: false
 
 runs:
-  using: "node20"
-  main: "dist/index.js"
+  using: 'node20'
+  main: 'dist/index.js'