
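---
# Demo workflow: builds an evidence bundle (SBOM, policy-gate output), signs
# and verifies it, and — only when the gate passes — builds, pushes and
# attaches evidence to a Docker image in the JFrog registry.
name: Evidence-Gated CI Demo

# NOTE(review): of these scopes only `id-token: write` (OIDC login to JFrog)
# and `contents: read` (checkout) are exercised by the steps below; the
# `packages`, `security-events` and `attestations` write scopes look unused
# here and are candidates for removal under least privilege — confirm no
# other consumer before dropping them.
permissions:
  actions: read  # for detecting the Github Actions environment.
  id-token: write  # for creating OIDC tokens for signing.
  packages: write  # for uploading attestations.
  security-events: write  # Required for uploading code scanning
  attestations: write
  contents: read

# NOTE(review): on `pull_request` runs from forks, secrets and the OIDC
# token are not available, so the JFrog setup and signing steps are expected
# to fail there — verify this is the intended behaviour for the demo.
# yamllint disable-line rule:truthy
on:
  push:
    paths:
      - 'demos/showcases/evidence-gated-ci/**'
  pull_request:
    paths:
      - 'demos/showcases/evidence-gated-ci/**'
  workflow_dispatch:

jobs:
  build-evidence-and-gate:
    runs-on: ubuntu-latest
    env:
      DOCKER_BUILD_SUMMARY: "false"
      DOCKER_BUILD_RECORD_UPLOAD: "false"
      # NOTE(review): DEBUG logging while a private key is handed to `jf evd`
      # raises the chance of sensitive material reaching the job log; GitHub
      # masks registered secrets, but prefer INFO outside a demo.
      JFROG_CLI_LOG_LEVEL: DEBUG
    defaults:
      run:
        # Applies to `run:` steps only; `uses:` steps below spell out the
        # full path themselves.
        working-directory: demos/showcases/evidence-gated-ci
    steps:
      # NOTE(review): actions are pinned by major tag; pinning to a commit
      # SHA (`uses: owner/action@<commit-sha>  # vN`) gives supply-chain
      # integrity against tag moves.
      - uses: actions/checkout@v4

      - name: Setup JFrog CLI
        id: setup-jfrog
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://${{ vars.JF_URL }}/
        with:
          oidc-provider-name: jfrog-github-oidc

      - uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install dependencies
        working-directory: demos/showcases/evidence-gated-ci/app
        run: npm ci

      - name: Generate SBOM
        run: bash scripts/gen-sbom.sh

      # A failing gate fails the job; the evidence steps below still run
      # because of `if: always()`, while the Docker steps (default
      # `success()` condition) are skipped — that is the gate.
      - name: Run policy gate
        run: bash scripts/gate.sh

      # Bundle evidence even if gate fails (so you can show forensic output)
      - name: Bundle evidence
        if: always()
        run: bash scripts/bundle-evidence.sh

      - name: Write signing key from secret
        if: always()
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the key never becomes part of the command source.
          EVIDENCE_SIGNING_PRIVATE_KEY: ${{ secrets.EVIDENCE_SIGNING_PRIVATE_KEY }}
        run: |
          mkdir -p keys
          printf '%s\n' "$EVIDENCE_SIGNING_PRIVATE_KEY" > keys/private.pem
          chmod 600 keys/private.pem

      - name: Sign evidence bundle
        if: always()
        run: bash scripts/sign-evidence.sh

      - name: Verify signature
        if: always()
        run: bash scripts/verify-evidence.sh

      - name: Upload evidence artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: evidence
          # Only the evidence directory is uploaded; `keys/` stays out of
          # the artifact.
          path: demos/showcases/evidence-gated-ci/evidence/

      - name: Generate Summary Report
        if: always()
        run: bash scripts/generate-summary.sh

      # Docker Build and Push — no `if:` here, so these run only when every
      # step above (including the policy gate) succeeded.
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to JFrog Docker Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.JF_URL }}
          username: ${{ steps.setup-jfrog.outputs.oidc-user }}
          password: ${{ steps.setup-jfrog.outputs.oidc-token }}

      - name: Build and Push Docker Image
        uses: docker/build-push-action@v6
        with:
          # Build context is `app/` only, so `keys/` (one level up) is not
          # sent to the builder.
          context: demos/showcases/evidence-gated-ci/app
          file: demos/showcases/evidence-gated-ci/app/Dockerfile
          push: true
          tags: ${{ vars.JF_URL }}/devrel-docker/evidenced-app:v${{ github.run_number }}
          platforms: linux/amd64,linux/arm64

      - name: Set Signing Evidence on Docker
        env:
          # `${{ }}` is expanded before the shell runs; routing the secret and
          # the actor-controlled value through the environment keeps them out
          # of the script text and out of shell interpretation.
          EVIDENCE_SIGNING_PRIVATE_KEY: ${{ secrets.EVIDENCE_SIGNING_PRIVATE_KEY }}
          SIGNING_ACTOR: ${{ github.actor }}
          PACKAGE_NAME: ${{ vars.JF_URL }}/devrel-docker/evidenced-app:latest
          PACKAGE_VERSION: v${{ github.run_number }}
        run: |
          # Create signing evidence JSON file
          SIGNING_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          echo "{
            \"actor\": \"${SIGNING_ACTOR}\",
            \"date\": \"${SIGNING_DATE}\"
          }" > sign.json
          # Attach evidence using JFrog CLI
          # NOTE(review): the image is pushed as :v<run_number> above, but
          # --package-name names the :latest tag — confirm the evidence
          # subject resolves to the tag that was actually pushed.
          jf evd create \
            --package-name "$PACKAGE_NAME" \
            --package-version "$PACKAGE_VERSION" \
            --package-repo-name devrel-docker \
            --key "$EVIDENCE_SIGNING_PRIVATE_KEY" \
            --key-alias devrel-demo-keys-alias \
            --predicate ./sign.json \
            --predicate-type https://jfrog.com/evidence/signature/v1
          # NOTE(review): the SBOM is attached under the *signature* predicate
          # type; an SBOM-specific predicate type is probably intended —
          # confirm against the consumer of this evidence.
          jf evd create \
            --package-name "$PACKAGE_NAME" \
            --package-version "$PACKAGE_VERSION" \
            --package-repo-name devrel-docker \
            --key "$EVIDENCE_SIGNING_PRIVATE_KEY" \
            --key-alias devrel-demo-keys-alias \
            --predicate ./evidence/sbom.json \
            --predicate-type https://jfrog.com/evidence/signature/v1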