Squashed 'subtrees/go-witness/' changes from cd0c222..0b28c0f

0b28c0f Adding support for using timestamp authority and CA certificates for verifying policy (in-toto#124)
43a586f Adding support for supplying POM on Maven Attestor (in-toto#129)
61576e0 Adding function to add a single attestor (in-toto#128)
404b654 chore: bump actions/download-artifact from 4.1.0 to 4.1.1 (in-toto#127)
8937af7 chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 (in-toto#126)
a54b4c0 fix: added oidc redirect url option for fulcio (in-toto#76)
0aaf29b chore: bump github/codeql-action from 3.22.12 to 3.23.0 (in-toto#122)
4354822 chore: bump actions/dependency-review-action from 3.1.4 to 3.1.5 (in-toto#123)
90c26c3 chore: bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (in-toto#121)
9875fcc Update SECURITY-INSIGHTS.yml with additional information (in-toto#108)
3088442 chore: bump k8s.io/apimachinery from 0.26.11 to 0.26.12 (in-toto#116)
6ab0399 chore: bump actions/download-artifact from 4.0.0 to 4.1.0 (in-toto#117)
c5246d4 chore: bump github/codeql-action from 3.22.11 to 3.22.12 (in-toto#118)
a39d484 chore: bump github.com/go-git/go-git/v5 from 5.5.2 to 5.11.0 (in-toto#119)
c28d93f chore: bump golang.org/x/crypto from 0.14.0 to 0.17.0 (in-toto#115)
603cfa9 chore: bump actions/upload-artifact from 3.1.3 to 4.0.0 (in-toto#111)
84bdf2a chore: bump actions/download-artifact from 3.0.2 to 4.0.0 (in-toto#112)
9465ff4 chore: bump github/codeql-action from 2.22.9 to 3.22.11 (in-toto#110)
cfee7c9 Create SECURITY.md (in-toto#107)
6094e21 Point to v0.2.0 of archivista (in-toto#105)
00081b0 Fixing bug introduced in logs - warning and debug logs not printing (in-toto#103)
5b5647c WIP: Migrating Go module to in-toto (in-toto#101)
c555ac6 Adding go test command to Makefile (in-toto#96)
737eed8 Updating README (in-toto#97)
70efbcf Improving `--signer-fulcio-token` flag to accept both path and raw token string (in-toto#82)
b11e25f chore: bump github/codeql-action from 2.22.8 to 2.22.9 (in-toto#90)
1ec7071 chore: bump actions/dependency-review-action from 2.5.1 to 3.1.4 (in-toto#91)
765aa2b chore: bump actions/checkout from 3.6.0 to 4.1.1 (in-toto#92)
9243257 chore: bump actions/setup-go from 4.1.0 to 5.0.0 (in-toto#93)
19d2725 chore: bump ossf/scorecard-action from 2.0.6 to 2.3.1 (in-toto#89)
a10252c Don't run FOSSA Scan on PR from fork (in-toto#95)
bec608e Changes to improve CLOMonitor Score (in-toto#88)
3328596 Fix pre-commit violations (in-toto#87)
eac781c [StepSecurity] Apply security best practices (in-toto#86)
1d30fe2 Refactoring error messages to use %w formatting directive and fix logging issue (in-toto#85)
7ec4004 Update README.md
2bdd1c6 chore: bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1
3e86283 chore: bump github.com/open-policy-agent/opa from 0.49.1 to 0.49.2
86c8967 chore: bump github.com/mattn/go-isatty from 0.0.17 to 0.0.20
5f74d75 chore: bump k8s.io/apimachinery from 0.26.10 to 0.26.11
9a2cff0 chore: bump github.com/stretchr/testify from 1.8.2 to 1.8.4
40c7ed5 chore: bump github.com/sigstore/sigstore from 1.5.1 to 1.5.2
4ddd1b4 chore: bump k8s.io/apimachinery from 0.26.1 to 0.26.10
e927252 chore: bump go.step.sm/crypto from 0.25.0 to 0.25.2
4273fcf chore: bump github.com/spiffe/go-spiffe/v2 from 2.1.2 to 2.1.6
c5bac1b chore: bump github.com/aws/aws-sdk-go from 1.44.207 to 1.44.334
044ab95 chore: bump actions/setup-go from 2 to 4
46ff412 chore: bump actions/checkout from 2 to 4
78ca945 Improve DigestSet logic and JSON marshalling
c487391 Changed to pointer receiver  when both were mixed
08d1c37 Add dependabot config, reusable witness workflow, and update pipeline
5c92286 Add maintainers file (in-toto#64)
69cb3ee chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.56.3 (in-toto#60)
5e567f0 chore(deps): bump golang.org/x/net from 0.7.0 to 0.17.0 (in-toto#54)
03cf3f0 chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 (in-toto#44)
4f01b96 Add support for controller-gen deepcopy of policy package structs. This will be required for archivista data provider controllers (in-toto#53)

git-subtree-dir: subtrees/go-witness
git-subtree-split: 0b28c0f52c40cdac5e3a15151ca360d965929086

Author: nkane

.clomonitor.yml

@@ -0,0 +1,21 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+  - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions)
+    reason: "Project is a library and does not create an artifact" # Justification of this exemption (mandatory, it will be displayed on the UI)

.github/dependabot.yml

@@ -0,0 +1,42 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+    ignore:
+      - dependency-name: "*"
+        update-types:
+        - "version-update:semver-major"
+        - "version-update:semver-minor"
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"

.github/workflows/codeql.yml

@@ -0,0 +1,92 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+        # CodeQL supports [ $supported-codeql-languages ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,41 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5

.github/workflows/fossa.yml

@@ -0,0 +1,28 @@
+name: "Fossa Scan"
+
+on:
+    push:
+      branches: ["main"]
+    pull_request:
+      # The branches below must be a subset of the branches above
+      branches: ["main"]
+    schedule:
+      - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+    fossa-scan:
+      env: 
+        FOSSA_API_KEY: ${{ secrets.fossaApiKey }}
+      runs-on: ubuntu-latest
+      steps:
+        - if: ${{ env.FOSSA_API_KEY != '' }}
+          name: "Checkout Code"
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        - if: ${{ env.FOSSA_API_KEY != '' }}
+          name: "Run FOSSA Scan"
+          uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+          with:
+            api-key: ${{ env.FOSSA_API_KEY }}

.github/workflows/golangci-lint.yml

@@ -29,12 +29,17 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: "go.mod"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:
           version: latest
           args: --timeout=3m

.github/workflows/release.yml

@@ -12,55 +12,46 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
 name: release
 on: [push, pull_request]
-jobs:
-  test:
-    strategy:
-      matrix:
-        go-version: [ 1.19.x ]
-        os: [ ubuntu-latest ]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ matrix.go-version }}
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - uses: actions/cache@v2
-        with:
-         path: |
-           ~/go/pkg/mod
-           ~/.cache/go-build
-         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-         restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Format Unix
-        run: test -z $(go fmt ./...)
-      - name: Install GoKart
-        run: go install github.com/praetorian-inc/gokart@latest
 
-      - name: Static Analysis
-        uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
-        with:
-          step: static-analysis
-          attestations: "github sarif"
-          command: gokart scan . -o sarif-results.json -s
+permissions:
+  contents: read
+
+jobs:
+  fmt:
+    uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: fmt
+      attestations: "git github environment"
+      command: go fmt ./...
 
-      - name: Test
-        uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934
-        with: 
-          step: "test"
-          attestations: "github"
-          command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+  sast:
+    needs: [fmt]
+    uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: sast
+      attestations: "git github environment"
+      command: go vet ./...
 
-      - name: Send coverage
-        env:
-          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          GO111MODULE=off go get github.com/mattn/goveralls
-          $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+  unit-test:
+    needs: [fmt]
+    uses: ./.github/workflows/witness.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read
+    with:
+      pull_request: ${{ github.event_name == 'pull_request' }}
+      step: unit-test
+      attestations: "git github environment"
+      command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+      artifact-upload-name: profile.cov
+      artifact-upload-path: profile.cov