Skip to content

testifysec/witness-wrapper

BranchesTags

Repository files navigation

Witness Wrapper Action

A GitHub Action that wraps commands with Witness to create software supply chain attestations. Works out of the box with TestifySec Platform.

Quick Start

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # Required for Sigstore signing
      contents: read
    env:
      TESTIFYSEC_API_KEY: ${{ secrets.TESTIFYSEC_API_KEY }}
    steps:
      - uses: actions/checkout@v4

      - name: Build with attestation
        uses: testifysec/witness-wrapper@v0.3
        with:
          step: build
          command: npm run build

That's it! The action automatically:

  • Downloads the latest Witness CLI
  • Signs attestations using Sigstore (keyless)
  • Uploads attestations to TestifySec Platform

Configuration

Required Inputs

Input Description
step Name of the build step (e.g., build, test, deploy)
command Command to run (or use action-ref to wrap another action)

Authentication

Set TESTIFYSEC_API_KEY once at the job level:

jobs:
  build:
    env:
      TESTIFYSEC_API_KEY: ${{ secrets.TESTIFYSEC_API_KEY }}

Optional Inputs

Input Default Description
attestations environment git github Space-separated list of attestors
enable-archivista true Upload attestations to Archivista
enable-sigstore true Use Sigstore keyless signing
outfile - Save attestation to a local file
key - Path to signing key (instead of Sigstore)

Platform Defaults

All TestifySec Platform URLs are preconfigured:

  • Archivista: https://web.platform.testifysec.com
  • Fulcio: https://fulcio.platform.testifysec.com
  • TSA: https://tsa.platform.testifysec.com/api/v1/timestamp

Examples

Build and Test Pipeline

jobs:
  ci:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    env:
      TESTIFYSEC_API_KEY: ${{ secrets.TESTIFYSEC_API_KEY }}
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        uses: testifysec/witness-wrapper@v0.3
        with:
          step: install
          command: npm ci

      - name: Run tests
        uses: testifysec/witness-wrapper@v0.3
        with:
          step: test
          command: npm test

      - name: Build
        uses: testifysec/witness-wrapper@v0.3
        with:
          step: build
          command: npm run build

Wrap Another Action

- name: Setup Node with attestation
  uses: testifysec/witness-wrapper@v0.3
  with:
    step: setup-node
    action-ref: actions/setup-node@v4
    input-node-version: '20'

Save Attestation Locally (No Upload)

- name: Build with local attestation
  uses: testifysec/witness-wrapper@v0.3
  with:
    step: build
    command: make build
    enable-archivista: false
    enable-sigstore: false
    key: ${{ secrets.SIGNING_KEY_PATH }}
    outfile: build-attestation.json

Development

npm install
npm run build
npm test

License

Apache 2.0

About

Lightweight Witness wrapper action

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

v0.3.0 Latest
Dec 19, 2025
+ 2 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages