Squashed 'subtrees/witness/' changes from be20100..06031da

06031da Checking attestors for duplicates (in-toto#361)
1a9b5a2 Initial attempt at PR and Issue templates (in-toto#351)
83ca942 chore: bump actions/download-artifact from 4.1.0 to 4.1.1 (in-toto#358)
63cc5d8 chore: bump github/codeql-action from 3.22.12 to 3.23.0 (in-toto#357)
70e0b09 chore: bump actions/upload-artifact from 4.0.0 to 4.1.0 (in-toto#356)
d2471e6 chore: bump actions/cache from 3.3.2 to 3.3.3 (in-toto#355)
f2e2a6f Update cloudflare/circl due to dependabot failure (in-toto#352)
abce18b Add cosign install
15d9014 Add signing to goreleaser and Best Practices badge to readme.
93768db Pin dependencies and restrict permissions
494d44a Add Security MD files an add FOSSA scan badge
b9e38d5 Add FOSSA license scanning
617e15a chore: bump actions/dependency-review-action from 3.1.4 to 3.1.5 (in-toto#349)
2c590bb Update go-git to resolve vulnerability (in-toto#346)
88881fa chore: bump actions/download-artifact from 4.0.0 to 4.1.0 (in-toto#342)
ea67d31 chore: bump github/codeql-action from 3.22.11 to 3.22.12 (in-toto#343)
b8f36d6 chore: bump actions/upload-artifact from 3.1.3 to 4.0.0 (in-toto#337)
34563ab chore: bump github/codeql-action from 2.22.9 to 3.22.11 (in-toto#336)
46b168d chore: bump actions/download-artifact from 3.0.2 to 4.0.0 (in-toto#335)
b36c96d Bumping Go version for goreleaser (in-toto#333)
c06555d Migrating to the use of in-toto/go-witness module (in-toto#331)
c0f5843 Migrating go module (in-toto#328)
937eab8 Adding the contributing.md from archivista (in-toto#327)
f0c8f43 Adding help to Makefile and updating `make test` target (in-toto#325)
71856fd chore: bump actions/dependency-review-action from 2.5.1 to 3.1.4 (in-toto#324)
709ad35 chore: bump github/codeql-action from 2.22.8 to 2.22.9 (in-toto#323)
684fd6a chore: bump actions/setup-go from 4.1.0 to 5.0.0 (in-toto#322)
a823f58 chore: bump actions/checkout from 3.6.0 to 4.1.1 (in-toto#321)
862d8c4 chore: bump actions/upload-artifact from 3.0.0 to 3.1.3 (in-toto#320)
b19afc8 Fix initial pre-commit violations (in-toto#319)
a56715e Refactoring error messages to use `%w` formatting directive and fix logging issue (in-toto#314)
0bca967 feat: add algo hash list for digest calc in config (in-toto#292)
81bdfce Improve gha (in-toto#318)
f65b232 [StepSecurity] Apply security best practices (in-toto#316)
bcf7ecf Update README.md - fixing quickstart url
8dde14c docs: correct sign policy file command in README.md
752b9e0 chore: bump github/codeql-action from 2.22.7 to 2.22.8
15bec9e chore: bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1
0363ee3 chore: bump actions/setup-go from 2 to 4
a412c18 chore: bump actions/cache from 2 to 3
e7a6f44 chore: bump github/codeql-action from 2.22.6 to 2.22.7
932ff1e chore: bump actions/checkout from 2 to 4 (in-toto#301)
5e56558 chore: bump github.com/stretchr/testify from 1.8.1 to 1.8.4 (in-toto#305)
f49ff8e chore: bump github.com/sirupsen/logrus from 1.9.0 to 1.9.3 (in-toto#304)
873f55c chore: bump golangci/golangci-lint-action from 2 to 3 (in-toto#303)
1880baa chore: bump ossf/scorecard-action from 2.1.3 to 2.3.1 (in-toto#302)
9380cbe chore: bump github/codeql-action from 1.0.26 to 2.22.6 (in-toto#300)
21cb944 chore: bump docker/login-action from 2 to 3 (in-toto#299)
2219a76 fix: updating urls to `in-toto` from `testifysec` and `-L` to the curl for version (in-toto#297)
b3d7207 Add dependabot config and add reusable workflow for calling witness (in-toto#298)
5beb113 Add maintainers file
602dc48 chore(deps): bump google.golang.org/grpc from 1.53.0 to 1.56.3
edef808 docs: Update key to signer-file-key-path in getting starter .witness.yaml
8e9d798 fix: dev/Dockerfile.go-builder to reduce vulnerabilities
27f68b9 chore(deps): bump golang.org/x/net from 0.7.0 to 0.17.0

git-subtree-dir: subtrees/witness
git-subtree-split: 06031da4459ee4aea13ee83c59f9dee8171133ff

.clomonitor.yml

@@ -0,0 +1,21 @@
+# Copyright 2023 The Witness Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+
+# Checks exemptions
+exemptions:
+  - check: artifacthub_badge # Check identifier (see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions)
+    reason: "Project is a CLI tool and is not one of the support types for Artifact Hub" # Justification of this exemption (mandatory, it will be displayed on the UI)

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,26 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: '[Bug]: '
+labels: ['bug', triage']
+assignees: ''
+---
+
+**What steps did you take and what happened:**
+
+[A clear and concise description of what the bug is.]
+
+**What did you expect to happen:**
+
+[Expected outcome listed here.]
+
+**Anything else you would like to add:**
+
+[Miscellaneous information that will assist in solving the issue.]
+
+**Environment:**
+
+- Witness version:
+- Architecture:
+- Attestors used:
+- Archivista version:

.github/ISSUE_TEMPLATE/feature-request.md

@@ -0,0 +1,36 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: '[Feat]: '
+labels: ['feature', 'triage']
+assignees: ''
+
+---
+
+**Describe the solution you'd like:**
+
+[A clear and concise description of what you want to happen.]
+
+**User value:**
+
+[Why will this feature be valuable to you? Why will this be valuable to others?]
+
+**Expected behavior:**
+
+[What would you like to see happen]
+
+**Proposed solution:**
+
+[If you're able, describe possible solution workflow]
+
+**Anything else you would like to add:**
+
+[Miscellaneous information that will assist in solving the issue.]
+
+**Testing changes required:**
+
+[List possible testing changes required, if none please explain, if unsure assignee will assist]
+
+**Documentation changes required:**
+
+[List possible documentation changes required, if none please explain, if unsure assignee will assist]

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,19 @@
+## What this PR does / why we need it
+
+Description
+
+## Which issue(s) this PR fixes (optional)
+
+(optional, using `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when the PR gets merged)*
+
+Fixes #
+
+## Acceptance Criteria Met
+
+- [ ] Docs changes if needed
+- [ ] Testing changes if needed
+- [ ] All workflow checks passing (automatically enforced)
+- [ ] All review conversations resolved (automatically enforced)
+- [ ] [DCO Sign-off](https://github.com/apps/dco)
+
+**Special notes for your reviewer**:

.github/dependabot.yml

@@ -0,0 +1,28 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "chore"
+    ignore:
+      - dependency-name: "*"
+        update-types:
+        - "version-update:semver-major"
+        - "version-update:semver-minor"
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"

.github/workflows/codeql.yml

@@ -0,0 +1,78 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+        # CodeQL supports [ $supported-codeql-languages ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5

.github/workflows/fossa.yml

@@ -0,0 +1,28 @@
+name: "Fossa Scan"
+
+on:
+    push:
+      branches: ["main"]
+    pull_request:
+      # The branches below must be a subset of the branches above
+      branches: ["main"]
+    schedule:
+      - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+    fossa-scan:
+      env:
+        FOSSA_API_KEY: ${{ secrets.fossaApiKey }}
+      runs-on: ubuntu-latest
+      steps:
+        - if: ${{ env.FOSSA_API_KEY != '' }}
+          name: "Checkout Code"
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        - if: ${{ env.FOSSA_API_KEY != '' }}
+          name: "Run FOSSA Scan"
+          uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
+          with:
+            api-key: ${{ env.FOSSA_API_KEY }}

.github/workflows/golangci-lint.yml

@@ -15,9 +15,9 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:
           version: latest
           args: --timeout=3m