Refactor rekor-monitor workflow

.github/workflows/main.yml

@@ -88,8 +88,6 @@ jobs:
         with:
           go-version-file: './go.mod'
           check-latest: true
-      - name: run e2e test
-        run: ./pkg/test/e2e/e2e_test.sh
-      - name: run identity monitor test
-        run: ./pkg/test/identity_workflow/identity_workflow_e2e_test.sh
+      - name: run Rekor end-to-end test
+        run: ./pkg/test/rekor_e2e/rekor_monitor_e2e_test.sh
 

.github/workflows/reusable_monitoring.yml

@@ -12,10 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# NOTE: This GHA should not be run concurrently.
-
-# TODO: Write identities to issues when found
-
 name: Rekor Monitoring Template
 
 on:
@@ -30,9 +26,14 @@ on:
         required: false
         type: number
         default: 14
-      identities:
-        description: 'multiline yaml of certificate subjects and issuers, key subjects, and fingerprints. For certificates, if no issuers are specified, match any OIDC provider'
+      once:
+        description: 'whether to run the identity monitor once or periodically'
+        default: true
         required: false
+        type: boolean
+      config:
+        description: 'multiline yaml of configuration settings for identity monitor run'
+        required: true
         type: string
 
 permissions:
@@ -54,6 +55,10 @@ jobs:
       - name: Detect the repository and ref
         id: detect
         uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
+    # NOTE: This GHA should not be run concurrently.
+    concurrency:
+      group: rekor-consistency-check
+      cancel-in-progress: true
 
   monitor:
     runs-on: ubuntu-latest
@@ -76,7 +81,7 @@ jobs:
         run: cat ${{ env.LOG_FILE }}
         # Skip on first run
         continue-on-error: true
-      - run: go run ./cmd/rekor_consistency --file ${{ env.LOG_FILE }} --once --monitored-values "${{ inputs.identities }}" --user-agent "${{ format('{0}/{1}/{2}', needs.detect-workflow.outputs.repository, needs.detect-workflow.outputs.ref, github.run_id) }}"
+      - run: go run ./cmd/rekor_monitor --config ${{ inputs.config }} --file ${{ env.LOG_FILE }} --once=${{ inputs.once }} --user-agent "${{ format('{0}/{1}/{2}', needs.detect-workflow.outputs.repository, needs.detect-workflow.outputs.ref, github.run_id) }}"
       - name: Upload checkpoint
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:

README.md

@@ -3,9 +3,13 @@
 Rekor Log Monitor provides an easy-to-use monitor to verify log consistency,
 that the log is immutability and append-only. Monitoring is critical to
 the transparency log ecosystem, as logs are tamper-evident but not tamper-proof.
+Rekor Log Monitor also provides a monitor to search for identities within a log,
+and send a list of found identities via various notification platforms.
+
+## Consistency check
 
 To run, create a GitHub Actions workflow that uses the
-[reusable monitoring workflow](https://github.com/sigstore/rekor-monitor/blob/main/.github/workflows/reusable_monitoring.yml).
+[consistency check workflow](https://github.com/sigstore/rekor-monitor/blob/main/.github/workflows/consistency_check.yml).
 It is recommended to run the log monitor every hour for optimal performance.
 
 Example workflow:
@@ -46,6 +50,10 @@ Please read [this](https://github.com/google/re2/wiki/Syntax) for syntax referen
 Note: The log monitor only starts monitoring from the latest checkpoint. If you want to search previous
 entries, you will need to query the log.
 
+To run, create a GitHub Actions workflow that uses the
+[identity monitoring workflow](https://github.com/sigstore/rekor-monitor/blob/main/.github/workflows/identity_monitor.yml).
+It is recommended to run the log monitor every hour for optimal performance.
+
 Example workflow below:
 
 ```
@@ -66,26 +74,27 @@ jobs:
     with:
       file_issue: true # Strongly recommended: Files an issue on monitoring failure
       artifact_retention_days: 14 # Optional, default is 14: Must be longer than the cron job frequency
-      identities: |
-        certIdentities:
-          - certSubject: user@domain\.com
-          - certSubject: otheruser@domain\.com
-            issuers:
-              - https://accounts\.google\.com
-              - https://github\.com/login
-          - certSubject: https://github\.com/actions/starter-workflows/blob/main/\.github/workflows/lint\.yaml@.*
-            issuers:
-              - https://token\.actions\.githubusercontent\.com
-        subjects:
-          - subject@domain\.com
-        fingerprints:
-          - A0B1C2D3E4F5
-        fulcioExtensions:
-          build-config-uri:
-            - https://example.com/owner/repository/build-config.yml
-        customExtensions:
-          - objectIdentifier: 1.3.6.1.4.1.57264.1.9
-            extensionValues: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+      config: |
+        monitoredValues: |
+          certIdentities:
+            - certSubject: user@domain\.com
+            - certSubject: otheruser@domain\.com
+              issuers:
+                - https://accounts\.google\.com
+                - https://github\.com/login
+            - certSubject: https://github\.com/actions/starter-workflows/blob/main/\.github/workflows/lint\.yaml@.*
+              issuers:
+                - https://token\.actions\.githubusercontent\.com
+          subjects:
+            - subject@domain\.com
+          fingerprints:
+            - A0B1C2D3E4F5
+          fulcioExtensions:
+            build-config-uri:
+              - https://example.com/owner/repository/build-config.yml
+          customExtensions:
+            - objectIdentifier: 1.3.6.1.4.1.57264.1.9
+              extensionValues: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/[email protected]
 ```
 
 In this example, the monitor will log: