From 0619c27c976019d6f0c93afcd4b4030bb564222e Mon Sep 17 00:00:00 2001
From: Lucas TESSON
Date: Tue, 29 Oct 2024 18:13:42 +0100
Subject: [PATCH] chore: split release and Docker builds on tag, add SBOM in Docker images and document security features
---
.github/workflows/docker.yaml | 59 ++++++++++++++++++++++++++++++++++
.github/workflows/release.yaml | 6 ----
.goreleaser.yaml | 10 ------
README.md | 37 +++++++++++++++++++++
4 files changed, 96 insertions(+), 16 deletions(-)
create mode 100644 .github/workflows/docker.yaml
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..d4fba12
--- /dev/null
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,59 @@
+name: Build Docker images
+
+on:
+ push:
+ tags:
+ - "v*"
+
+jobs:
+ docker:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ outputs:
+ digest: ${{ steps.build.outputs.digest }}
+ steps:
+ - name: Checkout the repository
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+ with:
+ images: ${{ github.repository }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+ id: build
+ with:
+ push: true
+ sbom: true # may not produce SBOM in manifest if the image has no filesystem (e.g. "FROM scratch")
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ # This step calls the container workflow to generate provenance and push it to
+ # the container registry.
+ provenance:
+ needs: [docker]
+ permissions:
+ actions: read # for detecting the Github Actions environment.
+ id-token: write # for creating OIDC tokens for signing.
+ packages: write # for uploading attestations.
+ if: startsWith(github.ref, 'refs/tags/')
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+ with:
+ image: ${{ github.repository }}
+ digest: ${{ needs.docker.outputs.digest }}
+ secrets:
+ registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
+ registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1aa3003..27d2a14 100644
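Review bot: The image reference `images: ${{ github.repository }}` in the metadata step and `image: ${{ github.repository }}` in the provenance job expand to `ctfer-io/ctfd-setup`, while the Docker Hub repository this commit removes from .goreleaser.yaml and the one the new README section tells users to verify is `ctferio/ctfd-setup`; unless the Docker Hub namespace really is `ctfer-io`, the push lands in a different repository and the README's `slsa-verifier verify-image` example will not find the provenance it describes. I would set both to the name the rest of the page uses, `images: ctferio/ctfd-setup` and `image: ctferio/ctfd-setup`, or derive both from one place so the build and the attestation cannot drift apart. Every action step is SHA-pinned with a version comment, but the reusable workflow is referenced by the `@v2.0.0` tag only; if that is deliberate because the SLSA generator has to be referenced by tag, record it, e.g. `# referenced by tag on purpose: check the generator's docs before pinning a commit SHA`. The `if: startsWith(github.ref, 'refs/tags/')` guard is redundant with the `on.push.tags` trigger, and `packages: write` on the docker job appears unused since the job logs in to and pushes to Docker Hub, so dropping it there would keep the job at least privilege.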
--- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -29,12 +29,6 @@ jobs: - name: Install Syft uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5 - - name: Login to Docker Hub - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Run GoReleaser id: run-goreleaser uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 diff --git a/.goreleaser.yaml b/.goreleaser.yaml index cfdc9bd..a27750d 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -16,16 +16,6 @@ builds: - amd64 binary: "{{ .ProjectName }}" -dockers: - - image_templates: - - "ctferio/{{ .ProjectName }}:latest" - - "ctferio/{{ .ProjectName }}:{{ .Tag }}" - build_flag_templates: - - "--label=org.opencontainers.image.created={{ .Date }}" - - "--label=org.opencontainers.image.title={{ .ProjectName }}" - - "--label=org.opencontainers.image.revision={{ .FullCommit }}" - - "--label=org.opencontainers.image.version={{ .Version }}" - changelog: sort: asc filters: diff --git a/README.md b/README.md index a214199..ba732b9 100644 --- a/README.md +++ b/README.md 
@@ -88,3 +88,40 @@ steps:
 from_secret: ADMIN_PASSWORD
 # ... and so on (non-mandatory attributes)
 ```
+
+## Security
+
+### Signature and Attestations
+
+For deployment purposes (and especially in the deployment case of Kubernetes), you may want to ensure the integrity of what you run.
+
+The release assets are SLSA 3 and can be verified using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) using the following.
+
+```bash
+slsa-verifier verify-artifact "" \
+ --provenance-path "" \
+ --source-uri "github.com/ctfer-io/ctfd-setup" \
+ --source-tag ""
+```
+
+The Docker image is SLSA 3 and can be verified using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) using the following.
+
+```bash
+slsa-verifier slsa-verifier verify-image "ctferio/ctfd-setup:@sha256:" \
+ --source-uri "github.com/ctfer-io/ctfd-setup" \
+ --source-tag ""
+```
+
+Alternatives exist, like [Kyverno](https://kyverno.io/) for a Kubernetes-based deployment.
+
+### SBOMs
+
+A SBOM for the whole repository is generated on each release and can be found in the assets of it.
+They are signed as SLSA 3 assets. Refer to [Signature and Attestations](#signature-and-attestations) to verify their integrity.
+
+A SBOM is generated for the Docker image in its manifest, and can be inspected using the following.
+
+```bash
+docker buildx imagetools inspect "ctferio/ctfd-setup:" \
+ --format "{{ json .SBOM.SPDX }}"
+```