

Merge pull request #55 from janfuhrer/ci/fix-publish-workflow
ci: add go setup for ko-publish job
janfuhrer authored May 9, 2024
2 parents 09e5faa + fd7662a commit 56444a9
Showing 8 changed files with 161 additions and 92 deletions.
6 changes: 5 additions & 1 deletion .github/actions/publish-image/action.yaml
Expand Up @@ -78,7 +78,11 @@ runs:
env:
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
run: |
cosign attach sbom --sbom ./${{ inputs.sbom-name }}-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
cosign attest --yes \
--predicate ./${{ inputs.sbom-name }}-bom.cdx.json \
--type cyclonedx \
--oidc-provider github-actions \
${{ steps.ko-publish.outputs.digest }}
- shell: bash
id: digest
run: |
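Review bot: The new `cosign attest` invocation splices `${{ inputs.sbom-name }}` and the ko digest directly into the shell script text on the `--predicate` line and the final argument line; the usual hardening pattern is to hand expression values to the script through `env:` so they arrive as shell variables instead of being substituted into the script before it is parsed. Adding `SBOM_FILE: ./${{ inputs.sbom-name }}-bom.cdx.json` and `IMAGE_DIGEST: ${{ steps.ko-publish.outputs.digest }}` next to the existing `COSIGN_REPOSITORY` entry and using `--predicate "$SBOM_FILE"` and `"$IMAGE_DIGEST"` keeps the step equivalent. The step's `name`/`id` lines sit above the hunk, so the enclosing step starts outside it.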
31 changes: 30 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -67,6 +67,11 @@ jobs:
with:
persist-credentials: false
fetch-depth: 0
- name: Setup go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: 'go.mod'
check-latest: true
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Publish podsalsa
Expand Down Expand Up @@ -171,7 +176,7 @@ jobs:
- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Verify image
- name: Verify provenance of image
env:
IMAGE: ghcr.io/${{ github.repository_owner }}/podsalsa
DIGEST: ${{ needs.ko-publish.outputs.digest }}
Expand All @@ -183,3 +188,27 @@ jobs:
--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
--policy policy.cue \
$IMAGE@$DIGEST
- name: Verify signature of image
env:
IMAGE: ghcr.io/${{ github.repository_owner }}/podsalsa
DIGEST: ${{ needs.ko-publish.outputs.digest }}
REPOSITORY: ${{ github.repository_owner }}
run: |
COSIGN_REPOSITORY=ghcr.io/$REPOSITORY/signatures cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/janfuhrer/podsalsa/.github/workflows/release.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?$' \
$IMAGE@$DIGEST
- name: Verify sbom of image
env:
IMAGE: ghcr.io/${{ github.repository_owner }}/podsalsa
DIGEST: ${{ needs.ko-publish.outputs.digest }}
REPOSITORY: ${{ github.repository_owner }}
run: |
COSIGN_REPOSITORY=ghcr.io/$REPOSITORY/sbom cosign verify-attestation \
--type cyclonedx \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/janfuhrer/podsalsa/.github/workflows/release.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?$' \
--policy policy-sbom.cue \
$IMAGE@$DIGEST
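Review bot: The `--certificate-identity-regexp` values in the two new verify steps leave the dots of the tag pattern unescaped (`v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?$`), so each `.` matches any single character and the identity check is looser than the semver shape it is meant to pin; `v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$` is the intended form (the provenance regexp a few lines up has the same looseness, but that line is not touched by this commit). The same two regexps hard-code `janfuhrer/podsalsa` while `IMAGE` and `REPOSITORY` are derived from `${{ github.repository_owner }}`, so a fork publishing under another owner would still verify against the upstream signing identity; passing `${{ github.repository }}` through `env:` and building the identity from that variable would keep the two consistent, assuming the image path is meant to follow the repository. The three `env:` blocks repeat `IMAGE` and `DIGEST`; a job-level `env:` could hold them, but the job header lies outside the hunk.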
40 changes: 2 additions & 38 deletions .goreleaser.yml
Expand Up @@ -31,7 +31,7 @@ builds:
archives:
- format: tar.gz
name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
name_template: '{{ .ProjectName }}_v{{ .Version }}_{{ .Os }}_{{ .Arch }}'
# use zip for windows archives
format_overrides:
- goos: windows
Expand Down Expand Up @@ -67,7 +67,7 @@ release:
**Docker Images**
- `ghcr.io/janfuhrer/{{ .ProjectName }}:{{ .Version }}`
- `ghcr.io/janfuhrer/{{ .ProjectName }}:latest`
{{ if not .Prerelease }}- `ghcr.io/janfuhrer/{{ .ProjectName }}:latest`{{ end }}
# github changelog for new release
changelog:
Expand All @@ -78,39 +78,3 @@ changelog:
- '^test:'
- '^rebase:'
- Merge pull request

## Since we are building the ko images with a own build step, we don't build them with goreleaser
# kos:
# - id: podsalsa
# build: podsalsa
# repository: ghcr.io/janfuhrer/podsalsa
# tags:
# - '{{.Tag}}'
# - '{{ if not .Prerelease }}latest{{ end }}'
# # use default base image
# base_image: cgr.dev/chainguard/static
# labels:
# org.opencontainers.image.created: '{{ .Date }}'
# org.opencontainers.image.authors: "[email protected]"
# org.opencontainers.image.url: "https://github.com/janfuhrer/podsalsa"
# org.opencontainers.image.documentation: "https://github.com/janfuhrer/podsalsa"
# org.opencontainers.image.source: "https://github.com/janfuhrer/podsalsa"
# org.opencontainers.image.version: '{{ .Tag }}'
# org.opencontainers.image.revision: '{{ .Commit }}'
# org.opencontainers.image.vendor: "janfuhrer"
# org.opencontainers.image.licenses: "Apache-2.0"
# org.opencontainers.image.title: "Podsalsa"
# org.opencontainers.image.description: "Sample application to demonstrate supply chain security."
# org.opencontainers.image.base.name: "cgr.dev/chainguard/static"
# # use the docker tag without anything additional
# bare: true
# preserve_import_paths: false
# sbom: cyclonedx # or spdx
# platforms:
# # possible values: all, linux/s390x, linux/arm64, linux/arm/v7, linux/ppc64le, linux/amd64
# - linux/arm64
# - linux/arm/v7
# - linux/amd64
# # set for reproducible builds
# creation_time: '{{ .CommitTimestamp }}'
# ko_data_creation_time: '{{.CommitTimestamp}}'
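Review bot: The archive `name_template` now carries a `v` in front of the version (`_v{{ .Version }}_`), but the release-notes line `ghcr.io/janfuhrer/{{ .ProjectName }}:{{ .Version }}` in the `release:` hunk keeps the bare version; if the container image is tagged with the git tag (leading `v`), as the Makefile's `KO_TAGS` presumably carries, the documented image reference would not resolve, so this is worth confirming against how ko tags the image and switching that line to `{{ .Tag }}` if so. A short comment above the template, `# archive names carry the leading v so they match the git tag`, would record the intent, since goreleaser's `.Version` is the tag without that prefix.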
4 changes: 2 additions & 2 deletions Makefile
Expand Up @@ -77,7 +77,7 @@ LABELS := "--image-label=org.opencontainers.image.created=$(BUILD_DATE),$\
ko-build-local: ko
@echo Building Podsalsa $(KO_TAGS) for $(KO_PLATFORM) >&2
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REPOSITORY) \
$(KO) build ./ --bare --tags=$(KO_TAGS) $(LABELS) --push=false --local --platform=$(KO_PLATFORM)
$(KO) build ./ --bare --tags=$(KO_TAGS) $(LABELS) --push=false --local --platform=$(KO_PLATFORM) --sbom=none

# Ko publish image
.PHONY: ko-login
Expand All @@ -87,7 +87,7 @@ ko-login: ko
.PHONY: ko-publish-podsalsa
ko-publish-podsalsa: ko-login
@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REPOSITORY) \
$(KO) build ./ --bare --tags=$(KO_TAGS) $(LABELS)
$(KO) build ./ --bare --tags=$(KO_TAGS) $(LABELS) --sbom=none

###########
# Helpers #
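Review bot: Both ko invocations gain `--sbom=none` without a comment saying why ko's built-in SBOM generation is switched off, which a later reader may take as dropping the SBOM altogether rather than moving it to a signed attestation. A comment above `ko-build-local` such as `# --sbom=none: ko's own SBOM upload is disabled; the SBOM is produced separately and attached as a cosign attestation by .github/actions/publish-image` would keep the intent visible (the generating step is not in this diff, so confirm the wording). The `ko-publish-podsalsa` recipe is complete within its hunk, while the `LABELS` definition starts above it.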
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -25,6 +25,14 @@ Each release of the application includes Go-binary archives, checksums file, SBO

The release workflow creates provenance for its builds using the [SLSA standard](https://slsa.dev), which conforms to the [Level 3 specification](https://slsa.dev/spec/v1.0/levels#build-l3). Each artifact can be verified using the `slsa-verifier` or `cosign` tool.

| Artifact | Description | Verification |
| ------------------ | -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| Go-binary archives | Multi-architecture and platform Go-binary archives | [SLSA-Provenance](./SECURITY.md#verify-provenance-of-release-artifacts) |
| Checksums file | Checksums file of the Go-binary archives | [Cosign signature](./SECURITY.md#verify-signature-of-checksum-file) |
| SBOMs | SBOMs of the Go-binary archives | [SLSA-Provenance](./SECURITY.md#go-binary-archives) |
| Container images | Multi-architecture container images | [SLSA-Provenance](./SECURITY.md#verify-provenance-of-container-images) & [Cosign Signature](./SECURITY.md#verify-signature-of-container-image) |
| SBOMs | SBOMs of the container images | [SLSA-Provenance](./SECURITY.md#container-images) |

## Documentation

All the used workflows, security best practices and verification of the artifacts are documented in the following files:
