ci: improve release workflow

.github/workflows/README.md

@@ -5,16 +5,15 @@
 Following workflows are implemented in the repository.
 [SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) is used to store the results for an analysis of code scanning tools in the Security tab of the repository.
 
-| Workflow                                           | Jobs                | Trigger                                | SARIF upload | Description                                                                                      |
-| :------------------------------------------------- | :------------------ | :------------------------------------- | :----------- | ------------------------------------------------------------------------------------------------ |
+| Workflow                                         | Jobs                | Trigger                                | SARIF upload | Description                                                                                      |
+| :----------------------------------------------- | :------------------ | :------------------------------------- | :----------- | ------------------------------------------------------------------------------------------------ |
 | [codeql.yml](./codeql.yml)                       | `analyze`           | push/pr to `main`, cron: `00 13 * * 1` | yes          | Semantic code analysis                                                                           |
 | [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main`                           | -            | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced. |
 | [fossa.yml](./fossa.yml)                         | `analyze`           | push/pr on `*`                         | -            | FOSSA analysis                                                                                   |
 | [golangci-lint.yml](./golangci-lint.yml)         | `lint`              | push/pr on `*`                         | -            | Lint Go Code                                                                                     |
 | [gosec.yml](./gosec.yml)                         | `analyze`           | push/pr on `*`                         | -            | Inspects source code for security problems in Go code                                            |
 | [osv-scan.yml](./osv-scan.yml)                   | `analyze`           | push/pr to `main`, cron: `30 13 * * 1` | yes          | Scanning for vulnerabilites in dependencies                                                      |
-| [release.yml](./release.yml)                     | `args`              | push tag `v*`                          | -            | Get variables for go build                                                                       |
-|                                                    | `go-release`        | push tag `v*`                          | -            | Release the go-binaries for multiple platforms                                                   |
+| [release.yml](./release.yml)                     | `...`               | push tag `v*`                          | -            | Create release with go binaries and docker container                                             |
 | [scorecard.yml](./scorecard.yml)                 | `analyze`           | push to `main`, cron: `00 14 * * 1`    | yes          | Create OpenSSF analysis and create project score                                                 |
 
 ## CodeQL
@@ -61,11 +60,15 @@ Action: https://github.com/google/osv-scanner-action
 
 [OSV-Scan](https://osv.dev/) is a vulnerability database and triage infrastructure for open-source projects. The [OSV-Scanner](https://google.github.io/osv-scanner/) finds vulnerabilities in dependencies of an project and uploads the results to the Security tab of the repository.
 
-## Go-Release
+## Release
 
-Action: https://github.com/slsa-framework/slsa-github-generator/tree/v1.10.0
+### Go Release
 
-The release workflow generates the go binaries with SLSA Build Level 3 provenance and uploads them to the release page. The workflow also creates a release draft with the changelog and the binaries attached which can be published by the user.  
+TODO 
+
+### Container Release
+
+TODO
 
 ## Scorecards
 

.github/workflows/codeql.yml

@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '00 13 * * 1'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 

.github/workflows/dependency-review.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     branches: [ "main" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 

.github/workflows/fossa.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ "*" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/golangci-lint.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ "*" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
@@ -18,8 +22,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: '1.22'
-          cache: false
+          go-version-file: 'go.mod'
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
         with:

.github/workflows/gosec.yml

@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [ "*" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/osv-scan.yml

@@ -8,6 +8,10 @@ on:
   pull_request:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/release.yml

@@ -5,6 +5,10 @@ on:
     tags:
       - "v*"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
   goreleaser:
     outputs:
@@ -22,10 +26,11 @@ jobs:
         with:
           persist-credentials: false
           fetch-depth: 0
+      # update goreportcard
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
       - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
@@ -139,7 +144,7 @@ jobs:
           DIGEST: ${{ needs.goreleaser.outputs.digest }}
         run: |
           cosign verify-attestation \
-             --type slsaprovenance \
-             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-             --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
-             $IMAGE@$DIGEST
+            --type slsaprovenance \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
+            $IMAGE@$DIGEST

.github/workflows/scorecard.yml

@@ -11,6 +11,10 @@ on:
   push:
     branches: [ "main" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions: read-all
 
 jobs:

.gitignore

@@ -26,5 +26,8 @@ bin/
 # docker buildx attestation directory
 out/
 
+# ko sbom directory
+sbom/
+
 # local binary
 podsalsa

.goreleaser.yml

@@ -1,5 +1,15 @@
+project_name: podsalsa
+
+before:
+  hooks:
+    - go mod tidy
+
 builds:
-  - env:
+  - id: podsalsa
+    binary: '{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}'
+    # set for reproducible builds
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    env:
       - CGO_ENABLED=0
     goarch:
       - amd64
@@ -20,50 +30,71 @@ builds:
           -X main.BuildTime={{ .Date }}
 
 kos:
-  - repository: ghcr.io/janfuhrer/podsalsa
+  - id: podsalsa
+    build: podsalsa
+    repository: ghcr.io/janfuhrer/podsalsa
     tags:
       - '{{.Tag}}'
       - '{{ if not .Prerelease }}latest{{ end }}'
+    # use default base image
+    base_image: cgr.dev/chainguard/static
+    labels:
+      org.opencontainers.image.created: '{{ .Date }}'
+      org.opencontainers.image.authors: "[email protected]"
+      org.opencontainers.image.url: "https://github.com/janfuhrer/podsalsa"
+      org.opencontainers.image.documentation: "https://github.com/janfuhrer/podsalsa"
+      org.opencontainers.image.source: "https://github.com/janfuhrer/podsalsa"
+      org.opencontainers.image.version: '{{ .Tag }}'
+      org.opencontainers.image.revision: '{{ .Commit }}'
+      org.opencontainers.image.vendor: "janfuhrer"
+      org.opencontainers.image.licenses: "Apache-2.0"
+      org.opencontainers.image.title: "Podsalsa"
+      org.opencontainers.image.description: "Sample application to demonstrate supply chain security."
+      org.opencontainers.image.base.name: "cgr.dev/chainguard/static"
+    # use the docker tag without anything additional
     bare: true
     preserve_import_paths: false
-    sbom: spdx
+    sbom: cyclonedx # or spdx
     platforms:
+      # linux/amd64 and linux/arm64
       - all
-    flags:
-      - -trimpath
-      - -tags="netgo"
-    ldflags:
-      - >-
-          -s
-          -w
-          -X main.Version={{ .Tag }}
-          -X main.Commit={{ .Commit }}
-          -X main.BuildTime={{ .Date }}
+    # set for reproducible builds
+    creation_time: '{{ .CommitTimestamp }}'
+    ko_data_creation_time: '{{.CommitTimestamp}}'
 
 archives:
   - format: tar.gz
-    # this name template makes the OS and Arch compatible with the results of uname.
-    name_template: >-
-      {{ .ProjectName }}_
-      {{- title .Os }}_
-      {{- if eq .Arch "amd64" }}x86_64
-      {{- else if eq .Arch "386" }}i386
-      {{- else }}{{ .Arch }}{{ end }}
-      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    name_template: '{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}'
     # use zip for windows archives
     format_overrides:
     - goos: windows
       format: zip
+
+# create sboms for the archives
+sboms:
+  - artifacts: archive
+
+# create checksum file for the archives
 checksum:
   name_template: 'checksums.txt'
+  algorithm: sha256
+
+# sign the artifacts
+#signs:
+#  - artifacts: checksum
+#docker_signs:
+#  - artifacts: manifests
+
+# local build
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
+
+# github changelog for new release
 changelog:
   sort: asc
   use: github
   filters:
     exclude:
       - '^test:'
-      - '^chore:'
       - '^rebase:'
       - Merge pull request

Makefile

@@ -1,21 +1,10 @@
 NAME := podsalsa
-DOCKER_REPOSITORY := janfuhrer
-DOCKER_IMAGE_NAME := $(DOCKER_REPOSITORY)/$(NAME)
 BUILD_DATE := $(shell date -Iseconds)
-VERSION := $(shell cat .version)
+VERSION := $(shell git describe --tags --abbrev=0 2>/dev/null || git rev-parse --short HEAD)-local
 # Adds "-dirty" suffix if there are uncommitted changes in the git repository
 COMMIT_REF:=$(shell git describe --dirty --always)
-EXTRA_FLAGS ?=
 
-# Base Docker build command
-DOCKER_BUILDX_BASE = docker buildx build \
-	--build-arg "BUILD_DATE=$(BUILD_DATE)" \
-	--build-arg "VERSION=$(VERSION)" \
-	--build-arg "COMMIT_REF=$(COMMIT_REF)" \
-	-t $(DOCKER_IMAGE_NAME):$(VERSION) \
-	$(EXTRA_FLAGS) .
-
-.PHONY: go-tidy go-build docker-build docker-build-with-provenance
+.PHONY: go-tidy go-build container-build
 
 go-tidy:
 	go mod tidy -compat=1.22
@@ -25,15 +14,6 @@ go-build:
 	go build -o $(NAME) -trimpath -tags="netgo" -ldflags "-s -w -X main.Version=$(VERSION) -X main.Commit=$(COMMIT_REF) -X main.BuildTime=$(BUILD_DATE)" main.go
 	@echo "Go build completed."
 
-docker-build: EXTRA_FLAGS =
-docker-build:
-	$(DOCKER_BUILDX_BASE)
-	@echo "Docker build completed."
-
-# IMPORTANT: enable "containerd image store" in Docker Desktop settings
-#            to use "--sbom" and "--provenance" flags
-#            https://docs.docker.com/desktop/containerd/
-docker-build-with-provenance: EXTRA_FLAGS = --sbom=true --provenance=true --output type=local,dest=out
-docker-build-with-provenance:
-	$(DOCKER_BUILDX_BASE)
-	@echo "Docker build with SBOM and provenance completed."
+container-build:
+	ko build -L -B --sbom cyclonedx --sbom-dir sbom .
+	@echo "Local container build completed. SBOM files are in the sbom directory."

README.md

@@ -2,7 +2,7 @@
 
 [![license](https://img.shields.io/github/license/janfuhrer/podsalsa)](https://github.com/janfuhrer/podsalsa/blob/main/LICENSE)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/janfuhrer/podsalsa/badge)](https://securityscorecards.dev/viewer/?uri=github.com/janfuhrer/podsalsa)
-[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8791/badge)](https://www.bestpractices.dev/projects/8791)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8791/badge?&kill_cache=1)](https://www.bestpractices.dev/projects/8791)
 [![release](https://img.shields.io/github/v/release/janfuhrer/podsalsa)](https://github.com/janfuhrer/podsalsa/releases)
 [![go-version](https://img.shields.io/github/go-mod/go-version/janfuhrer/podsalsa)](https://github.com/janfuhrer/podsalsa/blob/main/go.mod)
 [![Go Report Card](https://goreportcard.com/badge/github.com/janfuhrer/podsalsa)](https://goreportcard.com/report/github.com/janfuhrer/podsalsa)