diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml new file mode 100644 index 00000000..365896f5 --- /dev/null +++ b/.github/workflows/attestation.yml @@ -0,0 +1,146 @@ +name: Sign attestation files + +on: + workflow_call: + inputs: + image-digest: + type: string + required: true + +jobs: + sbom: + name: Generate SBOM, sign and attach them to OCI image + strategy: + matrix: + arch: [amd64, arm64] + + permissions: + packages: write + id-token: write + + runs-on: ubuntu-latest + steps: + - name: Install cosign + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + + - name: Install the crane command + uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5 + + - name: Login to GitHub Container Registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Find platform digest + shell: bash + run: | + set -e + DIGEST=$(crane digest \ + --platform "linux/${{ matrix.arch }}" \ + ghcr.io/${{ github.repository_owner }}/policy-server@${{ inputs.image-digest }}) + echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" + + - name: Find attestation digest + run: | + set -e + DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ inputs.image-digest }} \ + | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest' + ) + echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV" + + - name: Sign attestation manifest + run: | + cosign sign --yes \ + ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} + + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server*" \ + ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} + + - name: Find provenance manifest digest + run: | + set -e + DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ + jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest') + echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV" + + - name: Sign provenance manifest + run: | + cosign sign --yes \ + ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}} + + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server*" \ + ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}} + + - name: Find SBOM manifest layers digest + run: | + set -e + DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ + jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")') + echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" + + - name: Sign SBOM layers + run: | + for sbom_digest in "${{ env.SBOM_DIGEST }}"; do + cosign sign --yes \ + ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest + done + + - name: Verifying SBOM layers + run: | + for sbom_digest in "${{ env.SBOM_DIGEST }}"; do + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server*" \ + ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest + done + + - name: Download provenance and SBOM files + run: | + set -e + crane blob ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}} > policy-server-attestation-${{ matrix.arch }}-provenance.json + + for sbom_digest in "${{ env.SBOM_DIGEST }}"; do + crane blob ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest > policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json + done + + - name: Sign provenance and SBOM files + run: | + cosign sign-blob --yes \ + --bundle policy-server-attestation-${{ matrix.arch }}-provenance-cosign.bundle \ + policy-server-attestation-${{ matrix.arch }}-provenance.json + + for sbom_digest in "${{ env.SBOM_DIGEST }}"; do + cosign sign-blob --yes \ + --bundle policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}-cosign.bundle \ + policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json + done + + + - name: Verify provenance and SBOM signatures + run: | + cosign verify-blob \ + --bundle policy-server-attestation-${{ matrix.arch }}-provenance-cosign.bundle \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server*" \ + policy-server-attestation-${{ matrix.arch }}-provenance.json + + for sbom_digest in "${{ env.SBOM_DIGEST }}"; do + cosign verify-blob \ + --bundle policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}-cosign.bundle \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/policy-server*" \ + policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json + done + + + - name: Upload SBOMs as artifacts + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: attestation-${{ matrix.arch }} + path: policy-server-attestation-${{ matrix.arch }}* diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml index b9535ad5..765a2273 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/container-build.yml @@ -32,7 +32,7 @@ jobs: sbom: needs: build - uses: ./.github/workflows/sbom.yml + uses: ./.github/workflows/attestation.yml permissions: packages: write id-token: write diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml index 8613cd7e..3b017cac 100644 --- a/.github/workflows/container-image.yml +++ b/.github/workflows/container-image.yml @@ -8,47 +8,18 @@ on: value: ${{ jobs.build.outputs.digest }} jobs: - cross-build: - name: Cross compile policy-server binary - runs-on: ubuntu-latest - - strategy: - matrix: - targetarch: - - aarch64 - - x86_64 - - steps: - - name: Checkout code - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - - - name: Setup rust toolchain - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 - with: - toolchain: stable - target: ${{matrix.targetarch}}-unknown-linux-musl - override: true - - - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 - with: - use-cross: true - command: build - args: --release --target ${{matrix.targetarch}}-unknown-linux-musl - - - name: Upload policy-server binary - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: policy-server-${{ matrix.targetarch }} - path: | - target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server - build: name: Build container image permissions: packages: write - needs: - - cross-build runs-on: ubuntu-latest + strategy: + matrix: + targetarch: + # - aarch64 + # - x86_64 + - linux/amd64 + - linux/arm64 outputs: repository: ${{ steps.setoutput.outputs.repository }} tag: ${{ steps.setoutput.outputs.tag }} @@ -57,10 +28,13 @@ jobs: steps: - name: Checkout code uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 + - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 + - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: @@ -68,44 +42,35 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - # Download the policy-server artifacts we've built inside of the previous job - - name: Download policy-server-x86_64 artifact - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: policy-server-x86_64 - path: artifacts-x86_64 - - name: Download policy-server-aarch64 artifact - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: policy-server-aarch64 - path: artifacts-aarch64 - - name: Move binaries to project root - run: | - mv artifacts-x86_64/policy-server policy-server-x86_64 - mv artifacts-aarch64/policy-server policy-server-aarch64 - - name: Retrieve tag name (main branch) if: ${{ startsWith(github.ref, 'refs/heads/main') }} run: | echo TAG_NAME=latest >> $GITHUB_ENV + - name: Retrieve tag name (feat branch) if: ${{ startsWith(github.ref, 'refs/heads/feat') }} run: | echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV + - name: Retrieve tag name (tag) if: ${{ startsWith(github.ref, 'refs/tags/') }} run: | echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV + - name: Push and push container image id: build-image uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . - file: ./Dockerfile.github - platforms: linux/amd64, linux/arm64 + file: ./Dockerfile + # platforms: linux/amd64, linux/arm64 + platforms: ${{matrix.targetarch}} push: true + sbom: true + provenance: mode=max tags: | ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }} + - id: setoutput name: Set output parameters run: | diff --git a/Dockerfile b/Dockerfile index edc5e005..578fbac3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,8 @@ +# scan build context for SBOM +ARG BUILDKIT_SBOM_SCAN_CONTEXT=true +# scan intermediate stages for SBOM +ARG BUILDKIT_SBOM_SCAN_STAGE=true + FROM rust:1.80-alpine AS build WORKDIR /usr/src @@ -6,6 +11,9 @@ RUN apk add --no-cache musl-dev make RUN mkdir /usr/src/policy-server WORKDIR /usr/src/policy-server COPY ./ ./ +RUN rustup toolchain install stable-$(arch)-unknown-linux-musl +RUN rustup target add --toolchain stable $(arch)-unknown-linux-musl +# RUN cargo build --release --target $(arch)-unknown-linux-musl RUN cargo install --target $(arch)-unknown-linux-musl --path . FROM alpine AS cfg