diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
new file mode 100644
index 00000000..506a8b60
--- /dev/null
+++ b/.github/workflows/docker-build.yml
@@ -0,0 +1,34 @@
+name: Build images
+permissions: {}
+
+on:
+ push:
+ branches:
+ - '*'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ build-images:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - name: Setup caches
+ uses: ./.github/actions/setup-caches
+ timeout-minutes: 5
+ continue-on-error: true
+ with:
+ build-cache-key: build-images
+ - name: ko build
+ run: VERSION=${{ github.ref_name }} REPOSITORY=${GITHUB_REPOSITORY} make ko-build-all
+ - name: Trivy Scan Image
+ uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
\ No newline at end of file
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 00000000..ed7d8d0c
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
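Review bot: The step named `Trivy Scan Image` runs with `scan-type: 'fs'`, so it scans the checked-out repository rather than the image `make ko-build-all` just produced, and the `trivy-results.sarif` it writes is never uploaded (no upload-sarif step) nor, with `exit-code` left at the action's default, able to fail the job. Either point it at the built image with `scan-type: 'image'` and an `image-ref:` of the tag the Makefile target produces, or rename it to say it scans the repo and add `exit-code: '1'` so CRITICAL/HIGH findings actually gate the build. Separately, the trigger `branches: - '*'` does not match branch names containing `/`, because the `*` glob stops at a slash, so `'**'` is probably what was intended. The `ko build` step also interpolates `${{ github.ref_name }}` straight into the shell line; supplying it through an `env:` block on the step (e.g. `env: VERSION: ${{ github.ref_name }}` and a `run:` that reads `$VERSION`) keeps a branch name containing shell metacharacters from being parsed as shell, assuming the Makefile lets the environment value through.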
@@ -0,0 +1,69 @@
+name: Publish images
+permissions: {}
+
+on:
+ push:
+ tags:
+ - "v*"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ publish-images:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ id-token: write
+ outputs:
+ capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - name: Setup caches
+ uses: ./.github/actions/setup-caches
+ timeout-minutes: 5
+ continue-on-error: true
+ with:
+ build-cache-key: publish-images
+ - name: Run Trivy vulnerability (Repo)
+ uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ - name: Publish Capsule
+ id: publish-capsule
+ uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
+ with:
+ makefile-target: ko-publish-capsule
+ registry: ghcr.io
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+ repository: ${{ github.repository_owner }}
+ version: ${{ github.ref_name }}
+ sign-image: true
+ sbom-name: capsule
+ sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ main-path: ./
+ env:
+ REPOSITORY: ${{ github.repository }}
+ generate-capsule-provenance:
+ needs: publish-images
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/capsule
+ digest: "${{ needs.publish-images.outputs.capsule-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.ko.yaml b/.ko.yaml
new file mode 100644
index 00000000..9f61007b
--- /dev/null
+++ b/.ko.yaml
@@ -0,0 +1,8 @@
+defaultPlatforms:
+- linux/arm64
+- linux/amd64
+builds:
+- id: capsule
+ main: ./
+ ldflags:
+ - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}'
\ No newline at end of file
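Review bot: The `Run Trivy vulnerability (Repo)` step in `publish-images` cannot gate the release: it only writes `trivy-results.sarif`, which no later step uploads, and with `exit-code` unset the action's default is to exit 0, so `Publish Capsule` and the signing run regardless of CRITICAL/HIGH findings; add `exit-code: '1'` (or an upload-sarif step backed by a required check) if the scan is meant to block a publish. That job also hands `secrets.GITHUB_TOKEN` with `packages: write`, plus an `id-token: write` context, to `oliverbaehler/github-actions/ko-publish-image`, an action from a personal namespace — the SHA pin is the right thing, but the action sits inside the signing trust boundary, so it deserves a review at the pinned commit or vendoring into the repo. The reusable workflow `slsa-framework/slsa-github-generator/...@v1.9.0` is the one reference in this PR pinned by tag rather than SHA; if that is deliberate (the generator's own documentation asks to be referenced by tag), a comment on that line such as `# pinned by tag on purpose: the SLSA generator is referenced by tag per its docs` would keep a later reviewer from "fixing" it. The `packages: write # To upload assets to release.` comment under `generate-capsule-provenance` reads as copied from the generic generator example; for the container generator the permission is needed to push the provenance to the registry, and the comment should say so.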
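Review bot: No `defaultBaseImage` is set in `.ko.yaml`, so every build — and the SLSA provenance generated for it — floats on whatever ko's built-in default base image resolves to at build time (unless overridden via `KO_DEFAULTBASEIMAGE`), which makes the published image non-reproducible and lets its contents change silently when the upstream base moves. Pin it by digest, e.g. `defaultBaseImage: <base-image-ref>@sha256:<digest>` (placeholders to be filled from the intended base), and bump it deliberately so base-image updates show up in review. The sequence style also appears mixed — `defaultPlatforms` and `builds` use flush `-` items while the `ldflags` item looks indented — and the file has no trailing newline; pick one sequence indentation and end the file with a newline.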