Merge pull request #128 from uselagoon/attest

fix: attest build artefacts
uselagoon · Jun 7, 2024 · b5b3d10 · b5b3d10
2 parents 54088a3 + c6cfbb9
commit b5b3d10
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 45 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -19,6 +19,7 @@ jobs:
  go-version: stable
  - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
  - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+ id: goreleaser
  with:
  version: latest
  args: build --clean --debug --single-target --snapshot
@@ -46,3 +47,21 @@ jobs:
  file: Dockerfile
  build-args: BINARY=lagoon-opensearch-sync
  context: dist/lagoon-opensearch-sync_linux_amd64_v1
+ check-tag:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+ - id: ccv
+ uses: smlx/ccv@c5f6769c943c082c4e8d8ccf2ec4b6f5f517e1f2 # v0.7.3
+ with:
+ write-tag: false
+ - run: |
+ echo "new-tag=$NEW_TAG"
+ echo "new-tag-version=$NEW_TAG_VERSION"
+ env:
+ NEW_TAG: ${{steps.ccv.outputs.new-tag}}
+ NEW_TAG_VERSION: ${{steps.ccv.outputs.new-tag-version}}
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -23,7 +23,7 @@ jobs:
  uses: vladopajic/go-test-coverage@1079cd4e58dda229c04ffdb6324fc3756b8542ff # v2.10.1
  with:
  profile: cover.out
- local-prefix: github.com/uselagoon/lagoon-opensearch-sync
+ local-prefix: github.com/${{ github.repository }}
  git-token: ${{ secrets.GITHUB_TOKEN }}
  # orphan branch for storing badges
  git-branch: badges
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -35,6 +35,6 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8
+ - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
  with:
  args: -color
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,40 +11,24 @@ jobs:
  contents: write
  runs-on: ubuntu-latest
  outputs:
- new-tag: ${{ steps.bump-tag.outputs.new }}
- new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }}
+ new-tag: ${{ steps.ccv.outputs.new-tag }}
  steps:
  - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
  with:
  fetch-depth: 0
- - name: Configure git
- run: |
- git config --global user.name "$GITHUB_ACTOR"
- git config --global user.email "[email protected]"
- - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
- with:
- go-version: stable
- - name: Install ccv
- run: >
- curl -sSL https://github.com/smlx/ccv/releases/download/v0.3.2/ccv_0.3.2_linux_amd64.tar.gz
- | sudo tar -xz -C /usr/local/bin ccv
  - name: Bump tag if necessary
- id: bump-tag
- run: |
- if [ -z "$(git tag -l "$(ccv)")" ]; then
- git tag "$(ccv)"
- git push --tags
- echo "new=true" >> "$GITHUB_OUTPUT"
- echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT"
- fi
+ id: ccv
+ uses: smlx/ccv@c5f6769c943c082c4e8d8ccf2ec4b6f5f517e1f2 # v0.7.3
  release-build:
  permissions:
  # create release
  contents: write
- # push docker images to regsitry
+ # push docker images to registry
  packages: write
  # use OIDC token for signing
  id-token: write
+ # required by attest-build-provenance
+ attestations: write
  needs: release-tag
  if: needs.release-tag.outputs.new-tag == 'true'
  runs-on: ubuntu-latest
@@ -63,7 +47,6 @@ jobs:
  password: ${{ secrets.GITHUB_TOKEN }}
  - name: Set up environment
  run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
- - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
  - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
  id: sbom
  env:
@@ -73,9 +56,27 @@ jobs:
  env:
  GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }}
  - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+ id: goreleaser
  with:
  version: latest
  args: release --clean
  env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GITHUB_SBOM_PATH: ./sbom.spdx.json
+ # parse artifacts to the format required for image attestation
+ - run: |
+ echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
+ echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
+ id: image_metadata
+ env:
+ ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
+ # attest archives
+ - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-path: "dist/*.tar.gz"
+ # attest images
+ - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-digest: ${{steps.image_metadata.outputs.digest}}
+ subject-name: ${{steps.image_metadata.outputs.name}}
+ push-to-registry: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -22,18 +22,6 @@ builds:
 changelog:
  use: github-native
 
-signs:
-- cmd: cosign
- signature: "${artifact}.sig"
- certificate: "${artifact}.pem"
- args:
- - "sign-blob"
- - "--output-signature=${signature}"
- - "--output-certificate=${certificate}"
- - "${artifact}"
- - "--yes"
- artifacts: checksum
-
 dockers:
 - ids:
  - lagoon-opensearch-sync
@@ -63,14 +51,6 @@ docker_manifests:
  - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-amd64"
  - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-arm64v8"
 
-docker_signs:
-- args:
- - "sign"
- - "${artifact}@${digest}"
- - "--yes"
- artifacts: all
- output: true
-
 release:
  extra_files:
  - glob: "{{ .Env.GITHUB_SBOM_PATH }}"