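name: Release
# NOTE(review): this triggers on every push, yet the jobs below treat github.ref_name as
# the release tag (image lookup by tag, GitHub release lookup by name) — confirm whether a
# `tags:` filter is intended before relying on branch pushes to behave.
on: push
# Least privilege by default; individual jobs widen `contents` only where they upload.
permissions:
  contents: read
  packages: read
jobs:
  # Builds the release with GoReleaser, signs it, and exposes the pushed image digests/tags
  # to the downstream SBOM and provenance jobs.
  release:
    permissions:
      contents: write
    runs-on: ubuntu-20.04
    outputs:
      container_tags: ${{ steps.container_info.outputs.container_tags }}
      container_info: ${{ steps.container_info.outputs.container_info }}
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      # Pass the ref through the environment instead of templating it into `run:` scripts:
      # ref names may contain shell metacharacters, and an env var is always expanded as data.
      REF_NAME: ${{ github.ref_name }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
        with:
          fetch-depth: 0 # full history so `git tag` below can see the previous release tag
      - name: Get tag
        run: |
          # Second-newest tag by version order, used as the changelog lower bound.
          previous_tag=$(git tag --sort=v:refname | tail -2 | head -1)
          echo "previous_tag=${previous_tag}" >> "$GITHUB_ENV"
      - uses: heinrichreimer/github-changelog-generator-action@6653241a44afb59146f719f322005de49a5c3b38
        with:
          token: ${{ secrets.CHANGELOG_GH_TOKEN }}
          project: k8gb
          sinceTag: ${{ env.previous_tag }}
          output: changes
          pullRequests: true
          author: true
          issues: true
          issuesWoLabels: true
          prWoLabels: true
          compareLink: true
          filterByMilestone: true
          unreleased: true
      - name: Install Cosign
        # NOTE(review): pinned to a different installer commit than the other jobs
        # (renovate: tag=v2.7.0 there) — confirm the divergence is intended.
        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # renovate: tag=v3.3.0
        with:
          cosign-release: 'v1.12.1'
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@b5042e9d19d8b32849779bfe17673ff84aec702d # renovate: tag=v0.12.0
      - name: Install signing key
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        # printf from an env var keeps the key out of the generated script text and is safe
        # for any quote characters in the PEM block, which `echo '${{ ... }}'` is not.
        # umask 077 keeps the key file owner-readable only.
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
      - name: Set up Go
        uses: actions/setup-go@dd84a9531a6f8e72c321f2aa3b9048ed359670e4
        with:
          go-version: "1.19.1"
      - name: Login to Dockerhub
        uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # renovate: tag=v4.2.0
        with:
          version: v1.7.0
          args: release --rm-dist --release-notes=changes
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Get container info
        id: container_info
        run: |
          # Emit one {digest, tags} JSON object per digest found in the pushed manifest.
          function digest_tags {
            while IFS= read -r line ; do
              # $(docker inspect ...) is deliberately unquoted: one positional arg per tag.
              jq -n "{digest: \"$line\", tags: \$ARGS.positional}" --args $(docker inspect "docker.io/absaoss/k8gb@$line" --format '{{ join .RepoTags "\n" }}' | sed 's/.*://' | awk '!_[$0]++')
            done <<< "$(docker manifest inspect "docker.io/absaoss/k8gb:${REF_NAME}" | grep digest | cut -d '"' -f 4)"
          }
          CONTAINER_INFO="$(digest_tags | jq --slurp . -c)"
          CONTAINER_DIGEST="$(echo "${CONTAINER_INFO}" | jq --raw-output '.[0].digest')"
          CONTAINER_TAGS=$(echo "${CONTAINER_INFO}" | jq --raw-output '[.[].tags[]] | join(" ")')
          # Echo the collected values into the log for troubleshooting (no secrets in them).
          set | grep 'CONTAINER_'
          echo "container_info=$CONTAINER_INFO" >> "$GITHUB_ENV"
          echo "container_tags=$CONTAINER_TAGS" >> "$GITHUB_ENV"
          echo "container_info=$CONTAINER_INFO" >> "$GITHUB_OUTPUT"
          echo "container_tags=$CONTAINER_TAGS" >> "$GITHUB_OUTPUT"
      - name: Cleanup signing keys
        if: ${{ always() }}
        run: rm -f cosign.key

  # Generates an SPDX SBOM per pushed tag, attests it with cosign and verifies the attestation.
  sbom:
    name: sbom
    needs: [release]
    runs-on: ubuntu-20.04
    env:
      TAGS: "${{ needs.release.outputs.container_tags }}"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Install cosign
        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # renovate: tag=v2.7.0
        with:
          cosign-release: 'v1.12.1'
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@b5042e9d19d8b32849779bfe17673ff84aec702d # renovate: tag=v0.12.0
      - name: Login to Dockerhub
        uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Attach SBOM
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
          for t in ${TAGS}; do
            image="docker.io/absaoss/k8gb:${t}"
            # Refuse to attest an image whose signature does not verify first.
            cosign verify --key cosign.pub "${image}"
            syft "${image}" -o spdx-json > sbom-spdx.json
            cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key "${image}"
            cosign verify-attestation -o verified-sbom-spdx.json --type spdx --key cosign.pub "${image}"
          done
      - name: Clean up
        if: ${{ always() }}
        run: rm -f cosign.key cosign.pub

  # Generates SLSA provenance for the GitHub release assets, signs it and uploads the signature.
  provenance:
    name: provenance
    needs: [release]
    runs-on: ubuntu-20.04
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Generate provenance for Release
        uses: philips-labs/slsa-provenance-action@37037a07a9316d7d379b3c7574f50e1f43d088b8
        id: provenance-step
        with:
          command: generate
          subcommand: github-release
          arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      - name: Check if uploading provenance failed
        # Evaluate the outcome in the expression so the shell never sees it as text.
        if: ${{ always() && steps.provenance-step.outcome == 'failure' }}
        run: |
          echo ":x: Uploading provenance for release failed, make sure to delete all the previous releases in GitHub web api before releasing." > "$GITHUB_STEP_SUMMARY"
      - name: Install cosign
        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # renovate: tag=v2.7.0
        with:
          cosign-release: 'v1.12.1'
      - name: Sign provenance
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          SIGNATURE: provenance.att.sig
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
          cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
          cat "${SIGNATURE}"
          # -f makes a non-2xx API answer fail the step instead of silently uploading nothing.
          curl_args=(-sf -H "Authorization: token ${GITHUB_TOKEN}")
          curl_args+=(-H "Accept: application/vnd.github.v3+json")
          # Look the release up by name; --arg keeps the ref name out of the jq program text.
          release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" \
            | jq -r --arg name "${GITHUB_REF_NAME}" 'map(select(.name == $name)) | .[0].id')"
          if [ -z "${release_id}" ] || [ "${release_id}" = "null" ]; then
            echo "No release named ${GITHUB_REF_NAME} found among the last 10 releases" >&2
            exit 1
          fi
          echo "Upload ${SIGNATURE} to release with id ${release_id}…"
          curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
          curl "${curl_args[@]}" \
            --data-binary @"${SIGNATURE}" \
            "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
      - name: Cleanup signing keys
        if: ${{ always() }}
        run: rm -f cosign.key

  # Generates, attests and verifies SLSA provenance for every pushed image digest.
  container-provenance:
    name: container-provenance
    needs: [release]
    runs-on: ubuntu-20.04
    permissions:
      contents: write
    strategy:
      matrix:
        container: ${{ fromJSON(needs.release.outputs.container_info) }}
    env:
      # Digest comes from the release job's `docker inspect` output; still passed as data.
      IMAGE_DIGEST: ${{ matrix.container.digest }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Install cosign
        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # renovate: tag=v2.7.0
        with:
          cosign-release: 'v1.12.1'
      - name: Generate provenance for container image
        uses: philips-labs/slsa-provenance-action@37037a07a9316d7d379b3c7574f50e1f43d088b8
        with:
          command: generate
          subcommand: container
          # A stray trailing `}}` after the join() expression was previously passed to the
          # action as a literal extra argument.
          arguments: --repository docker.io/absaoss/k8gb --output-path provenance.att --digest ${{ matrix.container.digest }} --tags ${{ join(matrix.container.tags, ',') }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      - name: Get slsa-provenance predicate
        run: |
          jq .predicate provenance.att > provenance-predicate.att
      - name: Login to Dockerhub
        uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Attach provenance to image
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
          cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key "docker.io/absaoss/k8gb@${IMAGE_DIGEST}"
      - name: Verify attestation
        env:
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
        run: |
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify-attestation --key cosign.pub --type slsaprovenance "docker.io/absaoss/k8gb@${IMAGE_DIGEST}"
      - name: Cleanup
        if: ${{ always() }}
        run: rm -f cosign.key cosign.pub

  # Writes a Markdown job summary with verification commands for every released image.
  slsa-summary:
    name: Release Summary
    needs: [sbom, provenance, container-provenance, release]
    runs-on: ubuntu-20.04
    env:
      TAGS: "${{ needs.release.outputs.container_tags }}"
      CONTAINER_INFO: "${{ needs.release.outputs.container_info }}"
      REF_NAME: ${{ github.ref_name }}
      RUN_ID: ${{ github.run_id }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
      - name: Make summary for the release pipeline
        run: |
          short_sha="${GITHUB_SHA:0:8}"
          {
            echo "# :seedling: Release Summary"
            echo "- version: [${REF_NAME}](https://github.com/${GITHUB_REPOSITORY}/tree/${REF_NAME})"
            echo "- git sha: [\`${short_sha}\`](https://github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA})"
            echo "- SCM: [:octocat:\`${GITHUB_REPOSITORY}\`](https://github.com/${GITHUB_REPOSITORY})"
            echo "- self reference: [action run #${RUN_ID}](https://github.com/${GITHUB_REPOSITORY}/actions/runs/${RUN_ID})"
            echo "- release page: [${REF_NAME}](https://github.com/${GITHUB_REPOSITORY}/releases/tag/${REF_NAME})"
            echo "- this github workflow (code): [release.yaml](https://github.com/${GITHUB_REPOSITORY}/blob/${GITHUB_SHA}/.github/workflows/release.yaml)"
            echo "- container images at dockerhub: [docker.io/absaoss/k8gb](https://hub.docker.com/r/absaoss/k8gb/tags)"
            echo ""
            echo "## :closed_lock_with_key: Secure Software Supply Chain"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"
          repo="docker.io/absaoss/k8gb"
          for tag in ${TAGS}; do
            img="${repo}:${tag}"
            # Exact tag match with raw output: substring matching could pick a neighbouring
            # tag (v1.0 vs v1.0.1), and without -r the digest would keep its JSON quotes.
            digest=$(echo "${CONTAINER_INFO}" | jq -r --arg tag "${tag}" 'map(select(any(.tags[]; . == $tag))) | .[0].digest')
            {
              echo "### Container image \`${img}\`"
              echo ':lock: Image is signed. You can verify it with the following command:'
              echo '```bash'
              echo "cosign verify --key cosign.pub ${img}"
              echo '```'
              echo ":scroll: SBOM file is attested. You can verify it with the following command:"
              echo '```bash'
              echo "cosign verify-attestation --key cosign.pub --type spdx ${img} \\"
              echo " | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\"https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
              echo '```'
              echo ":green_book: SLSA Provenance file is attested. You can verify it with the following command:"
              echo '```bash'
              echo "cosign verify-attestation --key cosign.pub --type slsaprovenance ${repo}@${digest} \\"
              echo " | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\"https://slsa.dev/provenance/v0.2\" ) | .'"
              echo '```'
              echo "---"
            } >> "$GITHUB_STEP_SUMMARY"
          done
          {
            echo "**NOTE**"
            echo
            echo 'Instead of using `--key cosign.pub` that requires having the public key locally present, you can alternatively use:'
            echo '```bash'
            # raw.githubusercontent.com URLs are /OWNER/REPO/REF/PATH — no `/blob/` segment.
            echo "cosign verify --key https://raw.githubusercontent.com/${GITHUB_REPOSITORY}/${REF_NAME}/cosign.pub \${image}"
            echo '```'
            echo
            echo "---"
          } >> "$GITHUB_STEP_SUMMARY"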