test #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: push | |
permissions: | |
contents: read | |
packages: read | |
jobs: | |
release: | |
permissions: | |
contents: write | |
runs-on: ubuntu-20.04 | |
outputs: | |
container_tags: ${{ steps.container_info.outputs.container_tags }} | |
container_info: ${{ steps.container_info.outputs.container_info }} | |
env: | |
DOCKER_CLI_EXPERIMENTAL: "enabled" | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 | |
with: | |
fetch-depth: 0 | |
- name: Get tag | |
run: | | |
previous_tag=$(git tag --sort=v:refname | tail -2 | head -1) | |
echo "previous_tag=${previous_tag}" >> $GITHUB_ENV | |
- uses: heinrichreimer/github-changelog-generator-action@6653241a44afb59146f719f322005de49a5c3b38 | |
with: | |
token: ${{ secrets.CHANGELOG_GH_TOKEN }} | |
project: k8gb | |
sinceTag: ${{ env.previous_tag }} | |
output: changes | |
pullRequests: true | |
author: true | |
issues: true | |
issuesWoLabels: true | |
prWoLabels: true | |
compareLink: true | |
filterByMilestone: true | |
unreleased: true | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # renovate: tag=v3.3.0 | |
with: | |
cosign-release: 'v1.12.1' | |
- name: Install Syft | |
uses: anchore/sbom-action/download-syft@b5042e9d19d8b32849779bfe17673ff84aec702d # renovate: tag=v0.12.0 | |
- name: Install signing key | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
- name: Set up Go | |
uses: actions/setup-go@dd84a9531a6f8e72c321f2aa3b9048ed359670e4 | |
with: | |
go-version: 1.19.1 | |
- name: Login to Dockerhub | |
uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779 | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Run GoReleaser | |
uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # renovate: tag=v4.2.0 | |
with: | |
version: v1.7.0 | |
args: release --rm-dist --release-notes=changes | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Get container info | |
id: container_info | |
run: | | |
function digest_tags { | |
while IFS= read -r line ; do | |
jq -n "{digest: \"$line\", tags: \$ARGS.positional}" --args $(docker inspect docker.io/absaoss/k8gb@$line --format '{{ join .RepoTags "\n" }}' | sed 's/.*://' | awk '!_[$0]++') | |
done <<< "$(docker manifest inspect docker.io/absaoss/k8gb:${{ github.ref_name }} | grep digest | cut -d '"' -f 4)" | |
} | |
CONTAINER_INFO="$(digest_tags | jq --slurp . -c)" | |
CONTAINER_DIGEST="$(echo ${CONTAINER_INFO} | jq --raw-output '.[0].digest')" | |
CONTAINER_TAGS=$(echo ${CONTAINER_INFO} | jq --raw-output '[.[].tags[]] | join(" ")') | |
set | grep 'CONTAINER_' | |
echo "container_info=$CONTAINER_INFO" >> $GITHUB_ENV | |
echo "container_tags=$CONTAINER_TAGS" >> $GITHUB_ENV | |
echo "container_info=$CONTAINER_INFO" >> $GITHUB_OUTPUT | |
echo "container_tags=$CONTAINER_TAGS" >> $GITHUB_OUTPUT | |
- name: Cleanup signing keys | |
if: ${{ always() }} | |
run: rm -f cosign.key | |
sbom: | |
name: sbom | |
needs: [release] | |
runs-on: ubuntu-20.04 | |
env: | |
TAGS: "${{ needs.release.outputs.container_tags }}" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Install cosign | |
uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # renovate: tag=v2.7.0 | |
with: | |
cosign-release: 'v1.12.1' | |
- name: Install Syft | |
uses: anchore/sbom-action/download-syft@b5042e9d19d8b32849779bfe17673ff84aec702d # renovate: tag=v0.12.0 | |
- name: Login to Dockerhub | |
uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779 | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Attach SBOM | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
run: | | |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
for t in `echo ${TAGS}`; do | |
cosign verify --key cosign.pub docker.io/absaoss/k8gb:${t} | |
syft docker.io/absaoss/k8gb:${t} -o spdx-json > sbom-spdx.json | |
cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key docker.io/absaoss/k8gb:${t} | |
cosign verify-attestation -o verified-sbom-spdx.json --type spdx --key cosign.pub docker.io/absaoss/k8gb:${t} | |
done | |
- name: Clean up | |
if: ${{ always() }} | |
run: | | |
rm -f cosign.key | |
provenance: | |
name: provenance | |
needs: [release] | |
runs-on: ubuntu-20.04 | |
permissions: | |
contents: write | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Generate provenance for Release | |
uses: philips-labs/slsa-provenance-action@37037a07a9316d7d379b3c7574f50e1f43d088b8 | |
id: provenance-step | |
with: | |
command: generate | |
subcommand: github-release | |
arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Check if uploading provenance failed | |
if: ${{ always() }} | |
run: | | |
[ "x${{steps.provenance-step.outcome}}" == "xfailure" ] && echo ":x: Uploading provenance for release failed, make sure to delete all the previous releases in GitHub web api before releasing." > "$GITHUB_STEP_SUMMARY" || true | |
- name: Install cosign | |
uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # renovate: tag=v2.7.0 | |
with: | |
cosign-release: 'v1.12.1' | |
- name: Sign provenance | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
SIGNATURE: provenance.att.sig | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att | |
cat "${SIGNATURE}" | |
curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}") | |
curl_args+=(-H "Accept: application/vnd.github.v3+json") | |
release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')" | |
echo "Upload ${SIGNATURE} to release with id ${release_id}…" | |
curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")") | |
curl "${curl_args[@]}" \ | |
--data-binary @"${SIGNATURE}" \ | |
"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}" | |
container-provenance: | |
name: container-provenance | |
needs: [release] | |
runs-on: ubuntu-20.04 | |
permissions: | |
contents: write | |
strategy: | |
matrix: | |
container: ${{ fromJSON(needs.release.outputs.container_info) }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Install cosign | |
uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76 # renovate: tag=v2.7.0 | |
with: | |
cosign-release: 'v1.12.1' | |
- name: Generate provenance for container image | |
uses: philips-labs/slsa-provenance-action@37037a07a9316d7d379b3c7574f50e1f43d088b8 | |
with: | |
command: generate | |
subcommand: container | |
arguments: --repository docker.io/absaoss/k8gb --output-path provenance.att --digest ${{ matrix.container.digest }} --tags ${{ join(matrix.container.tags, ',') }} }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Get slsa-provenance predicate | |
run: | | |
cat provenance.att | jq .predicate > provenance-predicate.att | |
- name: Login to Dockerhub | |
uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779 | |
with: | |
username: ${{ secrets.DOCKER_USER }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Attach provenance to image | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key docker.io/absaoss/k8gb@${{ matrix.container.digest }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Verify attestation | |
run: | | |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
cosign verify-attestation --key cosign.pub --type slsaprovenance docker.io/absaoss/k8gb@${{ matrix.container.digest }} | |
- name: Cleanup | |
if: ${{ always() }} | |
run: | | |
rm -f cosign.key | |
slsa-summary: | |
name: Release Summary | |
needs: [sbom, provenance, container-provenance, release] | |
runs-on: ubuntu-20.04 | |
env: | |
TAGS: "${{ needs.release.outputs.container_tags }}" | |
CONTAINER_INFO: "${{ needs.release.outputs.container_info }}" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Make summary for the release pipeline | |
run: | | |
{ | |
echo "# :seedling: Release Summary" | |
echo "- version: [${{ github.ref_name }}](https://github.com/${GITHUB_REPOSITORY}/tree/${{ github.ref_name }})" | |
echo '- git sha: [`'$(echo ${GITHUB_SHA} | cut -c1-8)'`](https://github.com/'${GITHUB_REPOSITORY}'/commit/'${GITHUB_SHA}')' | |
echo '- SCM: [:octocat:`'${GITHUB_REPOSITORY}'`](https://github.com/'${GITHUB_REPOSITORY}')' | |
echo "- self reference: [action run #${{ github.run_id }}](https://github.com/${GITHUB_REPOSITORY}/actions/runs/${{ github.run_id }})" | |
echo "- release page: [${{ github.ref_name }}](https://github.com/${GITHUB_REPOSITORY}/releases/tag/${{ github.ref_name }})" | |
echo "- this github workflow (code): [ci.yaml](https://github.com/${GITHUB_REPOSITORY}/blob/${GITHUB_SHA}/.github/workflows/release.yaml)" | |
echo "- container images at dockerhub: [docker.io/absaoss/k8gb](https://hub.docker.com/r/absaoss/k8gb/tags)" | |
echo "" | |
echo "## :closed_lock_with_key: Secure Software Supply Chain" | |
echo "" | |
} >> "$GITHUB_STEP_SUMMARY" | |
repo="docker.io/absaoss/k8gb" | |
for tag in `echo ${TAGS}`; do | |
img="${repo}:${tag}" | |
digest=$(echo $CONTAINER_INFO | jq "map(select(.tags[] | contains(\"${tag}\"))) | .[].digest") | |
{ | |
echo '### Container image `'${img}'`' | |
echo ':lock: Image is signed. You can verify it with the following command:' | |
echo '```bash' | |
echo "cosign verify --key cosign.pub ${img}" | |
echo '```' | |
echo ":scroll: SBOM file is attested. You can verify it with the following command:" | |
echo '```bash' | |
echo "cosign verify-attestation --key cosign.pub --type spdx ${img} \\" | |
echo " | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\"https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'" | |
echo '```' | |
echo ":green_book: SLSA Provenance file is attested. You can verify it with the following command:" | |
echo '```bash' | |
echo "cosign verify-attestation --key cosign.pub --type slsaprovenance ${repo}@${digest} \\" | |
echo " | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\"https://slsa.dev/provenance/v0.2\" ) | .'" | |
echo '```' | |
echo "---" | |
} >> "$GITHUB_STEP_SUMMARY" | |
done | |
{ | |
echo "**NOTE**" | |
echo | |
echo 'Instead of using `--key cosign.pub` that requires having the public key locally present, you can alternatively use:' | |
echo '```bash' | |
echo "cosign verify --key https://raw.githubusercontent.com/${GITHUB_REPOSITORY}/blob/${{ github.ref_name }}/cosign.pub \${image}" | |
echo '```' | |
echo | |
echo "---" | |
} >> "$GITHUB_STEP_SUMMARY" |