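# Release pipeline: publishes the release with GoReleaser, then attaches SBOM
# and SLSA provenance attestations (signed with the cosign key kept in secrets)
# to the container images and the GitHub release, and writes a summary.
#
# Secrets and workflow-context values are passed into `run:` scripts through
# `env:` (and the runner's default GITHUB_* variables) rather than expanded
# with `${{ }}` inside the script text, so their content cannot change the
# shell command being executed.
name: Release
# NOTE(review): this runs on every push to any ref, while the jobs below treat
# github.ref_name as a release tag (GoReleaser, docker manifest lookup) —
# confirm whether a `tags:` filter is intended.
on: push  # yamllint disable-line rule:truthy
permissions:
  contents: read
  packages: read
jobs:
  release:
    permissions:
      contents: write
    runs-on: ubuntu-20.04
    outputs:
      container_tags: ${{ steps.container_info.outputs.container_tags }}
      container_info: ${{ steps.container_info.outputs.container_info }}
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"
      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      IMAGE: docker.io/absaoss/k8gb
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222
        with:
          fetch-depth: 0
      - name: Get tag
        # Second-newest tag by version sort, used as the changelog lower bound
        # (assumes the tag being released is the newest one).
        run: |
          previous_tag=$(git tag --sort=v:refname | tail -2 | head -1)
          echo "previous_tag=${previous_tag}" >> "$GITHUB_ENV"
      - uses: heinrichreimer/github-changelog-generator-action@6653241a44afb59146f719f322005de49a5c3b38
        with:
          token: ${{ secrets.CHANGELOG_GH_TOKEN }}
          project: k8gb
          sinceTag: ${{ env.previous_tag }}
          output: changes
          pullRequests: true
          author: true
          issues: true
          issuesWoLabels: true
          prWoLabels: true
          compareLink: true
          filterByMilestone: true
          unreleased: true
      - name: Install Cosign
        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149  # renovate: tag=v3.3.0
        with:
          cosign-release: 'v1.12.1'
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@b5042e9d19d8b32849779bfe17673ff84aec702d  # renovate: tag=v0.12.0
      - name: Install signing key
        # Key material is written from an env var, owner-readable only.
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
      - name: Set up Go
        uses: actions/setup-go@dd84a9531a6f8e72c321f2aa3b9048ed359670e4
        with:
          go-version: "1.19.1"
      - name: Login to Dockerhub
        uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b  # renovate: tag=v4.2.0
        with:
          version: v1.7.0
          args: release --rm-dist --release-notes=changes
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Get container info
        id: container_info
        # Collects the digests listed in the manifest of the pushed tag together
        # with the tags each digest carries. Exported as compact JSON
        # (container_info) and as a space-separated tag list (container_tags)
        # for the downstream jobs.
        run: |
          function digest_tags {
            while IFS= read -r line ; do
              # `--args $(...)` relies on word splitting to turn the tag lines into positional args.
              jq -n "{digest: \"$line\", tags: \$ARGS.positional}" --args $(docker inspect "${IMAGE}@${line}" --format '{{ join .RepoTags "\n" }}' | sed 's/.*://' | awk '!_[$0]++')
            done <<< "$(docker manifest inspect "${IMAGE}:${GITHUB_REF_NAME}" | grep digest | cut -d '"' -f 4)"
          }
          CONTAINER_INFO="$(digest_tags | jq --slurp . -c)"
          CONTAINER_DIGEST="$(echo "${CONTAINER_INFO}" | jq --raw-output '.[0].digest')"
          CONTAINER_TAGS=$(echo "${CONTAINER_INFO}" | jq --raw-output '[.[].tags[]] | join(" ")')
          set | grep 'CONTAINER_'
          echo "container_info=$CONTAINER_INFO" >> "$GITHUB_ENV"
          echo "container_tags=$CONTAINER_TAGS" >> "$GITHUB_ENV"
          echo "container_info=$CONTAINER_INFO" >> "$GITHUB_OUTPUT"
          echo "container_tags=$CONTAINER_TAGS" >> "$GITHUB_OUTPUT"
      - name: Cleanup signing keys
        if: ${{ always() }}
        run: rm -f cosign.key
  sbom:
    name: sbom
    needs: [release]
    runs-on: ubuntu-20.04
    env:
      TAGS: "${{ needs.release.outputs.container_tags }}"
      IMAGE: docker.io/absaoss/k8gb
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - name: Install cosign
        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76  # renovate: tag=v2.7.0
        with:
          cosign-release: 'v1.12.1'
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@b5042e9d19d8b32849779bfe17673ff84aec702d  # renovate: tag=v0.12.0
      - name: Login to Dockerhub
        uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Attach SBOM
        # For every tag: verify the image signature, generate an SPDX SBOM,
        # attest it, and verify the attestation can be read back.
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
          for t in ${TAGS}; do
            cosign verify --key cosign.pub "${IMAGE}:${t}"
            syft "${IMAGE}:${t}" -o spdx-json > sbom-spdx.json
            cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key "${IMAGE}:${t}"
            cosign verify-attestation -o verified-sbom-spdx.json --type spdx --key cosign.pub "${IMAGE}:${t}"
          done
      - name: Clean up
        if: ${{ always() }}
        run: |
          rm -f cosign.key
  provenance:
    name: provenance
    needs: [release]
    runs-on: ubuntu-20.04
    permissions:
      contents: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - name: Generate provenance for Release
        uses: philips-labs/slsa-provenance-action@37037a07a9316d7d379b3c7574f50e1f43d088b8
        id: provenance-step
        with:
          command: generate
          subcommand: github-release
          arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      - name: Check if uploading provenance failed
        if: ${{ always() }}
        # steps.<id>.outcome is a fixed enum (success/failure/cancelled/skipped).
        run: |
          if [ "${{ steps.provenance-step.outcome }}" = "failure" ]; then
            echo ":x: Uploading provenance for release failed, make sure to delete all the previous releases in GitHub web api before releasing." > "$GITHUB_STEP_SUMMARY"
          fi
      - name: Install cosign
        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76  # renovate: tag=v2.7.0
        with:
          cosign-release: 'v1.12.1'
      - name: Sign provenance
        # Signs provenance.att and uploads the detached signature as a release
        # asset. curl runs with -f so an HTTP error fails the step instead of
        # being silently reported as success.
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          SIGNATURE: provenance.att.sig
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
          cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
          cat "${SIGNATURE}"
          curl_args=(-sSf -H "Authorization: token ${GITHUB_TOKEN}")
          curl_args+=(-H "Accept: application/vnd.github.v3+json")
          release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')"
          if [ -z "${release_id}" ] || [ "${release_id}" = "null" ]; then
            echo "No release named ${GITHUB_REF_NAME} found among the latest releases; cannot upload ${SIGNATURE}" >&2
            exit 1
          fi
          echo "Upload ${SIGNATURE} to release with id ${release_id}…"
          curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
          curl "${curl_args[@]}" \
            --data-binary @"${SIGNATURE}" \
            "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
      - name: Clean up
        if: ${{ always() }}
        run: |
          rm -f cosign.key
  container-provenance:
    name: container-provenance
    needs: [release]
    runs-on: ubuntu-20.04
    # NOTE(review): contents: write is not visibly used by the steps below
    # (they only write to Docker Hub) — confirm before narrowing.
    permissions:
      contents: write
    strategy:
      matrix:
        container: ${{ fromJSON(needs.release.outputs.container_info) }}
    env:
      IMAGE: docker.io/absaoss/k8gb
      DIGEST: ${{ matrix.container.digest }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - name: Install cosign
        uses: sigstore/cosign-installer@ced07f21fb1da67979f539bbc6304c16c0677e76  # renovate: tag=v2.7.0
        with:
          cosign-release: 'v1.12.1'
      - name: Generate provenance for container image
        uses: philips-labs/slsa-provenance-action@37037a07a9316d7d379b3c7574f50e1f43d088b8
        with:
          command: generate
          subcommand: container
          # The stray trailing `}}` that used to follow the --tags expression
          # was passed to the action as a literal argument; removed.
          arguments: --repository docker.io/absaoss/k8gb --output-path provenance.att --digest ${{ matrix.container.digest }} --tags ${{ join(matrix.container.tags, ',') }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      - name: Get slsa-provenance predicate
        run: |
          jq .predicate provenance.att > provenance-predicate.att
      - name: Login to Dockerhub
        uses: docker/login-action@40891eba8c2bcd1309b07ba8b11232f313e86779
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Attach provenance to image
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
          cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key "${IMAGE}@${DIGEST}"
      - name: Verify attestation
        env:
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
        run: |
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify-attestation --key cosign.pub --type slsaprovenance "${IMAGE}@${DIGEST}"
      - name: Cleanup
        if: ${{ always() }}
        run: |
          rm -f cosign.key
  slsa-summary:
    name: Release Summary
    needs: [sbom, provenance, container-provenance, release]
    runs-on: ubuntu-20.04
    env:
      TAGS: "${{ needs.release.outputs.container_tags }}"
      CONTAINER_INFO: "${{ needs.release.outputs.container_info }}"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f8b229487278099721572481264761b1d4fdd530
        with:
          egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
      - name: Make summary for the release pipeline
        # Writes a markdown job summary with links to the release and, per
        # image tag, the cosign commands to verify the signature, SBOM and
        # provenance attestations.
        run: |
          {
            echo "# :seedling: Release Summary"
            echo "- version: [${GITHUB_REF_NAME}](https://github.com/${GITHUB_REPOSITORY}/tree/${GITHUB_REF_NAME})"
            echo "- git sha: [\`${GITHUB_SHA:0:8}\`](https://github.com/${GITHUB_REPOSITORY}/commit/${GITHUB_SHA})"
            echo "- SCM: [:octocat:\`${GITHUB_REPOSITORY}\`](https://github.com/${GITHUB_REPOSITORY})"
            echo "- self reference: [action run #${GITHUB_RUN_ID}](https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID})"
            echo "- release page: [${GITHUB_REF_NAME}](https://github.com/${GITHUB_REPOSITORY}/releases/tag/${GITHUB_REF_NAME})"
            echo "- this github workflow (code): [release.yaml](https://github.com/${GITHUB_REPOSITORY}/blob/${GITHUB_SHA}/.github/workflows/release.yaml)"
            echo "- container images at dockerhub: [docker.io/absaoss/k8gb](https://hub.docker.com/r/absaoss/k8gb/tags)"
            echo ""
            echo "## :closed_lock_with_key: Secure Software Supply Chain"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"
          repo="docker.io/absaoss/k8gb"
          for tag in ${TAGS}; do
            img="${repo}:${tag}"
            # Exact tag match and raw output: the previous substring match could
            # select several entries, and the unquoted digest would have been
            # printed with surrounding double quotes.
            digest=$(echo "${CONTAINER_INFO}" | jq -r --arg tag "${tag}" 'map(select(any(.tags[]; . == $tag))) | .[0].digest')
            {
              echo "### Container image \`${img}\`"
              echo ':lock: Image is signed. You can verify it with the following command:'
              echo '```bash'
              echo "cosign verify --key cosign.pub ${img}"
              echo '```'
              echo ":scroll: SBOM file is attested. You can verify it with the following command:"
              echo '```bash'
              echo "cosign verify-attestation --key cosign.pub --type spdx ${img} \\"
              echo " | jq '.payload |= @base64d | .payload | fromjson | select( .predicateType==\"https://spdx.dev/Document\" ) | .predicate.Data | fromjson | .'"
              echo '```'
              echo ":green_book: SLSA Provenance file is attested. You can verify it with the following command:"
              echo '```bash'
              echo "cosign verify-attestation --key cosign.pub --type slsaprovenance ${repo}@${digest} \\"
              echo " | jq '.payload |= @base64d | .payload | fromjson | select(.predicateType==\"https://slsa.dev/provenance/v0.2\" ) | .'"
              echo '```'
              echo "---"
            } >> "$GITHUB_STEP_SUMMARY"
          done
          {
            echo "**NOTE**"
            echo
            echo 'Instead of using `--key cosign.pub` that requires having the public key locally present, you can alternatively use:'
            echo '```bash'
            # raw.githubusercontent.com URLs are <owner>/<repo>/<ref>/<path>; the
            # earlier "/blob/" segment belonged to the github.com URL form.
            echo "cosign verify --key https://raw.githubusercontent.com/${GITHUB_REPOSITORY}/${GITHUB_REF_NAME}/cosign.pub \${image}"
            echo '```'
            echo
            echo "---"
          } >> "$GITHUB_STEP_SUMMARY"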