diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d50671f9..0a450a38 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,55 +1,44 @@ name: Continuous integration - on: push: pull_request: - types: [ opened, reopened, synchronize ] + types: [opened, reopened, synchronize] workflow_dispatch: - jobs: build: name: Build runs-on: ubuntu-20.04 - permissions: contents: write # tests create releases packages: read - steps: - name: Checkout - uses: actions/checkout@v3.2.0 - + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3.2.0 - name: Set up Go - uses: actions/setup-go@v3.5.0 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3.5.0 with: go-version-file: go.mod check-latest: true cache: true - - name: Get dependencies run: make download - - name: Lint run: | result="$(make lint)" echo "$result" [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0 - - name: Build run: make build - - name: Test env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: make test-race - - name: Coverage env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" run: make coverage-out - - name: Upload Code Coverage - uses: codecov/codecov-action@v3.1.1 + uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # ratchet:codecov/codecov-action@v3.1.1 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage.out @@ -57,7 +46,6 @@ jobs: name: codecov-umbrella fail_ci_if_error: true verbose: true - release: name: release needs: [build] 
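Review bot: The build job's `permissions: contents: write` (justified by `# tests create releases`) applies to every step and every trigger of this job, including `pull_request` and branch `push`, so lint, build and the third-party codecov step all run under a token that can write to the repository. If the release-creating tests can be isolated, move them into their own job with `contents: write` gated on `github.event_name != 'pull_request'` and leave this job at `permissions: contents: read` plus `packages: read`. Note also that `check-latest: true` on setup-go resolves the newest Go patch release at run time, so the toolchain stays floating even though the actions are now pinned by SHA; pinning is the commit's theme, so confirm that is intended.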
@@ -65,36 +53,29 @@ jobs: container_digest: ${{ steps.container_info.outputs.container_digest }} container_tags: ${{ steps.container_info.outputs.container_tags }} container_repos: ${{ steps.container_info.outputs.container_repos }} - runs-on: ubuntu-20.04 - steps: - name: Checkout - uses: actions/checkout@v3.2.0 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3.2.0 with: fetch-depth: 0 - - name: Set up Go - uses: actions/setup-go@v3.5.0 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3.5.0 with: go-version-file: ./go.mod check-latest: true cache: true - - name: Install cosign - uses: sigstore/cosign-installer@v2.8.1 + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 with: cosign-release: 'v1.13.1' - - name: Install Syft - uses: anchore/sbom-action/download-syft@v0.13.1 - + uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # ratchet:anchore/sbom-action/download-syft@v0.13.1 - name: Login to Container registries if: startsWith(github.ref, 'refs/tags/') run: | echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io - - name: Set release variables id: release-vars run: | 
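Review bot: The `Login to Container registries` step splices `${{ secrets.DOCKER_PASSWORD }}`, `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` into the script text before bash runs, which is the expression-injection pattern GitHub warns about; the actor value is constrained to username characters, but secrets and context values should reach the shell through `env:` so they are ordinary, quotable variables. The same login block appears in the sbom and container-provenance jobs and should be changed the same way. The release job's header is above this hunk, so I cannot see whether it declares `permissions:`; the build job does, and this job writes releases and pushes images, so an explicit block is worth adding if absent.
```yaml
      - name: Login to Container registries
        if: startsWith(github.ref, 'refs/tags/')
        env:
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ACTOR: ${{ github.actor }}
        run: |
          echo "$DOCKER_PASSWORD" | docker login -u philipssoftware --password-stdin
          echo "$GITHUB_TOKEN" | docker login -u "$ACTOR" --password-stdin ghcr.io
```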
@@ -107,13 +88,11 @@ jobs: echo "::set-output name=GIT_HASH::$GIT_HASH" fi rm -f /tmp/spiffe-vault-release-vars.env - - name: Install signing key run: | echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key - - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }} - uses: goreleaser/goreleaser-action@v4 + uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # ratchet:goreleaser/goreleaser-action@v4 with: version: latest args: release --rm-dist ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} ${{ ((startsWith(github.ref, 'refs/tags/') && endsWith(github.ref, '-draft')) && '-f .goreleaser.draft.yml') || '' }} @@ -122,7 +101,6 @@ jobs: LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }} GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Get container info id: container_info if: startsWith(github.ref, 'refs/tags/') @@ -131,17 +109,14 @@ jobs: echo "::set-output name=container_digest::$CONTAINER_DIGEST" echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" echo "::set-output name=container_repos::$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" - - name: Logout from Container registries if: ${{ always() }} run: | docker logout docker logout ghcr.io - - name: Cleanup signing keys if: ${{ always() }} run: rm -f cosign.key - sbom: name: sbom needs: [release] 
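Review bot: `Install signing key` writes the private key with `echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key`, so the secret is substituted into the script source before bash parses it, with only the single quotes protecting it; the `Cleanup signing keys` step later in the job removes the file, but the write itself should go through an environment variable: `env:` / `  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}` / `run: printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key`. The `Set release variables` step at the top of the hunk still uses `::set-output`, which GitHub has deprecated in favour of appending `name=value` to `$GITHUB_OUTPUT`; that step begins above the hunk.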
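Review bot: `Get container info` emits its three outputs with `echo "::set-output name=…::…"`, a workflow command GitHub has deprecated; the supported form appends to the `$GITHUB_OUTPUT` file, e.g. `echo "container_digest=$CONTAINER_DIGEST" >> "$GITHUB_OUTPUT"`, and likewise for `container_tags` and `container_repos`. These outputs feed the `fromJSON(needs.release.outputs.container_repos)` matrices and the `cosign` commands in later jobs, so they must keep working once the old command is switched off. The step's `run:` block starts above the hunk.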
@@ -149,25 +124,20 @@ jobs: runs-on: ubuntu-20.04 env: TAGS: "${{ needs.release.outputs.container_tags }}" - strategy: matrix: repo: ${{ fromJSON(needs.release.outputs.container_repos) }} - steps: - name: Install cosign - uses: sigstore/cosign-installer@v2.8.1 + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 with: cosign-release: 'v1.13.1' - - name: Install Syft - uses: anchore/sbom-action/download-syft@v0.13.1 - + uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # ratchet:anchore/sbom-action/download-syft@v0.13.1 - name: Login to Container registries run: | echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io - - name: Attach SBOM env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} 
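Review bot: The sbom job's `Login to Container registries` step has no `if:` of its own, unlike the release job's, so its gating depends on a job-level `if:` that would sit on the single line not shown between this hunk and the previous one; if that gate is absent, every snapshot run logs into Docker Hub and ghcr.io with `DOCKER_PASSWORD`. Either way, the step pipes `${{ secrets.DOCKER_PASSWORD }}` and `${{ secrets.GITHUB_TOKEN }}` straight into the script text; pass them through `env:` and use `"$DOCKER_PASSWORD"` / `"$GITHUB_TOKEN"` in the `run:` block instead. The matrix value `${{ fromJSON(needs.release.outputs.container_repos) }}` comes from a prior job's `make container-repos` output, which is acceptable as long as that target only ever prints repository names.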
@@ -181,35 +151,30 @@ jobs: cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${{ matrix.repo }}:${t} cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${{ matrix.repo }}:${t} done - - name: Clean up & Logout from Container registries if: ${{ always() }} run: | docker logout docker logout ghcr.io rm -f cosign.key - provenance: name: provenance needs: [release] if: startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-20.04 - steps: - name: Generate provenance for Release - uses: philips-labs/slsa-provenance-action@v0.8.0 + uses: philips-labs/slsa-provenance-action@752766b8a3b1ebd09d599e163eeec8fa39e677aa # ratchet:philips-labs/slsa-provenance-action@v0.8.0 with: command: generate subcommand: github-release arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }} env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - name: Install cosign - uses: sigstore/cosign-installer@v2.8.1 + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 with: cosign-release: 'v1.13.1' - - name: Sign provenance run: | echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key 
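Review bot: The `cosign attest` and `cosign verify-attestation` lines interpolate `${{ matrix.repo }}` directly into the shell command, and the loop they sit in begins above the hunk; the value originates from a previous job's output rather than from a literal in this file, so declare it once as `env:` / `  REPO: ${{ matrix.repo }}` on the step and reference `"$REPO:${t}"` in both commands. In the provenance job, `--tag-name ${{ github.ref_name }}` is likewise inlined into the action's `arguments:` input; tag names are set by pushers, but git permits characters such as `;` and `$` in them, so the same move to an env var is prudent if the action's entrypoint hands `arguments` to a shell (not visible here). `Sign provenance` writes `cosign.key` at the end of the hunk; the matching removal, if any, falls outside it.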
@@ -229,54 +194,45 @@ jobs: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} SIGNATURE: provenance.att.sig - container-provenance: name: container-provenance needs: [release] if: startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-20.04 - strategy: matrix: repo: ${{ fromJSON(needs.release.outputs.container_repos) }} - steps: - name: Install cosign - uses: sigstore/cosign-installer@v2.8.1 + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 with: cosign-release: 'v1.13.1' - - name: Generate provenance for ${{ matrix.repo }} - uses: philips-labs/slsa-provenance-action@v0.8.0 + uses: philips-labs/slsa-provenance-action@752766b8a3b1ebd09d599e163eeec8fa39e677aa # ratchet:philips-labs/slsa-provenance-action@v0.8.0 with: command: generate subcommand: container arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }} env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - name: Get slsa-provenance predicate run: | cat provenance.att | jq .predicate > provenance-predicate.att - - name: Login to Container registries if: startsWith(github.ref, 'refs/tags/') run: | echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io - - name: Attach provenance to image run: | echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - name: Verify attestation run: | echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} - - name: 
Logout from Container registries if: ${{ always() }} run: | diff --git a/.github/workflows/example-local.yaml b/.github/workflows/example-local.yaml index 1006078d..a977db34 100644 --- a/.github/workflows/example-local.yaml +++ b/.github/workflows/example-local.yaml @@ -1,5 +1,4 @@ name: Create a provenance - on: workflow_dispatch: inputs: @@ -9,7 +8,6 @@ on: car_input: description: 'Car to input in the artifact text file' required: false - jobs: build: name: Build artifact @@ -17,26 +15,21 @@ jobs: steps: # traditionally you would build your code here and generate an artifact - name: Create first artifact - run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt - + run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt - name: Create second artifact - run: echo "audi, tesla, bmw" > cars.txt - + run: echo "audi, tesla, bmw" > cars.txt - name: Input workflow ingredient - if: ${{ github.event.inputs.ingredient_input != '' }} + if: ${{ github.event.inputs.ingredient_input != '' }} run: | echo ", ${{github.event.inputs.ingredient_input}}" >> salsa.txt - - name: Input workflow cars - if: ${{ github.event.inputs.car_input != '' }} + if: ${{ github.event.inputs.car_input != '' }} run: | echo ", ${{github.event.inputs.car_input}}" >> cars.txt - - name: Upload artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 with: path: '*.txt' - generate-provenance: needs: build name: Generate build provenance 
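Review bot: The container-provenance job writes `cosign.key` in `Attach provenance to image` and `cosign.pub` in `Verify attestation`, but its closing step is only `Logout from Container registries`, whose `run:` body is cut off at the end of the hunk; the sbom job pairs the same logout with `rm -f cosign.key`, so this job should do likewise unless the hidden lines already do, e.g. `rm -f cosign.key cosign.pub` after the two `docker logout` lines. Both key writes use `echo '${{ secrets.… }}' > file`, which substitutes the secret into the script text; an `env:` entry and `printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key` keeps it out of the script. The `if: startsWith(github.ref, 'refs/tags/')` on `Login to Container registries` duplicates the job-level `if:` and can be dropped.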
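Review bot: `Input workflow ingredient` and `Input workflow cars` splice `${{github.event.inputs.ingredient_input}}` and `${{github.event.inputs.car_input}}` into the `run:` script, so whoever dispatches the workflow can inject shell commands (an input such as `"; curl …; echo "` is executed as code, since the expression is expanded before bash sees the script). Triggering `workflow_dispatch` needs write access, which limits the audience, but this is an example users copy, so route the inputs through `env:` and quote them. The reindented `if:` lines are fine as they are.
```yaml
      - name: Input workflow ingredient
        if: ${{ github.event.inputs.ingredient_input != '' }}
        env:
          INGREDIENT: ${{ github.event.inputs.ingredient_input }}
        run: |
          echo ", $INGREDIENT" >> salsa.txt
      - name: Input workflow cars
        if: ${{ github.event.inputs.car_input != '' }}
        env:
          CAR: ${{ github.event.inputs.car_input }}
        run: |
          echo ", $CAR" >> cars.txt
```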
@@ -44,23 +37,19 @@ jobs: steps: # checkout only required to run local action (defined in this repo) - name: Checkout - uses: actions/checkout@v3.2.0 - + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3.2.0 - name: Download build artifact - uses: actions/download-artifact@v3.0.1 - + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3.0.1 - name: Generate some extra materials (this usually happens as part of the build process) run: | echo '[{"uri": "pkg:deb/debian/stunnel4@5.50-3?arch=amd64", "digest": {"sha256": "e1731ae217fcbc64d4c00d707dcead45c828c5f762bcf8cc56d87de511e096fa"}}]' > extra-materials.json - - name: Generate provenance # use action in the root directory uses: ./ with: artifact_path: artifact/ extra_materials: extra-materials.json - - name: Upload provenance - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 with: path: provenance.json diff --git a/.github/workflows/example-publish.yaml b/.github/workflows/example-publish.yaml index 10c3f9af..95070a47 100644 --- a/.github/workflows/example-publish.yaml +++ b/.github/workflows/example-publish.yaml @@ -1,8 +1,6 @@ name: Create a provenance from marketplace - on: workflow_dispatch: - jobs: build: name: Build artifact 
@@ -10,29 +8,25 @@ jobs: steps: # traditionally you would build your code here and generate an artifact - name: Create artifact - run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt - + run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt - name: Upload artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 with: path: salsa.txt - generate-provenance: needs: build name: Generate build provenance runs-on: ubuntu-latest steps: - name: Download build artifact - uses: actions/download-artifact@v3.0.1 - + uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3.0.1 - name: Generate provenance - uses: philips-labs/slsa-provenance-action@v0.8.0 + uses: philips-labs/slsa-provenance-action@752766b8a3b1ebd09d599e163eeec8fa39e677aa # ratchet:philips-labs/slsa-provenance-action@v0.8.0 with: command: generate subcommand: files arguments: --artifact-path artifact/ --output-path provenance.json - - name: Upload provenance - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 with: path: provenance.json