From d4a2a981a0f20bc8b407b0df935b86ca19bc4334 Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 20 Dec 2022 10:14:12 +0100 Subject: [PATCH 1/2] Limit workflow job permissions to bare minimum This allows to narrow down workflow permissions in GitHub settings See https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs and https://docs.github.com/en/actions/security-guides/automatic-token-authentication\#permissions-for-the-github_token Signed-off-by: Marco Franssen --- .github/workflows/depsreview.yaml | 7 +-- .github/workflows/nightly_build.yaml | 8 ++-- .github/workflows/pr_build.yaml | 56 ++++++++++++++++++++++++ .github/workflows/release_build.yaml | 65 ++++++++++++++++++++++++++++ 4 files changed, 130 insertions(+), 6 deletions(-) diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml index da99d0c548..58da4b9ddd 100644 --- a/.github/workflows/depsreview.yaml +++ b/.github/workflows/depsreview.yaml @@ -1,12 +1,13 @@ name: 'Dependency Review' on: [pull_request] -permissions: - contents: read - jobs: dependency-review: runs-on: ubuntu-latest + + permissions: + contents: read + steps: - name: 'Checkout Repository' uses: actions/checkout@v3 diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml index e253eab737..7eddbd6b6d 100644 --- a/.github/workflows/nightly_build.yaml +++ b/.github/workflows/nightly_build.yaml @@ -4,9 +4,6 @@ on: # Random minute number to avoid GH scheduler stampede - cron: '37 21 * * *' workflow_dispatch: {} -permissions: - contents: read - packages: write env: NIGHTLY: true @@ -14,6 +11,11 @@ env: jobs: build-and-publish-images: runs-on: ubuntu-20.04 + + permissions: + contents: read + packages: write + steps: - name: Checkout uses: actions/checkout@v3 diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index 5fb102c376..4bed964df6 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml 
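Review bot: The depsreview.yaml hunk deletes the workflow-level `permissions: contents: read` instead of keeping it as a floor beneath the new job-level block, so any job added to this file later without its own `permissions:` falls back to the repository's default token scope. The commit message relies on tightening that default in repository settings, but a top-level `permissions: {}` (or `contents: read`) in the file keeps the workflow least-privilege regardless of how the repository, or a fork of it, is configured, because job-level blocks override it only where they are present. The nightly_build.yaml hunk on this line removes its top-level block in the same way and would benefit from the same floor.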
@@ -11,6 +11,10 @@ jobs: cache-deps: name: cache-deps (linux) runs-on: ubuntu-20.04 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -30,6 +34,10 @@ jobs: name: lint (linux) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -64,6 +72,10 @@ jobs: OS: [ubuntu-20.04, macos-latest] runs-on: ${{ matrix.OS }} needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -83,6 +95,10 @@ jobs: name: unit-test (linux with race detection) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -102,6 +118,10 @@ jobs: name: artifacts (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -133,6 +153,10 @@ jobs: name: images (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -166,6 +190,10 @@ jobs: name: images (windows) runs-on: windows-2022 needs: artifact-windows + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -189,6 +217,10 @@ jobs: scratch-images: runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -222,6 +254,10 @@ jobs: name: integration (linux) runs-on: ubuntu-20.04 needs: [cache-deps, images, scratch-images] + + permissions: + contents: read + strategy: fail-fast: false matrix: @@ -278,6 +314,10 @@ jobs: name: integration (windows) runs-on: windows-2022 needs: images-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -325,6 +365,10 @@ jobs: cache-deps-windows: name: cache-deps (windows) runs-on: windows-2022 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 
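Review bot: Every job visible in these pr_build.yaml hunks receives an identical `permissions: contents: read` block with no workflow-level default, which is the kind of copy-paste that drifts the first time someone adds a job and forgets the block. Since none of these jobs needs more than `contents: read`, a single workflow-level `permissions:` / `contents: read` expresses the same policy once; if the per-job style is kept for consistency with the publishing workflows, a workflow-level `permissions: {}` at least guarantees that a missing block yields no scopes rather than the repository default. On `pull_request` runs from forks the token is read-only regardless, so these blocks mainly matter for same-repository pull requests and for whatever is added to this file next.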
@@ -344,6 +388,10 @@ jobs: name: lint (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -387,6 +435,10 @@ jobs: name: unit-test (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -419,6 +471,10 @@ jobs: name: artifact (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index a6016e84e3..447c8e7bce 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -9,6 +9,10 @@ jobs: cache-deps: name: cache-deps (linux) runs-on: ubuntu-20.04 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -28,6 +32,10 @@ jobs: name: lint (linux) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -62,6 +70,10 @@ jobs: OS: [ubuntu-20.04, macos-latest] runs-on: ${{ matrix.OS }} needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -81,6 +93,10 @@ jobs: name: unit-test (linux with race detection) runs-on: ubuntu-20.04 needs: cache-deps + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -100,6 +116,10 @@ jobs: name: artifacts (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -131,6 +151,10 @@ jobs: name: images (linux) runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -164,6 +188,10 @@ jobs: name: images (windows) runs-on: windows-2022 needs: artifact-windows + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 
@@ -187,6 +215,10 @@ jobs: scratch-images: runs-on: ubuntu-20.04 needs: [cache-deps] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -220,6 +252,10 @@ jobs: name: integration (linux) runs-on: ubuntu-20.04 needs: [cache-deps, images, scratch-images] + + permissions: + contents: read + strategy: fail-fast: false matrix: @@ -287,6 +323,10 @@ jobs: name: integration (windows) runs-on: windows-2022 needs: images-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -334,6 +374,10 @@ jobs: cache-deps-windows: name: cache-deps (windows) runs-on: windows-2022 + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -353,6 +397,10 @@ jobs: name: lint (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -396,6 +444,10 @@ jobs: name: unit-test (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -428,6 +480,10 @@ jobs: name: artifact (windows) runs-on: windows-2022 needs: cache-deps-windows + + permissions: + contents: read + defaults: run: shell: msys2 {0} @@ -478,6 +534,10 @@ jobs: runs-on: ubuntu-20.04 needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifact-windows, integration-windows] + + permissions: + contents: read + steps: - name: Checkout uses: actions/checkout@v3 @@ -501,6 +561,11 @@ jobs: publish-images: runs-on: ubuntu-20.04 needs: [lint, unit-test, unit-test-race-detector, artifacts, integration] + + permissions: + contents: read + packages: write + steps: - name: Checkout uses: actions/checkout@v3 From 23769bfa394a4b1144b459c5f82ceb4870e5545c Mon Sep 17 00:00:00 2001 From: Marco Franssen Date: Tue, 20 Dec 2022 10:34:32 +0100 Subject: [PATCH 2/2] Add container signing using Sigstore keyless 
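Review bot: The job in the `@@ -478,6 +534,10 @@` hunk of release_build.yaml, which fans in from every lint, unit, artifact and integration job and is therefore the natural release-publishing job, is limited to `contents: read`; if its later steps (outside the hunk) create the GitHub release or upload assets with `GITHUB_TOKEN`, those calls will now be rejected and the tag build will fail only after all of the expensive jobs have passed. Please confirm what that job does after the Checkout step, and if it publishes, give this one job `contents: write` rather than widening anything else. The `publish-images` hunk on this line looks right: `contents: read` plus `packages: write` is the minimum for pushing packages with the token.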
Signed-off-by: Marco Franssen --- .github/workflows/nightly_build.yaml | 8 ++++++++ .github/workflows/release_build.yaml | 8 ++++++++ .github/workflows/scripts/push-images.sh | 4 ++++ 3 files changed, 20 insertions(+) diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml index 7eddbd6b6d..046421a9f9 100644 --- a/.github/workflows/nightly_build.yaml +++ b/.github/workflows/nightly_build.yaml @@ -14,11 +14,19 @@ jobs: permissions: contents: read + id-token: write packages: write + env: + COSIGN_EXPERIMENTAL: 1 + steps: - name: Checkout uses: actions/checkout@v3 + - name: Install cosign + uses: sigstore/cosign-installer@v2.8.1 + with: + cosign-release: v1.13.1 - name: Build images run: make images scratch-images - name: Log in to GCR diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index 447c8e7bce..79c31dec2b 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -564,11 +564,19 @@ jobs: permissions: contents: read + id-token: write packages: write + env: + COSIGN_EXPERIMENTAL: 1 + steps: - name: Checkout uses: actions/checkout@v3 + - name: Install cosign + uses: sigstore/cosign-installer@v2.8.1 + with: + cosign-release: v1.13.1 - name: Download archived images uses: actions/download-artifact@v3 with: diff --git a/.github/workflows/scripts/push-images.sh b/.github/workflows/scripts/push-images.sh index 4e9ba19150..4a326c1e06 100755 --- a/.github/workflows/scripts/push-images.sh +++ b/.github/workflows/scripts/push-images.sh @@ -63,4 +63,8 @@ for img in "${OCI_IMAGES[@]}"; do image_to_push="${registry}/${img}:${version}" docker tag "${image_variant}:latest-local" "${image_to_push}" docker push "${image_to_push}" + + image_digest="$(docker inspect "${image_to_push}" --format '{{ index .RepoDigests 0 }}' | awk -F '@' '{ print $2 }')" + + cosign sign "${registry}/${img}@${image_digest}" done
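Review bot: The new `sigstore/cosign-installer@v2.8.1` step in the nightly_build.yaml hunk is pinned to a mutable tag even though it installs the tool that produces this project's image signatures; a moved or compromised tag would let an attacker sign nightly images under this workflow's identity. Pin it to the full commit SHA that v2.8.1 resolves to and keep the version as a trailing comment, `uses: sigstore/cosign-installer@<commit-sha> # v2.8.1`. Scoping `id-token: write` to this job is the right call, but every step in the job, third-party actions included, can then mint an OIDC token for this workflow identity, which is one more reason to pin them by SHA.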
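Review bot: Nothing in the release_build.yaml hunk records what identity the resulting signatures carry, so a consumer of the release images has no documented way to verify them. A comment above the `Install cosign` step along the lines of `# Keyless signing: the certificate subject is this workflow's OIDC identity (workflow path and ref); verifiers should check it together with the issuer https://token.actions.githubusercontent.com`, or a pointer to wherever the release docs describe verification, would close that gap. Minor style: `COSIGN_EXPERIMENTAL: 1` is a YAML integer that GitHub stringifies on the way into the environment; `"1"` makes the intent explicit and follows the usual quoting rule for env values.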
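Review bot: The digest extraction in push-images.sh takes `index .RepoDigests 0` blindly, so it signs whichever entry Docker recorded first rather than the one for `${registry}/${img}` just pushed (the loop reuses `${image_variant}:latest-local` for every registry it is run against), and if `docker inspect` fails the trailing `awk` still exits 0, leaving `image_digest` empty and ending in a `cosign sign` on a malformed reference instead of a clear error. Select the RepoDigests entry for the repository that was just pushed and fail explicitly when none is found; the script's shell options (`set -e`, `pipefail`) are outside the hunk, so the check should not depend on them. The rewritten tail of the loop body is below.
```shell
    docker push "${image_to_push}"

    # Sign by the digest recorded for the repository just pushed, not whichever RepoDigests entry is first.
    image_digest="$(docker inspect "${image_to_push}" --format '{{range .RepoDigests}}{{println .}}{{end}}' \
        | awk -F '@' -v repo="${registry}/${img}" '$1 == repo { print $2; exit }')"
    if [ -z "${image_digest}" ]; then
        echo "could not determine pushed digest for ${image_to_push}" >&2
        exit 1
    fi

    cosign sign "${registry}/${img}@${image_digest}"
```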