From 2df82108096a45114ac53c825fb3fd68b8744d63 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Wed, 21 Jun 2023 18:02:00 +0300 Subject: [PATCH] Add SLSA3 generators to release workflow Generate SLSA level 3 provenance attestations for the controller release assets and for the multi-arch container images. Signed-off-by: Stefan Prodan --- .github/workflows/release.yml | 85 +++++++++++++++++++++++++++++------ .goreleaser.yaml | 19 +++++++- 2 files changed, 89 insertions(+), 15 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 57eb4cb1..7ead2499 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,16 +11,22 @@ on: required: true permissions: - contents: write # needed to write releases - id-token: write # needed for keyless signing - packages: write # needed for ghcr access + contents: read env: CONTROLLER: ${{ github.event.repository.name }} jobs: - build-push: + release: + outputs: + hashes: ${{ steps.slsa.outputs.hashes }} + image_url: ${{ steps.slsa.outputs.image_url }} + image_digest: ${{ steps.slsa.outputs.image_digest }} runs-on: ubuntu-latest + permissions: + contents: write # for creating the GitHub release. + id-token: write # for creating OIDC tokens for signing. + packages: write # for pushing and signing container images. steps: - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -61,6 +67,7 @@ jobs: tags: | type=raw,value=${{ steps.prep.outputs.VERSION }} - name: Publish images + id: build-push uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: sbom: true @@ -72,32 +79,82 @@ jobs: platforms: linux/amd64,linux/arm/v7,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - - name: Check images - run: | - docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5 - name: Sign images env: COSIGN_EXPERIMENTAL: 1 run: | - cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} - cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} + cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }} + cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }} - name: Generate release artifacts if: startsWith(github.ref, 'refs/tags/v') run: | mkdir -p config/release kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml - echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md - uses: anchore/sbom-action/download-syft@4d571ad1038a9cc29d676154ef265ab8f9027042 # v0.14.2 - name: Create release and SBOM + id: run-goreleaser if: startsWith(github.ref, 'refs/tags/v') uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: version: latest - args: release --release-notes=config/release/notes.md --rm-dist --skip-validate + args: release --clean --skip-validate env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Generate SLSA metadata + id: slsa + env: + ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" + run: | + hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) + echo "hashes=$hashes" >> $GITHUB_OUTPUT + + image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }} + echo "image_url=$image_url" >> $GITHUB_OUTPUT + + image_digest=${{ steps.build-push.outputs.digest }} + echo "image_digest=$image_digest" >> $GITHUB_OUTPUT + + release-provenance: + needs: [release] + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + contents: write # for uploading attestations to GitHub releases. + if: startsWith(github.ref, 'refs/tags/v') + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0 + with: + provenance-name: "provenance.intoto.jsonl" + base64-subjects: "${{ needs.release.outputs.hashes }}" + upload-assets: true + + dockerhub-provenance: + needs: [release] + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. + if: startsWith(github.ref, 'refs/tags/v') + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0 + with: + image: ${{ needs.release.outputs.image_url }} + digest: ${{ needs.release.outputs.image_digest }} + registry-username: fluxcdbot + secrets: + registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} + + ghcr-provenance: + needs: [release] + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. + if: startsWith(github.ref, 'refs/tags/v') + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0 + with: + image: ghcr.io/${{ needs.release.outputs.image_url }} + digest: ${{ needs.release.outputs.image_digest }} + registry-username: fluxcdbot + secrets: + registry-password: ${{ secrets.GHCR_TOKEN }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 3caed0b0..09609572 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -4,9 +4,26 @@ builds: - skip: true release: - prerelease: "true" extra_files: - glob: config/release/*.yaml + prerelease: "auto" + header: | + ## Changelog + + [{{.Tag}} changelog](https://github.com/fluxcd/{{.ProjectName}}/blob/{{.Tag}}/CHANGELOG.md) + footer: | + ## Container images + + - `docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}` + - `ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}` + + Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`. + + The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC. + To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/). + +changelog: + skip: true checksum: extra_files: