Bump cosign to v2.2.3 #1409

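---
# Continuous integration pipeline.
#
#   build                -> lint, build, race tests, coverage (every push / PR)
#   release              -> goreleaser (snapshot on non-tag refs), container info
#   sbom                 -> SPDX SBOM attestation per container repo (tags only)
#   provenance           -> SLSA provenance for the GitHub release (tags only)
#   container-provenance -> SLSA provenance attestation per container repo (tags only)
#
# Values that come from workflow expressions (secrets, github.*, matrix.*,
# job outputs) are handed to shell steps through `env:` rather than being
# interpolated into the script text, so they are never re-parsed by the shell.
name: Continuous integration

# "on" is read as boolean true by generic YAML 1.1 parsers; GitHub's loader
# treats it as the trigger key.
on:
  push:
  pull_request:
    types: [opened, reopened, synchronize]
  workflow_dispatch:

jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    permissions:
      contents: write # tests create releases
      packages: read
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/[email protected]

      - name: Set up Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # ratchet:actions/[email protected]
        with:
          go-version-file: go.mod
          check-latest: true
          cache: true

      - name: Get dependencies
        run: make download

      - name: Lint
        # `make lint` is expected to print a unified diff when formatting
        # changes are needed; any such diff fails the step.
        run: |
          result="$(make lint)"
          echo "$result"
          if echo "$result" | grep -q 'diff -u'; then
            exit 1
          fi

      - name: Build
        run: make build

      - name: Test
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make test-race

      - name: Coverage
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make coverage-out

      - name: Upload Code Coverage
        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # ratchet:codecov/[email protected]
        with:
          token: "${{ secrets.CODECOV_TOKEN }}"
          files: ./coverage.out
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: true
          verbose: true

  release:
    name: release
    needs: [build]
    permissions:
      contents: write
      packages: write
      id-token: write
    # Consumed by the sbom / container-provenance jobs; only populated on tag
    # refs (see the "Get container info" step).
    outputs:
      container_digest: "${{ steps.container_info.outputs.container_digest }}"
      container_tags: "${{ steps.container_info.outputs.container_tags }}"
      container_repos: "${{ steps.container_info.outputs.container_repos }}"
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/[email protected]
        with:
          fetch-depth: 0 # full history, so tags and commits are available to the release tooling

      - name: Set up Go
        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # ratchet:actions/[email protected]
        with:
          go-version-file: ./go.mod
          check-latest: true
          cache: true

      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # ratchet:sigstore/[email protected]
        with:
          cosign-release: 'v2.2.3'

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@719133684c7d294116626d1344fe64f0d2ff3e9e # ratchet:anchore/sbom-action/[email protected]

      - name: Login to Container registries
        # Only tag builds push images; snapshot builds never need credentials.
        if: startsWith(github.ref, 'refs/tags/')
        env:
          DOCKER_PASSWORD: "${{ secrets.DOCKER_PASSWORD }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          echo "$DOCKER_PASSWORD" | docker login -u philipssoftware --password-stdin
          echo "$GITHUB_TOKEN" | docker login -u "$GITHUB_ACTOR" --password-stdin ghcr.io

      - name: Set release variables
        id: release-vars
        # `make release-vars` emits shell assignments (LDFLAGS, GIT_HASH);
        # forward the non-empty ones as step outputs for the release step.
        run: |
          make release-vars > /tmp/spiffe-vault-release-vars.env
          source /tmp/spiffe-vault-release-vars.env
          if [[ -n "$LDFLAGS" ]]; then
            echo "LDFLAGS=$LDFLAGS" >> "$GITHUB_OUTPUT"
          fi
          if [[ -n "$GIT_HASH" ]]; then
            echo "GIT_HASH=$GIT_HASH" >> "$GITHUB_OUTPUT"
          fi
          rm -f /tmp/spiffe-vault-release-vars.env

      - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # ratchet:goreleaser/goreleaser-action@v4
        with:
          version: latest
          # Non-tag refs build a snapshot (nothing published); tags ending in
          # "-draft" use the draft goreleaser configuration.
          args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} ${{ ((startsWith(github.ref, 'refs/tags/') && endsWith(github.ref, '-draft')) && '-f .goreleaser.draft.yml') || '' }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          LDFLAGS: "${{ steps.release-vars.outputs.LDFLAGS }}"
          GIT_HASH: "${{ steps.release-vars.outputs.GIT_HASH }}"
          COSIGN_PRIVATE_KEY: "${{ secrets.COSIGN_PRIVATE_KEY }}"
          COSIGN_PASSWORD: "${{ secrets.COSIGN_PASSWORD }}"

      - name: Get container info
        id: container_info
        if: startsWith(github.ref, 'refs/tags/')
        env:
          # ref names may contain shell-significant characters; pass via env
          TAG_NAME: "${{ github.ref_name }}"
        run: |
          export CONTAINER_DIGEST="$(make container-digest GITHUB_REF="$TAG_NAME")"
          echo "container_digest=$CONTAINER_DIGEST" >> "$GITHUB_OUTPUT"
          # comma-joined tag list; split again with IFS=, by the sbom job
          echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >> "$GITHUB_OUTPUT"
          # JSON array of repositories, consumed via fromJSON() as a matrix
          echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" >> "$GITHUB_OUTPUT"

      - name: Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io

  sbom:
    name: sbom
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04
    env:
      TAGS: "${{ needs.release.outputs.container_tags }}"
    strategy:
      matrix:
        repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # ratchet:sigstore/[email protected]
        with:
          cosign-release: 'v2.2.3'

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@719133684c7d294116626d1344fe64f0d2ff3e9e # ratchet:anchore/sbom-action/[email protected]

      - name: Login to Container registries
        env:
          DOCKER_PASSWORD: "${{ secrets.DOCKER_PASSWORD }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          echo "$DOCKER_PASSWORD" | docker login -u philipssoftware --password-stdin
          echo "$GITHUB_TOKEN" | docker login -u "$GITHUB_ACTOR" --password-stdin ghcr.io

      - name: Attach SBOM
        env:
          COSIGN_PASSWORD: "${{ secrets.COSIGN_PASSWORD }}"
          COSIGN_PRIVATE_KEY: "${{ secrets.COSIGN_PRIVATE_KEY }}"
          COSIGN_PUBLIC_KEY: "${{ secrets.COSIGN_PUBLIC_KEY }}"
          REPO: "${{ matrix.repo }}"
        # For each tag: verify the image signature first, generate an SPDX
        # SBOM, attach it as a cosign attestation, then verify the attestation.
        # NOTE(review): the tags all come from one container_digest, so the
        # attestations land on the same digest — confirm whether one
        # digest-addressed attest would suffice.
        run: |
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          IFS=,
          for t in ${TAGS}; do
            cosign verify --key cosign.pub "${REPO}:${t}"
            syft "${REPO}:${t}" -o spdx-json > sbom-spdx.json
            cosign attest --predicate sbom-spdx.json --type spdx --yes --key env://COSIGN_PRIVATE_KEY "${REPO}:${t}"
            cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub "${REPO}:${t}"
          done

      - name: Clean up & Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io

  provenance:
    name: provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04
    steps:
      - name: Generate provenance for Release
        uses: philips-labs/slsa-provenance-action@6b2fd198d38ba72fb3cc08fbc52da2ebaef2efad # ratchet:philips-labs/[email protected]
        with:
          command: generate
          subcommand: github-release
          arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # ratchet:sigstore/[email protected]
        with:
          cosign-release: 'v2.2.3'

      - name: Sign provenance
        # Sign the provenance statement and upload the signature as a release
        # asset. The release is looked up by name; a missing release fails the
        # step instead of uploading to ".../releases/null/assets".
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          COSIGN_PRIVATE_KEY: "${{ secrets.COSIGN_PRIVATE_KEY }}"
          COSIGN_PASSWORD: "${{ secrets.COSIGN_PASSWORD }}"
          SIGNATURE: provenance.att.sig
        run: |
          cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature "${SIGNATURE}" provenance.att
          cat "${SIGNATURE}"
          # --fail turns HTTP 4xx/5xx into a non-zero exit; -S still reports errors under -s
          curl_args=(-sS --fail -H "Authorization: token ${GITHUB_TOKEN}")
          curl_args+=(-H "Accept: application/vnd.github.v3+json")
          # --arg keeps the ref name out of the jq program text
          release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" \
            | jq -r --arg name "${GITHUB_REF_NAME}" 'map(select(.name == $name)) | .[0].id')"
          if [[ -z "${release_id}" || "${release_id}" == "null" ]]; then
            echo "No release named ${GITHUB_REF_NAME} found among the 10 most recent releases" >&2
            exit 1
          fi
          echo "Upload ${SIGNATURE} to release with id ${release_id}…"
          curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
          curl "${curl_args[@]}" \
            --data-binary @"${SIGNATURE}" \
            "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"

  container-provenance:
    name: container-provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # ratchet:sigstore/[email protected]
        with:
          cosign-release: 'v2.2.3'

      - name: Generate provenance for ${{ matrix.repo }}
        uses: philips-labs/slsa-provenance-action@6b2fd198d38ba72fb3cc08fbc52da2ebaef2efad # ratchet:philips-labs/[email protected]
        with:
          command: generate
          subcommand: container
          arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Get slsa-provenance predicate
        # cosign attest takes the predicate only; strip the in-toto statement envelope
        run: |
          jq .predicate provenance.att > provenance-predicate.att

      # The job is already gated on tag refs, so no step-level `if` is needed here.
      - name: Login to Container registries
        env:
          DOCKER_PASSWORD: "${{ secrets.DOCKER_PASSWORD }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          echo "$DOCKER_PASSWORD" | docker login -u philipssoftware --password-stdin
          echo "$GITHUB_TOKEN" | docker login -u "$GITHUB_ACTOR" --password-stdin ghcr.io

      - name: Attach provenance to image
        env:
          COSIGN_PASSWORD: "${{ secrets.COSIGN_PASSWORD }}"
          COSIGN_PRIVATE_KEY: "${{ secrets.COSIGN_PRIVATE_KEY }}"
          REPO: "${{ matrix.repo }}"
          DIGEST: "${{ needs.release.outputs.container_digest }}"
        # Attest by digest, not tag, so the attestation is bound to the exact image.
        run: |
          cosign attest --predicate provenance-predicate.att --type slsaprovenance --yes --key env://COSIGN_PRIVATE_KEY "${REPO}@${DIGEST}"

      - name: Verify attestation
        env:
          COSIGN_PUBLIC_KEY: "${{ secrets.COSIGN_PUBLIC_KEY }}"
          REPO: "${{ matrix.repo }}"
          DIGEST: "${{ needs.release.outputs.container_digest }}"
        run: |
          printf '%s\n' "$COSIGN_PUBLIC_KEY" > cosign.pub
          cosign verify-attestation --key cosign.pub "${REPO}@${DIGEST}"

      - name: Logout from Container registries
        if: ${{ always() }}
        run: |
          docker logout
          docker logout ghcr.io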