-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Dependabot is also capable of pinning to future tag releases and will maintain the comment that descibes the shasum. dependabot/dependabot-core#4691 Signed-off-by: Marco Franssen <[email protected]>
- Loading branch information
1 parent
903776f
commit ec4088e
Showing
3 changed files
with
28 additions
and
89 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,100 +1,81 @@ | ||
| name: Continuous integration | ||
|
|
||
| on: | ||
| push: | ||
| pull_request: | ||
| types: [ opened, reopened, synchronize ] | ||
| types: [opened, reopened, synchronize] | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build | ||
| runs-on: ubuntu-20.04 | ||
|
|
||
| permissions: | ||
| contents: write # tests create releases | ||
| packages: read | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
|
|
||
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/[email protected] | ||
| - name: Set up Go | ||
| uses: actions/[email protected] | ||
| uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3.5.0 | ||
| with: | ||
| go-version-file: go.mod | ||
| check-latest: true | ||
| cache: true | ||
|
|
||
| - name: Get dependencies | ||
| run: make download | ||
|
|
||
| - name: Lint | ||
| run: | | ||
| result="$(make lint)" | ||
| echo "$result" | ||
| [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0 | ||
| - name: Build | ||
| run: make build | ||
|
|
||
| - name: Test | ||
| env: | ||
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
| run: make test-race | ||
|
|
||
| - name: Coverage | ||
| env: | ||
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
| run: make coverage-out | ||
|
|
||
| - name: Upload Code Coverage | ||
| uses: codecov/[email protected] | ||
| uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # ratchet:codecov/codecov-action@v3.1.1 | ||
| with: | ||
| token: ${{ secrets.CODECOV_TOKEN }} | ||
| files: ./coverage.out | ||
| flags: unittests | ||
| name: codecov-umbrella | ||
| fail_ci_if_error: true | ||
| verbose: true | ||
|
|
||
| release: | ||
| name: release | ||
| needs: [build] | ||
| outputs: | ||
| container_digest: ${{ steps.container_info.outputs.container_digest }} | ||
| container_tags: ${{ steps.container_info.outputs.container_tags }} | ||
| container_repos: ${{ steps.container_info.outputs.container_repos }} | ||
|
|
||
| runs-on: ubuntu-20.04 | ||
|
|
||
| steps: | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3.2.0 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Set up Go | ||
| uses: actions/[email protected] | ||
| uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3.5.0 | ||
| with: | ||
| go-version-file: ./go.mod | ||
| check-latest: true | ||
| cache: true | ||
|
|
||
| - name: Install cosign | ||
| uses: sigstore/[email protected] | ||
| uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 | ||
| with: | ||
| cosign-release: 'v1.13.1' | ||
|
|
||
| - name: Install Syft | ||
| uses: anchore/sbom-action/[email protected] | ||
|
|
||
| uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # ratchet:anchore/sbom-action/[email protected] | ||
| - name: Login to Container registries | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| run: | | ||
| echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | ||
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | ||
| - name: Set release variables | ||
| id: release-vars | ||
| run: | | ||
|
|
@@ -107,13 +88,11 @@ jobs: | |
| echo "::set-output name=GIT_HASH::$GIT_HASH" | ||
| fi | ||
| rm -f /tmp/spiffe-vault-release-vars.env | ||
| - name: Install signing key | ||
| run: | | ||
| echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | ||
| - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }} | ||
| uses: goreleaser/goreleaser-action@v4 | ||
| uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # ratchet:goreleaser/goreleaser-action@v4 | ||
| with: | ||
| version: latest | ||
| args: release --rm-dist ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} ${{ ((startsWith(github.ref, 'refs/tags/') && endsWith(github.ref, '-draft')) && '-f .goreleaser.draft.yml') || '' }} | ||
|
|
@@ -122,7 +101,6 @@ jobs: | |
| LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }} | ||
| GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }} | ||
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
|
|
||
| - name: Get container info | ||
| id: container_info | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
|
|
@@ -131,43 +109,35 @@ jobs: | |
| echo "::set-output name=container_digest::$CONTAINER_DIGEST" | ||
| echo "::set-output name=container_tags::$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" | ||
| echo "::set-output name=container_repos::$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" | ||
| - name: Logout from Container registries | ||
| if: ${{ always() }} | ||
| run: | | ||
| docker logout | ||
| docker logout ghcr.io | ||
| - name: Cleanup signing keys | ||
| if: ${{ always() }} | ||
| run: rm -f cosign.key | ||
|
|
||
| sbom: | ||
| name: sbom | ||
| needs: [release] | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| runs-on: ubuntu-20.04 | ||
| env: | ||
| TAGS: "${{ needs.release.outputs.container_tags }}" | ||
|
|
||
| strategy: | ||
| matrix: | ||
| repo: ${{ fromJSON(needs.release.outputs.container_repos) }} | ||
|
|
||
| steps: | ||
| - name: Install cosign | ||
| uses: sigstore/[email protected] | ||
| uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 | ||
| with: | ||
| cosign-release: 'v1.13.1' | ||
|
|
||
| - name: Install Syft | ||
| uses: anchore/sbom-action/[email protected] | ||
|
|
||
| uses: anchore/sbom-action/download-syft@06e109483e6aa305a2b2395eabae554e51530e1d # ratchet:anchore/sbom-action/[email protected] | ||
| - name: Login to Container registries | ||
| run: | | ||
| echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | ||
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | ||
| - name: Attach SBOM | ||
| env: | ||
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
|
|
@@ -181,35 +151,30 @@ jobs: | |
| cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${{ matrix.repo }}:${t} | ||
| cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${{ matrix.repo }}:${t} | ||
| done | ||
| - name: Clean up & Logout from Container registries | ||
| if: ${{ always() }} | ||
| run: | | ||
| docker logout | ||
| docker logout ghcr.io | ||
| rm -f cosign.key | ||
| provenance: | ||
| name: provenance | ||
| needs: [release] | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| runs-on: ubuntu-20.04 | ||
|
|
||
| steps: | ||
| - name: Generate provenance for Release | ||
| uses: philips-labs/[email protected] | ||
| uses: philips-labs/slsa-provenance-action@752766b8a3b1ebd09d599e163eeec8fa39e677aa # ratchet:philips-labs/slsa-provenance-action@v0.8.0 | ||
| with: | ||
| command: generate | ||
| subcommand: github-release | ||
| arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }} | ||
| env: | ||
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
|
|
||
| - name: Install cosign | ||
| uses: sigstore/[email protected] | ||
| uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 | ||
| with: | ||
| cosign-release: 'v1.13.1' | ||
|
|
||
| - name: Sign provenance | ||
| run: | | ||
| echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | ||
|
|
@@ -229,54 +194,45 @@ jobs: | |
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
| SIGNATURE: provenance.att.sig | ||
|
|
||
| container-provenance: | ||
| name: container-provenance | ||
| needs: [release] | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| runs-on: ubuntu-20.04 | ||
|
|
||
| strategy: | ||
| matrix: | ||
| repo: ${{ fromJSON(needs.release.outputs.container_repos) }} | ||
|
|
||
| steps: | ||
| - name: Install cosign | ||
| uses: sigstore/[email protected] | ||
| uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # ratchet:sigstore/cosign-installer@v2.8.1 | ||
| with: | ||
| cosign-release: 'v1.13.1' | ||
|
|
||
| - name: Generate provenance for ${{ matrix.repo }} | ||
| uses: philips-labs/[email protected] | ||
| uses: philips-labs/slsa-provenance-action@752766b8a3b1ebd09d599e163eeec8fa39e677aa # ratchet:philips-labs/slsa-provenance-action@v0.8.0 | ||
| with: | ||
| command: generate | ||
| subcommand: container | ||
| arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }} | ||
| env: | ||
| GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | ||
|
|
||
| - name: Get slsa-provenance predicate | ||
| run: | | ||
| cat provenance.att | jq .predicate > provenance-predicate.att | ||
| - name: Login to Container registries | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| run: | | ||
| echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | ||
| echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | ||
| - name: Attach provenance to image | ||
| run: | | ||
| echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | ||
| cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | ||
| env: | ||
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | ||
|
|
||
| - name: Verify attestation | ||
| run: | | ||
| echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | ||
| cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | ||
| - name: Logout from Container registries | ||
| if: ${{ always() }} | ||
| run: | | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,4 @@ | ||
| name: Create a provenance | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
|
|
@@ -9,58 +8,48 @@ on: | |
| car_input: | ||
| description: 'Car to input in the artifact text file' | ||
| required: false | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build artifact | ||
| runs-on: ubuntu-20.04 | ||
| steps: | ||
| # traditionally you would build your code here and generate an artifact | ||
| - name: Create first artifact | ||
| run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt | ||
|
|
||
| run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt | ||
| - name: Create second artifact | ||
| run: echo "audi, tesla, bmw" > cars.txt | ||
|
|
||
| run: echo "audi, tesla, bmw" > cars.txt | ||
| - name: Input workflow ingredient | ||
| if: ${{ github.event.inputs.ingredient_input != '' }} | ||
| if: ${{ github.event.inputs.ingredient_input != '' }} | ||
| run: | | ||
| echo ", ${{github.event.inputs.ingredient_input}}" >> salsa.txt | ||
| - name: Input workflow cars | ||
| if: ${{ github.event.inputs.car_input != '' }} | ||
| if: ${{ github.event.inputs.car_input != '' }} | ||
| run: | | ||
| echo ", ${{github.event.inputs.car_input}}" >> cars.txt | ||
| - name: Upload artifact | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 | ||
| with: | ||
| path: '*.txt' | ||
|
|
||
| generate-provenance: | ||
| needs: build | ||
| name: Generate build provenance | ||
| runs-on: ubuntu-20.04 | ||
| steps: | ||
| # checkout only required to run local action (defined in this repo) | ||
| - name: Checkout | ||
| uses: actions/[email protected] | ||
|
|
||
| uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/[email protected] | ||
| - name: Download build artifact | ||
| uses: actions/[email protected] | ||
|
|
||
| uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/[email protected] | ||
| - name: Generate some extra materials (this usually happens as part of the build process) | ||
| run: | | ||
| echo '[{"uri": "pkg:deb/debian/[email protected]?arch=amd64", "digest": {"sha256": "e1731ae217fcbc64d4c00d707dcead45c828c5f762bcf8cc56d87de511e096fa"}}]' > extra-materials.json | ||
| - name: Generate provenance | ||
| # use action in the root directory | ||
| uses: ./ | ||
| with: | ||
| artifact_path: artifact/ | ||
| extra_materials: extra-materials.json | ||
|
|
||
| - name: Upload provenance | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 | ||
| with: | ||
| path: provenance.json | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,38 +1,32 @@ | ||
| name: Create a provenance from marketplace | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build artifact | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # traditionally you would build your code here and generate an artifact | ||
| - name: Create artifact | ||
| run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt | ||
|
|
||
| run: echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt | ||
| - name: Upload artifact | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 | ||
| with: | ||
| path: salsa.txt | ||
|
|
||
| generate-provenance: | ||
| needs: build | ||
| name: Generate build provenance | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Download build artifact | ||
| uses: actions/[email protected] | ||
|
|
||
| uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/[email protected] | ||
| - name: Generate provenance | ||
| uses: philips-labs/[email protected] | ||
| uses: philips-labs/slsa-provenance-action@752766b8a3b1ebd09d599e163eeec8fa39e677aa # ratchet:philips-labs/slsa-provenance-action@v0.8.0 | ||
| with: | ||
| command: generate | ||
| subcommand: files | ||
| arguments: --artifact-path artifact/ --output-path provenance.json | ||
|
|
||
| - name: Upload provenance | ||
| uses: actions/[email protected] | ||
| uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3.1.1 | ||
| with: | ||
| path: provenance.json |