build: add image signing for dev images and add release sbom (#1629)

ratify-project · Jul 31, 2024 · 17f829a · 17f829a
1 parent bd97bc2
commit 17f829a
Show file tree

Hide file tree

Showing 7 changed files with 95 additions and 32 deletions.
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -60,10 +60,6 @@ jobs:
     secrets: inherit
 
   aks-test-cleanup:
-    env:
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
     needs: ['build_test_aks_e2e_conditional']
     runs-on: ubuntu-latest
     permissions:
@@ -86,10 +82,10 @@ jobs:
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: clean up
         run: |
-          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
+          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
@@ -20,11 +20,6 @@ on:
 jobs:
   build_test_aks_e2e:
     name: "Build and run e2e Test on AKS"
-    env:
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_SP_OBJECT_ID: fd917b28-cdc0-4828-92c9-1ca8203842a3
     runs-on: ubuntu-latest
     timeout-minutes: 30
     environment: azure-test
@@ -46,9 +41,9 @@ jobs:
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       - name: Cache AAD tokens
         run: |
           az version
@@ -66,7 +61,7 @@ jobs:
 
       - name: Run e2e on Azure
         run: |
-          make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ env.AZURE_SP_OBJECT_ID }}
+          make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ secrets.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ secrets.AZURE_SP_OBJECT_ID }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4

diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
@@ -13,13 +13,30 @@ jobs:
     permissions:
       packages: write
       contents: read
+      id-token: write
+    environment: azure-publish
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
         with:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - name: Install Notation
+        uses: notaryproject/notation-action/setup@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
+      - name: Install cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      - name: Az CLI login
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Cache AAD tokens
+        run: |
+          az version
+          # Key Vault: 
+          az account get-access-token --scope https://vault.azure.net/.default --output none
       - name: prepare
         id: prepare
         run: |
@@ -100,6 +117,27 @@ jobs:
         run: |
           helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
           helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+      - name: Sign with Notation
+        uses: notaryproject/notation-action/sign@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
+        with:
+          plugin_name: azure-kv
+          plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
+          plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
+          key_id: ${{ secrets.AZURE_KV_KEY_ID }}
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
+          signature_format: cose
+      - name: Sign with Cosign
+        run: |
+          cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+          cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+          cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+          cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+          cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
       - name: clear
         if: always()
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,17 +24,21 @@ jobs:
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=3.0.2
       with:
           fetch-depth: 0
+
+    - name: Install Syft
+      uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0
 
     - name: Set up Go
       uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: '1.22'
 
     - name: Goreleaser
+      id: goreleaser
       uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
       with:
-        version: '1.18.0'
-        args: release --rm-dist
+        version: '2.0.1'
+        args: release --clean
       env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
@@ -48,10 +48,6 @@ jobs:
     secrets: inherit
 
   aks-test-cleanup:
-    env:
-      AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
-      AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
-      AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
     needs: ['build_test_aks_e2e']
     runs-on: ubuntu-latest
     permissions:
@@ -74,10 +70,10 @@ jobs:
       - name: Az CLI login
         uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
         with:
-          client-id: ${{ env.AZURE_CLIENT_ID }}
-          tenant-id: ${{ env.AZURE_TENANT_ID }}
-          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: clean up
         run: |
-          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
+          make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -1,4 +1,5 @@
 # Check the documentation at https://goreleaser.com for more options
+version: 2
 before:
   hooks:
     - go mod tidy
@@ -57,15 +58,15 @@ release:
   prerelease: auto
   draft: true
 archives:
-  - replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-    format_overrides:
+  - format_overrides:
       - goos: windows
         format: zip
 checksum:
   name_template: 'checksums.txt'
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
 snapshot:
   name_template: '{{ incpatch .Version }}-next'
 changelog:

diff --git a/.well-known/pki-validation/ratify-verification.crt b/.well-known/pki-validation/ratify-verification.crt
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFsDCCA5igAwIBAgIQbZCNsoQpQC+/hsEf/FdjDjANBgkqhkiG9w0BAQsFADBa
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxFzAV
+BgNVBAoTDnJhdGlmeS1wcm9qZWN0MRMwEQYDVQQDEwpyYXRpZnkuZGV2MB4XDTI0
+MDYxMDIyNDQ1OVoXDTI1MDYxMDIyNTQ1OVowWjELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRcwFQYDVQQKEw5yYXRpZnktcHJvamVj
+dDETMBEGA1UEAxMKcmF0aWZ5LmRldjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAM6wAPQhVoIA7qbckyk8qYYiTnKjlUXaThXn8RYe6+dYQjBypxciAyyJ
+NLbM675gXTc26rZDm29ldsych6G6VSP0wkziqZHIYKTSZ/kSzw0mm/KLRgHQPKsj
+PdhVYnLbg4keyKvSRBDmKl6I04VMNXERezJWpcK0F+6wtt6BKZOJRSPCbTPhHIVY
+U5iwqwMt9lOzNgWKsFUfTW+eZ2sPOJzpu78h/0JaOGgsms80Btm5UBjeJCWAOQDS
+VzurUk8Q5EX5X4faNbUiKLREY4210ELVZq8xU1yixkzO2reh9Sw6maG2YLW3W0rc
+bn1PTxz5ddvTF1r/J+A9JSQUhVCM7sEfh9oXW6az4OeZVCD1beG1mX5mtE/kzZqN
+9KfzvBSwdFx4D4t0KBG4/f2/k2pwZuTy3qqA+R9cd434jJpdY4/dQi0JTAG7XmuG
+HMpEM/1TQmXV3Nccwbyy5W2D07/y4fDVSxh2czumK8C7hWs0EX3CQ0C4mi0o3GjD
+1meir2GYKDqQUyVQx0gcDgOVDQRsyA2zQ3gUy7/7RGDbtaGN0XVT0kBMU66aS6Mj
+z69YEu+Yj3QNqVQL/Ms4A2G+mPXoqVTikQxbDI5Bi3d5U0Xu6zQ7/Wx+li1pO2TV
+3tNSyy5Tj/IT5Mou5e5oDt81yIfrXtb6Mye5zJ6uiqq5RwK9+b2BAgMBAAGjcjBw
+MA4GA1UdDwEB/wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMD
+MB8GA1UdIwQYMBaAFO4kXbjSuXzopPxrB1tKZ5g4oZQ/MB0GA1UdDgQWBBTuJF24
+0rl86KT8awdbSmeYOKGUPzANBgkqhkiG9w0BAQsFAAOCAgEASs8iFwuuh1lB1eM7
+cDM2rZfExb0RFXkcHWdF6+dEwuchn9rjKKXFLXU4k5sARKj+rTzxKGKNbymCLUto
+DzaJwwWygZu7HoG5DHGcj5StlBXNELMCoRwFW/MjRTv4Sfkiakw03PUBeiZeg8Xb
+SB3WuZreD0c/DPiONuXGSdx5cPgf0NkMTY8hiOoENP9eBCqcMhCUGMYRf1sIXr4m
+YWuS5KTB93DsWLjdw+X9FDi0irFa1uP01IM+iSsPtoGoT1tV8fnYl5anvBCLsh8U
+Y9vAXwJvZM6XlfA5XX4fzq82KuLASMBktyhXrYWeGBUOYOpQa4M3c/KiJyYjtm08
+pFRBdbzUwK1GF2mDfO/8oyyqPMhdkD3dO6/iToOklSLcNS4AVoTBE+S62QHHluBD
+zlmeVabCB/TGLRm5wlKKm7YRI7DJXF0HVQ5KS8vXjbT1MzN7WB+Iey2lelH3U+CR
+V50lbGJhvs8WiSojzcl1xJAvhRaWXZ/h8TCBI8srQzBlZ+/8o2zhs4nlEFrgurzq
+Vd+m0s1lM1iGHrE//AxlU7NVh2yCjrhPumQ53Sv53LG3Kl5RD86Pvhd01ORvKKNR
+zS27F63BGy6basxXtHR8ibCPNs1gbT24YLfaPiXmhy0j8dwPhEFGwQEIL8peSG56
+6OcrwcZ4J28hTXOl4EIJ2Prp9mQ=
+-----END CERTIFICATE-----