-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
added cosign to sign container image and attestations upgraded docker related actions
- Loading branch information
1 parent
a8e0e9f
commit f9f9011
Showing
2 changed files
with
162 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -239,10 +239,10 @@ jobs: | |
| run: make | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v1 | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v1 | ||
| uses: docker/setup-buildx-action@v3 | ||
| with: | ||
| buildkitd-flags: --debug | ||
|
|
||
|
|
@@ -255,6 +255,23 @@ jobs: | |
| platforms: ${{ matrix.platform }} | ||
| push: false | ||
| tags: "${{ env.OPERATOR_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }},${{ env.OPERATOR_IMAGE_REPOSITORY }}:${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}" | ||
| load: true | ||
|
|
||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.OPERATOR_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }} | ||
| format: "cosign-vuln" | ||
| output: "operator-cosignvuln.json" | ||
|
|
||
| - name: Run Trivy SBOM generator | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.OPERATOR_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }} | ||
| format: "spdx-json" | ||
| output: "operator-spdxjson.json" | ||
|
|
||
| - name: Prepare Distribution Artifacts | ||
| shell: bash | ||
|
|
@@ -264,13 +281,22 @@ jobs: | |
| # Move and Rename Manager Binary | ||
| mv bin/manager dist/${{ env.REPOSITORY_NAME }}-manager-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }} | ||
| mkdir attestation | ||
| mv operator-*.json attestation | ||
| - name: Upload Dist | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: dist | ||
| path: dist | ||
|
|
||
| - name: Upload attestation | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: attestation | ||
| path: attestation | ||
|
|
||
| build-bundle: | ||
| runs-on: ubuntu-latest | ||
| name: build-bundle | ||
|
|
@@ -339,10 +365,10 @@ jobs: | |
| run: operator-sdk bundle validate ./bundle --select-optional name=operatorhub | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v1 | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v1 | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: "Build Bundle Image" | ||
| uses: docker/build-push-action@v3 | ||
|
|
@@ -353,6 +379,23 @@ jobs: | |
| platforms: ${{ matrix.platform }} | ||
| push: false | ||
| tags: "${{ env.BUNDLE_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }},${{ env.BUNDLE_IMAGE_REPOSITORY }}:${{ env.BUNDLE_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}" | ||
| load: true | ||
|
|
||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.BUNDLE_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }} | ||
| format: "cosign-vuln" | ||
| output: "bundle-cosignvuln.json" | ||
|
|
||
| - name: Run Trivy SBOM generator | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.BUNDLE_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }} | ||
| format: "spdx-json" | ||
| output: "bundle-spdxjson.json" | ||
|
|
||
| - name: Prepare Distribution Artifacts | ||
| shell: bash | ||
|
|
@@ -365,13 +408,22 @@ jobs: | |
| tar -czvf ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}.tar.gz ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }} | ||
| mv ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}.tar.gz dist | ||
| rm -Rf ${{ env.REPOSITORY_NAME }}-bundle-${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }} | ||
| mkdir attestation | ||
| mv bundle-*.json attestation | ||
| - name: Upload Dist | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: dist | ||
| path: dist | ||
|
|
||
| - name: Upload attestation | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: attestation | ||
| path: attestation | ||
|
|
||
| package-helm: | ||
| runs-on: ubuntu-latest | ||
| name: package-helm | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -223,6 +223,9 @@ jobs: | |
| OPERATOR_IMAGE_REGISTRY: ${{ needs.setup.outputs.operator_image_registry }} | ||
| BUNDLE_IMAGE_REPOSITORY: "${{ needs.setup.outputs.bundle_image_registry }}/${{ needs.setup.outputs.bundle_image_repository_name }}" | ||
| BUNDLE_IMAGE_REGISTRY: ${{ needs.setup.outputs.bundle_image_registry }} | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Set up Go | ||
|
|
@@ -233,6 +236,18 @@ jobs: | |
| - name: Check out code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Validate variables | ||
| run: | | ||
| if [ "${{ needs.setup.outputs.operator_image_registry }}" == "" ]; then | ||
| echo "Required setup outputs 'operator_image_registry' is not set. Check setup 'Complete Job' step." | ||
| exit 1 | ||
| fi | ||
| if [ "${{ needs.setup.outputs.bundle_image_registry }}" == "" ]; then | ||
| echo "Required setup outputs 'bundle_image_registry' is not set. Check setup 'Complete Job' step." | ||
| exit 1 | ||
| fi | ||
| - name: Go Build Cache | ||
| uses: actions/cache@v3 | ||
| with: | ||
|
|
@@ -280,21 +295,26 @@ jobs: | |
| run: make | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v1 | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v1 | ||
| uses: docker/setup-buildx-action@v3 | ||
| with: | ||
| buildkitd-flags: --debug | ||
|
|
||
| - name: Setup cosign | ||
| uses: sigstore/cosign-installer@v3 | ||
|
|
||
| - name: Login to Operator Registry | ||
| uses: docker/login-action@v1 | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ${{ env.OPERATOR_IMAGE_REGISTRY }} | ||
| username: ${{ secrets.REGISTRY_USERNAME }} | ||
| password: ${{ secrets.REGISTRY_PASSWORD }} | ||
|
|
||
| - name: "Build Operator Image" | ||
| uses: docker/build-push-action@v3 | ||
| id: build_push | ||
| with: | ||
| context: . | ||
| file: "./ci.Dockerfile" | ||
|
|
@@ -303,6 +323,42 @@ jobs: | |
| push: true | ||
| tags: "${{ env.OPERATOR_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }},${{ env.OPERATOR_IMAGE_REPOSITORY }}:${{ env.OPERATOR_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}" | ||
|
|
||
| - name: Sign Operator Image | ||
| id: sign_operator | ||
| env: | ||
| IMAGE_URI: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| run: | | ||
| cosign sign --yes ${IMAGE_URI} | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/[email protected] | ||
| env: | ||
| TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} | ||
| TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| format: "cosign-vuln" | ||
| output: "cosign-vuln.json" | ||
|
|
||
| - name: Run Trivy SBOM generator | ||
| uses: aquasecurity/[email protected] | ||
| env: | ||
| TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} | ||
| TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| format: "spdx-json" | ||
| output: "spdx-json.json" | ||
|
|
||
| - name: Attach attestations for Operator Image | ||
| env: | ||
| IMAGE_URI: ${{ env.OPERATOR_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| run: | | ||
| cosign attest --yes --type vuln --predicate cosign-vuln.json ${IMAGE_URI} | ||
| cosign attest --yes --type spdx --predicate spdx-json.json ${IMAGE_URI} | ||
| - name: Prepare Distribution Artifacts | ||
| shell: bash | ||
| run: | | ||
|
|
@@ -376,6 +432,10 @@ jobs: | |
| OPERATOR_IMAGE_REGISTRY: ${{ needs.setup.outputs.operator_image_registry }} | ||
| BUNDLE_IMAGE_REPOSITORY: "${{ needs.setup.outputs.bundle_image_registry }}/${{ needs.setup.outputs.bundle_image_repository_name }}" | ||
| BUNDLE_IMAGE_REGISTRY: ${{ needs.setup.outputs.bundle_image_registry }} | ||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| steps: | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v4 | ||
|
|
@@ -435,20 +495,24 @@ jobs: | |
| run: operator-sdk bundle validate ./bundle --select-optional name=operatorhub | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v1 | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v1 | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Setup cosign | ||
| uses: sigstore/cosign-installer@v3 | ||
|
|
||
| - name: Login to Bundle Registry | ||
| uses: docker/login-action@v1 | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ${{ env.BUNDLE_IMAGE_REGISTRY }} | ||
| username: ${{ secrets.REGISTRY_USERNAME }} | ||
| password: ${{ secrets.REGISTRY_PASSWORD }} | ||
|
|
||
| - name: "Build Bundle Image" | ||
| uses: docker/build-push-action@v3 | ||
| id: build_push | ||
| with: | ||
| context: . | ||
| file: ./bundle.Dockerfile | ||
|
|
@@ -457,6 +521,42 @@ jobs: | |
| push: true | ||
| tags: "${{ env.BUNDLE_IMAGE_REPOSITORY }}:latest-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }},${{ env.BUNDLE_IMAGE_REPOSITORY }}:${{ env.BUNDLE_VERSION }}-${{ steps.setup-build-step.outputs.platform_os }}-${{ steps.setup-build-step.outputs.platform_arch }}" | ||
|
|
||
| - name: Sign Bundle Image | ||
| id: sign_bundle | ||
| env: | ||
| IMAGE_URI: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| run: | | ||
| cosign sign --yes ${IMAGE_URI} | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/[email protected] | ||
| env: | ||
| TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} | ||
| TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| format: "cosign-vuln" | ||
| output: "cosign-vuln.json" | ||
|
|
||
| - name: Run Trivy SBOM generator | ||
| uses: aquasecurity/[email protected] | ||
| env: | ||
| TRIVY_USERNAME: ${{ secrets.REGISTRY_USERNAME }} | ||
| TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }} | ||
| with: | ||
| scan-type: image | ||
| image-ref: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| format: "spdx-json" | ||
| output: "spdx-json.json" | ||
|
|
||
| - name: Attach attestations for Bundle Image | ||
| env: | ||
| IMAGE_URI: ${{ env.BUNDLE_IMAGE_REPOSITORY }}@${{ steps.build_push.outputs.digest }} | ||
| run: | | ||
| cosign attest --yes --type vuln --predicate cosign-vuln.json ${IMAGE_URI} | ||
| cosign attest --yes --type spdx --predicate spdx-json.json ${IMAGE_URI} | ||
| - name: Prepare Distribution Artifacts | ||
| shell: bash | ||
| run: | | ||
|
|
||