From 1237285d1f6dd0e33306650dbc419e8fae39188b Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Mon, 10 Jun 2024 17:07:31 +0800 Subject: [PATCH] fix: rework CI to enable attestation --- .github/workflows/build.yaml | 23 ++++++++++- .github/workflows/coverage.yaml | 2 +- .github/workflows/dependency-review.yaml | 2 +- .github/workflows/lint.yaml | 2 +- .github/workflows/ossf-analysis.yaml | 2 +- .github/workflows/release.yaml | 49 ++++++++++++------------ .goreleaser.yaml | 20 ---------- 7 files changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 8d968288..bece752d 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -24,10 +24,11 @@ jobs: with: go-version: stable - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV" - - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 + - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 + id: goreleaser with: version: latest - args: build --clean --debug --single-target --snapshot + args: build --clean --verbose --single-target --snapshot - name: Login to GHCR if: github.actor != 'dependabot[bot]' uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 @@ -52,3 +53,21 @@ jobs: file: Dockerfile build-args: BINARY=${{ matrix.binary }} context: dist/${{ matrix.binary }}_linux_amd64_v1 + check-tag: + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + fetch-depth: 0 + - id: ccv + uses: smlx/ccv@d3de774e9b607b079940a7a86952f44643743336 # v0.9.0 + with: + write-tag: false + - run: | + echo "new-tag=$NEW_TAG" + echo "new-tag-version=$NEW_TAG_VERSION" + env: + NEW_TAG: ${{steps.ccv.outputs.new-tag}} + NEW_TAG_VERSION: ${{steps.ccv.outputs.new-tag-version}} 
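Review bot: The new `check-tag` job carries no comment saying why it exists; from `write-tag: false` and the two `echo` lines it appears to be a dry run of the release tag calculation, so a line above `check-tag:` such as `# dry-run the tag calculation so PRs show the next version; mirrors release-tag in release.yaml without pushing a tag` would stop a maintainer from "fixing" it into a real tagger. Passing the ccv outputs through `env:` instead of interpolating them into the script is the right shape and should stay that way. Style-wise, `${{steps.ccv.outputs.new-tag}}` and `${{steps.ccv.outputs.new-tag-version}}` omit the inner spaces used by `${{ matrix.binary }}` in the same file; the same spacing appears in the release.yaml attestation hunk (`${{steps.goreleaser.outputs.artifacts}}`, `${{steps.image_metadata.outputs.digest}}`, `${{steps.image_metadata.outputs.name}}`). The `run:` step also has no `name:`, so the job log identifies it only by its echo text.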
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index fe7faba4..1ce55c80 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -23,7 +23,7 @@ jobs: uses: vladopajic/go-test-coverage@1079cd4e58dda229c04ffdb6324fc3756b8542ff # v2.10.1 with: profile: cover.out - local-prefix: github.com/uselagoon/lagoon-ssh-portal + local-prefix: github.com/${{ github.repository }} git-token: ${{ secrets.GITHUB_TOKEN }} # orphan branch for storing badges git-branch: badges diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index cb757374..2c706e13 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -11,6 +11,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - - uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2 + - uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 with: config-file: .github/dependency-review-config.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index b505428e..578f92f4 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -35,6 +35,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8 + - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0 with: args: -color diff --git a/.github/workflows/ossf-analysis.yaml b/.github/workflows/ossf-analysis.yaml index 04168eca..0d6d3c58 100644 --- a/.github/workflows/ossf-analysis.yaml +++ b/.github/workflows/ossf-analysis.yaml 
@@ -26,6 +26,6 @@ jobs: # of the value entered here. publish_results: true - name: Upload SARIF results to code scanning - uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7 + uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 with: sarif_file: results.sarif diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a4c18789..5d000ac4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -11,40 +11,24 @@ jobs: contents: write runs-on: ubuntu-latest outputs: - new-tag: ${{ steps.bump-tag.outputs.new }} - new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }} + new-tag: ${{ steps.ccv.outputs.new-tag }} steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: fetch-depth: 0 - - name: Configure git - run: | - git config --global user.name "$GITHUB_ACTOR" - git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 - with: - go-version: stable - - name: Install ccv - run: > - curl -sSL https://github.com/smlx/ccv/releases/download/v0.3.2/ccv_0.3.2_linux_amd64.tar.gz - | sudo tar -xz -C /usr/local/bin ccv - name: Bump tag if necessary - id: bump-tag - run: | - if [ -z "$(git tag -l "$(ccv)")" ]; then - git tag "$(ccv)" - git push --tags - echo "new=true" >> "$GITHUB_OUTPUT" - echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT" - fi + id: ccv + uses: smlx/ccv@d3de774e9b607b079940a7a86952f44643743336 # v0.9.0 release-build: permissions: # create release contents: write - # push docker images to regsitry + # push docker images to registry packages: write # use OIDC token for signing id-token: write + # required by attest-build-provenance + attestations: write needs: release-tag if: needs.release-tag.outputs.new-tag == 'true' runs-on: ubuntu-latest 
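Review bot: The comment `# use OIDC token for signing` above `id-token: write` is now stale in this hunk: the cosign installer is deleted in the following hunk and the token is consumed by `actions/attest-build-provenance`, so a reader could conclude the permission is unused and remove it; suggest `# use OIDC token for Sigstore signing inside attest-build-provenance`. The `new-tag-version` output is dropped from `release-tag` although the `smlx/ccv` action still exposes it (the build.yaml hunk echoes `steps.ccv.outputs.new-tag-version`); if any step later in `release-build` still reads `needs.release-tag.outputs.new-tag-version` it now silently evaluates to an empty string, and the rest of that job is outside this hunk, so it is worth a grep. `if: needs.release-tag.outputs.new-tag == 'true'` also depends on ccv's `new-tag` being the literal string `true`; a one-line comment stating that contract next to the `outputs:` block would make the dependency on the action's output format explicit.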
@@ -63,7 +47,6 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Set up environment run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV" - - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1 id: sbom env: @@ -72,10 +55,28 @@ jobs: run: mv "$GITHUB_SBOM_PATH" ./sbom.spdx.json env: GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }} - - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 + - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 + id: goreleaser with: version: latest args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_SBOM_PATH: ./sbom.spdx.json + # parse artifacts to the format required for image attestation + - run: | + echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT" + echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT" + id: image_metadata + env: + ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}} + # attest archives + - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 + with: + subject-path: "dist/*.tar.gz" + # attest images + - uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0 + with: + subject-digest: ${{steps.image_metadata.outputs.digest}} + subject-name: ${{steps.image_metadata.outputs.name}} + push-to-registry: true diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 21195bff..e82aff5a 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
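Review bot: The `image_metadata` step assumes exactly one versioned Docker Manifest, but the `.goreleaser.yaml` hunk shows manifests for both ssh-portal and ssh-token, so each `jq` filter emits one line per image and `echo "digest=$(...)" >> "$GITHUB_OUTPUT"` writes the second digest as a bare line, which the runner will most likely reject as an invalid output format. Even if it were accepted, `attest-build-provenance` attests a single `subject-digest`/`subject-name` pair, leaving the other image published without provenance. Until a per-image matrix exists, fail fast with a first line in that step such as `[ "$(echo "$ARTIFACTS" | jq '[.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))]|length')" -eq 1 ] || { echo "expected exactly one versioned manifest" >&2; exit 1; }`. Because the cosign `signs`/`docker_signs` blocks are removed from `.goreleaser.yaml`, consumers verifying releases with `cosign verify-blob`/`cosign verify` will stop working; a comment above the two attestation steps pointing at `gh attestation verify` (and a release-notes line) would spare them a surprise. The `release-build` job continues outside the hunk.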
@@ -31,18 +31,6 @@ builds: changelog: use: github-native -signs: -- cmd: cosign - signature: "${artifact}.sig" - certificate: "${artifact}.pem" - args: - - "sign-blob" - - "--output-signature=${signature}" - - "--output-certificate=${certificate}" - - "${artifact}" - - "--yes" - artifacts: checksum - dockers: # ssh-portal - ids: @@ -128,14 +116,6 @@ docker_manifests: - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:v{{ .Version }}-amd64" - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}/ssh-token:v{{ .Version }}-arm64v8" -docker_signs: -- args: - - "sign" - - "${artifact}@${digest}" - - "--yes" - artifacts: all - output: true - release: extra_files: - glob: "{{ .Env.GITHUB_SBOM_PATH }}"