From 413d60f8ba1c3fa3cc1402c922a2d85820b9f023 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Fri, 21 Jan 2022 17:31:38 +0200
Subject: [PATCH] Publish SBOM and sign release artifacts

Signed-off-by: Stefan Prodan
---
 .github/workflows/cifuzz.yaml | 4 +++
 .github/workflows/e2e.yaml | 5 ++-
 .github/workflows/nightly.yaml | 3 ++
 .github/workflows/release.yml | 57 ++++++++++++++++++++--------------
 .github/workflows/scan.yaml | 5 ++-
 .goreleaser.yaml | 39 +++++++++++++++++++++++
 6 files changed, 87 insertions(+), 26 deletions(-)
 create mode 100644 .goreleaser.yaml

diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
index 202ce966d..ab6eb2f09 100644
--- a/.github/workflows/cifuzz.yaml
+++ b/.github/workflows/cifuzz.yaml
@@ -3,6 +3,10 @@ on:
 pull_request:
 branches:
 - main
+
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index b8dc52cc8..10f1251e7 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -1,5 +1,4 @@
 name: e2e
-
 on:
 workflow_dispatch:
 pull_request:
@@ -7,6 +6,10 @@ on:
 branches:
 - main
 - "feature/**"
+
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 jobs:
 kind:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 0d60165a2..6d0e84500 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -4,6 +4,9 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
+permissions:
+ contents: read # for actions/checkout to fetch code
+
 env:
 REPOSITORY: ${{ github.repository }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9204fa830..c20c3d6db 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
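Review bot: The nightly workflow now runs with `contents: read` only, which is the right default if its build step pushes nothing, but if any step of that job logs in to ghcr.io with `GITHUB_TOKEN` to push a nightly tag it will start failing with a permission error, because `packages: write` is not granted here the way it is in release.yml. The job body lies outside this hunk, so I could not confirm either way; if it does push, grant `packages: write` under that job (`jobs.<job_id>.permissions`) rather than at the workflow level. The same read-only default added to cifuzz.yaml and e2e.yaml looks correct for what those hunks show.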
@@ -10,6 +10,11 @@ on:
 default: 'rc'
 required: true
+permissions:
+ contents: write # needed to write releases
+ id-token: write # needed for keyless signing
+ packages: write # needed for ghcr access
+
 env:
 CONTROLLER: ${{ github.event.repository.name }}
@@ -31,13 +36,9 @@ jobs:
 echo ::set-output name=VERSION::${VERSION}
 - name: Setup QEMU
 uses: docker/setup-qemu-action@v1
- with:
- platforms: all
 - name: Setup Docker Buildx
 id: buildx
 uses: docker/setup-buildx-action@v1
- with:
- buildkitd-flags: "--debug"
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v1
 with:
@@ -49,7 +50,16 @@ jobs:
 with:
 username: fluxcdbot
 password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
- - name: Publish multi-arch container image
+ - name: Generate images meta
+ id: meta
+ uses: docker/metadata-action@v3
+ with:
+ images: |
+ fluxcd/${{ env.CONTROLLER }}
+ ghcr.io/fluxcd/${{ env.CONTROLLER }}
+ tags: |
+ type=raw,value=${{ steps.prep.outputs.VERSION }}
+ - name: Publish images
 uses: docker/build-push-action@v2
 with:
 push: true
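Review bot: The new workflow-level `permissions` block hands `contents: write`, `id-token: write` and `packages: write` to every job in release.yml, not only to the job that builds, signs and publishes; `id-token: write` in particular lets any job in this file mint an OIDC token that Fulcio will exchange for a certificate carrying this workflow's identity. Since only the publishing job needs these, move the block under that job (`jobs.<job_id>.permissions:`) and keep the top level at `contents: read`, so a lint or test job added later does not inherit the ability to produce valid Flux signatures. The job definition starts outside this hunk, so I could not confirm whether it is currently the only job.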
@@ -57,35 +67,34 @@ jobs:
 context: .
 file: ./Dockerfile
 platforms: linux/amd64,linux/arm/v7,linux/arm64
- tags: |
- ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
- docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
- labels: |
- org.opencontainers.image.title=${{ github.event.repository.name }}
- org.opencontainers.image.description=${{ github.event.repository.description }}
- org.opencontainers.image.url=${{ github.event.repository.html_url }}
- org.opencontainers.image.revision=${{ github.sha }}
- org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
- org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
 - name: Check images
 run: |
 docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
 docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
 docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
 docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
- - name: Generate release manifests
+ - uses: sigstore/cosign-installer@main
+ - name: Sign images
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ run: |
+ cosign sign fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
+ cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
+ - name: Generate release artifacts
 if: startsWith(github.ref, 'refs/tags/v')
 run: |
 mkdir -p config/release
 kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
 kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
- - name: Create release
+ echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
+ - uses: anchore/sbom-action/download-syft@v0
+ - name: Create release and SBOM
 if: startsWith(github.ref, 'refs/tags/v')
- uses: ncipollo/release-action@v1
+ uses: goreleaser/goreleaser-action@v2
 with:
- prerelease: true
- artifacts: "config/release/*.yaml"
- artifactContentType: "text/plain"
- body: |
- [CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)
- token: ${{ secrets.GITHUB_TOKEN }}
+ version: latest
+ args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index a949ab300..c1135cc05 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,5 +1,4 @@
 name: Scan
-
 on:
 push:
 branches: [ main ]
@@ -8,6 +7,10 @@ on:
 schedule:
 - cron: '18 10 * * 3'
+permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for codeQL to write security events
+
 jobs:
 fossa:
 name: FOSSA
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 000000000..36c03edf5
--- /dev/null
+++ b/.goreleaser.yaml
@@ -0,0 +1,39 @@
+project_name: helm-controller
+
+builds:
+ - skip: true
+
+release:
+ prerelease: "true"
+ extra_files:
+ - glob: config/release/*.yaml
+
+checksum:
+ extra_files:
+ - glob: config/release/*.yaml
+
+source:
+ enabled: true
+ name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"
+
+sboms:
+ - id: source
+ artifacts: source
+ documents:
+ - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+# signs the checksum file
+# all files (including the sboms) are included in the checksum
+# https://goreleaser.com/customization/sign
+signs:
+ - cmd: cosign
+ env:
+ - COSIGN_EXPERIMENTAL=1
+ certificate: "${artifact}.pem"
+ args:
+ - sign-blob
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "${artifact}"
+ artifacts: checksum
+ output: true
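Review bot: `- uses: sigstore/cosign-installer@main` installs the tool that produces Flux's release signatures from an unpinned, mutable branch on every run, so whoever can push to that branch controls the signing binary; pin it to a full commit SHA with the version in a trailing comment (`sigstore/cosign-installer@<sha> # vX.Y.Z`), and do the same for `anchore/sbom-action/download-syft@v0` and `goreleaser/goreleaser-action@v2`, which float on major tags. The `cosign sign fluxcd/...:${{ steps.prep.outputs.VERSION }}` lines resolve the tag at signing time, so an image re-pushed under the same tag between the publish and sign steps would be what gets signed rather than what this workflow built; the `docker/build-push-action@v2` step earlier in the diff has no `id:`, so give it `id: build` and sign `ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build.outputs.digest }}` (and the docker.io image likewise) instead of the tag. `--skip-validate` also turns off goreleaser's dirty-tree and tag-matches-HEAD checks, presumably because config/release/ is generated and untracked at release time; a one-line comment stating that reason next to the `args:` line would stop a future maintainer from removing the flag or, worse, relying on checks that are not running.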
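Review bot: The header comment above `signs:` in .goreleaser.yaml says what is signed but not how a consumer checks it, and with keyless signing the emitted `.pem` certificate is part of the trust decision rather than a by-product; extend the comment with the verification recipe, e.g. `# verify with: COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt`, and note that the certificate identity should be this repository's release workflow before the checksums file is trusted to vouch for the manifests and SBOM. Separately, the only SBOM produced here is for the source archive (`artifacts: source`); the container images published by release.yml get a signature but no SBOM, so if image SBOMs are a goal they need their own syft run attached with `cosign attest`, which is worth a TODO in this file so the gap is not mistaken for coverage.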