From 2993b616029d10d94b06d5ec8cf533081952dbdc Mon Sep 17 00:00:00 2001
From: dsm0014
Date: Fri, 12 Jul 2024 19:41:54 -0400
Subject: [PATCH 1/3] secure build pipeline

---
 .github/workflows/go-build.yml | 61 +++++++++++++++++++++++++++++++++-
 1 file changed, 60 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/go-build.yml b/.github/workflows/go-build.yml
index 85ef2fc..ea64aec 100644
--- a/.github/workflows/go-build.yml
+++ b/.github/workflows/go-build.yml
@@ -78,4 +78,63 @@ jobs:
 - name: Upload scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: 'trivy-results.sarif'
\ No newline at end of file
+ sarif_file: 'trivy-results.sarif'
+
+ Release:
+ needs: Sacn
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up QEMU # Virtualization tool
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build and push snapshot
+ if: startsWith(github.ref, 'refs/tags/v') != true
+ uses: docker/build-push-action@v4
+ with:
+ push: true
+ tags: rafttech/konfirm:${{ github.sha }}
+
+ - name: set RELEASE_VERSION
+ if: startsWith(github.ref, 'refs/tags/v')
+ run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+ - name: Build and push release
+ if: startsWith(github.ref, 'refs/tags/v')
+ uses: docker/build-push-action@v4
+ with:
+ push: true
+ tags: rafttech/konfirm:${{ env.RELEASE_VERSION }}
+
+ - name: Generate Snapshot SPDX JSON format SBOM
+ if: startsWith(github.ref, 'refs/tags/v')
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'image'
+ format: 'spdx-json'
+ output: konfirm.sbom.json
+ image-ref: rafttech/konfirm:${{ github.sha }}
+
+ - name: Generate Release SPDX JSON format SBOM
+ if: startsWith(github.ref, 'refs/tags/v')
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'image'
+ format: 'spdx-json'
+ output: konfirm.sbom.json
+ image-ref: rafttech/konfirm:${{ env.RELEASE_VERSION }}
+
+ - name: Upload SBOM to pipeline
+ uses: actions/upload-artifact@v3
+ with:
+ name: konfirm.sbom.json
+ path: konfirm.sbom.json
\ No newline at end of file
From efddbb77515e2b07d8791dce524da8f3ac92443c Mon Sep 17 00:00:00 2001
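Review bot: The "Generate Snapshot SPDX JSON format SBOM" step is gated on `if: startsWith(github.ref, 'refs/tags/v')`, the same condition as the release steps, so it never runs for snapshot builds, and on tag builds it tries to scan `rafttech/konfirm:${{ github.sha }}`, an image the "Build and push snapshot" step skipped in that same run; the guard should mirror the snapshot push, `if: startsWith(github.ref, 'refs/tags/v') != true`. Both SBOM steps also write the same `output: konfirm.sbom.json`, so the artifact uploaded by the last step is whichever one ran last. From a supply-chain standpoint, `aquasecurity/trivy-action@master` is a mutable branch reference executing in a job that holds `DOCKERHUB_TOKEN`; pin it (and ideally `actions/checkout@v3`, `actions/upload-artifact@v3` and the docker actions) to a release tag or, better, a full commit SHA with the version in a trailing comment. The SBOM only lands as a workflow artifact and the pushed image carries no provenance or signature, so a consumer cannot tie the SBOM to the image; `provenance: true` / `sbom: true` on `docker/build-push-action`, or attaching it with cosign, would close that gap. If the workflow does not already set a top-level `permissions:` block (outside this hunk), the `Release` job should declare `permissions: contents: read` so the `GITHUB_TOKEN` runs with least privilege.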
From: dsm0014
Date: Fri, 12 Jul 2024 20:09:54 -0400
Subject: [PATCH 2/3] rename

---
 .github/workflows/go-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/go-build.yml b/.github/workflows/go-build.yml
index ea64aec..035fb62 100644
--- a/.github/workflows/go-build.yml
+++ b/.github/workflows/go-build.yml
@@ -115,7 +115,7 @@ jobs:
 push: true
 tags: rafttech/konfirm:${{ env.RELEASE_VERSION }}
 
- - name: Generate Snapshot SPDX JSON format SBOM
+ - name: Generate Snapshot SBOM
 if: startsWith(github.ref, 'refs/tags/v')
 uses: aquasecurity/trivy-action@master
 with:
@@ -124,7 +124,7 @@ jobs:
 output: konfirm.sbom.json
 image-ref: rafttech/konfirm:${{ github.sha }}
 
- - name: Generate Release SPDX JSON format SBOM
+ - name: Generate Release SBOM
 if: startsWith(github.ref, 'refs/tags/v')
 uses: aquasecurity/trivy-action@master
 with:
From 501c5922d20c48fd0952f5864639452bf717807e Mon Sep 17 00:00:00 2001
From: dsm0014
Date: Fri, 12 Jul 2024 20:25:43 -0400
Subject: [PATCH 3/3] typo

---
 .github/workflows/go-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/go-build.yml b/.github/workflows/go-build.yml
index 035fb62..e87102d 100644
--- a/.github/workflows/go-build.yml
+++ b/.github/workflows/go-build.yml
@@ -81,7 +81,7 @@ jobs:
 sarif_file: 'trivy-results.sarif'
 
 Release:
- needs: Sacn
+ needs: Scan
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3