secure build pipeline #184
base: develop
@@ -78,4 +78,63 @@ jobs: | |
- name: Upload scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: 'trivy-results.sarif' | ||
sarif_file: 'trivy-results.sarif' | ||
|
||
Release: | ||
needs: Scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Set up QEMU # Virtualization tool | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Login to Docker Hub | ||
uses: docker/login-action@v3 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
||
- name: Build and push snapshot | ||
if: startsWith(github.ref, 'refs/tags/v') != true | ||
uses: docker/build-push-action@v4 | ||
with: | ||
push: true | ||
tags: rafttech/konfirm:${{ github.sha }} | ||
|
||
- name: set RELEASE_VERSION | ||
if: startsWith(github.ref, 'refs/tags/v') | ||
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV | ||
- name: Build and push release | ||
if: startsWith(github.ref, 'refs/tags/v') | ||
uses: docker/build-push-action@v4 | ||
with: | ||
push: true | ||
tags: rafttech/konfirm:${{ env.RELEASE_VERSION }} | ||
|
||
Same comment as above regarding snapshots.
||
- name: Generate Snapshot SBOM | ||
if: startsWith(github.ref, 'refs/tags/v') | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
scan-type: 'image' | ||
format: 'spdx-json' | ||
output: konfirm.sbom.json | ||
image-ref: rafttech/konfirm:${{ github.sha }} | ||
|
||
SBOMs are also available via GitHub, which uses go.mod/go.sum. That wouldn't include the base image, but I wonder if that wouldn't be more accurate for Go dependencies. Can the two be merged in some way, or can Trivy include the image scan and go.mod/sum?
||
- name: Generate Release SBOM | ||
if: startsWith(github.ref, 'refs/tags/v') | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
scan-type: 'image' | ||
format: 'spdx-json' | ||
output: konfirm.sbom.json | ||
image-ref: rafttech/konfirm:${{ env.RELEASE_VERSION }} | ||
|
||
Should we upload the generated SBOM to Docker Hub? If so, can we add an attestation/signature?
||
- name: Upload SBOM to pipeline | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: konfirm.sbom.json | ||
path: konfirm.sbom.json |
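Review bot: the `Generate Snapshot SBOM` step is gated on `if: startsWith(github.ref, 'refs/tags/v')`, the opposite of the `!= true` condition on `Build and push snapshot`, so it never runs for a snapshot build and, on a tag build, scans `rafttech/konfirm:${{ github.sha }}`, an image this run did not push; invert the condition to match the snapshot build step. Both SBOM steps also write to the same `output: konfirm.sbom.json`, so if the conditions are ever both true the release SBOM silently overwrites the snapshot one; give them distinct output names. Finally, `aquasecurity/trivy-action@master` is a mutable ref in a job that is otherwise pinned to release tags; pin it to a tag or commit SHA so the tool that produces the release SBOM cannot change underneath the release.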
What is the use case for publishing snapshots? For dev/testing, I'd expect devs to build locally. I'm definitely open to the idea, but I'd like to document the use case.