From d1432cde2dac80b3817fb241803a01b94354a553 Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 12:02:25 +0100 Subject: [PATCH 1/9] Pipeline changes - Remove spaces from artefacts - Adds attestation for tar.gz --- .github/workflows/release.yml | 9 +++++++-- package.json | 6 +++--- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d0474d40..7f302f8b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -142,6 +142,11 @@ jobs: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + - name: Attest Build Provenance for TGZ + uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: "dist/AxonOps.Workbench-${GITHUB_REF_NAME}-linux-x64.tar.gz" + - name: Azure login if: runner.os == 'Windows' uses: azure/login@v2 
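Review bot: `subject-path: "dist/AxonOps.Workbench-${GITHUB_REF_NAME}-linux-x64.tar.gz"` is an action input, not a shell command, so `${GITHUB_REF_NAME}` is passed to the action literally and the subject file will not be found; only `${{ }}` expressions are evaluated inside `with:`. The equivalent is `subject-path: "dist/AxonOps.Workbench-${{ github.ref_name }}-linux-x64.tar.gz"`, which keeps the attested subject an exact filename rather than a glob, and the same applies to anything exported via `$GITHUB_ENV` (reference it as `${{ env.NAME }}`). The step also sits inside the matrix job with no `if: runner.os == 'Linux'` guard like the neighbouring Azure step, so on the other runners it is invoked with no matching subject.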
@@ -163,8 +168,8 @@ jobs: - name: Build signed installer if: runner.os == 'Windows' run: | - azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps Workbench-%GITHUB_REF_NAME%-win-x64.exe" - azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps Workbench-%GITHUB_REF_NAME%-win-x64.msi" + azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps.Workbench-%GITHUB_REF_NAME%-win-x64.exe" + azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps.Workbench-%GITHUB_REF_NAME%-win-x64.msi" shell: cmd # Ensure this task is right before the Upload diff --git a/package.json b/package.json index ac35373c..12d9e823 100755 --- a/package.json +++ b/package.json @@ -30,14 +30,14 @@ "provider": "github" } ], - "artifactName": "${productName}-${version}-${os}-${arch}.${ext}", + "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}", "win": { "icon": "./renderer/assets/images/axonops-icon-256x256.ico", "target": [ "nsis", "msi" ], - "artifactName": "${productName}-${version}-${os}-${arch}.${ext}" + "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}" }, "linux": { "icon": "./renderer/assets/images/", 
@@ -49,7 +49,7 @@ "Keywords": "cassandra;axonops;development;workbench", "Icon": "/usr/share/icons/hicolor/256x256/apps/axonops-workbench.png" }, - "artifactName": "${productName}-${version}-${os}-${arch}.${ext}" + "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}" }, "mac": { "icon": "./renderer/assets/images/axonops-icon-512x512.icns", From 16308058875ed997a42330e957887066346b150b Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 12:07:25 +0100 Subject: [PATCH 2/9] Attestation permissions --- .github/workflows/release.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7f302f8b..a599077b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,11 @@ defaults: run: shell: bash +permissions: + id-token: write + attestations: write + contents: read + jobs: build: name: Build on ${{ matrix.target }} From f7025d61e8c3f6561657b88c79dd3f3874721e46 Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 12:34:59 +0100 Subject: [PATCH 3/9] Attestation fixes file not found --- .github/workflows/release.yml | 3 ++- .github/workflows/trivy.yml | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a599077b..4c78284c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -108,6 +108,7 @@ jobs: export CSC_IDENTITY_AUTO_DISCOVERY=false if [ "$(uname -s )" == "Linux" ]; then npm run linux + echo "LINUX_TGZ_PATH=dist/AxonOps.Workbench-${GITHUB_REF_NAME}-linux-x64.tar.gz" >> $GITHUB_ENV fi if [[ "$(uname -s)" =~ "MINGW64" ]]; then unset CSC_KEY_PASSWORD 
@@ -150,7 +151,7 @@ jobs: - name: Attest Build Provenance for TGZ uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 with: - subject-path: "dist/AxonOps.Workbench-${GITHUB_REF_NAME}-linux-x64.tar.gz" + subject-path: "${LINUX_TGZ_PATH}" - name: Azure login if: runner.os == 'Windows' diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 00000000..6c7abdfc --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,33 @@ +name: build +on: + push: + branches: + - main + pull_request: +jobs: + build: + name: Run Trivy + runs-on: ubuntu-22.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Merge both requirements.txt + run: | + cat v6.*/requirements.txt > requirements-dev.txt + sort -u -o requirements.txt requirements-dev.txt + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: "MEDIUM,HIGH,CRITICAL" + #scanners: "vuln" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' From fb0e79f7044898bb4b1800fc6e31ffff0e609c27 Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 12:41:00 +0100 Subject: [PATCH 4/9] Remove requirements --- .github/workflows/trivy.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 6c7abdfc..986c5b93 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
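Review bot: The `upload-sarif` step needs `security-events: write` (plus `contents: read` for checkout), but the new workflow declares no `permissions:` block, so it only works while the repository's default token permissions are permissive and it will fail on pull requests from forks; add `permissions:` with `contents: read` and `security-events: write` at the top of the file. Pinning is inconsistent within the same workflow: `aquasecurity/trivy-action` is pinned to a commit SHA with a version comment, while `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` float on mutable tags (and both appear to be superseded majors) — pin them the same way. `ignore-unfixed: true` silently hides findings that have no upstream fix, which is a reasonable noise trade-off but deserves a comment so nobody reads the empty Security tab as "clean", e.g. `# ignore-unfixed: findings with no available fix are deliberately hidden`.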
@@ -12,11 +12,6 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Merge both requirements.txt - run: | - cat v6.*/requirements.txt > requirements-dev.txt - sort -u -o requirements.txt requirements-dev.txt - - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 with: From 64db60342d31d0a363d7a8cd3a305832bf3f0975 Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 13:54:35 +0100 Subject: [PATCH 5/9] Remove requirements --- .github/workflows/release.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4c78284c..dc56fc10 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -108,7 +108,6 @@ jobs: export CSC_IDENTITY_AUTO_DISCOVERY=false if [ "$(uname -s )" == "Linux" ]; then npm run linux - echo "LINUX_TGZ_PATH=dist/AxonOps.Workbench-${GITHUB_REF_NAME}-linux-x64.tar.gz" >> $GITHUB_ENV fi if [[ "$(uname -s)" =~ "MINGW64" ]]; then unset CSC_KEY_PASSWORD @@ -148,10 +147,10 @@ jobs: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - - name: Attest Build Provenance for TGZ - uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 - with: - subject-path: "${LINUX_TGZ_PATH}" + # - name: Attest Build Provenance for TGZ + # uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + # with: + # subject-path: "${LINUX_TGZ_PATH}" - name: Azure login if: runner.os == 'Windows' From b8bdf6597ec604c6e9771c1645ca1cc4c1154d9e Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 14:01:23 +0100 Subject: [PATCH 6/9] use glob pattern --- .github/workflows/release.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dc56fc10..08a29312 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -147,10 +147,10 @@ jobs: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - # - name: Attest Build Provenance for TGZ - # uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 - # with: - # subject-path: "${LINUX_TGZ_PATH}" + - name: Attest Build Provenance for TGZ + uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: "dist/*.tar.gz" - name: Azure login if: runner.os == 'Windows' From 6b6d3751e0270aa0024611137081d99021b49509 Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 14:14:43 +0100 Subject: [PATCH 7/9] Packages permission --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 08a29312..46fca49d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,8 @@ defaults: permissions: id-token: write attestations: write - contents: read + contents: write + packages: write jobs: build: From 367f7ba5920817638d2fc6b66081c0837cc54342 Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 15:18:00 +0100 Subject: [PATCH 8/9] Attestations are last --- .github/workflows/release.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 46fca49d..2ba0a18c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -148,11 +148,6 @@ jobs: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - - name: Attest Build Provenance for TGZ - uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 - with: - subject-path: "dist/*.tar.gz" - - name: Azure login if: runner.os == 'Windows' uses: azure/login@v2 
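Review bot: `packages: write` has no visible consumer in this diff — the release path uploads to GitHub Releases and the attestation action only needs `id-token: write` and `attestations: write` — so either a comment should name the step that publishes a package or the grant should be dropped. Raising `contents: read` to `contents: write` at workflow level is presumably for the release upload (the step in the earlier hunk that sets `GITHUB_TOKEN`), but because it is declared at the top of the file it is handed to every job, not just `build`; a comment such as `# contents: write is required by the release-upload step in build` would at least record why it is there.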
@@ -228,6 +223,20 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Attest Build Provenance for TGZ + uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: | + dist/*.zip + dist/*.pkg + dist/*.dmg + dist/*.deb + dist/*.rpm + dist/*.exe + dist/*.tar.gz + dist/*.nsis + dist/*.msi + # Release choco and brew release-brew: From a82707110dbf527c6587f1b59779c1d7c2abb521 Mon Sep 17 00:00:00 2001 From: Sergio Rua Date: Mon, 23 Sep 2024 15:46:39 +0100 Subject: [PATCH 9/9] Permissions --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ba0a18c..c817b251 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,8 @@ permissions: attestations: write contents: write packages: write + pull-requests: read + deployments: read jobs: build:
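Review bot: The attestation step now runs after the step carrying `GITHUB_TOKEN`, which from the earlier hunk's comment appears to be the release upload, so if the attest action fails the artifacts have already been published without provenance and the job only fails afterwards; placing it after signing but before the upload makes a missing attestation block the release. `dist/*.nsis` is unlikely to match anything, since the `nsis` target in package.json emits an `.exe` that `dist/*.exe` already covers — drop it, or add a comment if such a file really is produced. There is also no `if:` guard, so each matrix runner attests whatever it finds in its own `dist/`; that is fine provided every OS yields at least one match, and a one-line comment such as `# runs on every matrix OS; each runner attests only the artifacts it built` would make the intent explicit.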
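Review bot: `pull-requests: read` and `deployments: read` are added at workflow level with no consumer visible in the diff; if a release job needs them, a comment naming that step keeps the grant reviewable, otherwise they should go. More broadly, the workflow-level block now gives every job in the file `contents: write`, `packages: write` and `id-token: write`, while only the `build` job signs, uploads and attests; keep the workflow-level `permissions:` at `contents: read` and declare the write scopes and `id-token: write` in a job-level `permissions:` under `build:`, so that a compromised step in an unrelated job cannot mint OIDC tokens or attestations or push to the repository.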