Skip to content

⬆️ Bump sigstore/cosign-installer from 3.2.0 to 3.5.0 #693

⬆️ Bump sigstore/cosign-installer from 3.2.0 to 3.5.0

⬆️ Bump sigstore/cosign-installer from 3.2.0 to 3.5.0 #693

Workflow file for this run

name: Continuous integration
on:
push:
pull_request:
types: [ opened, reopened ]
workflow_dispatch:
jobs:
build:
name: Build
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Go
uses: actions/[email protected]
with:
go-version-file: go.mod
check-latest: true
- name: Get dependencies
run: make download
- name: Lint
run: |
result="$(make lint)"
echo "$result"
[ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0
- name: Build
run: make build
- name: Test
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
run: make test
- name: Coverage
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
run: make coverage-out
- name: Upload Code Coverage
uses: codecov/[email protected]
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.out
flags: unittests
name: codecov-umbrella
fail_ci_if_error: true
verbose: true
release:
name: release
needs: [build]
outputs:
container_digest: ${{ steps.container_info.outputs.container_digest }}
container_tags: ${{ steps.container_info.outputs.container_tags }}
runs-on: ubuntu-20.04
permissions:
contents: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/[email protected]
with:
go-version-file: go.mod
check-latest: true
- name: Install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.1'
- name: Install Syft
uses: anchore/sbom-action/[email protected]
- name: Login to ghcr.io
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set release variables
id: release-vars
run: |
make release-vars > /tmp/fatt-release-vars.env
source /tmp/fatt-release-vars.env
if [[ -n "$LDFLAGS" ]]; then
echo "LDFLAGS=$LDFLAGS" >>"${GITHUB_OUTPUT}"
fi
if [[ -n "$GIT_HASH" ]]; then
echo "GIT_HASH=$GIT_HASH" >>"${GITHUB_OUTPUT}"
fi
rm -f /tmp/fatt-release-vars.env
- name: Install signing key
run: echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
- name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
uses: goreleaser/goreleaser-action@v5
with:
version: latest
args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Get container info
id: container_info
if: startsWith(github.ref, 'refs/tags/')
run: |
export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
echo "container_digest=$CONTAINER_DIGEST" >>"${GITHUB_OUTPUT}"
echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >>"${GITHUB_OUTPUT}"
- name: Cleanup signing keys
if: ${{ always() }}
run: rm -f cosign.key
sbom:
name: sbom
needs: [release]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-20.04
env:
TAGS: "${{ needs.release.outputs.container_tags }}"
steps:
- name: Install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.1'
- name: Install Syft
uses: anchore/sbom-action/[email protected]
- name: Login to ghcr.io
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Attach SBOM
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
REPO: ghcr.io/philips-labs/fatt
run: |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
IFS=,
for t in ${TAGS}; do
cosign verify --key cosign.pub ${REPO}:${t}
syft ${REPO}:${t} -o spdx-json > sbom-spdx.json
cosign attach sbom --sbom sbom-spdx.json --type spdx ${REPO}:${t}
cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${REPO}:${t}
cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${REPO}:${t}
done
- name: Clean up signing keys
if: ${{ always() }}
run: |
rm -f cosign.key
provenance:
name: provenance
needs: [release]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-20.04
steps:
- name: Generate provenance for Release
uses: philips-labs/[email protected]
with:
command: generate
subcommand: github-release
arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.1'
- name: Sign provenance
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
cat "${SIGNATURE}"
curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
curl_args+=(-H "Accept: application/vnd.github.v3+json")
release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')"
echo "Upload ${SIGNATURE} to release with id ${release_id}…"
curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
curl "${curl_args[@]}" \
--data-binary @"${SIGNATURE}" \
"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
SIGNATURE: provenance.att.sig
container-provenance:
name: container-provenance
needs: [release]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-20.04
env:
REPO: ghcr.io/philips-labs/fatt
steps:
- name: Install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.1'
- name: Generate provenance for ${REPO}
uses: philips-labs/[email protected]
with:
command: generate
subcommand: container
arguments: --repository ${REPO} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Get slsa-provenance predicate
run: |
cat provenance.att | jq .predicate > provenance-predicate.att
- name: Login to ghcr.io
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Attach provenance to image
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${REPO}@${{ needs.release.outputs.container_digest }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Verify attestation
run: |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
cosign verify-attestation --key cosign.pub ${REPO}@${{ needs.release.outputs.container_digest }}
- name: Cleanup signing keys
if: ${{ always() }}
run: |
rm -f cosign.key