

updated config
Signed-off-by: Horiodino <holiodin@gmail.com>
Horiodino committed Oct 9, 2024
1 parent d680135 commit 4ca0eb3
Showing 8 changed files with 167 additions and 83 deletions.
13 changes: 4 additions & 9 deletions .github/workflows/go-base.yaml
Expand Up @@ -85,21 +85,13 @@ jobs:
tag: v0.1.0

hermetic_builds:
needs: [merge-dev, merge-runtime]
# needs: [merge-dev, merge-runtime]
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/go-base-dev:v0.1.0 AS base|g" go-server-example/Dockerfile
sed -i "s|FROM .* AS final|FROM holiodin01/go-base-runtime:v0.1.0 AS final|g" go-server-example/Dockerfile
cat go-server-example/Dockerfile

- name: Login to Docker Hub
uses: docker/login-action@v3
Expand All @@ -113,6 +105,8 @@ jobs:
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/go-base-dev:v0.1.0 \
--build-arg RUNTIME_IMAGE=holiodin01/go-base-runtime:v0.1.0 \
--no-cache \
--tag holiodin01/go-final:latest \
--network=none \
Expand Down Expand Up @@ -160,6 +154,7 @@ jobs:
fi
sign-the-image:
needs: hermetic_builds
runs-on: ubuntu-latest
permissions:
id-token: write
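Review bot: With `needs: [merge-dev, merge-runtime]` commented out, `hermetic_builds` no longer waits for the jobs that publish the base images and pulls `holiodin01/go-base-dev:v0.1.0` / `holiodin01/go-base-runtime:v0.1.0` by mutable tag from Docker Hub, so a stale, failed or externally overwritten tag is built on silently. Either restore the `needs:` edge or pass the images by digest, e.g. `--build-arg BASE_IMAGE=holiodin01/go-base-dev@sha256:<digest>` taken from the merge jobs' outputs, so the hermetic build is tied to what this pipeline actually produced. Swapping the `sed` rewrite of the Dockerfile for `BASE_IMAGE`/`RUNTIME_IMAGE` build-args is the right direction, but the `Checkout` step also appears to be dropped while the buildx context line is outside the visible hunk, so confirm the build still points at the intended source. Both the `hermetic_builds` and `sign-the-image` job definitions continue outside the hunks.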
69 changes: 47 additions & 22 deletions .github/workflows/python-base.yaml
Expand Up @@ -55,17 +55,13 @@ jobs:


hermetic_builds:
needs: merge
# needs: merge
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/python-base:v0.1.0 AS base|g" python/Dockerfile
cat python/Dockerfile

- name: Login to Docker Hub
uses: docker/login-action@v3
Expand All @@ -79,14 +75,15 @@ jobs:
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/python-base:v0.1.0 \
--no-cache \
--tag holiodin01/python-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
.
https://github.com/buildsafedev/examples.git\#multiarch-builds:python
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
Expand All @@ -101,24 +98,52 @@ jobs:
run: |
docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
else
echo "Not hermetic build"
else
echo "Not a hermetic build"
fi
# Check for vulnerabilities :)

# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: grype holiodin01/python-final:latest


# Sign and push the image
run: |
grype holiodin01/python-final:latest
output=$(grype holiodin01/python-final:latest)
if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
echo "Image Coinatins vulnerabilities"
exit 1
else
echo "No high vulnerabilities found"
fi
sign-the-image:
needs: hermetic_builds
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}


- name: Sign and push image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
cosign sign --yes holiodin01/python-final:latest
cosign verify \
--certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-base.yaml@refs/heads/multiarch-builds" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
holiodin01/python-final:latest
cosign sign --yes --key cosign.key holiodin01/python-final:latest
cosign verify --key cosign.pub holiodin01/python-final:latest
cosign triangulate holiodin01/python-final:latest
cosign triangulate holiodin01/python-final:latest
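Review bot: The buildx context now appears to be the remote ref `https://github.com/buildsafedev/examples.git#multiarch-builds:python` rather than the checked-out tree, so the image content is whatever that branch points at when the job runs, not the commit that triggered the workflow, and the provenance attestation will record that mutable ref as the source. Pin the context to the triggering commit, `https://github.com/buildsafedev/examples.git#${{ github.sha }}:python`, or keep the checkout and build from `.`. Separately, the "Is hermetic build" step only echoes on the non-hermetic branch and the job carries on to scan and sign the image; make it a gate with `echo "Not a hermetic build"; exit 1` in the `else` arm, and prefer `jq -e` on the parsed provenance over a substring match so a whitespace difference in the printed JSON cannot turn the check into a permanent false negative. The same applies to the python-pip and rust-base workflows in this commit.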
70 changes: 48 additions & 22 deletions .github/workflows/python-pip.yaml
Expand Up @@ -54,17 +54,13 @@ jobs:
tag: v0.1.0

hermetic_builds:
needs: merge
# needs: merge
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/python-pip-base:v0.1.0 AS base|g" python-pip/Dockerfile
cat python-pip/Dockerfile

- name: Login to Docker Hub
uses: docker/login-action@v3
Expand All @@ -78,17 +74,19 @@ jobs:
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/python-pip-base:v0.1.0 \
--no-cache \
--tag holiodin01/python-pip-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
.
https://github.com/buildsafedev/examples.git\#multiarch-builds:python-pip
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main

# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
Expand All @@ -97,26 +95,54 @@ jobs:

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
docker buildx imagetools inspect holiodin01/python-pip-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
else
echo "Not hermetic build"
else
echo "Not a hermetic build"
fi

# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: grype holiodin01/python-pip-final:latest


# Sign and push the image
run: |
grype holiodin01/python-pip-final:latest
output=$(grype holiodin01/python-pip-final:latest)
if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
echo "Image Coinatins vulnerabilities"
exit 1
else
echo "No high vulnerabilities found"
fi
sign-the-image:
needs: hermetic_builds
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}


- name: Sign and push image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
cosign sign --yes holiodin01/python-pip-final:latest
cosign verify \
--certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
holiodin01/python-pip-final:latest
cosign sign --yes --key cosign.key holiodin01/python-pip-final:latest
cosign verify --key cosign.pub holiodin01/python-pip-final:latest
cosign triangulate holiodin01/python-pip-final:latest
cosign triangulate holiodin01/python-pip-final:latest
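Review bot: The `Sign and push image` step writes the signing key to the workspace with `echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key` and interpolates the passphrase into the script with `export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}`; both expand the secrets into the shell source rather than the environment, and the step carries a keyless `cosign sign --yes` / `--certificate-identity` pair alongside the `--key cosign.key` one, so it is not clear which path is intended to survive. Settle on one: if keyless (the `id-token: write` permission suggests so), delete the key handling entirely; if key-based, move the secrets to the step's `env:` and reference them as `cosign sign --key env://COSIGN_PRIVATE_KEY` with `$COSIGN_PASSWORD`, so nothing is written to disk. Also sign and verify the digest rather than the mutable `holiodin01/python-pip-final:latest` tag, for example by adding `--metadata-file meta.json` to the build and reading `jq -r '."containerimage.digest"' meta.json`, otherwise the signature can attach to an image other than the one that was just scanned. `cosign triangulate` is also invoked twice; one call is enough.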
76 changes: 52 additions & 24 deletions .github/workflows/rust-base.yaml
Expand Up @@ -83,19 +83,12 @@ jobs:
tag: v0.1.0

hermetic_builds:
needs: [merge-dev, merge-runtime]
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name : Replace base image in Dockerfile
run: |
# This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also
sed -i "s|FROM .* AS base|FROM holiodin01/rust-base-dev:v0.1.0 AS base|g" rust/Dockerfile
sed -i "s|FROM .* AS final|FROM holiodin01/rust-base-runtime:v0.1.0 AS final|g" rust/Dockerfile
cat rust/Dockerfile

- name: Login to Docker Hub
uses: docker/login-action@v3
Expand All @@ -109,17 +102,20 @@ jobs:
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/rust-base-dev:v0.1.0 \
--build-arg RUNTIME_IMAGE=holiodin01/rust-base-runtime:v0.1.0 \
--no-cache \
--tag holiodin01/rust-final:latest \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=oci \
.
https://github.com/buildsafedev/examples.git\#multiarch-builds:rust
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main

# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
Expand All @@ -128,26 +124,58 @@ jobs:

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/go-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
docker buildx imagetools inspect holiodin01/rust-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
else
echo "Not hermetic build"
else
echo "Not a hermetic build"
fi
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: grype holiodin01/go-final:latest


# Sign and push the image
run: |
grype holiodin01/rust-final:latest
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: |
grype holiodin01/rust-final:latest
output=$(grype holiodin01/rust-final:latest)
if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
echo "Image Coinatins vulnerabilities"
exit 1
else
echo "No high vulnerabilities found"
fi
sign-the-image:
needs: hermetic_builds
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}


- name: Sign and push image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
cosign sign --yes holiodin01/rust-final:latest
cosign verify \
--certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/rust-base.yaml@refs/heads/multiarch-builds" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
holiodin01/rust-final:latest
cosign sign --yes --key cosign.key holiodin01/go-final:latest
cosign verify --key cosign.pub holiodin01/go-final:latest
cosign triangulate holiodin01/go-final:latest
cosign triangulate holiodin01/rust-final:latest
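Review bot: The vulnerability gate parses grype's table output with `grep -E 'Critical|High|Medium'`, which is brittle (any package name, path or note containing one of those words trips it, and a change in grype's output format silently disables the gate) and the scan is run twice. grype has this policy built in: replace the block with a single `grype holiodin01/rust-final:latest --fail-on medium`, which exits non-zero when a finding at or above that severity exists, and fix the `Coinatins` typo if a custom message is kept. The scan targets the `:latest` tag pulled back from the registry rather than the digest just pushed, so it can race with a concurrent push; feed the digest from the build's `--metadata-file` into both the scan and the later `cosign sign`. The `sign-the-image` job in this hunk still materialises `cosign.key` and exports `COSIGN_PASSWORD` inline while the `--key` signing lines appear to be removed in favour of keyless signing, so those three lines are dead secret handling and should go too.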
