diff --git a/.github/workflows/go-base.yaml b/.github/workflows/go-base.yaml index ecd7e72..877dff0 100644 --- a/.github/workflows/go-base.yaml +++ b/.github/workflows/go-base.yaml @@ -85,21 +85,13 @@ jobs: tag: v0.1.0 hermetic_builds: - needs: [merge-dev, merge-runtime] + # needs: [merge-dev, merge-runtime] runs-on: ubuntu-latest permissions: id-token: write steps: - name: Checkout uses: actions/checkout@v4 - - - name : Replace base image in Dockerfile - run: | - # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also - sed -i "s|FROM .* AS base|FROM holiodin01/go-base-dev:v0.1.0 AS base|g" go-server-example/Dockerfile - sed -i "s|FROM .* AS final|FROM holiodin01/go-base-runtime:v0.1.0 AS final|g" go-server-example/Dockerfile - - cat go-server-example/Dockerfile - name: Login to Docker Hub uses: docker/login-action@v3 @@ -113,6 +105,8 @@ jobs: docker buildx create --name mybuilder --use --driver docker-container docker buildx build \ + --build-arg BASE_IMAGE=holiodin01/go-base-dev:v0.1.0 \ + --build-arg RUNTIME_IMAGE=holiodin01/go-base-runtime:v0.1.0 \ --no-cache \ --tag holiodin01/go-final:latest \ --network=none \ @@ -160,6 +154,7 @@ jobs: fi sign-the-image: + needs: hermetic_builds runs-on: ubuntu-latest permissions: id-token: write diff --git a/.github/workflows/python-base.yaml b/.github/workflows/python-base.yaml index 8838b49..4a430a2 100644 --- a/.github/workflows/python-base.yaml +++ b/.github/workflows/python-base.yaml 
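Review bot: Commenting out `needs: [merge-dev, merge-runtime]` in `hermetic_builds` drops the ordering guarantee that the `v0.1.0` base tags this job consumes were produced by the same run, so the build now resolves whatever the registry already holds under those tags. If decoupling is intended, record it above the job, `# hermetic_builds deliberately consumes the already-published v0.1.0 tags, not this run's merge output`; otherwise restore the `needs:` line. Separately, a job-level `permissions:` block that lists only `id-token: write` sets every other scope to none, and the `actions/checkout@v4` step in this job presumably still wants `contents: read`, so add that scope explicitly rather than relying on the repository being public. The `hermetic_builds` job continues past the end of this hunk.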
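Review bot: The new `--build-arg BASE_IMAGE=holiodin01/go-base-dev:v0.1.0` and `--build-arg RUNTIME_IMAGE=holiodin01/go-base-runtime:v0.1.0` pin by tag, and Docker Hub tags are mutable, so `--network=none` only makes the RUN steps hermetic while the build's inputs can still change between runs without any change to this workflow. Pin both inputs by digest so the SLSA provenance identifies them unambiguously, e.g. `--build-arg BASE_IMAGE=holiodin01/go-base-dev:v0.1.0@sha256:<digest published by merge-dev>`, ideally taking the digest from the upstream job's output rather than hard-coding it. The `docker buildx build` command continues past the end of this hunk.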
@@ -55,17 +55,13 @@ jobs: hermetic_builds: - needs: merge + # needs: merge runs-on: ubuntu-latest + permissions: + id-token: write steps: - name: Checkout uses: actions/checkout@v4 - - - name : Replace base image in Dockerfile - run: | - # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also - sed -i "s|FROM .* AS base|FROM holiodin01/python-base:v0.1.0 AS base|g" python/Dockerfile - cat python/Dockerfile - name: Login to Docker Hub uses: docker/login-action@v3 @@ -79,6 +75,7 @@ jobs: docker buildx create --name mybuilder --use --driver docker-container docker buildx build \ + --build-arg BASE_IMAGE=holiodin01/python-base:v0.1.0 \ --no-cache \ --tag holiodin01/python-final:latest \ --network=none \ @@ -86,7 +83,7 @@ jobs: --platform=linux/amd64 \ --push \ --output type=oci \ - . + https://github.com/buildsafedev/examples.git\#multiarch-builds:python - name: Install Nix uses: DeterminateSystems/nix-installer-action@main 
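Review bot: The `permissions: id-token: write` added to `hermetic_builds` is no longer used by this job: the cosign step that previously ran here is deleted further down in this file and signing now lives in the separate `sign-the-image` job, which declares its own `id-token: write`. Handing an OIDC token to a job that only builds and pushes widens what a compromised step in that job could do with the workflow's Fulcio identity, so drop it here and keep just `contents: read` for the checkout. As in go-base.yaml, `# needs: merge` also removes the ordering with the job that publishes `python-base:v0.1.0`; a one-line comment stating that this is deliberate would stop the next reader from "fixing" it. The job continues past the end of this hunk.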
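Review bot: Replacing the build context `.` with `https://github.com/buildsafedev/examples.git#multiarch-builds:python` means BuildKit builds whatever the `multiarch-builds` branch head is at fetch time, not the commit that `actions/checkout@v4` placed in the workspace and that this run is attributed to, so the pushed image and its provenance no longer correspond to the triggering commit and the checkout step becomes dead weight. If a remote context is really wanted, pin it to the triggering commit, `https://github.com/buildsafedev/examples.git#${{ github.sha }}:python`, otherwise build from the checked-out tree. The `\#` escape is harmless in bash (a `#` inside a word is not a comment) but unnecessary and reads as if it were needed. The `docker buildx build` command starts before this hunk.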
@@ -101,24 +98,52 @@ jobs: run: | docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json cat slsa.json - if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then + if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then echo "Hermetic build" - else - echo "Not hermetic build" + else + echo "Not a hermetic build" fi - # Check for vulnerabilities :) + + + # Check for vulnerabilities :) - name: Check for vulnerabilities - run: grype holiodin01/python-final:latest - - - # Sign and push the image + run: | + grype holiodin01/python-final:latest + output=$(grype holiodin01/python-final:latest) + if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then + echo "Image Coinatins vulnerabilities" + exit 1 + else + echo "No high vulnerabilities found" + fi + + sign-the-image: + needs: hermetic_builds + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" run: | - export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} - echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key - echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub + cosign sign --yes holiodin01/python-final:latest + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-final:latest - cosign sign --yes --key cosign.key holiodin01/python-final:latest - cosign verify --key cosign.pub holiodin01/python-final:latest - cosign triangulate holiodin01/python-final:latest \ No newline at end of file + 
cosign triangulate holiodin01/python-final:latest \ No newline at end of file diff --git a/.github/workflows/python-pip.yaml b/.github/workflows/python-pip.yaml index 60217bf..fb2af4a 100644 --- a/.github/workflows/python-pip.yaml +++ b/.github/workflows/python-pip.yaml @@ -54,17 +54,13 @@ jobs: tag: v0.1.0 hermetic_builds: - needs: merge + # needs: merge runs-on: ubuntu-latest + permissions: + id-token: write steps: - name: Checkout uses: actions/checkout@v4 - - - name : Replace base image in Dockerfile - run: | - # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also - sed -i "s|FROM .* AS base|FROM holiodin01/python-pip-base:v0.1.0 AS base|g" python-pip/Dockerfile - cat python-pip/Dockerfile - name: Login to Docker Hub uses: docker/login-action@v3 @@ -78,6 +74,7 @@ jobs: docker buildx create --name mybuilder --use --driver docker-container docker buildx build \ + --build-arg BASE_IMAGE=holiodin01/python-pip-base:v0.1.0 \ --no-cache \ --tag holiodin01/python-pip-final:latest \ --network=none \ @@ -85,10 +82,11 @@ jobs: --platform=linux/amd64 \ --push \ --output type=oci \ - . + https://github.com/buildsafedev/examples.git\#multiarch-builds:python-pip - name: Install Nix uses: DeterminateSystems/nix-installer-action@main + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url - name: Setup Nix development environment uses: nicknovitski/nix-develop@v1 
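Review bot: Neither of the new checks in `hermetic_builds` actually fails the job: the `Is hermetic build` step only echoes `Not a hermetic build` and falls through, and the `Check for vulnerabilities` step runs grype twice and greps the table text for `Critical|High|Medium`, which is inconsistent with its own `No high vulnerabilities found` message and brittle against output formatting. Use grype's built-in threshold, run it once, and make the hermetic branch `exit 1`; the `grep -q "...#hermetic\": true"` also depends on the exact whitespace `docker buildx imagetools inspect` emits, so a `jq` query on the parsed document is sturdier (the key path below is my reading of BuildKit's provenance — confirm against the printed `slsa.json`). Minor: `COSIGN_EXPERIMENTAL: "true"` in `sign-the-image` is a cosign v1 switch and should not be needed with the pinned `v2.4.1`, where keyless is the default.

```yaml
- name: Is hermetic build
  run: |
    set -euo pipefail
    docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
    cat slsa.json
    # TODO(review): confirm the key path against the emitted slsa.json
    if jq -e '.metadata["https://mobyproject.org/buildkit@v1#hermetic"] == true' slsa.json > /dev/null; then
      echo "Hermetic build"
    else
      echo "Not a hermetic build"
      exit 1
    fi

- name: Check for vulnerabilities
  run: grype holiodin01/python-final:latest --fail-on medium
# … unchanged: sign-the-image job …
```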
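Review bot: The context switch to `https://github.com/buildsafedev/examples.git#multiarch-builds:python-pip` has the same consequence as in python-base.yaml: the image is built from the live branch head rather than the checked-out commit, so the artifact and its provenance can drift from the run that produced them; pin it with `#${{ github.sha }}:python-pip` or build from the workspace. The added comment above the Nix step, `# Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url`, documents a `with:` input that lies outside this hunk; a shorter form such as `# nix-develop: prefix the flake path with ./ or it is parsed as a URL` placed directly above that input would be clearer. The `docker buildx build` command starts before this hunk.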
@@ -97,26 +95,54 @@ jobs: - name: Is hermetic build run: | - docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json + docker buildx imagetools inspect holiodin01/python-pip-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json cat slsa.json - if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then + if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then echo "Hermetic build" - else - echo "Not hermetic build" + else + echo "Not a hermetic build" fi + + # Check for vulnerabilities :) - name: Check for vulnerabilities - run: grype holiodin01/python-pip-final:latest - - - # Sign and push the image + run: | + grype holiodin01/python-pip-final:latest + output=$(grype holiodin01/python-pip-final:latest) + if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then + echo "Image Coinatins vulnerabilities" + exit 1 + else + echo "No high vulnerabilities found" + fi + + sign-the-image: + needs: hermetic_builds + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" run: | - export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} - echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key - echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub + cosign sign --yes holiodin01/python-pip-final:latest + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/python-pip-final:latest - cosign sign --yes --key cosign.key holiodin01/python-pip-final:latest - cosign verify 
--key cosign.pub holiodin01/python-pip-final:latest - cosign triangulate holiodin01/python-pip-final:latest \ No newline at end of file + cosign triangulate holiodin01/python-pip-final:latest \ No newline at end of file diff --git a/.github/workflows/rust-base.yaml b/.github/workflows/rust-base.yaml index aa3df7d..00064ae 100644 --- a/.github/workflows/rust-base.yaml +++ b/.github/workflows/rust-base.yaml @@ -83,19 +83,12 @@ jobs: tag: v0.1.0 hermetic_builds: - needs: [merge-dev, merge-runtime] runs-on: ubuntu-latest + permissions: + id-token: write steps: - name: Checkout uses: actions/checkout@v4 - - - name : Replace base image in Dockerfile - run: | - # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also - sed -i "s|FROM .* AS base|FROM holiodin01/rust-base-dev:v0.1.0 AS base|g" rust/Dockerfile - sed -i "s|FROM .* AS final|FROM holiodin01/rust-base-runtime:v0.1.0 AS final|g" rust/Dockerfile - - cat rust/Dockerfile - name: Login to Docker Hub uses: docker/login-action@v3 @@ -109,6 +102,8 @@ jobs: docker buildx create --name mybuilder --use --driver docker-container docker buildx build \ + --build-arg BASE_IMAGE=holiodin01/rust-base-dev:v0.1.0 \ + --build-arg RUNTIME_IMAGE=holiodin01/rust-base-runtime:v0.1.0 \ --no-cache \ --tag holiodin01/rust-final:latest \ --network=none \ @@ -116,10 +111,11 @@ jobs: --platform=linux/amd64 \ --push \ --output type=oci \ - . + https://github.com/buildsafedev/examples.git\#multiarch-builds:rust - name: Install Nix uses: DeterminateSystems/nix-installer-action@main + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url - name: Setup Nix development environment uses: nicknovitski/nix-develop@v1 
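Review bot: `sign-the-image` signs and verifies `holiodin01/python-pip-final:latest` by tag, but the tag is mutable and this job runs on a fresh runner after `hermetic_builds` has finished, so the signature is attached to whatever digest `latest` resolves to at that moment rather than to the image that just passed the hermetic and grype checks (cosign itself warns when given a tag instead of a digest). Capture the digest in `hermetic_builds`, hand it over as a job output, and sign the digest reference; I have used `--metadata-file` for that, but confirm `containerimage.digest` is populated with the `--push`/`--output type=oci` combination this workflow uses. Keyless signing in the new step is a good move; `COSIGN_EXPERIMENTAL` is redundant with cosign v2 and can go.

```yaml
hermetic_builds:
  # … unchanged: runs-on, permissions, checkout, login …
  outputs:
    digest: ${{ steps.digest.outputs.digest }}
  steps:
    # … unchanged: buildx create, then add --metadata-file build-meta.json to the build command …
    - name: Resolve pushed digest
      id: digest
      run: echo "digest=$(jq -r '."containerimage.digest"' build-meta.json)" >> "$GITHUB_OUTPUT"
    # … unchanged: nix, hermetic check, grype …

sign-the-image:
  # … unchanged: needs, runs-on, permissions, cosign-installer, docker login …
    - name: Sign and push image
      run: |
        ref="holiodin01/python-pip-final@${{ needs.hermetic_builds.outputs.digest }}"
        cosign sign --yes "$ref"
        cosign verify \
          --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \
          --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
          "$ref"
```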
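Review bot: In rust-base.yaml the `needs: [merge-dev, merge-runtime]` line is deleted outright rather than commented as in the other workflows, so `hermetic_builds` can start before the jobs that publish `rust-base-dev:v0.1.0` and `rust-base-runtime:v0.1.0` have pushed, and the build silently consumes the previous content of those tags. Either restore the dependency or add `# intentionally not ordered after merge-dev/merge-runtime; consumes published v0.1.0 tags` so the behaviour is explicit. The `permissions: id-token: write` added here is not needed by this job any more (signing moved to `sign-the-image`); keep the scope on the job that calls cosign and give this one only `contents: read`. The job continues past the end of this hunk.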
@@ -128,26 +124,58 @@ jobs: - name: Is hermetic build run: | - docker buildx imagetools inspect holiodin01/go-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json + docker buildx imagetools inspect holiodin01/rust-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json cat slsa.json - if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then + if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then echo "Hermetic build" - else - echo "Not hermetic build" + else + echo "Not a hermetic build" fi # Check for vulnerabilities :) - name: Check for vulnerabilities - run: grype holiodin01/go-final:latest - - - # Sign and push the image + run: | + grype holiodin01/rust-final:latest + + # Check for vulnerabilities :) + - name: Check for vulnerabilities + run: | + grype holiodin01/rust-final:latest + + output=$(grype holiodin01/rust-final:latest) + if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then + echo "Image Coinatins vulnerabilities" + exit 1 + else + echo "No high vulnerabilities found" + fi + + sign-the-image: + needs: hermetic_builds + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.7.0 + with: + cosign-release: 'v2.4.1' + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Sign and push image + env: + COSIGN_EXPERIMENTAL: "true" run: | - export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} - echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key - echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub + cosign sign --yes holiodin01/rust-final:latest + cosign verify \ + --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/rust-base.yaml@refs/heads/multiarch-builds" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + holiodin01/rust-final:latest - cosign sign 
--yes --key cosign.key holiodin01/go-final:latest - cosign verify --key cosign.pub holiodin01/go-final:latest - cosign triangulate holiodin01/go-final:latest \ No newline at end of file + cosign triangulate holiodin01/rust-final:latest \ No newline at end of file diff --git a/go-server-example/Dockerfile b/go-server-example/Dockerfile index 12cb278..809fedc 100644 --- a/go-server-example/Dockerfile +++ b/go-server-example/Dockerfile @@ -1,7 +1,11 @@ # syntax=docker/dockerfile:1 +ARG BASE_IMAGE=holiodin01/go-base-dev:v0.1.0 +ARG RUNTIME_IMAGE=holiodin01/go-base-runtime:v0.1.0 + # Stage 1: Build the application -FROM holiodin01/go-base-dev:v0.1.0 AS build +FROM ${BASE_IMAGE} AS build +# FROM holiodin01/go-base-dev:v0.1.0 AS build WORKDIR /src @@ -13,7 +17,8 @@ RUN mkdir -p /tmp RUN CGO_ENABLED=0 GOOS=linux go build -mod=vendor -o /bin/server . # Stage 2: Create the final image -FROM holiodin01/go-base-runtime:v0.1.0 AS final +FROM ${RUNTIME_IMAGE} AS final +# FROM holiodin01/go-base-runtime:v0.1.0 AS final WORKDIR /app diff --git a/python-pip/Dockerfile b/python-pip/Dockerfile index dae2aa5..067b25e 100644 --- a/python-pip/Dockerfile +++ b/python-pip/Dockerfile @@ -1,4 +1,5 @@ -FROM holiodin01/python-pip-base:v0.1.0 AS base +ARG BASE_IMAGE=holiodin01/python-pip-base:v0.1.0 +FROM ${BASE_IMAGE} AS build # Prevents Python from writing pyc files. ENV PYTHONDONTWRITEBYTECODE=1 diff --git a/python/Dockerfile b/python/Dockerfile index 8c48feb..8e4cc8f 100644 --- a/python/Dockerfile +++ b/python/Dockerfile @@ -1,4 +1,5 @@ -FROM holiodin01/python-base:v0.1.0 as base +ARG BASE_IMAGE=holiodin01/python-base:v0.1.0 +FROM ${BASE_IMAGE} as build # Prevents Python from writing pyc files. ENV PYTHONDONTWRITEBYTECODE=1 diff --git a/rust/Dockerfile b/rust/Dockerfile index 57557d5..710f56b 100644 --- a/rust/Dockerfile +++ b/rust/Dockerfile 
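Review bot: The rust-base.yaml hunk ends up with two consecutive steps named `Check for vulnerabilities`: the first only runs `grype holiodin01/rust-final:latest` and cannot fail the job, the second runs grype twice more and greps the text for `Critical|High|Medium`. Delete the first step and collapse the second to a single `run: grype holiodin01/rust-final:latest --fail-on medium`, which is both the intended gate and consistent with the `No high vulnerabilities found` wording once that message is fixed. The `Is hermetic build` step also still only prints `Not a hermetic build` without `exit 1`, so a non-hermetic image proceeds to signing. The message typo `Image Coinatins vulnerabilities` is repeated from the other workflows.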
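Review bot: `ARG BASE_IMAGE=holiodin01/go-base-dev:v0.1.0` and `ARG RUNTIME_IMAGE=holiodin01/go-base-runtime:v0.1.0` default to mutable tags, so a `docker build` without `--build-arg` is no longer pinned to a specific image even though the workflow calling it advertises a hermetic build; pin the defaults by digest (`holiodin01/go-base-dev:v0.1.0@sha256:<digest>`) and document the override point, e.g. `# Overridable via --build-arg; CI passes the digest-pinned image`. The commented-out `# FROM holiodin01/go-base-dev:v0.1.0 AS build` and `# FROM holiodin01/go-base-runtime:v0.1.0 AS final` lines duplicate the defaults already declared in the ARGs and will drift; remove them.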
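Review bot: In python-pip/Dockerfile the first stage is renamed from `base` to `build` (`FROM ${BASE_IMAGE} AS build`) while only the first five lines are in the hunk, so any later `COPY --from=base` or `FROM base` in this file would now fail to resolve; please confirm there are none, or keep the old name. As with the other Dockerfiles, the `ARG BASE_IMAGE=holiodin01/python-pip-base:v0.1.0` default is a mutable tag and should carry a digest for the build to be reproducible.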
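Review bot: python/Dockerfile writes `FROM ${BASE_IMAGE} as build` with a lowercase `as`, while every other Dockerfile in this change uses `AS`; use `FROM ${BASE_IMAGE} AS build` for consistency (Dockerfile linters flag the mixed case). The stage rename from `base` to `build` has the same risk as in python-pip/Dockerfile — a `--from=base` reference later in the file, outside this hunk, would break — and the `ARG BASE_IMAGE=holiodin01/python-base:v0.1.0` default should be digest-pinned rather than a floating tag.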
@@ -7,10 +7,13 @@ # Want to help us make this template better? Share your feedback here: https://forms.gle/ybq9Krt8jtBL3iCk7 ARG APP_NAME=rust-todo +ARG BASE_IMAGE=holiodin01/rust-base-dev:v0.1.0 +ARG RUNTIME_IMAGE=holiodin01/rust-base-runtime:v0.1.0 ############################# # Create a stage for building the application. -FROM holiodin01/rust-base-dev:v0.1.0 AS build +FROM ${BASE_IMAGE} AS build +# FROM holiodin01/rust-base-dev:v0.1.0 AS build RUN mkdir -p /tmp ARG APP_NAME WORKDIR /app @@ -28,7 +31,7 @@ cp ./target/release/$APP_NAME /bin/todo # image from the build stage where the necessary files are copied from the build # stage. -FROM holiodin01/rust-base-runtime:v0.1.0 AS final +FROM ${RUNTIME_IMAGE} AS final # Copy the executable from the "build" stage. COPY --from=build /bin/todo /bin/
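Review bot: `ARG BASE_IMAGE=holiodin01/rust-base-dev:v0.1.0` and `ARG RUNTIME_IMAGE=holiodin01/rust-base-runtime:v0.1.0` introduce tag-pinned defaults for both stages; since the whole point of the surrounding change is a hermetic, attestable build, pin them by digest (`holiodin01/rust-base-dev:v0.1.0@sha256:<digest>`) so a local `docker build` resolves the same inputs as CI. The leftover `# FROM holiodin01/rust-base-dev:v0.1.0 AS build` comment restates the ARG default and will go stale; drop it, or replace it with `# Base images are overridable via --build-arg; CI passes digest-pinned values`. Note the pre-FROM `ARG APP_NAME` is still redeclared inside the build stage as required, which is correct.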