update config
Signed-off-by: Horiodino <holiodin@gmail.com>
Horiodino committed Oct 11, 2024
1 parent 4ca0eb3 commit 93f0193
Showing 26 changed files with 464 additions and 359 deletions.
46 changes: 20 additions & 26 deletions .github/workflows/go-base.yaml
@@ -1,4 +1,6 @@
name: go-base
env :
image_tag: v1

on:
push:
Expand All @@ -16,7 +18,7 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-dev
ociBlock: go-dev
tag: v0.1.0
tag: ${{ env.image_tag }}

prepare-go-runtime:
runs-on: ubuntu-latest
Expand All @@ -30,7 +32,7 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-runtime
ociBlock: go-runtime
tag: v0.1.0
tag: ${{ env.image_tag }}

# Build the oci images for dev and runtime
build:
Expand Down Expand Up @@ -67,7 +69,7 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-dev
ociBlock: go-dev
tag: v0.1.0
tag: ${{ env.image_tag }}
merge-runtime:
needs: build
runs-on: ubuntu-latest
Expand All @@ -82,10 +84,10 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/go-base-runtime
ociBlock: go-runtime
tag: v0.1.0
tag: ${{ env.image_tag }}

hermetic_builds:
# needs: [merge-dev, merge-runtime]
needs: [merge-dev, merge-runtime]
runs-on: ubuntu-latest
permissions:
id-token: write
Expand All @@ -102,13 +104,18 @@ jobs:
working-directory: go-server-example
run: |
# Use command substitution to assign the digests
base_img_digest=$(docker manifest inspect holiodin01/go-base-dev:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
runtime_img_digest=$(docker manifest inspect holiodin01/go-base-runtime:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/go-base-dev:v0.1.0 \
--build-arg RUNTIME_IMAGE=holiodin01/go-base-runtime:v0.1.0 \
--build-arg BASE_IMAGE=holiodin01/go-base-dev@${base_img_digest} \
--build-arg RUNTIME_IMAGE=holiodin01/go-base-runtime@${runtime_img_digest} \
--no-cache \
--tag holiodin01/go-final:latest \
--tag holiodin01/go-final:${{ env.image_tag }} \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
Expand All @@ -127,7 +134,7 @@ jobs:

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/go-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
docker buildx imagetools inspect holiodin01/go-final:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
Expand All @@ -137,21 +144,8 @@ jobs:
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: |
grype holiodin01/go-final:latest
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: |
grype holiodin01/go-final:latest
run: grype holiodin01/go-final:${{ env.image_tag }} --only-fixed --fail-on high

output=$(grype holiodin01/go-final:latest)
if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
echo "Image Coinatins vulnerabilities"
exit 1
else
echo "No high vulnerabilities found"
fi

sign-the-image:
needs: hermetic_builds
Expand All @@ -175,10 +169,10 @@ jobs:
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --yes holiodin01/go-final:latest
cosign sign --yes holiodin01/go-final:${{ env.image_tag }}
cosign verify \
--certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
holiodin01/go-final:latest
holiodin01/go-final:${{ env.image_tag }}
cosign triangulate holiodin01/go-final:latest
cosign triangulate holiodin01/go-final:${{ env.image_tag }}
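Review bot: The digest pins at L68–L69 are resolved from the mutable `${{ env.image_tag }}` tag inside the hermetic_builds job, so they record whatever `holiodin01/go-base-dev:v1` and `go-base-runtime:v1` point to at that instant rather than what merge-dev/merge-runtime actually pushed; since `v1` is rewritten on every push of this workflow, a concurrent run (or anyone with push rights to those Docker Hub repos) can move the tag between the jobs and the build will pin and consume that image without complaint. Have the merge jobs export the pushed digest as a job output and read it via `needs.merge-dev.outputs.digest` here instead of re-inspecting the registry (whether the merge jobs already expose such an output is outside this hunk). Separately, when `docker manifest inspect` fails or no entry has `architecture == "amd64"`, the `| jq` pipeline still exits 0 under the step's default `bash -e` shell (no pipefail), leaving the variable empty and handing the build `BASE_IMAGE=holiodin01/go-base-dev@`; add `[ -n "$base_img_digest" ] && [ -n "$runtime_img_digest" ] || { echo "could not resolve amd64 digests" >&2; exit 1; }` before `docker buildx create`.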
31 changes: 14 additions & 17 deletions .github/workflows/python-base.yaml
@@ -1,4 +1,6 @@
name: python-base
env :
image_tag: v1

on:
push:
Expand All @@ -16,7 +18,7 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-base
ociBlock: python-dev
tag: v0.1.0
tag: ${{ env.image_tag }}

build:
needs: prepare
Expand Down Expand Up @@ -51,11 +53,11 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-base
ociBlock: python-dev
tag: v0.1.0
tag: ${{ env.image_tag }}


hermetic_builds:
# needs: merge
needs: merge
runs-on: ubuntu-latest
permissions:
id-token: write
Expand All @@ -72,12 +74,14 @@ jobs:
working-directory: python
run: |
base_img_digest=$(docker manifest inspect holiodin01/python-base:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/python-base:v0.1.0 \
--build-arg BASE_IMAGE=holiodin01/python-base@${base_img_digest} \
--no-cache \
--tag holiodin01/python-final:latest \
--tag holiodin01/python-final:${{ env.image_tag }} \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
Expand All @@ -96,7 +100,7 @@ jobs:

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
docker buildx imagetools inspect holiodin01/python-final:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
Expand All @@ -109,14 +113,7 @@ jobs:
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: |
grype holiodin01/python-final:latest
output=$(grype holiodin01/python-final:latest)
if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
echo "Image Coinatins vulnerabilities"
exit 1
else
echo "No high vulnerabilities found"
fi
grype holiodin01/python-final:${{ env.image_tag }} --only-fixed --fail-on high
sign-the-image:
needs: hermetic_builds
Expand All @@ -140,10 +137,10 @@ jobs:
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --yes holiodin01/python-final:latest
cosign sign --yes holiodin01/python-final:${{ env.image_tag }}
cosign verify \
--certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-base.yaml@refs/heads/multiarch-builds" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
holiodin01/python-final:latest
holiodin01/python-final:${{ env.image_tag }}
cosign triangulate holiodin01/python-final:latest
cosign triangulate holiodin01/python-final:${{ env.image_tag }}
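Review bot: `cosign sign` at L200 and `cosign verify` at L205 run in the sign-the-image job against the mutable tag `holiodin01/python-final:${{ env.image_tag }}`, so the digest that actually gets signed is whatever the registry returns for `v1` at sign time, not necessarily the image hermetic_builds produced, and the verify step then checks that same freshly re-resolved reference, which proves nothing about the earlier build. Record the pushed digest in the build step (for example `--metadata-file build-meta.json` on the `docker buildx build`, then `jq -r '."containerimage.digest"' build-meta.json` exported as a job output) and sign, verify and triangulate `holiodin01/python-final@${digest}`; the `--push` flag and the tail of the build command are collapsed out of this section, so the exact insertion point is not visible here. Minor style point at the top of the file: `env :` (space before the colon) parses, but the idiomatic spelling is `env:`.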
32 changes: 14 additions & 18 deletions .github/workflows/python-pip.yaml
@@ -1,4 +1,6 @@
name: python-pip-base
env :
image_tag: v1

on:
push:
Expand All @@ -16,7 +18,7 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-pip-base
ociBlock: python-dev
tag: v0.1.0
tag: ${{ env.image_tag }}

build:
needs: prepare
Expand Down Expand Up @@ -51,10 +53,10 @@ jobs:
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-pip-base
ociBlock: python-dev
tag: v0.1.0
tag: ${{ env.image_tag }}

hermetic_builds:
# needs: merge
needs: merge
runs-on: ubuntu-latest
permissions:
id-token: write
Expand All @@ -70,13 +72,14 @@ jobs:
- name : Build hermetic image
working-directory: python-pip
run: |
base_img_digest=$(docker manifest inspect holiodin01/python-pip-base:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=holiodin01/python-pip-base:v0.1.0 \
--build-arg BASE_IMAGE=holiodin01/python-pip-base@${base_img_digest} \
--no-cache \
--tag holiodin01/python-pip-final:latest \
--tag holiodin01/python-pip-final:${{ env.image_tag }} \
--network=none \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
Expand All @@ -95,7 +98,7 @@ jobs:

- name: Is hermetic build
run: |
docker buildx imagetools inspect holiodin01/python-pip-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
docker buildx imagetools inspect holiodin01/python-pip-final:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
Expand All @@ -108,15 +111,8 @@ jobs:
# Check for vulnerabilities :)
- name: Check for vulnerabilities
run: |
grype holiodin01/python-pip-final:latest
output=$(grype holiodin01/python-pip-final:latest)
if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
echo "Image Coinatins vulnerabilities"
exit 1
else
echo "No high vulnerabilities found"
fi
grype holiodin01/python-pip-final:${{ env.image_tag }} --only-fixed --fail-on high
sign-the-image:
needs: hermetic_builds
runs-on: ubuntu-latest
Expand All @@ -139,10 +135,10 @@ jobs:
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --yes holiodin01/python-pip-final:latest
cosign sign --yes holiodin01/python-pip-final:${{ env.image_tag }}
cosign verify \
--certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/python-pip.yaml@refs/heads/multiarch-builds" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
holiodin01/python-pip-final:latest
holiodin01/python-pip-final:${{ env.image_tag }}
cosign triangulate holiodin01/python-pip-final:latest
cosign triangulate holiodin01/python-pip-final:${{ env.image_tag }}
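Review bot: The new gate at L275, `grype ... --only-fixed --fail-on high`, only fails on findings that already have a fix available, so an unfixed Critical in the python-pip base image now passes silently, and it no longer fails on Medium as the removed inline `grep -E 'Critical|High|Medium'` check did; if that relaxation is intended, state it next to the step, e.g. `# Gate only on fixed High/Critical findings; unfixed ones are reported but do not block`. The digest at L243 is also derived from the mutable `v1` tag in a separate job, and because the step's default `bash -e` shell does not set pipefail, a failed `docker manifest inspect` (or a manifest with no `amd64` entry) leaves `base_img_digest` empty and the build is handed `BASE_IMAGE=holiodin01/python-pip-base@`; add `[ -n "$base_img_digest" ] || { echo "could not resolve amd64 digest for python-pip-base" >&2; exit 1; }` before `docker buildx create`.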