diff --git a/.github/workflows/go-base.yaml b/.github/workflows/go-base.yaml index 4b4fda2..1c596f4 100644 --- a/.github/workflows/go-base.yaml +++ b/.github/workflows/go-base.yaml @@ -85,7 +85,7 @@ jobs: tag: v0.1.0 hermetic_builds: - # needs: [merge-dev, merge-runtime] + needs: [merge-dev, merge-runtime] runs-on: ubuntu-latest steps: - name: Checkout @@ -94,9 +94,11 @@ jobs: - name : Replace base image in Dockerfile run: | # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also - sed -i "s|FROM .* AS build|FROM holiodin01/go-base-dev:v0.1.0 AS build|g" go-server-example/Dockerfile + sed -i "s|FROM .* AS base|FROM holiodin01/go-base-dev:v0.1.0 AS base|g" go-server-example/Dockerfile sed -i "s|FROM .* AS final|FROM holiodin01/go-base-runtime:v0.1.0 AS final|g" go-server-example/Dockerfile + cat go-server-example/Dockerfile + - name: Login to Docker Hub uses: docker/login-action@v3 with: @@ -120,12 +122,6 @@ jobs: - name: Install Nix uses: DeterminateSystems/nix-installer-action@main - - - name: Check Nixpkgs inputs - uses: DeterminateSystems/flake-checker-action@main - with: - fail-mode: true - flake-lock-path: go-server-example/bsf/flake.lock # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url - name: Setup Nix development environment diff --git a/.github/workflows/python-base.yaml b/.github/workflows/python-base.yaml index 14c12f8..8838b49 100644 --- a/.github/workflows/python-base.yaml +++ b/.github/workflows/python-base.yaml 
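Review bot: The images substituted in the "Replace base image in Dockerfile" step are pinned by the mutable tag `v0.1.0`, so the `FROM` lines the hermetic build resolves can change under the same tag without any change to this workflow; pin by digest (`holiodin01/go-base-dev@sha256:<digest>`, placeholder) or at least record the resolved digest next to the `cat` so the provenance is reproducible. The `sed` also succeeds silently when the Dockerfile has no `AS base` stage, which is exactly the drift the `build`→`base` rename just fixed; a `grep -q "AS base" go-server-example/Dockerfile || exit 1` before the substitution would surface that. The third hunk removes the flake-checker step that validated `go-server-example/bsf/flake.lock` without adding an equivalent check, so the Nix inputs entered later in the job are no longer vetted. The `hermetic_builds` job continues outside these hunks.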
@@ -60,17 +60,65 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: Run Hermetic Build Action - uses: buildsafedev/multiarch-build--action/hermetic-build@hermetic_builds + + - name : Replace base image in Dockerfile + run: | + # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also + sed -i "s|FROM .* AS base|FROM holiodin01/python-base:v0.1.0 AS base|g" python/Dockerfile + cat python/Dockerfile + + - name: Login to Docker Hub + uses: docker/login-action@v3 with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} - directory: 'python' - image_name: holiodin01/python-final - tag: v0.1.0 - platform: linux/amd64 - base_image: holiodin01/python-base:v0.1.0 - cosign_password : ${{ secrets.COSIGN_PASSWORD }} - cosign_private_key : ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign_public_key : ${{ secrets.COSIGN_PUBLIC_KEY }} - \ No newline at end of file + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name : Build hermetic image + working-directory: python + run: | + + docker buildx create --name mybuilder --use --driver docker-container + + docker buildx build \ + --no-cache \ + --tag holiodin01/python-final:latest \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/amd64 \ + --push \ + --output type=oci \ + . 
+ + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url + - name: Setup Nix development environment + uses: nicknovitski/nix-develop@v1 + with: + arguments: ./python/bsf/.#devShell + + - name: Is hermetic build + run: | + docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json + cat slsa.json + if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then + echo "Hermetic build" + else + echo "Not hermetic build" + fi + + # Check for vulnerabilities :) + - name: Check for vulnerabilities + run: grype holiodin01/python-final:latest + + + # Sign and push the image + - name: Sign and push image + run: | + export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} + echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key + echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub + + cosign sign --yes --key cosign.key holiodin01/python-final:latest + cosign verify --key cosign.pub holiodin01/python-final:latest + cosign triangulate holiodin01/python-final:latest \ No newline at end of file diff --git a/.github/workflows/python-pip.yaml b/.github/workflows/python-pip.yaml index 7f9f293..60217bf 100644 --- a/.github/workflows/python-pip.yaml +++ b/.github/workflows/python-pip.yaml 
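Review bot: In the "Sign and push image" step the private key and password are expanded into the shell script with `${{ secrets.* }}` and the key is written to `cosign.key` in the workspace, leaving it on disk for the rest of the job; pass the secrets through `env:` and reference them as `env://COSIGN_PRIVATE_KEY` / `env://COSIGN_PUBLIC_KEY` so nothing touches the filesystem or the shell command line. The "Is hermetic build" step only echoes on the non-hermetic branch, so the job goes on to scan and sign an image that failed its own check; add `exit 1` after `echo "Not hermetic build"`, and give `grype` a `--fail-on` severity so it gates rather than reports. Signing and verifying `holiodin01/python-final:latest` binds the signature to whatever the mutable tag resolves to at that moment; capture the pushed digest (`--metadata-file` on the build, or `cosign triangulate`) and sign `holiodin01/python-final@sha256:<digest>` instead. Combining `--push` with `--output type=oci` (which expects a `dest`) may not produce the push that the later inspect step relies on — presumably this was tested, but worth confirming in the run log. The same step layout, with the same issues, is repeated in the python-pip.yaml and rust-base.yaml hunks below.
```yaml
      - name: Sign and push image
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
        run: |
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY holiodin01/python-final:latest
          cosign verify --key env://COSIGN_PUBLIC_KEY holiodin01/python-final:latest
          # … unchanged: cosign triangulate …
```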
@@ -59,16 +59,64 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: Run Hermetic Build Action - uses: buildsafedev/multiarch-build--action/hermetic-build@hermetic_builds + + - name : Replace base image in Dockerfile + run: | + # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also + sed -i "s|FROM .* AS base|FROM holiodin01/python-pip-base:v0.1.0 AS base|g" python-pip/Dockerfile + cat python-pip/Dockerfile + + - name: Login to Docker Hub + uses: docker/login-action@v3 with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} - directory: 'python-pip' - image_name: holiodin01/python-pip-final - tag: v0.1.0 - platform: linux/amd64 - base_image: holiodin01/python-pip-base:v0.1.0 - cosign_password : ${{ secrets.COSIGN_PASSWORD }} - cosign_private_key : ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign_public_key : ${{ secrets.COSIGN_PUBLIC_KEY }} \ No newline at end of file + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name : Build hermetic image + working-directory: python-pip + run: | + + docker buildx create --name mybuilder --use --driver docker-container + + docker buildx build \ + --no-cache \ + --tag holiodin01/python-pip-final:latest \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/amd64 \ + --push \ + --output type=oci \ + . 
+ + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url + - name: Setup Nix development environment + uses: nicknovitski/nix-develop@v1 + with: + arguments: ./python-pip/bsf/.#devShell + + - name: Is hermetic build + run: | + docker buildx imagetools inspect holiodin01/python-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json + cat slsa.json + if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then + echo "Hermetic build" + else + echo "Not hermetic build" + fi + + # Check for vulnerabilities :) + - name: Check for vulnerabilities + run: grype holiodin01/python-pip-final:latest + + + # Sign and push the image + - name: Sign and push image + run: | + export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} + echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key + echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub + + cosign sign --yes --key cosign.key holiodin01/python-pip-final:latest + cosign verify --key cosign.pub holiodin01/python-pip-final:latest + cosign triangulate holiodin01/python-pip-final:latest \ No newline at end of file diff --git a/.github/workflows/rust-base.yaml b/.github/workflows/rust-base.yaml index ad2c640..aa3df7d 100644 --- a/.github/workflows/rust-base.yaml +++ b/.github/workflows/rust-base.yaml 
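Review bot: The "Is hermetic build" step inspects `holiodin01/python-final:latest`, the image produced by the python-base workflow, while this job builds and pushes `holiodin01/python-pip-final:latest`, so the provenance check never looks at the image that is about to be scanned and signed. Change it to `docker buildx imagetools inspect holiodin01/python-pip-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json`. The grype and cosign steps in this hunk already use `python-pip-final`, so only this line is out of step.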
@@ -88,17 +88,66 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - - name: Run Hermetic Build Action - uses: buildsafedev/multiarch-build--action/hermetic-build@hermetic_builds + + - name : Replace base image in Dockerfile + run: | + # This is a hack to replace the base image in the Dockerfile , you can also use docker cmd also + sed -i "s|FROM .* AS base|FROM holiodin01/rust-base-dev:v0.1.0 AS base|g" rust/Dockerfile + sed -i "s|FROM .* AS final|FROM holiodin01/rust-base-runtime:v0.1.0 AS final|g" rust/Dockerfile + + cat rust/Dockerfile + + - name: Login to Docker Hub + uses: docker/login-action@v3 with: - oci_registry_username: ${{ secrets.DOCKER_USERNAME }} - oci_registry_password: ${{ secrets.DOCKER_PASSWORD }} - directory: 'rust' - image_name: holiodin01/rust-final - tag: v0.1.0 - platform: linux/amd64 - base_image: holiodin01/rust-base-dev:v0.1.0 - runtime_image: holiodin01/rust-base-runtime:v0.1.0 - cosign_password : ${{ secrets.COSIGN_PASSWORD }} - cosign_private_key : ${{ secrets.COSIGN_PRIVATE_KEY }} - cosign_public_key : ${{ secrets.COSIGN_PUBLIC_KEY }} \ No newline at end of file + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name : Build hermetic image + working-directory: rust + run: | + + docker buildx create --name mybuilder --use --driver docker-container + + docker buildx build \ + --no-cache \ + --tag holiodin01/rust-final:latest \ + --network=none \ + --attest type=provenance,mode=min \ + --platform=linux/amd64 \ + --push \ + --output type=oci \ + . 
+ + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + # Setup Nix development environment make sure to use ./ before the path otherwise nix takes it as a https url + - name: Setup Nix development environment + uses: nicknovitski/nix-develop@v1 + with: + arguments: ./rust/bsf/.#devShell + + - name: Is hermetic build + run: | + docker buildx imagetools inspect holiodin01/go-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json + cat slsa.json + if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then + echo "Hermetic build" + else + echo "Not hermetic build" + fi + + # Check for vulnerabilities :) + - name: Check for vulnerabilities + run: grype holiodin01/go-final:latest + + + # Sign and push the image + - name: Sign and push image + run: | + export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }} + echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key + echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub + + cosign sign --yes --key cosign.key holiodin01/go-final:latest + cosign verify --key cosign.pub holiodin01/go-final:latest + cosign triangulate holiodin01/go-final:latest \ No newline at end of file
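Review bot: The "Is hermetic build", "Check for vulnerabilities" and "Sign and push image" steps all reference `holiodin01/go-final:latest`, while this job builds and pushes `holiodin01/rust-final:latest`, so the rust image is never provenance-checked, scanned or signed, and the go image gets a second signature from an unrelated workflow. Replace `go-final` with `rust-final` in the `imagetools inspect`, `grype`, `cosign sign`, `cosign verify` and `cosign triangulate` lines. This hunk is also the only one that rewrites two stages (`AS base` and `AS final`), so a `grep -q` guard for each before the `sed` calls would catch a Dockerfile that no longer matches.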