update config

Signed-off-by: Horiodino <holiodin@gmail.com>
buildsafedev · Oct 11, 2024 · b50470d · b50470d
1 parent 4ca0eb3
commit b50470d
Show file tree

Hide file tree

Showing 20 changed files with 320 additions and 215 deletions.
diff --git a/.github/workflows/go-base.yaml b/.github/workflows/go-base.yaml
@@ -85,7 +85,7 @@ jobs:
           tag: v0.1.0
 
   hermetic_builds:
-    # needs: [merge-dev, merge-runtime]
+    needs: [merge-dev, merge-runtime]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -137,21 +137,8 @@ jobs:
           
       # Check for vulnerabilities :)
       - name: Check for vulnerabilities
-        run: |
-          grype holiodin01/go-final:latest
-
-          # Check for vulnerabilities :)
-          - name: Check for vulnerabilities
-            run: |
-              grype holiodin01/go-final:latest
+        run: grype holiodin01/go-final:latest --only-fixed --fail-on high
 
-              output=$(grype holiodin01/go-final:latest)
-              if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
-                echo "Image Coinatins vulnerabilities"
-              exit 1
-              else
-                echo "No high vulnerabilities found"
-              fi
 
   sign-the-image:
     needs: hermetic_builds

diff --git a/.github/workflows/python-base.yaml b/.github/workflows/python-base.yaml
@@ -55,7 +55,7 @@ jobs:
 
 
   hermetic_builds:
-    # needs: merge
+    needs: merge
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -109,14 +109,7 @@ jobs:
           # Check for vulnerabilities :)
       - name: Check for vulnerabilities
         run: |
-          grype holiodin01/python-final:latest
-          output=$(grype holiodin01/python-final:latest)
-          if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
-              echo "Image Coinatins vulnerabilities"
-            exit 1
-          else
-          echo "No high vulnerabilities found"
-              fi
+          grype holiodin01/python-final:latest --only-fixed --fail-on high
 
   sign-the-image:
     needs: hermetic_builds

diff --git a/.github/workflows/python-pip.yaml b/.github/workflows/python-pip.yaml
@@ -54,7 +54,7 @@ jobs:
           tag: v0.1.0
 
   hermetic_builds:
-    # needs: merge
+    needs: merge
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -108,15 +108,8 @@ jobs:
       # Check for vulnerabilities :)
       - name: Check for vulnerabilities
         run: |
-          grype holiodin01/python-pip-final:latest
-          output=$(grype holiodin01/python-pip-final:latest)
-          if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
-              echo "Image Coinatins vulnerabilities"
-            exit 1
-          else
-          echo "No high vulnerabilities found"
-              fi
-
+          grype holiodin01/python-pip-final:latest --only-fixed --fail-on high
+          
   sign-the-image:
     needs: hermetic_builds
     runs-on: ubuntu-latest

diff --git a/.github/workflows/rust-base.yaml b/.github/workflows/rust-base.yaml
@@ -83,6 +83,7 @@ jobs:
           tag: v0.1.0
 
   hermetic_builds:
+    needs: [merge-dev, merge-runtime]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -134,21 +135,8 @@ jobs:
           
       # Check for vulnerabilities :)
       - name: Check for vulnerabilities
-        run: |
-          grype holiodin01/rust-final:latest
-
-          # Check for vulnerabilities :)
-          - name: Check for vulnerabilities
-            run: |
-              grype holiodin01/rust-final:latest
+        run: grype holiodin01/rust-final:latest --only-fixed --fail-on high
 
-              output=$(grype holiodin01/rust-final:latest)
-              if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
-                echo "Image Coinatins vulnerabilities"
-              exit 1
-              else
-                echo "No high vulnerabilities found"
-              fi
 
   sign-the-image:
     needs: hermetic_builds

diff --git a/go-server-example/bsf.hcl b/go-server-example/bsf.hcl
@@ -1,6 +1,6 @@
 
 packages {
-  development = ["go@1.22.3", "gotools@0.18.0", "delve@1.22.1", "coreutils-full@~9.5", "tzdata@2024a", "bash@~5.2.15", "grype@~0.80.2", "skopeo@~1.16.1"]
+  development = ["bash@~5.2.15", "coreutils-full@~9.5", "delve@1.22.1", "gotools@0.18.0", "grype@~0.80.2", "skopeo@~1.16.1", "tzdata@2024a", "go@~1.23.1"]
   runtime     = ["cacert@3.95"]
 }
 

diff --git a/go-server-example/bsf.lock b/go-server-example/bsf.lock
@@ -260,13 +260,13 @@
     {
       "package": {
         "name": "go",
-        "revision": "7445ccd775d8b892fc56448d17345443a05f7fb4",
-        "version": "1.22.3",
-        "description": "The Go Programming language",
+        "revision": "2af19cfb6aa40768c4bbefd801a136270e099191",
+        "version": "1.23.1",
+        "description": "Go Programming language",
         "homepage": "https://go.dev/",
         "free": true,
         "spdx_id": "BSD-3-Clause",
-        "epoch_seconds": 1716993062,
+        "epoch_seconds": 1727301923,
         "platforms": [
           "x86_64-darwin",
           "i686-darwin",
@@ -294,9 +294,11 @@
           "s390x-linux",
           "x86_64-linux",
           "wasm64-wasi",
-          "wasm32-wasi"
+          "wasm32-wasi",
+          "i686-freebsd",
+          "x86_64-freebsd"
         ],
-        "attr_name": "go"
+        "attr_name": "go_1_23"
       },
       "runtime": false
     },

diff --git a/go-server-example/bsf/flake.nix b/go-server-example/bsf/flake.nix
@@ -70,7 +70,7 @@
 			nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash  
 			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full  
 			nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.delve  
-			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.go  
+			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.go_1_23  
 			nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.gotools  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.skopeo  
@@ -105,7 +105,7 @@
 			nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash  
 			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full  
 			nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.delve  
-			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.go  
+			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.go_1_23  
 			nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.gotools  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.skopeo  

diff --git a/python-pip/bsf.hcl b/python-pip/bsf.hcl
@@ -1,6 +1,6 @@
 
 packages {
-  development = ["coreutils-full@9.5", "python3@3.12.2", "bash@5.2.15", "python3.12-pip@~24.0", "cosign@~2.4.0", "grype@~0.80.2"]
+  development = ["coreutils-full@9.5", "bash@5.2.15", "python3.12-pip@~24.0", "cosign@~2.4.0", "grype@~0.80.2", "python3@~3.12.5"]
   runtime     = ["cacert@3.95"]
 }
 

diff --git a/python-pip/bsf.lock b/python-pip/bsf.lock
@@ -309,13 +309,13 @@
     {
       "package": {
         "name": "python3",
-        "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308",
-        "version": "3.12.2",
-        "description": "A high-level dynamically-typed programming language",
+        "revision": "2af19cfb6aa40768c4bbefd801a136270e099191",
+        "version": "3.12.5",
+        "description": "High-level dynamically-typed programming language",
         "homepage": "https://www.python.org",
         "free": true,
         "spdx_id": "Python-2.0",
-        "epoch_seconds": 1709830921,
+        "epoch_seconds": 1727301923,
         "platforms": [
           "aarch64-linux",
           "armv5tel-linux",
@@ -345,9 +345,11 @@
           "i686-cygwin",
           "x86_64-cygwin",
           "x86_64-windows",
-          "i686-windows"
+          "i686-windows",
+          "i686-freebsd",
+          "x86_64-freebsd"
         ],
-        "attr_name": "python312"
+        "attr_name": "python312Full"
       },
       "runtime": false
     },

diff --git a/python-pip/bsf/flake.nix b/python-pip/bsf/flake.nix
@@ -3,11 +3,10 @@
 	description = "";
 
 	inputs = {
-		 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7";
 		 nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14.url = "github:nixos/nixpkgs/ac5c1886fd9fe49748d7ab80accc4c847481df14";
 		 nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4.url = "github:nixos/nixpkgs/7445ccd775d8b892fc56448d17345443a05f7fb4";
 		 nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191.url = "github:nixos/nixpkgs/2af19cfb6aa40768c4bbefd801a136270e099191";
-		 nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308.url = "github:nixos/nixpkgs/d7570b04936e9b0f5268e0d834dee40368ad3308";
+		 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7.url = "github:nixos/nixpkgs/1ebb7d7bba2953a4223956cfb5f068b0095f84a7";
 
 		nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
@@ -28,23 +27,21 @@
 
 
 	 nix2container , 
-	 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, 
 	 nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14, 
 	 nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4, 
 	 nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191, 
-	 nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308, 
+	 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7, 
 	 }: let
 	  supportedSystems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" "aarch64-linux" ];
 
 
 	  forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
 		inherit system;
 		 nix2containerPkgs = nix2container.packages.${system}; 
-		 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; };
 		 nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs = import nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14 { inherit system; };
 		 nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs = import nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4 { inherit system; };
 		 nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs = import nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191 { inherit system; };
-		 nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs = import nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308 { inherit system; };
+		 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs = import nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7 { inherit system; };
 
 
 		pkgs = import nixpkgs { inherit system;  };
@@ -57,11 +54,10 @@
 
 
 
-		 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, 
 		 nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs, 
 		 nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs, 
 		 nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs, 
-		 nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs, 
+		 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs, 
 		 ... }: {
 		devShell = pkgs.mkShell {
 		  # The Nix packages provided in the environment
@@ -70,7 +66,7 @@
 			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.cosign  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype  
-			nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.python312  
+			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.python312Full  
 			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.python312Packages.pip  
 
 		  ];
@@ -81,7 +77,7 @@
 
 
 
-		 nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs,  nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs,  nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs,  nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs,  nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs,  ... }: {
+		 nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs,  nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs,  nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs,  nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs,  ... }: {
 		runtime = pkgs.buildEnv {
 		  name = "runtimeenv";
 		  paths = [ 
@@ -95,15 +91,15 @@
 
 
 
-	    nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs,  nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs,  nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs,  nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs,  nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs,  ... }: {
+	    nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs,  nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs,  nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs,  nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs,  ... }: {
 		development = pkgs.buildEnv {
 		  name = "devenv";
 		  paths = [ 
 			nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs.bash  
 			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.coreutils-full  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.cosign  
 			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.grype  
-			nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs.python312  
+			nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs.python312Full  
 			nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs.python312Packages.pip  
 
 		   ];
@@ -114,7 +110,7 @@
 
 
 
-ociImage_python-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system ,  nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs,  nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs,  nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs,  nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs,  nixpkgs-d7570b04936e9b0f5268e0d834dee40368ad3308-pkgs,  ... }: {
+ociImage_python-dev = forEachSupportedSystem ({ pkgs, nix2containerPkgs, system ,  nixpkgs-ac5c1886fd9fe49748d7ab80accc4c847481df14-pkgs,  nixpkgs-7445ccd775d8b892fc56448d17345443a05f7fb4-pkgs,  nixpkgs-2af19cfb6aa40768c4bbefd801a136270e099191-pkgs,  nixpkgs-1ebb7d7bba2953a4223956cfb5f068b0095f84a7-pkgs,  ... }: {
 
 
 

diff --git a/python/bsf.hcl b/python/bsf.hcl
@@ -1,6 +1,6 @@
 
 packages {
-  development = ["coreutils-full@9.5", "python3@3.12.2", "poetry@1.8.2", "bash@5.2.15", "cosign@~2.4.0", "grype@~0.80.2"]
+  development = ["bash@5.2.15", "coreutils-full@9.5", "cosign@~2.4.0", "grype@~0.80.2", "poetry@1.8.2", "python3@~3.12.5"]
   runtime     = ["cacert@3.95"]
 }
 

diff --git a/python/bsf.lock b/python/bsf.lock
@@ -354,13 +354,13 @@
     {
       "package": {
         "name": "python3",
-        "revision": "d7570b04936e9b0f5268e0d834dee40368ad3308",
-        "version": "3.12.2",
-        "description": "A high-level dynamically-typed programming language",
+        "revision": "2af19cfb6aa40768c4bbefd801a136270e099191",
+        "version": "3.12.5",
+        "description": "High-level dynamically-typed programming language",
         "homepage": "https://www.python.org",
         "free": true,
         "spdx_id": "Python-2.0",
-        "epoch_seconds": 1709830921,
+        "epoch_seconds": 1727301923,
         "platforms": [
           "aarch64-linux",
           "armv5tel-linux",
@@ -390,9 +390,11 @@
           "i686-cygwin",
           "x86_64-cygwin",
           "x86_64-windows",
-          "i686-windows"
+          "i686-windows",
+          "i686-freebsd",
+          "x86_64-freebsd"
         ],
-        "attr_name": "python312"
+        "attr_name": "python312Full"
       },
       "runtime": false
     }