updated runner

Signed-off-by: Horiodino <holiodin@gmail.com>
buildsafedev · Oct 8, 2024 · d680135 · d680135
1 parent 6990afe
commit d680135
Show file tree

Hide file tree

Showing 5 changed files with 291 additions and 70 deletions.
diff --git a/.github/workflows/go-base.yaml b/.github/workflows/go-base.yaml
@@ -87,6 +87,8 @@ jobs:
   hermetic_builds:
     needs: [merge-dev, merge-runtime]
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -118,7 +120,7 @@ jobs:
             --platform=linux/amd64 \
             --push \
             --output type=oci \
-            .
+            https://github.com/buildsafedev/examples.git\#multiarch-builds:go-server-example 
         
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@main
@@ -133,24 +135,55 @@ jobs:
         run: |
             docker buildx imagetools inspect holiodin01/go-final:latest --format "{{ json .Provenance.SLSA }}" > slsa.json
             cat slsa.json
-            if [ "$(jq -r '.build.builder' slsa.json)" == "hermetic" ]; then
+            if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
               echo "Hermetic build"
-             else
-              echo "Not hermetic build"
+            else
+              echo "Not a hermetic build"
             fi
           
       # Check for vulnerabilities :)
       - name: Check for vulnerabilities
-        run: grype holiodin01/go-final:latest
-
-
-      # Sign and push the image 
+        run: |
+          grype holiodin01/go-final:latest
+
+          # Check for vulnerabilities :)
+          - name: Check for vulnerabilities
+            run: |
+              grype holiodin01/go-final:latest
+
+              output=$(grype holiodin01/go-final:latest)
+              if echo "$output" | grep -E 'Critical|High|Medium' > /dev/null; then
+                echo "Image Coinatins vulnerabilities"
+              exit 1
+              else
+                echo "No high vulnerabilities found"
+              fi
+
+  sign-the-image:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+
       - name: Sign and push image
+        env:
+          COSIGN_EXPERIMENTAL: "true"
         run: |
-            export COSIGN_PASSWORD=${{ secrets.COSIGN_PASSWORD }}
-            echo "${{secrets.COSIGN_PRIVATE_KEY}}" > cosign.key
-            echo "${{secrets.COSIGN_PUBLIC_KEY}}" > cosign.pub
+          cosign sign --yes holiodin01/go-final:latest
+          cosign verify \
+          --certificate-identity "https://github.com/buildsafedev/examples/.github/workflows/go-base.yaml@refs/heads/multiarch-builds" \
+          --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+          holiodin01/go-final:latest
 
-            cosign sign --yes --key cosign.key holiodin01/go-final:latest
-            cosign verify --key cosign.pub  holiodin01/go-final:latest
-            cosign triangulate holiodin01/go-final:latest
+          cosign triangulate holiodin01/go-final:latest
diff --git a/go-server-example/bsf.hcl b/go-server-example/bsf.hcl
@@ -1,6 +1,6 @@
 
 packages {
-  development = ["go@1.22.3", "gotools@0.18.0", "delve@1.22.1", "coreutils-full@~9.5", "tzdata@2024a", "bash@~5.2.15", "grype@~0.80.2", "skopeo@~1.16.1", "cosign@~2.4.0"]
+  development = ["go@1.22.3", "gotools@0.18.0", "delve@1.22.1", "coreutils-full@~9.5", "tzdata@2024a", "bash@~5.2.15", "grype@~0.80.2", "skopeo@~1.16.1"]
   runtime     = ["cacert@3.95"]
 }
 

diff --git a/go-server-example/bsf.lock b/go-server-example/bsf.lock
@@ -216,51 +216,6 @@
       },
       "runtime": false
     },
-    {
-      "package": {
-        "name": "cosign",
-        "revision": "2af19cfb6aa40768c4bbefd801a136270e099191",
-        "version": "2.4.0",
-        "description": "Container Signing CLI with support for ephemeral keys and Sigstore signing",
-        "homepage": "https://github.com/sigstore/cosign",
-        "free": true,
-        "spdx_id": "Apache-2.0",
-        "epoch_seconds": 1727301923,
-        "platforms": [
-          "x86_64-darwin",
-          "i686-darwin",
-          "aarch64-darwin",
-          "armv7a-darwin",
-          "aarch64-linux",
-          "armv5tel-linux",
-          "armv6l-linux",
-          "armv7a-linux",
-          "armv7l-linux",
-          "i686-linux",
-          "loongarch64-linux",
-          "m68k-linux",
-          "microblaze-linux",
-          "microblazeel-linux",
-          "mips-linux",
-          "mips64-linux",
-          "mips64el-linux",
-          "mipsel-linux",
-          "powerpc64-linux",
-          "powerpc64le-linux",
-          "riscv32-linux",
-          "riscv64-linux",
-          "s390-linux",
-          "s390x-linux",
-          "x86_64-linux",
-          "wasm64-wasi",
-          "wasm32-wasi",
-          "i686-freebsd",
-          "x86_64-freebsd"
-        ],
-        "attr_name": "cosign"
-      },
-      "runtime": false
-    },
     {
       "package": {
         "name": "delve",

diff --git a/go-server-example/bsf/flake.lock b/go-server-example/bsf/flake.lock