
updated bsf config
Signed-off-by: Horiodino <holiodin@gmail.com>
Horiodino committed Dec 29, 2024
1 parent 8a2675c commit e0e5cc3
Showing 15 changed files with 1,261 additions and 945 deletions.
20 changes: 9 additions & 11 deletions .github/workflows/go-base.yaml
Expand Up @@ -61,7 +61,6 @@ jobs:
directory: "golang-example"
registry: ttl.sh


final-img-build:
runs-on: ubuntu-latest
needs: build
Expand Down Expand Up @@ -93,22 +92,21 @@ jobs:
shell: bash
run: |
echo "Downloaded digest files:"
- name: Build hermetic image amd64
- name: Build image amd64
id: build_amd64
working-directory: golang-example
run: |
base_img_digest=$(printf "sha256:%s" "$(basename /tmp/digests/go-dev/*)")
runtime_img_digest=$(printf "sha256:%s" "$(basename /tmp/digests/go-runtime/*)")
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--build-arg BASE_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest} \
--build-arg RUNTIME_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest} \
--no-cache \
--tag ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=image
--no-cache \
--tag ttl.sh/buildsafedev/go-final-amd64:v1 \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=image \
.
amd64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
echo "digest=$amd64_digest" >> $GITHUB_OUTPUT
Expand All @@ -130,7 +128,7 @@ jobs:
- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
arguments: ./go-server-example/bsf/.#devShell
arguments: ./golang-example/bsf/.#devShell


- name: Is hermetic build
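Review bot: The build on L47 pushes to the hard-coded `ttl.sh/buildsafedev/go-final-amd64:v1` while the digest lookup on L53 inspects the env-composed `${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }}`; the two only coincide while those env values happen to match, so the `--tag` line should use the same expression. Re-resolving the digest from a tag on ttl.sh, an anonymous registry where any client can push to any name, is also a race between push and inspect; adding `--metadata-file /tmp/build-meta.json` to the build and reading `jq -r '."containerimage.digest"' /tmp/build-meta.json` yields the digest of exactly what this step pushed. The `base_img_digest` and `runtime_img_digest` computed on L34-L35 are not consumed by the visible `docker buildx build` invocation, so it is unclear from the hunk whether the Dockerfile's base images are still pinned by digest — worth confirming before relying on the provenance attestation. The `final-img-build` job continues outside the hunk.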
139 changes: 118 additions & 21 deletions .github/workflows/python-base.yaml
@@ -1,55 +1,152 @@
name: python-base
env:
image_tag: v1
REGISTRY: ttl.sh
owner: buildsafedev
dev_image: python-base
final_image: python-final
final_arm64_image: python-final-arm64
final_amd64_image: python-final-amd64

on:
push:

jobs:
prepare:
prepare-python-dev:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Prepare Action
uses: buildsafedev/multiarch-build--action/prepare-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-base
oci_registry_username: ${{ env.owner}}
oci_registry_password: ${{ secrets.GITHUB_TOKEN }}
image_name: ${{ env.owner }}/${{ env.dev_image }}
ociBlock: python-dev
tag: v0.1.0
tag: ${{ env.image_tag }}

build:
needs: prepare
needs: [prepare-python-dev]
strategy:
fail-fast: false
matrix:
platform: [ubuntu-latest, linux-arm64]
platform: [ubuntu-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Run Build Action
uses: buildsafedev/multiarch-build--action/build-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
oci_registry_username: ${{ env.owner }}
oci_registry_password: ${{ secrets.GITHUB_TOKEN }}
ociBlocks: python-dev
directory: 'python'
directory: python
registry: ttl.sh

merge:
final-img-build:
runs-on: ubuntu-latest
needs: build
outputs:
amd64_digest: ${{ steps.build_amd64.outputs.digest }}
permissions:
id-token: write
packages: write
contents: read
attestations: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Download meta bake definition
uses: actions/download-artifact@v4
with:
name: bake-meta-${{ format('python-dev') }}
path: /tmp

- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true

- name: Verify digest files after download
shell: bash
run: |
echo "Downloaded digest files:"
- name: Build image amd64
id: build_amd64
working-directory: python
run: |
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--no-cache \
--tag ttl.sh/buildsafedev/python-final-amd64:v1 \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=image \
.
amd64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
echo "digest=$amd64_digest" >> $GITHUB_OUTPUT
scan_image:
needs: final-img-build
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Run Merge Action
uses: buildsafedev/multiarch-build--action/merge-action@main

- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main

- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-base
ociBlock: python-dev
tag: v0.1.0

arguments: ./python/bsf/.#devShell


- name: Is hermetic build
run: |
docker buildx imagetools inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
else
echo "Not a hermetic build"
fi
- name: Check for vulnerabilities
run: grype ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --only-fixed --fail-on low


sign_image:
needs: scan_image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:

- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Sign and push image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
final_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
cosign sign --yes ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}@${final_img_digest}
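Review bot: `sign_image` on L233 re-resolves the digest from the mutable tag at signing time, although `final-img-build` already exports `amd64_digest` on L131 and nothing consumes it; on ttl.sh, where any client can push to any name and tags expire, the tag may be overwritten between the grype scan and the signature, so the signed digest is not guaranteed to be the scanned one. Thread the output through instead: `needs: [final-img-build, scan_image]` on `sign_image` and `cosign sign --yes ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}@${{ needs.final-img-build.outputs.amd64_digest }}`, and scan the same digest-pinned reference on L212. The hermetic check on L206-L210 only echoes and never fails, so a non-hermetic build is still scanned and signed; an `exit 1` in the else branch turns it into a gate. The actions referenced at `@main` on L89, L115, L185 and L188 track a mutable branch yet two of them receive `secrets.GITHUB_TOKEN`; pinning them to a commit SHA, and dropping the unused `packages: write` from `scan_image` on L178, narrows the blast radius.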
138 changes: 118 additions & 20 deletions .github/workflows/python-pip.yaml
@@ -1,54 +1,152 @@
name: python-pip-base
env:
image_tag: v1
REGISTRY: ttl.sh
owner: buildsafedev
dev_image: python-pip-base
final_image: python-pip-final
final_arm64_image: python-pip-final-arm64
final_amd64_image: python-pip-final-amd64

on:
push:

jobs:
prepare:
prepare-python-dev:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Prepare Action
uses: buildsafedev/multiarch-build--action/prepare-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-pip-base
oci_registry_username: ${{ env.owner}}
oci_registry_password: ${{ secrets.GITHUB_TOKEN }}
image_name: ${{ env.owner }}/${{ env.dev_image }}
ociBlock: python-dev
tag: v0.1.0
tag: ${{ env.image_tag }}

build:
needs: prepare
needs: [prepare-python-dev]
strategy:
fail-fast: false
matrix:
platform: [ubuntu-latest, linux-arm64]
platform: [ubuntu-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Run Build Action
uses: buildsafedev/multiarch-build--action/build-action@main
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
oci_registry_username: ${{ env.owner }}
oci_registry_password: ${{ secrets.GITHUB_TOKEN }}
ociBlocks: python-dev
directory: 'python-pip'
directory: python
registry: ttl.sh

merge:
final-img-build:
runs-on: ubuntu-latest
needs: build
outputs:
amd64_digest: ${{ steps.build_amd64.outputs.digest }}
permissions:
id-token: write
packages: write
contents: read
attestations: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Download meta bake definition
uses: actions/download-artifact@v4
with:
name: bake-meta-${{ format('python-dev') }}
path: /tmp

- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true

- name: Verify digest files after download
shell: bash
run: |
echo "Downloaded digest files:"
- name: Build image amd64
id: build_amd64
working-directory: python-pip
run: |
docker buildx create --name mybuilder --use --driver docker-container
docker buildx build \
--no-cache \
--tag ttl.sh/buildsafedev/python-final-amd64:v1 \
--attest type=provenance,mode=min \
--platform=linux/amd64 \
--push \
--output type=image \
.
amd64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
echo "digest=$amd64_digest" >> $GITHUB_OUTPUT
scan_image:
needs: final-img-build
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Run Merge Action
uses: buildsafedev/multiarch-build--action/merge-action@main

- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main

- name: Setup Nix development environment
uses: nicknovitski/nix-develop@v1
with:
oci_registry_username: ${{ secrets.DOCKER_USERNAME }}
oci_registry_password: ${{ secrets.DOCKER_PASSWORD }}
image_name: holiodin01/python-pip-base
ociBlock: python-dev
tag: v0.1.0
arguments: ./python/bsf/.#devShell


- name: Is hermetic build
run: |
docker buildx imagetools inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
cat slsa.json
if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
echo "Hermetic build"
else
echo "Not a hermetic build"
fi
- name: Check for vulnerabilities
run: grype ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --only-fixed --fail-on low


sign_image:
needs: scan_image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:

- name: Install Cosign
uses: sigstore/cosign-installer@v3.7.0
with:
cosign-release: 'v2.4.1'

- name: Sign and push image
env:
COSIGN_EXPERIMENTAL: "true"
run: |
final_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
cosign sign --yes ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}@${final_img_digest}
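Review bot: The build on L335 pushes to `ttl.sh/buildsafedev/python-final-amd64:v1`, which is the python-base workflow's image name, while the digest lookup on L341 and the scan and sign steps on L381 and L402 use `${{ env.final_amd64_image }}`, i.e. `python-pip-final-amd64` from L246, a reference this workflow never pushes; as written the two workflows overwrite each other's tag and this one scans and signs whatever currently sits under the other name. The `--tag` line should be `--tag ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} \`. Likewise `directory: python` on L293 and `arguments: ./python/bsf/.#devShell` on L368 point at the python example while the build step on L330 runs in `python-pip`; unless the two examples are meant to share one bsf config, these presumably want `directory: python-pip` and `arguments: ./python-pip/bsf/.#devShell`. The same tag-versus-digest signing race and unpinned `@main` action references as in python-base.yaml apply here too.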