

Update attestation implementation (#24837)
for #23825 

This PR fixes the previous implementation for attesting
fleet/fleetctl/orbit binaries, and adds attestation to the fleet desktop
and osqueryd artifacts.

* correct permissions are added to all jobs
* tag removed from `subject-name` when attesting docker image
* using `artifacts.json` rather than the `artifacts` step output from
goreleaser to determine the image digest

I'd like to add a separate job verifying the attestations, working on
that now but since all attestation steps are marked as
`continue-on-error` it can be a follow-on if we don't get it in with
this PR.
sgress454 authored Dec 17, 2024
1 parent 474d5c4 commit 0e55419
Showing 4 changed files with 104 additions and 15 deletions.
33 changes: 28 additions & 5 deletions .github/workflows/generate-desktop-targets.yml
Expand Up @@ -22,7 +22,10 @@ env:
FLEET_DESKTOP_VERSION: 1.37.0

permissions:
contents: read
contents: write
id-token: write
attestations: write
packages: write

jobs:
desktop-macos:
Expand All @@ -31,7 +34,6 @@ jobs:
# later, avoiding runtime errors on systems using macOS 13 or newer.
runs-on: macos-13
steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
Expand Down Expand Up @@ -75,6 +77,12 @@ jobs:
FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
make desktop-app-tar-gz
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "desktop.app.tar.gz"

- name: Upload desktop.app.tar.gz
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
Expand All @@ -84,7 +92,6 @@ jobs:
desktop-windows:
runs-on: ubuntu-latest
steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
Expand All @@ -103,6 +110,12 @@ jobs:
FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
make desktop-windows
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "fleet-desktop.exe"

- name: Upload fleet-desktop.exe
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
Expand All @@ -125,7 +138,6 @@ jobs:
desktop-linux:
runs-on: ubuntu-latest
steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
Expand All @@ -144,6 +156,12 @@ jobs:
FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
make desktop-linux
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "desktop.tar.gz"

- name: Upload desktop.tar.gz
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
Expand All @@ -153,7 +171,6 @@ jobs:
desktop-linux-arm64:
runs-on: ubuntu-latest
steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
Expand All @@ -172,6 +189,12 @@ jobs:
FLEET_DESKTOP_VERSION=$FLEET_DESKTOP_VERSION \
make desktop-linux-arm64
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: 'desktop.tar.gz'

- name: Upload desktop.tar.gz
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
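Review bot: The workflow-level `permissions` block now grants `contents: write` and `packages: write`, but nothing visible in this workflow needs either: `actions/attest-build-provenance` documents `id-token: write` and `attestations: write` (with `contents: read` for checkout), `packages: write` is only required with `push-to-registry`, and these jobs only build and upload artifacts. Because the block is workflow-scoped it widens every job, so I would keep `contents: read` and drop `packages: write`; the same widening appears in generate-osqueryd-targets.yml and in each per-job `permissions` block of goreleaser-orbit.yaml. Every Attest step is also `continue-on-error: true`, so a failed attestation (for example the Harden Runner egress policy, whose `with:` block is outside this hunk, blocking the Sigstore/GitHub attestation endpoints) yields a green run and an artifact with no provenance; a comment such as `# continue-on-error is temporary until a verification job exists; remove once attestations are verified` would record that this is deliberate. Minor: `subject-path: 'desktop.tar.gz'` in desktop-linux-arm64 uses single quotes while the other three jobs use double quotes.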
29 changes: 28 additions & 1 deletion .github/workflows/generate-osqueryd-targets.yml
Expand Up @@ -27,7 +27,10 @@ env:
OSQUERY_VERSION: 5.14.1

permissions:
contents: read
contents: write
id-token: write
attestations: write
packages: write

jobs:
generate-macos:
Expand All @@ -45,6 +48,12 @@ jobs:
run: |
make osqueryd-app-tar-gz out-path=. version=$OSQUERY_VERSION
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "osqueryd.app.tar.gz"

- name: Upload osqueryd.app.tar.gz
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
Expand All @@ -70,6 +79,12 @@ jobs:
chmod +x ./opt/osquery/bin/osqueryd
./opt/osquery/bin/osqueryd --version
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "opt/osquery/bin/osqueryd"

- name: Upload osqueryd for linux
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
Expand Down Expand Up @@ -99,6 +114,12 @@ jobs:
chmod +x ./opt/osquery/bin/osqueryd
file ./opt/osquery/bin/osqueryd | grep aarch64
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "opt/osquery/bin/osqueryd"

- name: Upload osqueryd for linux-arm64
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
Expand Down Expand Up @@ -126,6 +147,12 @@ jobs:
msiexec /a osquery-${{ env.OSQUERY_VERSION }}.msi /qb TARGETDIR=C:\temp
C:\temp\osquery\osqueryd\osqueryd.exe --version
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: C:\temp\osquery\osqueryd\osqueryd.exe

- name: Upload osqueryd for Windows
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
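Review bot: The subject attested in the linux, linux-arm64 and Windows jobs is an osqueryd binary unpacked from an upstream osquery release (`chmod +x ./opt/osquery/bin/osqueryd`, `msiexec /a osquery-... .msi`), not something built in this workflow, so the provenance only proves that this workflow repackaged that file. A verifier could easily read more into a build-provenance statement than that; a comment above each Attest step, e.g. `# Provenance here covers only the repackaging of the upstream osquery binary; upstream build provenance is not asserted`, would make the scope explicit. The step that downloads the upstream release is outside the hunk, so I cannot tell whether its checksum or signature is verified; if it is not, that check belongs before the Attest step, since the attestation otherwise vouches for whatever was fetched. The workflow-level permission widening here (`contents: write`, `packages: write`) is the same one noted on generate-desktop-targets.yml.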
13 changes: 8 additions & 5 deletions .github/workflows/goreleaser-fleet.yaml
Expand Up @@ -24,6 +24,9 @@ jobs:
environment: Docker Hub
permissions:
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand Down Expand Up @@ -90,7 +93,7 @@ jobs:
- name: Attest binaries and archives
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/fleet*"
subject-path: "dist/**"

# Get the commit hash so we can get image digests
- name: Get the short commit hash
Expand All @@ -103,23 +106,23 @@ jobs:
continue-on-error: true
id: image_digests
run: |
echo "digest_fleet=$(echo ${{ steps.goreleaser.outputs.artifacts }} | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
echo "digest_fleetctl=$(echo ${{ steps.goreleaser.outputs.artifacts }} | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
echo "digest_fleet=$(cat ./dist/artifact.json | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
echo "digest_fleetctl=$(cat ./dist/artifact.json | jq -r '.[]|select(.type == "Published Docker Image" and (.name | contains("fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"))) | select(. != null)|.extra.Digest')" >> "$GITHUB_OUTPUT"
- name: Attest Fleet image
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
continue-on-error: true
with:
subject-digest: ${{steps.image_digests.outputs.digest_fleet}}
subject-name: "fleetdm/fleet:${{ steps.commit.outputs.short_commit }}"
subject-name: "fleetdm/fleet"
push-to-registry: true

- name: Attest FleetCtl image
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
continue-on-error: true
with:
subject-digest: ${{steps.image_digests.outputs.digest_fleetctl}}
subject-name: "fleetdm/fleetctl:${{ steps.commit.outputs.short_commit }}"
subject-name: "fleetdm/fleetctl"
push-to-registry: true

- name: Get tag
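Review bot: The digest lookup in the `image_digests` step reads `./dist/artifact.json`, but GoReleaser's documented artifact manifest is `dist/artifacts.json` (plural), which is also the name this PR's description uses; as written `cat` fails, and because the step is `continue-on-error: true` both `digest_*` outputs come out empty and the two image attestation steps then fail silently too. The fix is the path in both lines, `cat ./dist/artifacts.json | jq -r ...`, and it would be worth failing the step explicitly when a digest is empty rather than relying on continue-on-error to paper over it. With `push-to-registry: true` the action describes `subject-name` as the fully qualified image name, so `fleetdm/fleet` may need to be `docker.io/fleetdm/fleet`; please confirm against the action's README. `subject-path: "dist/**"` now also attests GoReleaser's own metadata and checksum files, which is harmless but noisy and worth a one-line comment saying it is intentional; the `goreleaser` step that produces `dist/` is outside this hunk.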
44 changes: 40 additions & 4 deletions .github/workflows/goreleaser-orbit.yaml
Expand Up @@ -17,7 +17,10 @@ jobs:
goreleaser-macos:
runs-on: macos-latest
permissions:
contents: read
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand Down Expand Up @@ -62,6 +65,12 @@ jobs:
AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237

- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/orbit-macos_darwin_all/orbit"

- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
Expand All @@ -71,7 +80,10 @@ jobs:
goreleaser-linux:
runs-on: ubuntu-20.04
permissions:
contents: read
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand All @@ -95,6 +107,12 @@ jobs:
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux.yml # v2.4.4

- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/orbit_linux_amd64_v1/orbit"

- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
Expand All @@ -104,7 +122,10 @@ jobs:
goreleaser-linux-arm64:
runs-on: ubuntu-20.04
permissions:
contents: read
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand All @@ -128,6 +149,12 @@ jobs:
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux-arm64.yml # v2.4.4

- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/orbit_linux_arm64_v8.0/orbit"

- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
Expand All @@ -137,7 +164,10 @@ jobs:
goreleaser-windows:
runs-on: windows-2022
permissions:
contents: read
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand All @@ -161,6 +191,12 @@ jobs:
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-windows.yml # v2.4.4

- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/orbit_windows_amd64_v1/orbit.exe"

- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
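Review bot: Each job's `permissions` block is widened from `contents: read` to `contents: write` and gains `packages: write`, yet every GoReleaser invocation in this file runs with `--skip=publish` and the only other output is `actions/upload-artifact`, so neither scope is exercised; `id-token: write` and `attestations: write` are all the Attest steps need, with `contents: read` retained. I would revert to `contents: read` and drop `packages: write` in all four jobs (the same widening is noted on generate-desktop-targets.yml). The macOS Attest step sits after the step whose env (`CODESIGN_IDENTITY`, `AC_TEAM_ID`) is visible just above it, presumably signing/notarization, which is the right order because the attested digest must be that of the shipped signed binary; a comment `# Must run after signing/notarization so the attested digest matches the shipped binary` would protect that ordering from future reshuffles. Only the `orbit` binary is attested in each job, so any other files GoReleaser places in `dist/` and the later Upload step ships are not covered; if that is intentional, say so in a comment next to the `subject-path`.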

