Skip to content

Commit

Permalink
Add SLSA signing and provenance to release
Browse files Browse the repository at this point in the history 
Signed-off-by: Alexandr Demicev <alexandr.demicev@suse.com>
  • Loading branch information
@alexander-demicev
alexander-demicev committed Oct 4, 2023
1 parent cecb76d commit 4c8a532
Show file tree
Hide file tree
Showing 2 changed files with 175 additions and 9 deletions.
180 changes: 171 additions & 9 deletions .github/workflows/release.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,11 @@ env:
TAG: ${{ github.ref_name }}
REGISTRY: ghcr.io
USERNAME: ${{ github.actor }}
PASSWORD: ${{ secrets.GITHUB_TOKEN }}
ORG: rancher-sandbox
PROD_REGISTRY: ${{ secrets.REGISTRY_ENDPOINT }}
PROD_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
PROD_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
PROD_ORG: rancher-sandbox
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
RELEASE_DIR: .cr-release-packages
REPO: ${{ github.repository }}

Expand All @@ -29,6 +26,15 @@ jobs:
permissions:
contents: read
packages: write
outputs:
multiarch_image: ${{ steps.ghcr-images.outputs.multiarch_image }}
multiarch_digest: ${{ steps.ghcr-images.outputs.multiarch_digest }}
amd64_image: ${{ steps.ghcr-images.outputs.amd64_image }}
amd64_digest: ${{ steps.ghcr-images.outputs.amd64_digest }}
arm64_digest: ${{ steps.ghcr-images.outputs.arm64_digest }}
arm64_image: ${{ steps.ghcr-images.outputs.arm64_image }}
s390x_image: ${{ steps.ghcr-images.outputs.s390x_image }}
s390x_digest: ${{ steps.ghcr-images.outputs.s390x_digest }}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -38,31 +44,187 @@ jobs:
uses: actions/setup-go@v4
with:
go-version: '=1.20.7'
- name: Docker login
- name: Docker login to ghcr registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.USERNAME }}
password: ${{ env.PASSWORD }}
- name: Build docker image
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build docker image for gh registry
run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}
- name: Push docker image to gh registry
run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}

- name: Store list of ghcr images and digests
id: ghcr-images
run: |
./scripts/image-digest.sh ${{ env.REGISTRY }} ${{ env.ORG }} ${{ env.TAG }}
- name: Prepare environment for prod registry
run: |
echo "PROD_REGISTRY=${PROD_REGISTRY/https:\/\//}" >> $GITHUB_ENV
- name: Docker login to prod registry
uses: docker/login-action@v3
with:
registry: ${{ env.PROD_REGISTRY }}
username: ${{ env.PROD_USERNAME }}
password: ${{ env.PROD_PASSWORD }}
- name: Build prod docker image
- name: Build docker image for prod registry
run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
- name: Push docker image to prod registry
run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
- name: Store list of prod images and digests
id: prod-images
run: |
./scripts/image-digest.sh ${{ env.PROD_REGISTRY }} ${{ env.PROD_ORG }} ${{ env.TAG }}
ghcr-sign:
runs-on: ubuntu-latest
needs: [build]
permissions:
packages: write
id-token: write
strategy:
matrix:
images: [
{
"image":"${{ needs.build.outputs.multiarch_image }}",
},
{
"image":"${{ needs.build.outputs.amd64_image }}",
},
{
"image":"${{ needs.build.outputs.arm64_image }}",
},
{
"image":"${{ needs.build.outputs.s390x_image }}",
}
]
steps:
- name: Docker login to ghcr registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.USERNAME }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@v3.1.2
- name: Sign manifests
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ${{ matrix.images.image }}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
ghcr-provenance:
needs: [build, ghcr-sign]
permissions:
actions: read
id-token: write
packages: write
strategy:
matrix:
images: [
{
"image":"${{ needs.build.outputs.multiarch_image }}",
"digest":"${{ needs.build.outputs.multiarch_digest }}"
},
{
"image":"${{ needs.build.outputs.amd64_image }}",
"digest":"${{ needs.build.outputs.amd64_digest }}"
},
{
"image":"${{ needs.build.outputs.arm64_image }}",
"digest":"${{ needs.build.outputs.arm64_digest }}"
},
{
"image":"${{ needs.build.outputs.s390x_image }}",
"digest":"${{ needs.build.outputs.s390x_digest }}"
}
]
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ matrix.images.image }}
digest: ${{ matrix.images.digest }}
secrets:
registry-username: ${{ github.actor }}
registry-password: ${{ secrets.GITHUB_TOKEN }}
prod-sign:
runs-on: ubuntu-latest
needs: [build]
strategy:
matrix:
images: [
{
"image":"${{ needs.build.outputs.multiarch_image }}",
"digest":"${{ needs.build.outputs.multiarch_digest }}"
},
{
"image":"${{ needs.build.outputs.amd64_image }}",
"digest":"${{ needs.build.outputs.amd64_digest }}"
},
{
"image":"${{ needs.build.outputs.arm64_image }}",
"digest":"${{ needs.build.outputs.arm64_digest }}"
},
{
"image":"${{ needs.build.outputs.s390x_image }}",
"digest":"${{ needs.build.outputs.s390x_digest }}"
}
]
steps:
- name: Prepare environment for prod registry
run: |
echo "PROD_REGISTRY=${PROD_REGISTRY/https:\/\//}" >> $GITHUB_ENV
- name: Docker login to prod registry
uses: docker/login-action@v3
with:
registry: ${{ env.PROD_REGISTRY }}
username: ${{ env.PROD_USERNAME }}
password: ${{ env.PROD_PASSWORD }}
- uses: sigstore/cosign-installer@v3.1.2
- name: Sign manifests
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign --yes ${{ matrix.images.image }}
- name: Verify pushed ghcr images
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign verify ${{ matrix.images.image }} --certificate-identity=https://github.com/rancher-sandbox/rancher-turtles/.github/workflows/release.yaml@refs/tags/${{ env.TAG }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com
prod-provenance:
needs: [build, prod-sign]
permissions:
actions: read
id-token: write
packages: write
strategy:
matrix:
images: [
{
"image":"${{ needs.build.outputs.multiarch_image }}",
"digest":"${{ needs.build.outputs.multiarch_digest }}"
},
{
"image":"${{ needs.build.outputs.amd64_image }}",
"digest":"${{ needs.build.outputs.amd64_digest }}"
},
{
"image":"${{ needs.build.outputs.arm64_image }}",
"digest":"${{ needs.build.outputs.arm64_digest }}"
},
{
"image":"${{ needs.build.outputs.s390x_image }}",
"digest":"${{ needs.build.outputs.s390x_digest }}"
}
]
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ matrix.images.image }}
digest: ${{ matrix.images.digest }}
secrets:
registry-username: ${{ secrets.REGISTRY_USERNAME }}
registry-password: ${{ secrets.REGISTRY_PASSWORD }}
release:
name: Create helm release
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -294,6 +294,10 @@ docker-build-%:
docker-build: docker-pull-prerequisites ## Run docker-build-* targets for all providers
DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=. --build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG)

docker-list-all:
@echo $(CONTROLLER_IMG):${TAG}
@for arch in $(ALL_ARCH); do echo $(CONTROLLER_IMG)-$${arch}:${TAG}; done

##@ Deployment

ifndef ignore-not-found
Expand Down

0 comments on commit 4c8a532

Please sign in to comment.