Merge pull request #81 from viccuad/gha-refactor

ci: Refactor GHA workflows as kubewarden-controller ones
kubewarden · Aug 1, 2023 · b27900e · b27900e
2 parents 84336bf + 19b6de2
commit b27900e
Show file tree

Hide file tree

Showing 7 changed files with 197 additions and 105 deletions.
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -1,48 +1,39 @@
-name: Build container image
-# to depend on other workflows, or provide container image for all branches
+name: Build container image, sign it, and generate SBOMs
 
 on:
   workflow_call:
     outputs:
       digest:
         description: "Container image digest"
         value: ${{jobs.build.outputs.digest}}
+
   push:
     branches:
-      - main
+      - "main"
+      - "feat-**"
 
 jobs:
   build:
-    name: Build
-    uses: kubewarden/audit-scanner/.github/workflows/reusable-container-image.yml@main
+    uses: ./.github/workflows/container-image.yml
     permissions:
       packages: write
     with:
       push-image: true
 
   sign:
-    runs-on: ubuntu-latest
+    needs: build
+    uses: ./.github/workflows/sign-image.yml
     permissions:
       packages: write
       id-token: write
-    needs: build
-    steps:
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
-
-      - name: Sign the images
-        run: |
-          cosign sign --yes \
-            ${{needs.build.outputs.repository}}@${{needs.build.outputs.digest}}
+    with:
+      image-digest: ${{ needs.build.outputs.digest }}
 
-      - name: Sign the SBOM
-        run: |
-          tag=$(echo '${{needs.build.outputs.digest}}' | sed 's/:/-/g')
-          cosign sign --yes \
-            "${{needs.build.outputs.repository}}:$tag.sbom"
+  sbom:
+    needs: build
+    uses: ./.github/workflows/sbom.yml
+    permissions:
+      packages: write
+      id-token: write
+    with:
+      image-digest: ${{ needs.build.outputs.digest }}
diff --git a/...ub/workflows/reusable-container-image.yml → .github/workflows/container-image.yml b/...ub/workflows/reusable-container-image.yml → .github/workflows/container-image.yml
@@ -1,16 +1,11 @@
-name: Reusable container image build
-# useful to call from the real workflows
+name: Build container image
 
 on:
   workflow_call:
     inputs:
       push-image:
         type: boolean
         required: true
-      generate-sbom:
-        type: boolean
-        required: false
-        default: true
     outputs:
       repository:
         description: "Repository used to build the container image"
@@ -54,24 +49,17 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       -
-        name: Install Golang
-        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
-        with:
-          go-version: '1.19'
-      -
-        name: Install the bom command
-        uses: kubewarden/github-actions/kubernetes-bom-installer@d849020c9137340c2373d1cbc9cc571b2b18c17e # v2
-      -
-        name: Install Cosign
-        if: ${{ inputs.generate-sbom == true }}
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
-      -
-        name: Retrieve tag name
-        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+        name: Retrieve tag name (main branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/main') }}
         run: |
           echo TAG_NAME=latest >> $GITHUB_ENV
       -
-        name: Retrieve tag name
+        name: Retrieve tag name (feat branch)
+        if: ${{ startsWith(github.ref, 'refs/heads/feat') }}
+        run: |
+          echo "TAG_NAME=latest-$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
+      -
+        name: Retrieve tag name (tag)
         if: ${{ startsWith(github.ref, 'refs/tags/') }}
         run: |
             echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
@@ -101,24 +89,6 @@ jobs:
           outputs: type=docker,dest=/tmp/audit-scanner-image-${{ env.TAG_NAME }}.tar
           tags: |
             ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}
-      -
-        name: Test container image
-        if: ${{ startsWith(github.ref, 'refs/tags/') }}
-        run: |
-          docker run --rm ghcr.io/${{ github.repository_owner }}/audit-scanner:${{ env.TAG_NAME }} --help
-      -
-        name: Create SBOM file
-        if: ${{ inputs.generate-sbom == true }}
-        shell: bash
-        run: |
-          bom generate -n https://kubewarden.io/kubewarden.spdx -o audit-scanner.spdx .
-      -
-        name: Attach SBOM file in the container image
-        if: ${{ inputs.generate-sbom == true }}
-        shell: bash
-        run: |
-          set -e
-          cosign attach sbom --sbom audit-scanner.spdx "ghcr.io/${{github.repository_owner}}/audit-scanner@${{ steps.build-image.outputs.digest }}"
       -
         name: Upload container image to use in other jobs
         if: ${{ inputs.push-image == false }}

diff --git a/.github/workflows/openssf.yml b/.github/workflows/openssf.yml
@@ -18,12 +18,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
         with:
           results_file: results.sarif
           results_format: sarif

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -9,10 +9,10 @@ on:
   # pull_request event is required only for autolabeler
   pull_request:
     # Only following types are handled by the action, but one can default to all as well
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, edited]
   # pull_request_target event is required for autolabeler to support PRs from forks
   pull_request_target:
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, edited]
 
 permissions:
   contents: read

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,56 +9,55 @@ permissions: read-all
 
 jobs:
   ci:
-    uses: kubewarden/audit-scanner/.github/workflows/ci.yml@main
+    uses: ./.github/workflows/ci.yml
     permissions: read-all
 
-  container-build:
-    uses: kubewarden/audit-scanner/.github/workflows/container-build.yml@main
+  build:
+    name: Build container image, sign it, and generate SBOMs
+    uses: ./.github/workflows/container-build.yml
     permissions:
       id-token: write
       packages: write
-  release:
-    permissions:
-      id-token: write
-      contents: write
-    name: Create release
+
+  crds:
+    name: Build CRDs
     runs-on: ubuntu-latest
-    needs:
-      - ci
-      - container-build
     steps:
       - name: Install Golang
         uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
         with:
           go-version: '1.19'
 
-      - name: Install the bom command
-        shell: bash
-        run: go install sigs.k8s.io/bom/cmd/bom@v0.2.2
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
-
       - name: Checkout code
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
 
-      - name: Retrieve tag name
-        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+      - name: Generate CRDs
         run: |
-          echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
+          tar -czf CRDS.tar.gz -C config/crd $(ls config/crd)
+      - name: Upload CRDs as artifacts
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        with:
+          name: CRDS
+          path: CRDS.tar.gz
 
-      - name: Create SBOM file
-        shell: bash
-        run: |
-          bom generate -n https://kubewarden.io/kubewarden.spdx \
-            --image "ghcr.io/${{github.repository_owner}}/audit-scanner@${{ needs.container-build.outputs.digest }}" \
-            . > audit-scanner-sbom.spdx
+  release:
+    name: Create release
 
-      - name: Sign BOM file
+    needs:
+      - ci
+      - crds
+      - build
+
+    permissions:
+      contents: write
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Retrieve tag name
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
         run: |
-          cosign sign-blob --yes --output-certificate audit-scanner-sbom.spdx.cert \
-            --output-signature audit-scanner-sbom.spdx.sig \
-            audit-scanner-sbom.spdx
+          echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
 
       - name: Get latest release tag
         id: get_last_release_tag
@@ -93,17 +92,33 @@ jobs:
             }
             core.setFailed(`Draft release not found`)
 
-      - name: tar CRDs
-        run: |
-          tar -czf CRDS.tar.gz -C config/crd $(ls config/crd)
+      - name: Download SBOM artifact
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
+        with:
+          name: sbom
+
+      - name: Download CRDs artifact
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
+        with:
+          name: CRDS
+
+      - name: Display structure of downloaded files
+        run: ls -R
 
       - name: Upload release assets
         id: upload_release_assets
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         with:
           script: |
             let fs = require('fs');
-            let files = ['audit-scanner-sbom.spdx', 'audit-scanner-sbom.spdx.cert', 'audit-scanner-sbom.spdx.sig', "CRDS.tar.gz"]
+            let files = [
+              'audit-scanner-sbom-amd64.spdx',
+              'audit-scanner-sbom-amd64.spdx.cert',
+              'audit-scanner-sbom-amd64.spdx.sig',
+              'audit-scanner-sbom-arm64.spdx',
+              'audit-scanner-sbom-arm64.spdx.cert',
+              'audit-scanner-sbom-arm64.spdx.sig',
+              "CRDS.tar.gz"]
             const {RELEASE_ID} = process.env
 
             for (const file of files) {
@@ -139,7 +154,7 @@ jobs:
             });
 
       - name: Trigger chart update
-        uses: peter-evans/repository-dispatch@08864651bc775a60da929f1f918149f999f9d7d8
+        uses: peter-evans/repository-dispatch@26b39ed245ab8f31526069329e112ab2fb224588 # v2.1.1
         with:
           token: ${{ secrets.HELM_CHART_REPO_ACCESS_TOKEN }}
           repository: "${{github.repository_owner}}/helm-charts"

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -0,0 +1,84 @@
+name: Generate SBOMs
+
+on:
+  workflow_call:
+    inputs:
+      image-digest:
+        type: string
+        required: true
+
+jobs:
+  sbom:
+    name: Generate SBOM, sign and attach them to OCI image
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    permissions:
+      packages: write
+      id-token: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3
+
+      - name: Install the syft command
+        uses: kubewarden/github-actions/syft-installer@00836d4962f80890a32cca1dd324d2ebafc4e29c # v3.1.5
+
+      - name: Install the crane command
+        uses: kubewarden/github-actions/crane-installer@00836d4962f80890a32cca1dd324d2ebafc4e29c # v3.1.5
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Find platform digest
+        shell: bash
+        run: |
+          set -e
+          DIGEST=$(crane digest \
+            --platform "linux/${{ matrix.arch }}" \
+            ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ inputs.image-digest }})
+          echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Create SBOM file
+        shell: bash
+        run: |
+          syft \
+            -o spdx-json \
+            --file audit-scanner-sbom-${{ matrix.arch }}.spdx \
+            ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ env.PLATFORM_DIGEST }}
+
+      - name: Sign SBOM file
+        run: |
+          cosign sign-blob --yes \
+            --output-certificate audit-scanner-sbom-${{ matrix.arch }}.spdx.cert \
+            --output-signature audit-scanner-sbom-${{ matrix.arch }}.spdx.sig \
+            audit-scanner-sbom-${{ matrix.arch }}.spdx
+
+      - name: Attach SBOM file in the container image
+        shell: bash
+        run: |
+          cosign attach \
+            sbom --sbom audit-scanner-sbom-${{ matrix.arch }}.spdx \
+            ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ env.PLATFORM_DIGEST }}
+
+      - name: Sign SBOM file pushed to OCI registry
+        shell: bash
+        run: |
+          set -e
+          SBOM_TAG="$(echo ${{ env.PLATFORM_DIGEST }} | sed -e 's/:/-/g').sbom"
+
+          cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/audit-scanner:${SBOM_TAG}
+
+      -
+        name: Upload SBOMs as artifacts
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
+        with:
+          name: sbom
+          path: audit-scanner-sbom-*