-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: use docker buildx to create attestation files.
Updates the Github workflow to use the Docker buildx to generate the SLSA attestation and SBOM files. Furthermore, the previous workflow used to generate the SBOM files has been updated to download the data from the container registry and upload them to the release page as it does before. Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
- Loading branch information
Showing
7 changed files
with
276 additions
and
137 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
name: Sign attestation files | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
image-digest: | ||
type: string | ||
required: true | ||
|
||
jobs: | ||
sbom: | ||
name: Fetch, sign and verify SBOM and provenance files | ||
strategy: | ||
matrix: | ||
arch: [amd64, arm64] | ||
|
||
permissions: | ||
packages: write | ||
id-token: write | ||
|
||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Install cosign | ||
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | ||
|
||
- name: Install the crane command | ||
uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5 | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Verify container image signature | ||
run: | | ||
cosign verify \ | ||
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/container-image.yml@${{ github.ref }}" \ | ||
ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ inputs.image-digest }} | ||
- name: Find platform digest | ||
shell: bash | ||
run: | | ||
set -e | ||
DIGEST=$(crane digest \ | ||
--platform "linux/${{ matrix.arch }}" \ | ||
ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ inputs.image-digest }}) | ||
echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | ||
- name: Find attestation digest | ||
run: | | ||
set -e | ||
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }} \ | ||
| jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest' | ||
) | ||
echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | ||
- name: Find provenance manifest digest | ||
run: | | ||
set -e | ||
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ | ||
jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest') | ||
echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | ||
- name: Find SBOM manifest layers digest | ||
run: | | ||
set -e | ||
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ | ||
jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")') | ||
echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | ||
- name: Download provenance and SBOM files | ||
run: | | ||
set -e | ||
crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}} > audit-scanner-attestation-${{ matrix.arch }}-provenance.json | ||
sha256sum audit-scanner-attestation-${{ matrix.arch }}-provenance.json >> audit-scanner-attestation-${{ matrix.arch }}-checksum.txt | ||
for sbom_digest in "${{ env.SBOM_DIGEST }}"; do | ||
crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@$sbom_digest > audit-scanner-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json | ||
sha256sum audit-scanner-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json >> audit-scanner-attestation-${{ matrix.arch }}-checksum.txt | ||
done | ||
- name: Sign checksum file | ||
run: | | ||
cosign sign-blob --yes \ | ||
--bundle audit-scanner-attestation-${{ matrix.arch }}-checksum-cosign.bundle \ | ||
audit-scanner-attestation-${{ matrix.arch }}-checksum.txt | ||
cosign verify-blob \ | ||
--bundle audit-scanner-attestation-${{ matrix.arch }}-checksum-cosign.bundle \ | ||
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \ | ||
audit-scanner-attestation-${{ matrix.arch }}-checksum.txt | ||
- name: Upload SBOMs as artifacts | ||
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | ||
with: | ||
name: attestation-${{ matrix.arch }} | ||
path: audit-scanner-attestation-${{ matrix.arch }}* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.