diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 00000000..a1c00789
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,37 @@
+# Build the rock
+name: Build
+
+on:
+ workflow_call:
+
+jobs:
+ build:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Get name
+ id: name
+ run: echo "name=$(yq '.name' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+
+ - uses: canonical/craft-actions/rockcraft-pack@main
+ id: rockcraft
+
+ - name: Install Syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+ - name: Create SBOM
+ run: syft ${{ steps.rockcraft.outputs.rock }} -o spdx-json=${{ steps.name.outputs.name }}.sbom.json
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v3
+ with:
+ name: ${{ steps.name.outputs.name }}-sbom
+ path: "${{ steps.name.outputs.name }}.sbom.json"
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: rock
+ path: ${{ steps.rockcraft.outputs.rock }}
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 00000000..742e5f83
--- /dev/null
+++ b/.github/workflows/publish.yaml
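Review bot: Three pieces of third-party code execute at unpinned moving references in this hunk: `canonical/craft-actions/rockcraft-pack@main`, the Syft installer fetched from `raw.githubusercontent.com/anchore/syft/main/install.sh` and piped straight into `sh`, and (same pattern) `aquasecurity/trivy-action@master` in scan.yaml; any of those upstreams can change the code that builds and attests the artifact without a change in this repository. Pin the actions to a full commit SHA with the version in a trailing comment, as publish.yaml already does for docker/login-action, and pin the installer to a release tag while passing the same tag as the version argument, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/syft/<release-tag>/install.sh | sh -s -- -b /usr/local/bin <release-tag>`. The `${{ steps.*.outputs.* }}` expressions in the Create SBOM `run:` line are substituted into the shell text before it runs; the values come from the repository's own rockcraft.yaml so the risk is low, but exporting them via `env:` and referencing `"$ROCK"` in the script is the safer habit and avoids word-splitting on odd names.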
@@ -0,0 +1,43 @@
+# Publish the rock image to ghcr
+name: Publish
+
+on:
+ workflow_call:
+
+jobs:
+ publish:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install skopeo
+ run: |
+ sudo snap install --devmode --channel edge skopeo
+
+ - name: Install yq
+ run: |
+ sudo snap install yq
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: rock
+
+ - name: Import and push to github package
+ run: |
+ image_name="$(yq '.name' rockcraft.yaml)"
+ version="$(yq '.version' rockcraft.yaml)"
+ rock_file=$(ls *.rock | tail -n 1)
+ sudo skopeo \
+ --insecure-policy \
+ copy \
+ oci-archive:"${rock_file}" \
+ docker-daemon:"ghcr.io/canonical/${image_name}:${version}"
+ docker push ghcr.io/canonical/${image_name}:${version}
diff --git a/.github/workflows/push_any.yaml b/.github/workflows/push_any.yaml
new file mode 100644
index 00000000..6e803746
--- /dev/null
+++ b/.github/workflows/push_any.yaml
@@ -0,0 +1,16 @@
+name: Push (any)
+
+# When pushing to any branch other than "main", we:
+# * build the rock image
+
+on:
+ push:
+ branches-ignore:
+ - "main"
+ paths:
+ - "rockcraft.yaml"
+ - ".github/workflows/**.yaml"
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
diff --git a/.github/workflows/push_main.yaml b/.github/workflows/push_main.yaml
new file mode 100644
index 00000000..1b975272
--- /dev/null
+++ b/.github/workflows/push_main.yaml
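Review bot: The "Import and push" step locates the artifact with `rock_file=$(ls *.rock | tail -n 1)`, which yields an empty path (so `oci-archive:""`) when nothing was downloaded, because the pipe into `tail` hides the `ls` failure from the shell's `-e`, and silently picks the last of several files if more than one `.rock` is present. Add a guard right after that line, `[ -n "${rock_file}" ] && [ -f "${rock_file}" ] || { echo "expected one .rock artifact" >&2; exit 1; }`, and consider failing when `ls *.rock | wc -l` is not exactly 1 so the pushed image is unambiguously the one this run built. Separately, `sudo snap install --devmode --channel edge skopeo` runs an unconfined, unpinned edge build as root in the job that holds the registry token; prefer a stable channel without `--devmode` if the snap works confined, or the distro `skopeo` package if the runner's apt sources provide it. `--insecure-policy` is reasonable for a copy from a local archive, but a one-line comment stating that is the reason would stop a reader from assuming signature checks were dropped for convenience.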
@@ -0,0 +1,27 @@
+name: Push (main)
+
+# When pushing to the "main" branch, we:
+# * build the rock image
+# * publish the image
+# * scan the image and upload the artifacts to the repository
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "rockcraft.yaml"
+ - ".github/workflows/**.yaml"
+ workflow_dispatch:
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
+
+ publish:
+ needs: build
+ uses: ./.github/workflows/publish.yaml
+
+ scan:
+ needs: publish
+ uses: ./.github/workflows/scan.yaml
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
new file mode 100644
index 00000000..0396fc1c
--- /dev/null
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,30 @@
+# Scan the published rock image and upload the results
+name: Scan
+
+on:
+ workflow_call:
+
+jobs:
+ scan:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Get name and version
+ id: image_info
+ run: |
+ echo "image_name=$(yq '.name' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+ echo "version=$(yq '.version' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+
+ - name: Scan image with Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "ghcr.io/canonical/${{ steps.image_info.outputs.image_name }}:${{ steps.image_info.outputs.version }}"
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload scan results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
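Review bot: None of the three jobs declares `permissions:`, yet `publish` pushes to ghcr.io with `secrets.GITHUB_TOKEN` and `scan` uploads SARIF, which need `packages: write` and `security-events: write` respectively; a called workflow can only narrow the caller's token, so the grant has to be made here, and today every job runs with whatever the repository default is (read-only on repositories using the newer default, which would make the push fail, or read/write everywhere, which hands `build` far more than it needs). Declare the least privilege each job needs on the caller side so the scope is explicit and the build job's token cannot write packages or security events.
```yaml
# … unchanged: name, header comment and on: triggers …
jobs:
  build:
    permissions:
      contents: read
    uses: ./.github/workflows/build.yaml

  publish:
    needs: build
    permissions:
      contents: read
      packages: write
    uses: ./.github/workflows/publish.yaml

  scan:
    needs: publish
    permissions:
      contents: read
      security-events: write
    uses: ./.github/workflows/scan.yaml
```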
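Review bot: The Trivy step sets no `exit-code` or `severity`, and push_main.yaml runs this job only after `publish`, so a critically vulnerable image is already public by the time results reach the Security tab and nothing in the pipeline can block it. If the intent is to gate rather than merely monitor, scan the artifact in the build stage before publishing and fail on findings with `exit-code: '1'` and `severity: 'CRITICAL,HIGH'` (`ignore-unfixed: true` keeps the gate actionable), and give the upload step `if: always()` so the SARIF is still uploaded when the gate fails; if continuous monitoring of the published tag is the goal, say so in the header comment. The `image-ref` is also re-resolved from a mutable tag, so what is scanned is whatever the tag points at when this job runs rather than the artifact this run built; scanning by digest, or from the downloaded `.rock`, would tie the result to the build. `aquasecurity/trivy-action@master` has the pinning issue raised on build.yaml.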