From 654bfb90c014304e5aefb13a370985c93bc057d2 Mon Sep 17 00:00:00 2001
From: Nikos
Date: Wed, 26 Apr 2023 14:44:38 +0300
Subject: [PATCH 1/2] Add github workflows
---
 .github/workflows/build.yaml | 9 +++++++++
 .github/workflows/publish.yaml | 9 +++++++++
 .github/workflows/push_any.yaml | 13 +++++++++++++
 .github/workflows/push_main.yaml | 20 ++++++++++++++++++++
 .github/workflows/scan.yaml | 9 +++++++++
 5 files changed, 60 insertions(+)
 create mode 100644 .github/workflows/build.yaml
 create mode 100644 .github/workflows/publish.yaml
 create mode 100644 .github/workflows/push_any.yaml
 create mode 100644 .github/workflows/push_main.yaml
 create mode 100644 .github/workflows/scan.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 00000000..8d8d7acf
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,9 @@
+name: Build
+
+on:
+ workflow_call:
+
+jobs:
+ build:
+ uses: canonical/kratos-rock/.github/workflows/build.yaml@main
+ secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 00000000..04827a57
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,9 @@
+name: Publish
+
+on:
+ workflow_call:
+
+jobs:
+ publish:
+ uses: canonical/kratos-rock/.github/workflows/publish.yaml@main
+ secrets: inherit
diff --git a/.github/workflows/push_any.yaml b/.github/workflows/push_any.yaml
new file mode 100644
index 00000000..66e55ebc
--- /dev/null
+++ b/.github/workflows/push_any.yaml
@@ -0,0 +1,13 @@
+name: Push (any)
+
+on:
+ push:
+ branches-ignore:
+ - "main"
+ paths:
+ - "rockcraft.yaml"
+ - ".github/workflows/**.yaml"
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
diff --git a/.github/workflows/push_main.yaml b/.github/workflows/push_main.yaml
new file mode 100644
index 00000000..dcde1cf4
--- /dev/null
+++ b/.github/workflows/push_main.yaml
@@ -0,0 +1,20 @@
+name: Push (main)
+
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - "rockcraft.yaml"
+ - ".github/workflows/**.yaml"
+
+jobs:
+ build:
+ uses: ./.github/workflows/build.yaml
+
+ publish:
+ needs: build
+ uses: ./.github/workflows/publish.yaml
+
+ scan:
+ uses: ./.github/workflows/scan.yaml
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
new file mode 100644
index 00000000..a866d7ed
--- /dev/null
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,9 @@
+name: Scan
+
+on:
+ workflow_call:
+
+jobs:
+ scan:
+ uses: canonical/kratos-rock/.github/workflows/scan.yaml@main
+ secrets: inherit
From 4cd723c32471ecdc085b4f3146684950e1b3d9dd Mon Sep 17 00:00:00 2001
From: Nikos
Date: Thu, 27 Apr 2023 14:54:58 +0300
Subject: [PATCH 2/2] Remove dependencies to kratos-rock workflows
---
 .github/workflows/build.yaml | 32 +++++++++++++++++++++++++--
 .github/workflows/publish.yaml | 38 ++++++++++++++++++++++++++++++--
 .github/workflows/push_any.yaml | 3 +++
 .github/workflows/push_main.yaml | 7 ++++++
 .github/workflows/scan.yaml | 25 +++++++++++++++++++--
 5 files changed, 99 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8d8d7acf..a1c00789 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,3 +1,4 @@ +# Build the rock name: Build on:
@@ -5,5 +6,32 @@ on: jobs: build:
- uses: canonical/kratos-rock/.github/workflows/build.yaml@main
- secrets: inherit
\ No newline at end of file
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Get name
+ id: name
+ run: echo "name=$(yq '.name' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+
+ - uses: canonical/craft-actions/rockcraft-pack@main
+ id: rockcraft
+
+ - name: Install Syft
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+ - name: Create SBOM
+ run: syft ${{ steps.rockcraft.outputs.rock }} -o spdx-json=${{ steps.name.outputs.name }}.sbom.json
+
+ - name: Upload SBOM
+ uses: actions/upload-artifact@v3
+ with:
+ name: ${{ steps.name.outputs.name }}-sbom
+ path: "${{ steps.name.outputs.name }}.sbom.json"
+
+ - uses: actions/upload-artifact@v3
+ with:
+ name: rock
+ path: ${{ steps.rockcraft.outputs.rock }}
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 04827a57..742e5f83 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -1,3 +1,4 @@ +# Publish the rock image to ghcr name: Publish on:
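Review bot: Several third-party steps are taken from mutable branches — `canonical/craft-actions/rockcraft-pack@main`, and the Syft installer fetched from the `main` branch of anchore/syft and piped straight into `sh` — so the build and the SBOM it produces depend on whatever those branches contain on the day the job runs; the same applies to `aquasecurity/trivy-action@master` in scan.yaml. Pin each to a release tag or commit SHA (publish.yaml already SHA-pins `docker/login-action`), and give the installer an explicit version, e.g. `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin <pinned-syft-tag>`, or replace the two Syft steps with a pinned `anchore/sbom-action`. The `${{ steps.name.outputs.name }}` expression is substituted into the text of a `run:` script before the shell sees it; the value comes from this repository's `rockcraft.yaml`, so exposure is limited to committers, but passing it through `env:` and referencing `"$NAME"` avoids that class of injection by construction. The `jobs:` and `build:` context lines at the top of the hunk are the start of the job, which is otherwise contained here.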
@@ -5,5 +6,38 @@ on: jobs: publish:
- uses: canonical/kratos-rock/.github/workflows/publish.yaml@main
- secrets: inherit
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install skopeo
+ run: |
+ sudo snap install --devmode --channel edge skopeo
+
+ - name: Install yq
+ run: |
+ sudo snap install yq
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: rock
+
+ - name: Import and push to github package
+ run: |
+ image_name="$(yq '.name' rockcraft.yaml)"
+ version="$(yq '.version' rockcraft.yaml)"
+ rock_file=$(ls *.rock | tail -n 1)
+ sudo skopeo \
+ --insecure-policy \
+ copy \
+ oci-archive:"${rock_file}" \
+ docker-daemon:"ghcr.io/canonical/${image_name}:${version}"
+ docker push ghcr.io/canonical/${image_name}:${version}
diff --git a/.github/workflows/push_any.yaml b/.github/workflows/push_any.yaml
index 66e55ebc..6e803746 100644
--- a/.github/workflows/push_any.yaml
+++ b/.github/workflows/push_any.yaml
@@ -1,5 +1,8 @@ name: Push (any) +# When pushing to any branch other than "main", we: +# * build the rock image + on: push: branches-ignore:
diff --git a/.github/workflows/push_main.yaml b/.github/workflows/push_main.yaml
index dcde1cf4..1b975272 100644
--- a/.github/workflows/push_main.yaml
+++ b/.github/workflows/push_main.yaml
@@ -1,5 +1,10 @@ name: Push (main) +# When pushing to the "main" branch, we: +# * build the rock image +# * publish the image +# * scan the image and upload the artifacts to the repository + on: push: branches:
@@ -7,6 +12,7 @@ on: paths: - "rockcraft.yaml" - ".github/workflows/**.yaml" + workflow_dispatch: jobs: build:
@@ -17,4 +23,5 @@ jobs: uses: ./.github/workflows/publish.yaml scan: + needs: publish uses: ./.github/workflows/scan.yaml
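Review bot: The job pushes to `ghcr.io` with `secrets.GITHUB_TOKEN` but declares no `permissions:` block, so it runs with the repository's default token scope — on repositories whose default is read-only the push fails, and elsewhere the token carries more than the job needs. Add `permissions:` / `contents: read` / `packages: write` at the job (or workflow) level so the token is exactly wide enough to write the package. `skopeo --insecure-policy` only disables signature policy for the local `oci-archive` → `docker-daemon` copy, which is acceptable here but should say so in a one-line comment; `rock_file=$(ls *.rock | tail -n 1)` silently picks one file if several are ever downloaded, and the final `docker push ghcr.io/canonical/${image_name}:${version}` leaves the variables unquoted while the skopeo target quotes them. The SHA-pinned `docker/login-action` line should carry a trailing `# <release-tag>` comment naming the release the hash corresponds to, since neither readers nor update tooling can tell from the hash alone.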
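Review bot: With `needs: publish` the scan only ever runs after the image is already public on `ghcr.io`, so findings arrive too late to keep a vulnerable image from being published, and nothing in this chain makes the scan result gate anything. If the scan is meant to be a gate rather than a report, scan the `rock` artifact that `build` uploads and make publish depend on it (`publish: needs: [build, scan]`); if post-publication scanning is the intent, a comment on the `scan:` job saying so would stop the next reader from "fixing" the order. The `workflow_dispatch:` trigger added in the preceding hunk lets anyone with write access re-run the chain, which re-pushes the same `version` tag read from `rockcraft.yaml` over whatever the registry currently holds under it.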
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index a866d7ed..0396fc1c 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -1,3 +1,4 @@ +# Scan the published rock image and upload the results name: Scan on:
@@ -5,5 +6,25 @@ on: jobs: scan:
- uses: canonical/kratos-rock/.github/workflows/scan.yaml@main
- secrets: inherit
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Get name and version
+ id: image_info
+ run: |
+ echo "image_name=$(yq '.name' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+ echo "version=$(yq '.version' rockcraft.yaml)" >> "$GITHUB_OUTPUT"
+
+ - name: Scan image with Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "ghcr.io/canonical/${{ steps.image_info.outputs.image_name }}:${{ steps.image_info.outputs.version }}"
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload scan results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
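Review bot: `github/codeql-action/upload-sarif` needs the `security-events: write` permission and this workflow declares no `permissions:` block, so the upload depends on the repository's default token scope; add `permissions:` / `contents: read` / `security-events: write` to the `scan` job. As written the Trivy step cannot fail the job — `aquasecurity/trivy-action` exits 0 by default regardless of findings — so if results are meant to block, set `exit-code: '1'` together with a `severity` threshold; otherwise a comment noting that the scan is report-only would make that explicit. The `image-ref` is rebuilt from `rockcraft.yaml` at scan time rather than taken from the image `build` produced, so if the version is not bumped the job scans whichever image currently carries that tag on the registry. The mutable `@master` ref on trivy-action is covered together with the other unpinned refs in the build.yaml note.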