Skip to content

Commit

Permalink
ci: Generate and sign provenance information as image layer for SLSA …
Browse files Browse the repository at this point in the history 
…lvl 3 (#504)

* ci: Generate and sign provenance info as image layer

Configure docker buildx to generate provenance attestations
as explained in
https://docs.docker.com/build/metadata/attestations/slsa-provenance.

Find the specific layer digest that corresponds to that provenance
attestation, both for linux/amd64 and linux/arm64 architectures, and
sign it.

Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>

* ci: Use github.repository_owner instead of hardcoded org

This allows to test the CI workflows in a fork, and to not need
push permissions to production OCI registry namespace under
ghcr.io/kyverno.

Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>

---------

Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
  • Loading branch information
@viccuad
viccuad authored Oct 12, 2024
1 parent d65d925 commit 8f5e4af
Show file tree
Hide file tree
Showing 2 changed files with 90 additions and 20 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/release-chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -75,11 +75,11 @@ jobs:
- name: Push to OCI
run: |
set -e
output=$(helm push .cr-release-packages/policy-reporter-${{ env.VERSION }}.tgz oci://ghcr.io/kyverno/charts 2>&1)
output=$(helm push .cr-release-packages/policy-reporter-${{ env.VERSION }}.tgz oci://ghcr.io/${{github.repository_owner}}/charts 2>&1)
digest=$( echo "$output" | grep Digest | cut -c9-)
echo CR_DIGEST=$digest
echo "CR_DIGEST=$digest" >> "$GITHUB_ENV"
- name: Sign Chart
run: |
cosign sign --yes ghcr.io/kyverno/charts/policy-reporter@${{ env.CR_DIGEST }}
cosign sign --yes ghcr.io/${{github.repository_owner}}/charts/policy-reporter@${{ env.CR_DIGEST }}
104 changes: 87 additions & 17 deletions .github/workflows/release-image.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ name: release-image
on:
push:
tags:
- 'v*'
- "v*"

paths-ignore:
- README.md
Expand All @@ -12,7 +12,7 @@ on:
permissions:
contents: read
packages: write
id-token: write
id-token: write

jobs:
push-policy-reporter:
Expand Down Expand Up @@ -54,18 +54,35 @@ jobs:
with:
push: true
platforms: linux/arm64,linux/amd64
cache-from: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache
cache-to: type=registry,ref=ghcr.io/kyverno/policy-reporter:buildcache,mode=max
provenance: mode=max
cache-from: type=registry,ref=ghcr.io/${{github.repository_owner}}/policy-reporter:buildcache
cache-to: type=registry,ref=ghcr.io/${{github.repository_owner}}/policy-reporter:buildcache,mode=max
tags: |
ghcr.io/kyverno/policy-reporter:${{ env.VERSION }}
ghcr.io/${{github.repository_owner}}/policy-reporter:${{ env.VERSION }}
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- name: Sign image
shell: bash
env:
COSIGN_REPOSITORY: ghcr.io/${{github.repository_owner}}/signatures
run: |
set -e
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{github.repository_owner}}/policy-reporter@${{ steps.push.outputs.digest }}
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.2.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum

- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: v1
args: app -licenses -json -output policy-reporter-bom.cdx.json -main .
Expand All @@ -75,22 +92,75 @@ jobs:
name: policy-reporter-bom-cdx
path: policy-reporter-bom.cdx.json

- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- shell: bash
- name: Attach SBOM to image
shell: bash
env:
COSIGN_REPOSITORY: ghcr.io/kyverno/signatures
COSIGN_REPOSITORY: ghcr.io/${{github.repository_owner}}/sbom
run: |
cosign attach sbom --sbom ./policy-reporter-bom.cdx.json --type cyclonedx ghcr.io/${{github.repository_owner}}/policy-reporter@${{ steps.push.outputs.digest }}
- name: Install the crane command
uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5

- name: Find platform digest
shell: bash
run: |
set -e
DIGEST_AMD64=$(crane digest \
--platform "linux/amd64" \
ghcr.io/${{github.repository_owner}}/policy-reporter@${{ steps.push.outputs.digest }})
echo "PLATFORM_DIGEST_AMD64=${DIGEST_AMD64}" >> "$GITHUB_ENV"
DIGEST_ARM64=$(crane digest \
--platform "linux/arm64" \
ghcr.io/${{github.repository_owner}}/policy-reporter@${{ steps.push.outputs.digest }})
echo "PLATFORM_DIGEST_ARM64=${DIGEST_ARM64}" >> "$GITHUB_ENV"
- name: Find attestation digest
run: |
set -e
DIGEST_AMD64=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-reporter@${{ steps.push.outputs.digest }} \
| jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST_AMD64 }}") | .digest'
)
echo "ATTESTATION_MANIFEST_DIGEST_AMD64=${DIGEST_AMD64}" >> "$GITHUB_ENV"
DIGEST_ARM64=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-reporter@${{ steps.push.outputs.digest }} \
| jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST_ARM64 }}") | .digest'
)
echo "ATTESTATION_MANIFEST_DIGEST_ARM64=${DIGEST_ARM64}" >> "$GITHUB_ENV"
- name: Sign attestation manifest
run: |
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/kyverno/policy-reporter@${{ steps.push.outputs.digest }}
- shell: bash
env:
COSIGN_REPOSITORY: ghcr.io/kyverno/sbom
ghcr.io/${{github.repository_owner}}/policy-reporter@${{ env.ATTESTATION_MANIFEST_DIGEST_AMD64}}
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{github.repository_owner}}/policy-reporter@${{ env.ATTESTATION_MANIFEST_DIGEST_ARM64}}
- name: Find provenance manifest digest
run: |
set -e
DIGEST_AMD64=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-reporter@${{ env.ATTESTATION_MANIFEST_DIGEST_AMD64}} | \
jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
echo "PROVENANCE_DIGEST_AMD64=${DIGEST_AMD64}" >> "$GITHUB_ENV"
DIGEST_ARM64=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-reporter@${{ env.ATTESTATION_MANIFEST_DIGEST_ARM64}} | \
jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
echo "PROVENANCE_DIGEST_ARM64=${DIGEST_ARM64}" >> "$GITHUB_ENV"
- name: Sign provenance manifest
run: |
cosign attach sbom --sbom ./policy-reporter-bom.cdx.json --type cyclonedx ghcr.io/kyverno/policy-reporter@${{ steps.push.outputs.digest }}
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{github.repository_owner}}/policy-reporter@${{ env.PROVENANCE_DIGEST_AMD64}}
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{github.repository_owner}}/policy-reporter@${{ env.PROVENANCE_DIGEST_ARM64}}

0 comments on commit 8f5e4af

Please sign in to comment.