feat: Integrate GoReleaser, Cosign and Syft (#595)

* build: integrate goreleaser, syft and cosign Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: chmod for all binaries Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: version-env Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: remove prefix Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: remove prefix Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: schellcheck Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: shellcheck Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: several script updates Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: remove main-prefix Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
2026-05-25 09:43:28 +00:00 · 2022-10-02 15:25:17 +02:00
parent 8cabfb7d75
commit ba1328ca12
12 changed files with 237 additions and 75 deletions
--- a/.github/scripts/goreleaser-install.sh
+++ b/.github/scripts/goreleaser-install.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+
+RELEASES_URL="https://github.com/goreleaser/goreleaser/releases"
+FILE_BASENAME="goreleaser"
+
+test -z "$VERSION" && {
+    echo "Unable to get goreleaser version." >&2
+    exit 1
+}
+
+test -z "$TMPDIR" && TMPDIR="$(mktemp -d)"
+TAR_FILE="$TMPDIR/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
+export TAR_FILE
+
+(
+    echo "Downloading GoReleaser $VERSION..."
+    curl -sfLo "$TAR_FILE" \
+        "$RELEASES_URL/download/$VERSION/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
+    cd "$TMPDIR"
+    curl -sfLo "checksums.txt" "$RELEASES_URL/download/$VERSION/checksums.txt"
+    curl -sfLo "checksums.txt.sig" "$RELEASES_URL/download/$VERSION/checksums.txt.sig"
+    echo "Verifying checksums..."
+    sha256sum --ignore-missing --quiet --check checksums.txt
+    if command -v cosign >/dev/null 2>&1; then
+        echo "Verifying signatures..."
+        COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+            --signature checksums.txt.sig \
+            checksums.txt
+    else
+        echo "Could not verify signatures, cosign is not installed."
+    fi
+)
+
+tar -xf "$TAR_FILE" -O goreleaser > "$TMPDIR/goreleaser"
+rm "$TMPDIR/checksums.txt" "$TMPDIR/checksums.txt.sig"
+rm "$TAR_FILE"
--- a/.github/workflows/on-main-push.yaml
+++ b/.github/workflows/on-main-push.yaml
@@ -14,6 +14,10 @@ jobs:
  tag-scan-and-push-final-image:
    name: "Build, scan, and publish tagged image"
    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
    steps:
      - uses: actions/checkout@v3

@@ -46,20 +50,42 @@ jobs:
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
-        id: buildx
        uses: docker/setup-buildx-action@v2

      - name: Find current tag version
        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
        id: tags

+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+
+      - name: Build binaries
+        run: make kured-release-snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: 1
+
      - name: Build image
        uses: docker/build-push-action@v3
        with:
          context: .
-          file: cmd/kured/Dockerfile.multi
          platforms: linux/arm64, linux/amd64, linux/arm/v7, linux/arm/v6, linux/386
          push: true
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-${{ steps.tags.outputs.sha_short }}
          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+
+      - name: Generate SBOM
+        run: |
+          .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }} -o spdx | jq --compact-output > kured.sbom
+
+      - name: Sign and attest artifacts
+        run: |
+          .tmp/cosign sign -f -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+
+          .tmp/cosign sign-blob --output-signature kured.sbom.sig --output-certificate kured.sbom.pem kured.sbom
+
+          .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+          .tmp/cosign attach sbom --type syft --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
--- a/.github/workflows/on-pr.yaml
+++ b/.github/workflows/on-pr.yaml
@@ -6,7 +6,7 @@ on:
 jobs:
  pr-gotest:
    name: Run go tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v3
@@ -91,13 +91,23 @@ jobs:
        with:
          go-version: "${{ steps.awk_gomod.outputs.version }}"
          check-latest: true
-      - run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Find current tag version
+        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        id: tags
+      - name: Build image
+        run: VERSION="${{ steps.tags.outputs.sha_short }}" make image
      - uses: Azure/container-scan@v0
        env:
          # See https://github.com/goodwithtech/dockle/issues/188
          DOCKLE_HOST: "unix:///var/run/docker.sock"
        with:
-          image-name: ghcr.io/${{ github.repository_owner }}/kured:${{ github.sha }}
+          image-name: ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}

  # This ensures the latest code works with the manifests built from tree.
  # It is useful for two things:
@@ -127,10 +137,19 @@ jobs:
        with:
          go-version: "${{ steps.awk_gomod.outputs.version }}"
          check-latest: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Find current tag version
+        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        id: tags
      - name: Build artifacts
        run: |
-          make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
-          make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" manifest
+          VERSION="${{ steps.tags.outputs.sha_short }}" make image
+          VERSION="${{ steps.tags.outputs.sha_short }}" make manifest

      - name: Workaround "Failed to attach 1 to compat systemd cgroup /actions_job/..." on gh actions
        run: |
@@ -149,7 +168,7 @@ jobs:
          version: v0.14.0

      - name: Preload previously built images onto kind cluster
-        run: kind load docker-image ghcr.io/${{ github.repository_owner }}/kured:${{ github.sha }} --name chart-testing
+        run: kind load docker-image ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }} --name chart-testing

      - name: Do not wait for an hour before detecting the rebootSentinel
        run: |
--- a/.github/workflows/on-tag.yaml
+++ b/.github/workflows/on-tag.yaml
@@ -16,6 +16,10 @@ jobs:
  tag-scan-and-push-final-image:
    name: "Build, scan, and publish tagged image"
    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
    steps:
      - uses: actions/checkout@v3
      - name: Find go version
@@ -31,14 +35,33 @@ jobs:
      - name: Find current tag version
        run: echo "::set-output name=version::${GITHUB_REF#refs/tags/}"
        id: tags
-      - run: |
-          make DH_ORG="${{ github.repository_owner }}" VERSION="${{ steps.tags.outputs.version }}" image
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Build binaries
+        run: make kured-release-tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: 1
+      - name: Build single image for scan
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+
      - uses: Azure/container-scan@v0
        env:
          # See https://github.com/goodwithtech/dockle/issues/188
          DOCKLE_HOST: "unix:///var/run/docker.sock"
        with:
-          image-name: ghcr.io/${{ github.repository_owner }}/kured:${{ steps.tags.outputs.version }}
+          image-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}

      - name: Login to ghcr.io
        uses: docker/login-action@v2
@@ -53,23 +76,27 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Build image
+      - name: Build release images
        uses: docker/build-push-action@v3
        with:
          context: .
-          file: cmd/kured/Dockerfile.multi
          platforms: linux/arm64, linux/amd64, linux/arm/v7, linux/arm/v6, linux/386
          push: true
-#          cache-from: type=registry,ref=user/app:buildcache
-#          cache-to: type=inline
+          labels: ${{ steps.meta.outputs.labels }}
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
-          labels: ${{ steps.meta.outputs.labels }}

+      - name: Generate SBOM
+        run: |
+          .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} -o spdx | jq --compact-output > kured.sbom
+
+      - name: Sign and attest artifacts
+        run: |
+          .tmp/cosign sign -f -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+
+          .tmp/cosign sign-blob --output-signature kured.sbom.sig kured.sbom
+
+          .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+          .tmp/cosign attach sbom --type syft --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
--- a/.github/workflows/periodics-daily.yaml
+++ b/.github/workflows/periodics-daily.yaml
@@ -7,7 +7,7 @@ on:
 jobs:
  periodics-gotest:
    name: Run go tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v3
@@ -63,10 +63,20 @@ jobs:
        with:
          go-version: "${{ steps.awk_gomod.outputs.version }}"
          check-latest: true
-      - run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Find current tag version
+        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        id: tags
+      - name: Build artifacts
+        run: VERSION="${{ steps.tags.outputs.sha_short }}" make image
      - uses: Azure/container-scan@v0
        env:
          # See https://github.com/goodwithtech/dockle/issues/188
          DOCKLE_HOST: "unix:///var/run/docker.sock"
        with:
-          image-name: ghcr.io/${{ github.repository_owner }}/kured:${{ github.sha }}
+          image-name: ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}