From 57f3fa0b7d2e77ea64ece4553a3c9915b449b37d Mon Sep 17 00:00:00 2001
From: "J-K. Solbakken"
Date: Fri, 17 Mar 2023 13:52:48 +0100
Subject: [PATCH] sign and attest
---
 .github/workflows/deploy.yml | 39 ++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c419ee9..e34e7a0 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,19 +1,16 @@
 name: Build wonderwall
-
 on: [push]
-
 env:
   GOOGLE_REGISTRY: europe-north1-docker.pkg.dev/nais-io/nais/images
   GITHUB_REGISTRY: ghcr.io
-
 jobs:
   test:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout latest code
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # ratchet:actions/setup-go@v3
         with:
           go-version: ">=1.20.2"
       - name: Test Go
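Review bot: The commit hashes in the new `uses: actions/checkout@24cb9080…` and `uses: actions/setup-go@6edd4406…` lines cannot be checked against their `# ratchet:…@v3` comments from the diff alone; since a mistyped or hand-copied hash silently pins a different revision, the review should confirm these (and every pinned `uses:` line in the second hunk) were produced by `ratchet pin` against the named tags rather than edited by hand. The hunk also removes the blank lines that separated the top-level `name`, `on`, `env` and `jobs` stanzas, which is unrelated to the signing change and makes the file header harder to scan; keeping one blank line between top-level keys matches the usual yamllint layout.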
@@ -30,34 +27,34 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # ratchet:actions/checkout@v3
       - id: "auth"
         name: "Authenticate to Google Cloud"
-        uses: "google-github-actions/auth@v1"
+        uses: "google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d" # ratchet:google-github-actions/auth@v1
         with:
           workload_identity_provider: ${{ secrets.NAIS_IO_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: "gh-wonderwall@nais-io.iam.gserviceaccount.com"
           token_format: "access_token"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # ratchet:docker/setup-qemu-action@v2
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # ratchet:docker/setup-buildx-action@v2
       - name: Login to Google Artifact Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
         with:
           registry: ${{ env.GOOGLE_REGISTRY }}
           username: "oauth2accesstoken"
           password: "${{ steps.auth.outputs.access_token }}"
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
         with:
           registry: ${{ env.GITHUB_REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker meta
         id: metadata
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # ratchet:docker/metadata-action@v4
         with:
           images: |
             ${{ env.GOOGLE_REGISTRY }}/wonderwall
@@ -74,7 +71,8 @@ jobs:
             type=semver,pattern=v{{major}}
             type=sha,prefix={{date 'YYYY-MM-DD'}}-
       - name: Build and push
-        uses: docker/build-push-action@v4
+        id: build-push
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # ratchet:docker/build-push-action@v4
         with:
           context: .
           file: Dockerfile
@@ -85,3 +83,18 @@ jobs:
           labels: ${{ steps.metadata.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+      - name: Install cosign
+        uses: sigstore/cosign-installer@ca922a571676e06d3299cce5d520e178ba89a276 # ratchet:sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v2.0.0'
+      - name: Sign the container image for GAR
+        run: cosign sign --yes ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
+      - name: Create SBOM
+        uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # ratchet:aquasecurity/trivy-action@master
+        with:
+          scan-type: 'image'
+          format: 'cyclonedx'
+          output: 'cyclone.sbom.json'
+          image-ref: ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
+      - name: Attest
+        run: cosign attest --yes --predicate cyclone.sbom.json --type cyclonedx cosign sign --yes ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}
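Review bot: The `Attest` step's command is malformed: between `--type cyclonedx` and the image reference it still carries the leftover tokens `cosign sign --yes`, so cosign receives `cosign` as its first image argument and the step fails instead of attaching the SBOM to the pushed digest; it should read `run: cosign attest --yes --predicate cyclone.sbom.json --type cyclonedx ${{ env.GOOGLE_REGISTRY }}/wonderwall@${{ steps.build-push.outputs.digest }}`. Both `cosign sign` and `cosign attest` run without `--key`, which presumably means keyless signing with the workflow's OIDC token; that requires `id-token: write` on the job, which lies outside this hunk — the job already authenticates via workload identity federation, so it is likely present, but worth confirming. The `# ratchet:` comments for cosign-installer and trivy-action point at `@main` and `@master`, so a later `ratchet update` would move these pins to whatever unreleased commit those branches hold at the time; referencing a release tag keeps the pin reviewable. If the metadata-action images list also includes a ghcr.io reference (the job logs in to that registry), that copy of the image is pushed with neither a signature nor an SBOM attestation.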