-
Notifications
You must be signed in to change notification settings - Fork 11
Expand file tree
/
Copy pathaction.yml
More file actions
121 lines (119 loc) · 5.67 KB
/
action.yml
File metadata and controls
121 lines (119 loc) · 5.67 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
name: attestation
description: extract and sign provenance and SBOM files
inputs:
component:
description: |
The component name (e.g., policy-server, kubewarden-controller, audit-scanner)
required: true
arch:
description: architecture being processed
required: true
GITHUB_TOKEN:
description: |
The GitHub token with permission to publish images to ghcr.
required: true
runs:
using: composite
steps:
- name: Install cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- name: Install the crane command
uses: kubewarden/github-actions/crane-installer@v4.6.0
- name: Login to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ inputs.GITHUB_TOKEN }}
- name: Download all digests
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
path: ${{ runner.temp }}/digests
pattern: digest-${{ inputs.component }}-*
merge-multiple: true
- name: Retrieve digest
working-directory: ${{ runner.temp }}/digests
shell: bash
run: |
set -e
DIGEST=$(cat ${{ inputs.component }}-${{ inputs.arch }}.txt)
echo "DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Find attestation digest
shell: bash
run: |
set -e
DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.DIGEST }} \
| jq -r '.manifests[]
| select(.annotations["vnd.docker.reference.type"] == "attestation-manifest")
| .digest')
if [[ -z "${DIGEST}" ]]; then
echo "ERROR: No attestation manifest found for ${{ inputs.component }} (${{ inputs.arch }})"
exit 1
fi
echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Find provenance manifest digest
shell: bash
run: |
set -e
DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST }} |
jq -r '.layers[]
| select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1")
| .digest')
if [[ -z "${DIGEST}" ]]; then
echo "ERROR: No SLSA provenance layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})"
exit 1
fi
echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Find SBOM manifest layer digest
shell: bash
run: |
set -e
DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
jq -r '.layers
| map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document"))
| map(.digest)
| if length == 0 then empty
elif length == 1 then .[0]
else error("ERROR: Multiple SBOM layers found in attestation manifest")
end')
if [[ -z "${DIGEST}" ]]; then
echo "ERROR: No SBOM layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})"
exit 1
fi
echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
# We need to upload provenance and SBOM files, plus their signatures under the GitHub Release page.
# Moreover, the files have to be named in a certain way.
# This is required by [ossf](https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases)
- name: Download provenance and SBOM files
shell: bash
run: |
set -e
crane blob ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.PROVENANCE_DIGEST}} \
> ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl
crane blob ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.SBOM_DIGEST}} \
> ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json
- name: Sign provenance and SBOM files
shell: bash
run: |
set -e
cosign sign-blob --yes \
--bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \
${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl
cosign verify-blob \
--bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \
${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl
cosign sign-blob --yes \
--bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \
${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json
cosign verify-blob \
--bundle ${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="${{ github.server_url }}/${{ github.workflow_ref }}" \
${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json
- name: Upload SBOMs as artifacts
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: attestation-${{ inputs.component }}-${{ inputs.arch }}
path: ${{ inputs.component }}-attestation-${{ inputs.arch }}*