diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml index ca616bbf..37e99b1d 100644 --- a/.github/workflows/attestation.yml +++ b/.github/workflows/attestation.yml @@ -20,6 +20,9 @@ jobs: env: CRANE_VERSION: v0.20.5 CRANE_CHECKSUM: ad4cd9af2568c62c97e346de6d1295ee8c6ce3341f7b71cf02d41292b4532680 + COMPONENT: ${{ inputs.component }} + ARCH: ${{ inputs.arch }} + GH_REF: ${{ github.ref }} steps: - name: Install cosign @@ -50,12 +53,12 @@ jobs: working-directory: ${{ runner.temp }}/digests run: | set -e - DIGEST=$(cat ${{ inputs.component }}-${{ inputs.arch }}.txt) + DIGEST=$(cat "${COMPONENT}-${ARCH}.txt") echo "DIGEST=${DIGEST}" >> "$GITHUB_ENV" - name: Find attestation digest run: | set -e - DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ inputs.component }}@${{ env.DIGEST }} \ + DIGEST=$(crane manifest "ghcr.io/${{ github.repository_owner }}/sbomscanner/${COMPONENT}@${DIGEST}" \ | jq -r '.manifests[] | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest") | .digest') @@ -63,7 +66,7 @@ jobs: - name: Find provenance manifest digest run: | set -e - DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST }} | + DIGEST=$(crane manifest "ghcr.io/${{ github.repository_owner }}/sbomscanner/${COMPONENT}@${ATTESTATION_MANIFEST_DIGEST}" | jq -r '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1") | .digest') 
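Review bot: `set -e` does not protect the `crane manifest … | jq -r` pipelines in the "Find attestation digest" and "Find provenance manifest digest" steps: if `crane` fails (wrong digest, registry auth), `jq` still exits 0, `DIGEST` is empty, and the empty value is written to `$GITHUB_ENV` so the failure only surfaces later as a reference-parse error in a different step. Use `set -eo pipefail` and assert the lookup produced something: `[ -n "$DIGEST" ] || { echo "no attestation manifest found for ${COMPONENT}" >&2; exit 1; }`. `COMPONENT` and `ARCH` are now caller-supplied workflow inputs read from env, so `cat "${COMPONENT}-${ARCH}.txt"` and the image reference accept whatever the calling workflow passes, including `../`; an allowlist such as `[[ "$COMPONENT" =~ ^[a-z0-9-]+$ && "$ARCH" =~ ^[a-z0-9]+$ ]] || exit 1` at the top of the first script closes that. `${{ github.repository_owner }}` is still expanded inside the scripts; it is not attacker-influenced, but for consistency with the rest of this change it belongs in `env:` as well.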
@@ -71,7 +74,7 @@ jobs: - name: Find SBOM manifest layer digest run: | set -e - DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/sbomscanner/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ + DIGEST=$(crane manifest "ghcr.io/${{github.repository_owner}}/sbomscanner/${COMPONENT}@${ATTESTATION_MANIFEST_DIGEST}" | \ jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")') echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" 
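Review bot: The SBOM query runs `jq` without `-r` and ends in `join(" ")`, so `DIGEST` is a JSON-quoted string (`"sha256:…"`, or several digests space-separated) and that is what `SBOM_DIGEST` carries into `$GITHUB_ENV`; the later `crane blob …@${SBOM_DIGEST}` then receives the quote characters and any extra digest, unless lines after this hunk strip them. This predates the commit, but the quoting pass is the right moment to align it with the sibling steps: `jq -r '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document") | .digest'`, then fail if the output is empty or has more than one line, since the download step expects exactly one blob. As in the other steps, `set -eo pipefail` so a `crane` failure is not masked by `jq` succeeding on empty input.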
@@ -81,30 +84,30 @@ jobs: - name: Download provenance and SBOM files run: | set -e - crane blob ghcr.io/${{github.repository_owner}}/sbomscanner/${{ inputs.component }}@${{ env.PROVENANCE_DIGEST}} \ - > SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl - crane blob ghcr.io/${{github.repository_owner}}/sbomscanner/${{ inputs.component }}@${{ env.SBOM_DIGEST}} \ - > SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json + crane blob "ghcr.io/${{github.repository_owner}}/sbomscanner/${COMPONENT}@${PROVENANCE_DIGEST}" \ + > "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl" + crane blob "ghcr.io/${{github.repository_owner}}/sbomscanner/${COMPONENT}@${SBOM_DIGEST}" \ + > "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json" - name: Sign provenance and SBOM files run: | set -e cosign sign-blob --yes \ - --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \ - SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl + --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl.bundle.sigstore" \ + "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl" cosign verify-blob \ - --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl.bundle.sigstore \ + --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl.bundle.sigstore" \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${{ github.ref }}" \ - SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-provenance.intoto.jsonl + --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${GH_REF}" \ + 
"SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl" cosign sign-blob --yes \ - --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \ - SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json + --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json.bundle.sigstore" \ + "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json" cosign verify-blob \ - --bundle SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json.bundle.sigstore \ + --bundle "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json.bundle.sigstore" \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${{ github.ref }}" \ - SBOMscanner-${{ inputs.component }}-attestation-${{ inputs.arch }}-sbom.json + --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/attestation.yml@${GH_REF}" \ + "SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json" - name: Upload SBOMs as artifacts uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml index 772f6e01..aaae1b14 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/container-build.yml 
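Review bot: The provenance and SBOM file names are now spelled out six times in the sign/verify script; one future edit that desynchronizes a copy would sign one file and verify another, and with `set -e` the mismatch only shows up as a verify failure with no hint why. Define them once at the top of the script, `PROV="SBOMscanner-${COMPONENT}-attestation-${ARCH}-provenance.intoto.jsonl"` and `SBOM="SBOMscanner-${COMPONENT}-attestation-${ARCH}-sbom.json"`, and pass `"$PROV"` / `"$PROV.bundle.sigstore"` and `"$SBOM"` / `"$SBOM.bundle.sigstore"` to cosign. Worth a comment above the `cosign verify-blob` calls that they are a self-check against the identity this same job just obtained, not an independent verification; the identity string hard-codes `attestation.yml@${GH_REF}`, which presumably matches the job's certificate only when the calling workflow references this reusable workflow at the same ref — confirm that holds for the tag-triggered release path.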
@@ -72,10 +72,12 @@ jobs: ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ matrix.component }}@${{ steps.build-image.outputs.digest }} - name: Verify container image signature + env: + GH_REF: ${{ github.ref }} run: | cosign verify \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${{ github.ref }}" \ + --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${GH_REF}" \ ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ matrix.component }}@${{ steps.build-image.outputs.digest }} - name: Export digest @@ -127,8 +129,10 @@ jobs: - name: Retrieve tag name (release) if: ${{ !startsWith(github.ref, 'refs/heads/main') }} + env: + VERSION: ${{ inputs.version }} run: | - echo TAG_NAME=${{ inputs.version }} >> $GITHUB_ENV + echo "TAG_NAME=${VERSION}" >> "$GITHUB_ENV" - name: Create and push multi-arch manifest for ${{ matrix.component }} id: create-manifest @@ -182,10 +186,12 @@ jobs: echo "MULTI_ARCH_MANIFEST_DIGEST=$multi_arch_manifest_digest" >> $GITHUB_ENV - name: Verify multi-arch manifest signature + env: + GH_REF: ${{ github.ref }} run: | cosign verify \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${{ github.ref }}" \ + --certificate-identity="https://github.com/${{github.repository_owner}}/sbomscanner/.github/workflows/container-build.yml@${GH_REF}" \ ghcr.io/${{ github.repository_owner }}/sbomscanner/${{ matrix.component }}@${{ env.MULTI_ARCH_MANIFEST_DIGEST}} attest: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63aa6057..0b4cdeb6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
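Review bot: `echo "TAG_NAME=${VERSION}" >> "$GITHUB_ENV"` removes the shell-injection vector but not the `$GITHUB_ENV` one: a `version` value containing a newline still appends arbitrary `NAME=value` lines to the environment of every later step in the job, and whether `inputs.version` can be attacker-influenced depends on the calling workflow, which is not visible here. Since the value becomes an image tag, validate its shape before writing it: `[[ "$VERSION" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$ ]] || { echo "refusing unexpected version '$VERSION'" >&2; exit 1; }` (adjust to the project's tag scheme). The unchanged `echo "MULTI_ARCH_MANIFEST_DIGEST=…" >> $GITHUB_ENV` in the same file still has an unquoted `$GITHUB_ENV`; quoting it in this pass keeps the file consistent.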
@@ -22,8 +22,10 @@ jobs:
 steps:
 - name: Retrieve tag name
 if: ${{ startsWith(github.ref, 'refs/tags/') }}
+ env:
+ REF_NAME: ${{ github.ref_name }}
 run: |
- echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
+ echo "TAG_NAME=${REF_NAME}" >> "$GITHUB_ENV"
 - name: Get release ID from the release created by release drafter
 uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
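Review bot: `REF_NAME` is a tag name, so anyone allowed to push tags controls `TAG_NAME` for the rest of the release job; git rejects control characters in ref names, so `$GITHUB_ENV` line injection is not possible here, but the value still flows into the release lookup in the following step. A shape check keeps unexpected tags from reaching it: `[[ "$REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] || { echo "unexpected tag '$REF_NAME'" >&2; exit 1; }` (adjust to the project's tag scheme). The step is guarded by `if: startsWith(github.ref, 'refs/tags/')`, so `TAG_NAME` is simply unset on non-tag runs; steps outside this hunk that read it should cope with that or the job should fail fast.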