fix review comments

Signed-off-by: saisatishkarra <[email protected]>

.github/workflows/_build_publish.yaml

@@ -128,15 +128,15 @@ jobs:
           make test/container-structure/${{ matrix.image }}
       - name: scan amd64 image
         id: scan_image-amd64
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           asset_prefix: image_${{ matrix.image }}-amd64
           image: ./build/docker/${{ matrix.image }}-amd64.tar
           upload-sbom-release-assets: true
       - name: scan arm64 image
         id: scan_image-arm64
         if: ${{ fromJSON(inputs.FULL_MATRIX) }}
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           asset_prefix: image_${{ matrix.image }}-arm64
           image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -184,7 +184,7 @@ jobs:
       - name: sign image
         if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
         id: sign
-        uses: Kong/public-shared-actions/security-actions/sign-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           image_digest: ${{ steps.image_digest.outputs.digest }}
           tags: ${{ steps.image_meta.outputs.image }}

.github/workflows/build-test-distribute.yaml

@@ -66,7 +66,7 @@ jobs:
       - run: |
           make check
       - id: sca-project
-        uses: Kong/public-shared-actions/security-actions/sca@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           dir: .
           config: .syft.yaml
@@ -76,7 +76,7 @@ jobs:
           echo "images=$(make images/info/release/json)" >> $GITHUB_OUTPUT
           echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
           echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
-          echo "distribution_repository=$(make build/info/distribution/repo)" >> $GITHUB_OUTPUT
+          echo "distribution_repository=$(make build/info/cloudsmith_repository)" >> $GITHUB_OUTPUT
   test:
     permissions:
       contents: read
@@ -126,6 +126,9 @@ jobs:
     permissions:
       contents: write
       actions: read # For getting workflow run info
+    env:
+      SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
+      SECURITY_ASSETS_PACKAGE_NAME: "security-assets" # Cloudsmith package for hosting security assets
     steps:
       - name: "Halt due to previous failures"
         run: |-
@@ -134,96 +137,46 @@ jobs:
           # so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149
           [[ ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }} == "true" ]] && exit 1
           echo "All dependent jobs succeeded"
-        # Aggregated package for SBOMs helps avoid depending on variable asset names
-        # Easy to match and filter on file extensions produced in various distributed jobs
-        # (FIX): (Anchore SBOM action Bug)[https://github.com/anchore/sbom-action/issues/434]
       - name: "Download all SBOM assets"
         id: collect_sbom
-        if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }}
-        run: |-
-          echo "SBOM_DOWNLOAD_PATH=${{ env.SBOM_DOWNLOAD_PATH }}" >> $GITHUB_OUTPUT
-          gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p "${{ env.CYCLONEDX_SBOM_PATTERN }}" -p "${{ env.SPDX_SBOM_PATTERN }}" --repo ${{ github.repository }}
+        if: ${{ needs.build_publish.result == 'success' }}
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: "*sbom.{cyclonedx,spdx}.json"
+          merge-multiple: true
         env:
-          SBOM_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/sboms"
-          SPDX_SBOM_PATTERN: "*sbom.spdx.json"
-          CYCLONEDX_SBOM_PATTERN: "*sbom.cyclonedx.json"
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # uses: actions/download-artifact@v4
-          # id: collect_sbom
-          # with:
-          #   path: ${{ github.workspace }}/security-assets/sboms
-          #   pattern: "*sbom.{cyclonedx,spdx}.json"
-          #   merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
       - name: "Download binary artifact provenance"
         if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
         id: collect_provenance
-        run: |-
-          echo "PROVENANCE_DOWNLOAD_PATH=${{env.PROVENANCE_DOWNLOAD_PATH}}" >> $GITHUB_OUTPUT
-          gh run download ${{ github.run_id }} -D ${{ env.PROVENANCE_DOWNLOAD_PATH }} -n ${{ env.BINARY_PROVENANCE_ARTIFACT }} --repo ${{ github.repository }}
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: ${{ github.event.repository.name }}.intoto.jsonl
+          merge-multiple: true
         env:
-          PROVENANCE_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/provenance"
-          BINARY_PROVENANCE_ARTIFACT: "${{ github.event.repository.name }}.intoto.jsonl"
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # uses: actions/download-artifact@v4
-          # with:
-          #   path: ${{ github.workspace }}/security-assets/provenance
-          #   pattern: ${{ github.event.repository.name }}.intoto.jsonl
-          #   merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
-      - name: "check sbom asset files existence"
-        uses: andstor/file-existence-action@v3
-        id: check_sbom_assets
-        if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }}
-        with:
-          files: ${{ steps.collect_sbom.outputs.SBOM_DOWNLOAD_PATH }}
-          fail: true
-      - name: "check provenance asset files existence"
-        uses: andstor/file-existence-action@v3
-        if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
-        id: check_provenance_assets
-        with:
-          files: ${{ steps.collect_sbom.outputs.PROVENANCE_DOWNLOAD_PATH }}
-          fail: true
-      - name: "prepare sbom package" # Zip all SBOM assets for artifact types (Images, Repository scanning) produced in the jobs
-        id: prepare_sbom_metadata
-        if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }}
-        run: |-
-          SBOM_PACKAGE_NAME="${{github.repository}}-sbom"
-          echo "SBOM_PACKAGE_NAME=${SBOM_PACKAGE_NAME}" >> $GITHUB_OUTPUT
-          zip -rj ${SBOM_PACKAGE_NAME} ${{steps.collect_sbom.outputs.download-path}} -i '*sbom.spdx.json' '*sbom.cyclonedx.json'
-      - name: "Inspect slsa assets"
-        if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' ||  steps.check_sbom_assets.outputs.file_exists == 'true' }}
-        run: |-
-          ls -alR ${{github.workspace}}/security-assets
-        # Publish aggregated zip file of SBOMs to artifact regstry
-      - name: Push sbom to cloudsmith
-        id: push_sbom
-        if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }}
-        uses: cloudsmith-io/action@master
-        with:
-          api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
-          command: "push"
-          format: "raw"
-          owner: "kong"
-          repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
-          version: "${{ needs.check.outputs.VERSION_NAME }}"
-          file: "${{ steps.collect_sbom.outputs.download-path }}/${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
-          name: "${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
-          summary: "SBOM artifacts for ${{ github.repository }}"
-          description: "SBOM artifacts for binaries built from source code and container images"
-      - name: Push binary provenance to cloudsmith
-        if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' }}
-        id: push_binary_provenance
-        uses: cloudsmith-io/action@master
+      - name: "Generate security assets TAR"
+        if: ${{ needs.build_publish.result == 'success' }}
+        id: security_assets_metadata
+        run: |
+          cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print | tar -cvzf ${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz -T -
+          ls -alR .
+        # Publish aggregated zip file of SBOMs and/or Binary Provenance to artifact regstry
+      - name: Push security assets to cloudsmith
+        id: push_security_assets
+        if: ${{ needs.provenance.result == 'success' || needs.build_publish.result == 'success' }}
+        uses: cloudsmith-io/action@f04b4de7550751e32961ac16543116f8f5f9bfc2 # v0.6.6
         with:
           api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
           command: "push"
           format: "raw"
           owner: "kong"
           repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
           version: "${{ needs.check.outputs.VERSION_NAME }}"
-          file: "${{ steps.collect_provenance.outputs.download-path }}/${{ github.event.repository.name }}.intoto.jsonl"
-          name: "${{ env.BINARY_PROVENANCE_PACKAGE_NAME }}"
-          summary: "Binary Artifact Provenance for ${{ github.repository }}"
-          description: "Provenance file for verifying ${{ github.repository }} binary artifacts"
-        env:
-          BINARY_PROVENANCE_PACKAGE_NAME: "${{github.repository}}-binary-provenance"
+          file: "${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}/${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz"
+          name: "${{ env.SECURITY_ASSETS_PACKAGE_NAME }}"
+          summary: "SLSA security artifacts for ${{ github.repository }}"
+          description: "SBOM and Binary artifact Provenance for ${{ github.repository }}"

mk/distribution.mk

@@ -108,7 +108,7 @@ build/distributions/out: $(patsubst %,build/distributions/out/$(DISTRIBUTION_TAR
 	cd $@; sha256sum *.tar.gz > $(DISTRIBUTION_TARGET_NAME).sha256
 
 .PHONY: build/info/distribution/repo
-build/info/distribution/repo:
+build/info/cloudsmith_repository:
 	@echo $(PULP_PACKAGE_TYPE)-binaries-$(PULP_DIST_VERSION)
 
 # Create a main target which will publish to pulp each to the tar.gz built

mk/docker.mk

@@ -20,8 +20,6 @@ export DOCKER_BUILDKIT := 1
 
 # add targets to build images for each arch
 # $(1) - GOARCH to build for
-# (TODO): Donot hardcode "linux" platform for images
-# (TODO): May be support other image platforms using argument
 
 define IMAGE_TARGETS_BY_ARCH
 .PHONY: image/static/$(1)
@@ -68,7 +66,7 @@ $(foreach goarch,$(SUPPORTED_GOARCHES),$(eval $(call IMAGE_TARGETS_BY_ARCH,$(goa
 
 # add targets to generate docker/{save,load,tag,push} for each supported ARCH
 # add targets to build images for each arch
-# $(1) - Imae Name to build for
+# $(1) - Image Name to build for
 # $(2) - GOARCH to build for
 # (TODO): Support image platform in output file names
 define DOCKER_TARGETS_BY_ARCH