refactor and fix review comments for publishing to cloudsmith

Signed-off-by: saisatishkarra <[email protected]>
kumahq · May 20, 2024 · 61b50ef · 61b50ef
1 parent 5b61650
commit 61b50ef
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 79 deletions.
diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
@@ -128,15 +128,15 @@ jobs:
           make test/container-structure/${{ matrix.image }}
       - name: scan amd64 image
         id: scan_image-amd64
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           asset_prefix: image_${{ matrix.image }}-amd64
           image: ./build/docker/${{ matrix.image }}-amd64.tar
           upload-sbom-release-assets: true
       - name: scan arm64 image
         id: scan_image-arm64
         if: ${{ fromJSON(inputs.FULL_MATRIX) }}
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           asset_prefix: image_${{ matrix.image }}-arm64
           image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -184,7 +184,7 @@ jobs:
       - name: sign image
         if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
         id: sign
-        uses: Kong/public-shared-actions/security-actions/sign-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           image_digest: ${{ steps.image_digest.outputs.digest }}
           tags: ${{ steps.image_meta.outputs.image }}

diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
@@ -35,6 +35,7 @@ jobs:
       VERSION_NAME: ${{ steps.metadata.outputs.version }}
       NOTARY_REPOSITORY: ${{ (contains(steps.metadata.outputs.version, 'preview') && 'notary-internal') || 'notary' }}
       CLOUDSMITH_REPOSITORY: ${{ steps.metadata.outputs.distribution_repository }}
+      SECURITY_ASSETS_PACKAGE_NAME: ${{ steps.metadata.outputs.security_assets_package_name }}
     steps:
       - name: "Fail when 'ci/force-publish' label is present on PRs from forks"
         if: ${{ fromJSON(env.FORCE_PUBLISH_FROM_FORK) }}
@@ -66,7 +67,7 @@ jobs:
       - run: |
           make check
       - id: sca-project
-        uses: Kong/public-shared-actions/security-actions/sca@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+        uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
           dir: .
           config: .syft.yaml
@@ -77,6 +78,7 @@ jobs:
           echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
           echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
           echo "distribution_repository=$(make build/info/distribution/repo)" >> $GITHUB_OUTPUT
+          echo "security_assets_package_name=$(make build/info/distribution/security/pkg)" >> $GITHUB_OUTPUT
   test:
     permissions:
       contents: read
@@ -126,6 +128,9 @@ jobs:
     permissions:
       contents: write
       actions: read # For getting workflow run info
+    env:
+      SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
+      SECURITY_ASSETS_PACKAGE_NAME: "${{ needs.check.outputs.SECURITY_ASSETS_PACKAGE_NAME }}"
     steps:
       - name: "Halt due to previous failures"
         run: |-
@@ -140,90 +145,50 @@ jobs:
       - name: "Download all SBOM assets"
         id: collect_sbom
         if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }}
-        run: |-
-          echo "SBOM_DOWNLOAD_PATH=${{ env.SBOM_DOWNLOAD_PATH }}" >> $GITHUB_OUTPUT
-          gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p "${{ env.CYCLONEDX_SBOM_PATTERN }}" -p "${{ env.SPDX_SBOM_PATTERN }}" --repo ${{ github.repository }}
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: "*sbom.{cyclonedx,spdx}.json"
+          merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
+        # run: |-
+        #   echo "SBOM_DOWNLOAD_PATH=${{ env.SBOM_DOWNLOAD_PATH }}" >> $GITHUB_OUTPUT
+        #   gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p ${{ env.CYCLONEDX_SBOM_PATTERN }} -p ${{ env.SPDX_SBOM_PATTERN }} --repo ${{ github.repository }}
         env:
-          SBOM_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/sboms"
-          SPDX_SBOM_PATTERN: "*sbom.spdx.json"
-          CYCLONEDX_SBOM_PATTERN: "*sbom.cyclonedx.json"
+          # SPDX_SBOM_PATTERN: '*sbom.spdx.json'
+          # CYCLONEDX_SBOM_PATTERN: '*sbom.cyclonedx.json'
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # uses: actions/download-artifact@v4
-          # id: collect_sbom
-          # with:
-          #   path: ${{ github.workspace }}/security-assets/sboms
-          #   pattern: "*sbom.{cyclonedx,spdx}.json"
-          #   merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
       - name: "Download binary artifact provenance"
         if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
         id: collect_provenance
-        run: |-
-          echo "PROVENANCE_DOWNLOAD_PATH=${{env.PROVENANCE_DOWNLOAD_PATH}}" >> $GITHUB_OUTPUT
-          gh run download ${{ github.run_id }} -D ${{ env.PROVENANCE_DOWNLOAD_PATH }} -n ${{ env.BINARY_PROVENANCE_ARTIFACT }} --repo ${{ github.repository }}
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: ${{ github.event.repository.name }}.intoto.jsonl
+          merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
+        # run: |-
+        #   echo "PROVENANCE_DOWNLOAD_PATH=${{env.PROVENANCE_DOWNLOAD_PATH}}" >> $GITHUB_OUTPUT
+        #   gh run download ${{ github.run_id }} -D ${{ env.PROVENANCE_DOWNLOAD_PATH }} -n '${{ env.BINARY_PROVENANCE_ARTIFACT }}' --repo ${{ github.repository }}
         env:
-          PROVENANCE_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/provenance"
-          BINARY_PROVENANCE_ARTIFACT: "${{ github.event.repository.name }}.intoto.jsonl"
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # uses: actions/download-artifact@v4
-          # with:
-          #   path: ${{ github.workspace }}/security-assets/provenance
-          #   pattern: ${{ github.event.repository.name }}.intoto.jsonl
-          #   merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
-      - name: "check sbom asset files existence"
-        uses: andstor/file-existence-action@v3
-        id: check_sbom_assets
-        if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }}
-        with:
-          files: ${{ steps.collect_sbom.outputs.SBOM_DOWNLOAD_PATH }}
-          fail: true
-      - name: "check provenance asset files existence"
-        uses: andstor/file-existence-action@v3
-        if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
-        id: check_provenance_assets
-        with:
-          files: ${{ steps.collect_sbom.outputs.PROVENANCE_DOWNLOAD_PATH }}
-          fail: true
-      - name: "prepare sbom package" # Zip all SBOM assets for artifact types (Images, Repository scanning) produced in the jobs
-        id: prepare_sbom_metadata
-        if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }}
-        run: |-
-          SBOM_PACKAGE_NAME="${{github.repository}}-sbom"
-          echo "SBOM_PACKAGE_NAME=${SBOM_PACKAGE_NAME}" >> $GITHUB_OUTPUT
-          zip -rj ${SBOM_PACKAGE_NAME} ${{steps.collect_sbom.outputs.download-path}} -i '*sbom.spdx.json' '*sbom.cyclonedx.json'
-      - name: "Inspect slsa assets"
-        if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' ||  steps.check_sbom_assets.outputs.file_exists == 'true' }}
-        run: |-
-          ls -alR ${{github.workspace}}/security-assets
+      - name: "Generate security assets TAR"
+        if: ${{ (fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success')) || (needs.provenance.result == 'success' && github.ref_type == 'tag') }}
+        id: security_assets_metadata
+        run: |
+          cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print | tar -cvzf ${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz -T -
+          ls -alR .
         # Publish aggregated zip file of SBOMs to artifact regstry
-      - name: Push sbom to cloudsmith
-        id: push_sbom
-        if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }}
-        uses: cloudsmith-io/action@master
-        with:
-          api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
-          command: "push"
-          format: "raw"
-          owner: "kong"
-          repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
-          version: "${{ needs.check.outputs.VERSION_NAME }}"
-          file: "${{ steps.collect_sbom.outputs.download-path }}/${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
-          name: "${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
-          summary: "SBOM artifacts for ${{ github.repository }}"
-          description: "SBOM artifacts for binaries built from source code and container images"
-      - name: Push binary provenance to cloudsmith
-        if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' }}
-        id: push_binary_provenance
-        uses: cloudsmith-io/action@master
+      - name: Push security assets to cloudsmith
+        id: push_security_assets
+        uses: cloudsmith-io/action@f04b4de7550751e32961ac16543116f8f5f9bfc2 # v0.6.6
         with:
           api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
           command: "push"
           format: "raw"
           owner: "kong"
           repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
           version: "${{ needs.check.outputs.VERSION_NAME }}"
-          file: "${{ steps.collect_provenance.outputs.download-path }}/${{ github.event.repository.name }}.intoto.jsonl"
-          name: "${{ env.BINARY_PROVENANCE_PACKAGE_NAME }}"
-          summary: "Binary Artifact Provenance for ${{ github.repository }}"
-          description: "Provenance file for verifying ${{ github.repository }} binary artifacts"
-        env:
-          BINARY_PROVENANCE_PACKAGE_NAME: "${{github.repository}}-binary-provenance"
+          file: "${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}/${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz"
+          name: "${{ env.SECURITY_ASSETS_PACKAGE_NAME }}"
+          summary: "SLSA security artifacts for ${{ github.repository }}"
+          description: "SBOM and Binary artifact Provenance for ${{ github.repository }}"
diff --git a/mk/distribution.mk b/mk/distribution.mk
@@ -111,6 +111,10 @@ build/distributions/out: $(patsubst %,build/distributions/out/$(DISTRIBUTION_TAR
 build/info/distribution/repo:
 	@echo $(PULP_PACKAGE_TYPE)-binaries-$(PULP_DIST_VERSION)
 
+.PHONY: build/info/distribution/security/pkg
+build/info/distribution/security/pkg:
+	@echo $(PULP_PACKAGE_TYPE)-seccurity-assets
+
 # Create a main target which will publish to pulp each to the tar.gz built
 .PHONY: publish/pulp ## Publish to pulp all enabled distributions
 publish/pulp: $(addprefix publish/pulp/$(DISTRIBUTION_TARGET_NAME)-,$(ENABLED_DIST_NAMES))

diff --git a/mk/docker.mk b/mk/docker.mk
@@ -20,8 +20,6 @@ export DOCKER_BUILDKIT := 1
 
 # add targets to build images for each arch
 # $(1) - GOARCH to build for
-# (TODO): Donot hardcode "linux" platform for images
-# (TODO): May be support other image platforms using argument
 
 define IMAGE_TARGETS_BY_ARCH
 .PHONY: image/static/$(1)
@@ -68,7 +66,7 @@ $(foreach goarch,$(SUPPORTED_GOARCHES),$(eval $(call IMAGE_TARGETS_BY_ARCH,$(goa
 
 # add targets to generate docker/{save,load,tag,push} for each supported ARCH
 # add targets to build images for each arch
-# $(1) - Imae Name to build for
+# $(1) - Image Name to build for
 # $(2) - GOARCH to build for
 # (TODO): Support image platform in output file names
 define DOCKER_TARGETS_BY_ARCH