From 8a844dc7aee9713960c0305a82a1e5442db71375 Mon Sep 17 00:00:00 2001
From: saisatishkarra
Date: Wed, 22 May 2024 09:42:15 -0500
Subject: [PATCH] fix review comments
Signed-off-by: saisatishkarra
---
.github/workflows/_build_publish.yaml | 6 +-
.github/workflows/build-test-distribute.yaml | 109 ++++++-------------
mk/distribution.mk | 2 +-
mk/docker.mk | 4 +-
4 files changed, 36 insertions(+), 85 deletions(-)
diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
index e2082fe8451f..2e5fbd82bea5 100644
--- a/.github/workflows/_build_publish.yaml
+++ b/.github/workflows/_build_publish.yaml
@@ -128,7 +128,7 @@ jobs:
 make test/container-structure/${{ matrix.image }}
 - name: scan amd64 image
 id: scan_image-amd64
- uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 asset_prefix: image_${{ matrix.image }}-amd64
 image: ./build/docker/${{ matrix.image }}-amd64.tar
@@ -136,7 +136,7 @@ jobs:
 - name: scan arm64 image
 id: scan_image-arm64
 if: ${{ fromJSON(inputs.FULL_MATRIX) }}
- uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 asset_prefix: image_${{ matrix.image }}-arm64
 image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -184,7 +184,7 @@ jobs:
 - name: sign image
 if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
 id: sign
- uses: Kong/public-shared-actions/security-actions/sign-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/sign-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 image_digest: ${{ steps.image_digest.outputs.digest }}
 tags: ${{ steps.image_meta.outputs.image }}
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index d3f3fd060e83..272dd86ce665 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
@@ -66,7 +66,7 @@ jobs:
 - run: |
 make check
 - id: sca-project
- uses: Kong/public-shared-actions/security-actions/sca@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 dir: .
 config: .syft.yaml
@@ -76,7 +76,7 @@ jobs:
 echo "images=$(make images/info/release/json)" >> $GITHUB_OUTPUT
 echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
 echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
- echo "distribution_repository=$(make build/info/distribution/repo)" >> $GITHUB_OUTPUT
+ echo "distribution_repository=$(make build/info/cloudsmith_repository)" >> $GITHUB_OUTPUT
 test:
 permissions:
 contents: read
@@ -126,6 +126,9 @@ jobs:
 permissions:
 contents: write
 actions: read # For getting workflow run info
+ env:
+ SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
+ SECURITY_ASSETS_PACKAGE_NAME: "security-assets" # Cloudsmith package for hosting security assets
 steps:
 - name: "Halt due to previous failures"
 run: |-
@@ -134,71 +137,38 @@ jobs: # so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149 [[ ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }} == "true" ]] && exit 1 echo "All dependent jobs succeeded" - # Aggregated package for SBOMs helps avoid depending on variable asset names - # Easy to match and filter on file extensions produced in various distributed jobs - # (FIX): (Anchore SBOM action Bug)[https://github.com/anchore/sbom-action/issues/434] - name: "Download all SBOM assets" id: collect_sbom - if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }} - run: |- - echo "SBOM_DOWNLOAD_PATH=${{ env.SBOM_DOWNLOAD_PATH }}" >> $GITHUB_OUTPUT - gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p "${{ env.CYCLONEDX_SBOM_PATTERN }}" -p "${{ env.SPDX_SBOM_PATTERN }}" --repo ${{ github.repository }} + if: ${{ needs.build_publish.result == 'success' }} + uses: actions/download-artifact@v4 + with: + path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }} + pattern: "*sbom.{cyclonedx,spdx}.json" + merge-multiple: true env: - SBOM_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/sboms" - SPDX_SBOM_PATTERN: "*sbom.spdx.json" - CYCLONEDX_SBOM_PATTERN: "*sbom.cyclonedx.json" GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # uses: actions/download-artifact@v4 - # id: collect_sbom - # with: - # path: ${{ github.workspace }}/security-assets/sboms - # pattern: "*sbom.{cyclonedx,spdx}.json" - # merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path - name: "Download binary artifact provenance" if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }} id: collect_provenance - run: |- - echo "PROVENANCE_DOWNLOAD_PATH=${{env.PROVENANCE_DOWNLOAD_PATH}}" >> $GITHUB_OUTPUT - gh run download ${{ github.run_id }} -D ${{ env.PROVENANCE_DOWNLOAD_PATH }} -n ${{ 
env.BINARY_PROVENANCE_ARTIFACT }} --repo ${{ github.repository }} + uses: actions/download-artifact@v4 + with: + path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }} + pattern: ${{ github.event.repository.name }}.intoto.jsonl + merge-multiple: true env: - PROVENANCE_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/provenance" - BINARY_PROVENANCE_ARTIFACT: "${{ github.event.repository.name }}.intoto.jsonl" GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # uses: actions/download-artifact@v4 - # with: - # path: ${{ github.workspace }}/security-assets/provenance - # pattern: ${{ github.event.repository.name }}.intoto.jsonl - # merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path - - name: "check sbom asset files existence" - uses: andstor/file-existence-action@v3 - id: check_sbom_assets - if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }} - with: - files: ${{ steps.collect_sbom.outputs.SBOM_DOWNLOAD_PATH }} - fail: true - - name: "check provenance asset files existence" - uses: andstor/file-existence-action@v3 - if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }} - id: check_provenance_assets - with: - files: ${{ steps.collect_sbom.outputs.PROVENANCE_DOWNLOAD_PATH }} - fail: true - - name: "prepare sbom package" # Zip all SBOM assets for artifact types (Images, Repository scanning) produced in the jobs - id: prepare_sbom_metadata - if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }} - run: |- - SBOM_PACKAGE_NAME="${{github.repository}}-sbom" - echo "SBOM_PACKAGE_NAME=${SBOM_PACKAGE_NAME}" >> $GITHUB_OUTPUT - zip -rj ${SBOM_PACKAGE_NAME} ${{steps.collect_sbom.outputs.download-path}} -i '*sbom.spdx.json' '*sbom.cyclonedx.json' - - name: "Inspect slsa assets" - if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' || steps.check_sbom_assets.outputs.file_exists == 'true' }} - run: |- - ls -alR 
${{github.workspace}}/security-assets + - name: "Generate security assets TAR" + if: ${{ needs.build_publish.result == 'success' }} + id: security_assets_metadata + run: | + cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }} + find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print | tar -cvzf ${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz -T - + ls -alR . # Publish aggregated zip file of SBOMs to artifact regstry - - name: Push sbom to cloudsmith - id: push_sbom - if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }} - uses: cloudsmith-io/action@master + - name: Push security assets to cloudsmith + id: push_security_assets + if: ${{ needs.provenance.result == 'success' || needs.build_publish.result == 'success' }} + uses: cloudsmith-io/action@f04b4de7550751e32961ac16543116f8f5f9bfc2 # v0.6.6 with: api-key: ${{ secrets.CLOUDSMITH_API_KEY }} command: "push" 
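Review bot: The "Push security assets to cloudsmith" step at the end of this hunk runs when `needs.provenance.result == 'success' || needs.build_publish.result == 'success'`, but the tarball it uploads is only produced by the "Generate security assets TAR" step, which is gated on `needs.build_publish.result == 'success'` alone, so a run where only the provenance job succeeded reaches the push with no `security-assets.tar.gz` on disk. The commit also drops the two `file-existence-action` guards without a replacement: `find … -print | tar -cvzf … -T -` creates an empty archive when neither download step matched anything (download-artifact@v4 with a `pattern` appears to only warn on zero matches — please confirm), and that empty bundle would be published as the release's SLSA assets, which is a quieter failure than the old hard stop. I would gate the push on the tar step's outcome, `if: ${{ steps.security_assets_metadata.outcome == 'success' }}`, and make the tar step fail on an empty file list as below; `-print0`/`--null` also avoids the newline-in-filename pitfall of `-T -`. The `GH_TOKEN` env left on the two `download-artifact` steps is a remnant of `gh run download` and is not needed to fetch same-run artifacts. The job this hunk belongs to starts before the hunk, and the push step's `with:` block continues past it.
```yaml
      - name: "Generate security assets TAR"
        if: ${{ needs.build_publish.result == 'success' }}
        id: security_assets_metadata
        run: |
          set -euo pipefail
          cd "${SECURITY_ASSETS_DOWNLOAD_PATH}"
          find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print0 > assets.lst
          # Refuse to publish an empty bundle: nothing downloaded means there is no SBOM or provenance to ship.
          if [ ! -s assets.lst ]; then
            echo "::error::no SBOM or provenance files found in ${SECURITY_ASSETS_DOWNLOAD_PATH}"
            exit 1
          fi
          tar --null -T assets.lst -cvzf "${SECURITY_ASSETS_PACKAGE_NAME}.tar.gz"
          ls -alR .
      # … unchanged: comment about publishing to the artifact registry …
      - name: Push security assets to cloudsmith
        id: push_security_assets
        if: ${{ steps.security_assets_metadata.outcome == 'success' }}
        # … unchanged: uses / with block …
```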
@@ -206,24 +176,7 @@ jobs:
 owner: "kong"
 repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
 version: "${{ needs.check.outputs.VERSION_NAME }}"
- file: "${{ steps.collect_sbom.outputs.download-path }}/${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
- name: "${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
- summary: "SBOM artifacts for ${{ github.repository }}"
- description: "SBOM artifacts for binaries built from source code and container images"
- - name: Push binary provenance to cloudsmith
- if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' }}
- id: push_binary_provenance
- uses: cloudsmith-io/action@master
- with:
- api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
- command: "push"
- format: "raw"
- owner: "kong"
- repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
- version: "${{ needs.check.outputs.VERSION_NAME }}"
- file: "${{ steps.collect_provenance.outputs.download-path }}/${{ github.event.repository.name }}.intoto.jsonl"
- name: "${{ env.BINARY_PROVENANCE_PACKAGE_NAME }}"
- summary: "Binary Artifact Provenance for ${{ github.repository }}"
- description: "Provenance file for verifying ${{ github.repository }} binary artifacts"
- env:
- BINARY_PROVENANCE_PACKAGE_NAME: "${{github.repository}}-binary-provenance"
+ file: "${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}/${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz"
+ name: "${{ env.SECURITY_ASSETS_PACKAGE_NAME }}"
+ summary: "SLSA security artifacts for ${{ github.repository }}"
+ description: "SBOM and Binary artifact Provenance for ${{ github.repository }}"
diff --git a/mk/distribution.mk b/mk/distribution.mk
index 460778098e0e..4a62e7341fc9 100644
--- a/mk/distribution.mk
+++ b/mk/distribution.mk
@@ -108,7 +108,7 @@ build/distributions/out: $(patsubst %,build/distributions/out/$(DISTRIBUTION_TAR cd $@; sha256sum *.tar.gz > $(DISTRIBUTION_TARGET_NAME).sha256 .PHONY: build/info/distribution/repo -build/info/distribution/repo: +build/info/cloudsmith_repository: @echo $(PULP_PACKAGE_TYPE)-binaries-$(PULP_DIST_VERSION) # Create a main target which will publish to pulp each to the tar.gz built diff --git a/mk/docker.mk b/mk/docker.mk index 9c2089db91d6..3644ec53c213 100644 --- a/mk/docker.mk +++ b/mk/docker.mk @@ -20,8 +20,6 @@ export DOCKER_BUILDKIT := 1 # add targets to build images for each arch # $(1) - GOARCH to build for -# (TODO): Donot hardcode "linux" platform for images -# (TODO): May be support other image platforms using argument define IMAGE_TARGETS_BY_ARCH .PHONY: image/static/$(1) @@ -68,7 +66,7 @@ $(foreach goarch,$(SUPPORTED_GOARCHES),$(eval $(call IMAGE_TARGETS_BY_ARCH,$(goa # add targets to generate docker/{save,load,tag,push} for each supported ARCH # add targets to build images for each arch -# $(1) - Imae Name to build for +# $(1) - Image Name to build for # $(2) - GOARCH to build for # (TODO): Support image platform in output file names define DOCKER_TARGETS_BY_ARCH
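Review bot: The `.PHONY: build/info/distribution/repo` context line directly above the renamed rule in `mk/distribution.mk` still names the old target, so after this hunk `build/info/cloudsmith_repository` is no longer declared phony and the `.PHONY` entry points at a rule that no longer exists. If a file or directory named `build/info/cloudsmith_repository` ever appears under the build tree, `make` will consider the target up to date and print nothing, and the workflow's `distribution_repository=$(make build/info/cloudsmith_repository)` output would silently become empty. Change that line to `.PHONY: build/info/cloudsmith_repository` in the same hunk. It is also worth grepping for other callers of `build/info/distribution/repo`, since only the one workflow invocation is updated in this patch; the `mk/docker.mk` hunks that follow are comment-only changes.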