diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
index e189b27a6573..0c2e2e82784a 100644
--- a/.github/workflows/_build_publish.yaml
+++ b/.github/workflows/_build_publish.yaml
@@ -128,7 +128,7 @@ jobs:
 make test/container-structure/${{ matrix.image }}
 - name: scan amd64 image
 id: scan_image-amd64
- uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 asset_prefix: image_${{ matrix.image }}-amd64
 image: ./build/docker/${{ matrix.image }}-amd64.tar
@@ -136,7 +136,7 @@ jobs:
 - name: scan arm64 image
 id: scan_image-arm64
 if: ${{ fromJSON(inputs.FULL_MATRIX) }}
- uses: Kong/public-shared-actions/security-actions/scan-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 asset_prefix: image_${{ matrix.image }}-arm64
 image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -184,7 +184,7 @@ jobs:
 - name: sign image
 if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
 id: sign
- uses: Kong/public-shared-actions/security-actions/sign-docker-image@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/sign-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 image_digest: ${{ steps.image_digest.outputs.digest }}
 tags: ${{ steps.image_meta.outputs.image }}
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index 8ef11517a6da..50d195965ef0 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
@@ -66,7 +66,7 @@ jobs:
 - run: |
 make check
 - id: sca-project
- uses: Kong/public-shared-actions/security-actions/sca@a98be0184f832cb24a9dd233f99074e8ba17b488 # v2.2.3
+ uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
 with:
 dir: .
 config: .syft.yaml
@@ -126,6 +126,9 @@ jobs:
 permissions:
 contents: write
 actions: read # For getting workflow run info
+ env:
+ SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
+ SECURITY_ASSETS_PACKAGE_NAME: "${{github.repository}}-security-assets"
 steps:
 - name: "Halt due to previous failures"
 run: |-
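Review bot: `SECURITY_ASSETS_PACKAGE_NAME` is built from `github.repository`, which has the form `owner/name`, so the value carries a slash; the tar step in the next hunk (@@ -140) runs `cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}` and then writes `${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz` relative to that directory, which can only succeed if a subdirectory named after the owner already exists there, and the same value becomes the Cloudsmith package `name:` in hunk @@ -221. Unless a slash in the package name is intended, `SECURITY_ASSETS_PACKAGE_NAME: "${{ github.event.repository.name }}-security-assets"` keeps the archive in the download directory and gives Cloudsmith a plain name. The removed `SBOM_PACKAGE_NAME` had the same shape, so this is inherited rather than new, but the new job-level env makes it the one place to fix.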
@@ -140,80 +143,42 @@ jobs:
 - name: "Download all SBOM assets"
 id: collect_sbom
 if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }}
- run: |-
- echo "SBOM_DOWNLOAD_PATH=${{ env.SBOM_DOWNLOAD_PATH }}" >> $GITHUB_OUTPUT
- gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p "${{ env.CYCLONEDX_SBOM_PATTERN }}" -p "${{ env.SPDX_SBOM_PATTERN }}" --repo ${{ github.repository }}
+ uses: actions/download-artifact@v4
+ with:
+ path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+ pattern: "*sbom.{cyclonedx,spdx}.json"
+ merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
+ # run: |-
+ # echo "SBOM_DOWNLOAD_PATH=${{ env.SBOM_DOWNLOAD_PATH }}" >> $GITHUB_OUTPUT
+ # gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p ${{ env.CYCLONEDX_SBOM_PATTERN }} -p ${{ env.SPDX_SBOM_PATTERN }} --repo ${{ github.repository }}
 env:
- SBOM_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/sboms"
- SPDX_SBOM_PATTERN: "*sbom.spdx.json"
- CYCLONEDX_SBOM_PATTERN: "*sbom.cyclonedx.json"
+ # SPDX_SBOM_PATTERN: '*sbom.spdx.json'
+ # CYCLONEDX_SBOM_PATTERN: '*sbom.cyclonedx.json'
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # uses: actions/download-artifact@v4
- # id: collect_sbom
- # with:
- # path: ${{ github.workspace }}/security-assets/sboms
- # pattern: "*sbom.{cyclonedx,spdx}.json"
- # merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
 - name: "Download binary artifact provenance"
 if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
 id: collect_provenance
- run: |-
- echo "PROVENANCE_DOWNLOAD_PATH=${{env.PROVENANCE_DOWNLOAD_PATH}}" >> $GITHUB_OUTPUT
- gh run download ${{ github.run_id }} -D ${{ env.PROVENANCE_DOWNLOAD_PATH }} -n ${{ env.BINARY_PROVENANCE_ARTIFACT }} --repo ${{ github.repository }}
+ uses: actions/download-artifact@v4
+ with:
+ path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+ pattern: ${{ github.event.repository.name }}.intoto.jsonl
+ merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
+ # run: |-
+ # echo "PROVENANCE_DOWNLOAD_PATH=${{env.PROVENANCE_DOWNLOAD_PATH}}" >> $GITHUB_OUTPUT
+ # gh run download ${{ github.run_id }} -D ${{ env.PROVENANCE_DOWNLOAD_PATH }} -n '${{ env.BINARY_PROVENANCE_ARTIFACT }}' --repo ${{ github.repository }}
 env:
- PROVENANCE_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets/provenance"
- BINARY_PROVENANCE_ARTIFACT: "${{ github.event.repository.name }}.intoto.jsonl"
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # uses: actions/download-artifact@v4
- # with:
- # path: ${{ github.workspace }}/security-assets/provenance
- # pattern: ${{ github.event.repository.name }}.intoto.jsonl
- # merge-multiple: true # When set, all matched zipped artifacts are extracted into the specified path
- - name: "check sbom asset files existence"
- uses: andstor/file-existence-action@v3
- id: check_sbom_assets
- if: ${{ fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success') }}
- with:
- files: ${{ steps.collect_sbom.outputs.SBOM_DOWNLOAD_PATH }}
- fail: true
- - name: "check provenance asset files existence"
- uses: andstor/file-existence-action@v3
- if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
- id: check_provenance_assets
- with:
- files: ${{ steps.collect_sbom.outputs.PROVENANCE_DOWNLOAD_PATH }}
- fail: true
- - name: "prepare sbom package" # Zip all SBOM assets for artifact types (Images, Repository scanning) produced in the jobs
- id: prepare_sbom_metadata
- if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }}
- run: |-
- SBOM_PACKAGE_NAME="${{github.repository}}-sbom"
- echo "SBOM_PACKAGE_NAME=${SBOM_PACKAGE_NAME}" >> $GITHUB_OUTPUT
- zip -rj ${SBOM_PACKAGE_NAME} ${{steps.collect_sbom.outputs.download-path}} -i '*sbom.spdx.json' '*sbom.cyclonedx.json'
- - name: "Inspect slsa assets"
- if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' || steps.check_sbom_assets.outputs.file_exists == 'true' }}
- run: |-
- ls -alR ${{github.workspace}}/security-assets
+ - name: "Generate security assets TAR"
+ if: ${{ (fromJSON(needs.check.outputs.BUILD) && (needs.check.result == 'success' || needs.build_publish.result == 'success')) || (needs.provenance.result == 'success' && github.ref_type == 'tag') }}
+ id: security_assets_metadata
+ run: |
+ cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+ find . -type f -maxdepth 1 \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print | tar -cvzf ${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz -T -
+ ls -alR .
 # Publish aggregated zip file of SBOMs to artifact regstry
- - name: Push sbom to cloudsmith
- id: push_sbom
- if: ${{ steps.check_sbom_assets.outputs.file_exists == 'true' }}
- uses: cloudsmith-io/action@master
- with:
- api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
- command: "push"
- format: "raw"
- owner: "kong"
- repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
- version: "${{ needs.check.outputs.VERSION_NAME }}"
- file: "${{ steps.collect_sbom.outputs.download-path }}/${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
- name: "${{ steps.prepare_sbom_metadata.outputs.SBOM_PACKAGE_NAME }}"
- summary: "SBOM artifacts for ${{ github.repository }}"
- description: "SBOM artifacts for binaries built from source code and container images"
- - name: Push binary provenance to cloudsmith
- if: ${{ steps.check_provenance_assets.outputs.file_exists == 'true' }}
- id: push_binary_provenance
- uses: cloudsmith-io/action@master
+ - name: Push security assets to cloudsmith
+ id: push_security_assets
+ uses: cloudsmith-io/action@f04b4de7550751e32961ac16543116f8f5f9bfc2 # v0.6.6
 with:
 api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
 command: "push"
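Review bot: The new `Push security assets to cloudsmith` step has no `if:` gate, whereas the removed `push_sbom`/`push_binary_provenance` steps were gated on the `file-existence-action` checks that are also deleted here; so when `Generate security assets TAR` is skipped the push fails on a missing file, and when it runs but `find` matches nothing, `tar -T -` on an empty list produces (as far as I can tell, GNU tar does not refuse in the `-T` case) an empty archive that is then published under the release version. Gate the push on the tar step, `if: ${{ steps.security_assets_metadata.outcome == 'success' }}`, and make the tar step fail on an empty match, e.g. `test -n "$(find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \))" || { echo "no security assets found" >&2; exit 1; }` ahead of the tar (putting `-maxdepth` before `-type` also avoids the GNU find global-option warning). `actions/download-artifact@v4` is the only `uses:` in this diff pinned to a mutable tag rather than a commit SHA with a version comment like the others; pin it the same way. The two commented-out `run:`/`gh run download` blocks and the `GH_TOKEN` env on the two download steps, which `actions/download-artifact` does not appear to read (it takes a `github-token` input instead), should be removed rather than kept as comments.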
@@ -221,9 +186,7 @@ jobs:
 owner: "kong"
 repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
 version: "${{ needs.check.outputs.VERSION_NAME }}"
- file: "${{ steps.collect_provenance.outputs.download-path }}/${{ github.event.repository.name }}.intoto.jsonl"
- name: "${{ env.BINARY_PROVENANCE_PACKAGE_NAME }}"
- summary: "Binary Artifact Provenance for ${{ github.repository }}"
- description: "Provenance file for verifying ${{ github.repository }} binary artifacts"
- env:
- BINARY_PROVENANCE_PACKAGE_NAME: "${{github.repository}}-binary-provenance"
+ file: "${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}/${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz"
+ name: "${{ env.SECURITY_ASSETS_PACKAGE_NAME }}"
+ summary: "SLSA security artifacts for ${{ github.repository }}"
+ description: "SBOM and Binary artifact Provenance for ${{ github.repository }}"
diff --git a/mk/docker.mk b/mk/docker.mk
index 9c2089db91d6..3644ec53c213 100644
--- a/mk/docker.mk
+++ b/mk/docker.mk
@@ -20,8 +20,6 @@ export DOCKER_BUILDKIT := 1
 # add targets to build images for each arch
 # $(1) - GOARCH to build for
-# (TODO): Donot hardcode "linux" platform for images
-# (TODO): May be support other image platforms using argument
 define IMAGE_TARGETS_BY_ARCH
 .PHONY: image/static/$(1)
@@ -68,7 +66,7 @@ $(foreach goarch,$(SUPPORTED_GOARCHES),$(eval $(call IMAGE_TARGETS_BY_ARCH,$(goa
 # add targets to generate docker/{save,load,tag,push} for each supported ARCH
 # add targets to build images for each arch
-# $(1) - Imae Name to build for
+# $(1) - Image Name to build for
 # $(2) - GOARCH to build for
 # (TODO): Support image platform in output file names
 define DOCKER_TARGETS_BY_ARCH