Update docker/build-push-action action to v5.1.0 #113
name: calculator | |
on: | |
push: | |
workflow_dispatch: | |
permissions: {} | |
env: | |
GO_VERSION: "1.21.4" | |
SLSA_VERIFIER_VERSION: "2.4.1" | |
IMAGE_REF: "ghcr.io/${{ github.repository }}/calculator" | |
jobs: | |
unit-tests: | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: read | |
checks: write | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Setup Go | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Install go-junit-report | |
run: go install github.com/jstemmer/go-junit-report/v2@v2.1.0 | |
- name: Run Unit Tests | |
run: go test -v -timeout 60s -count=3 -race 2>&1 ./... | go-junit-report -set-exit-code > report.xml | |
- name: Test Report | |
uses: dorny/test-reporter@afe6793191b75b608954023a46831a3fe10048d4 # v1.7.0 | |
if: always() | |
with: | |
name: 📋 Unit test report | |
path: report.xml | |
reporter: java-junit | |
build-calculator: | |
runs-on: ubuntu-22.04 | |
outputs: | |
calculator-hash: ${{ steps.calculator-hash.outputs.calculator-hash }} | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Setup Go | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Build Calculator | |
run: | | |
make build-cli | |
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: calculator | |
path: calculator | |
- name: Compute calculator hash | |
id: calculator-hash | |
run: | | |
CALCULATOR_HASH=$(sha256sum calculator | base64 -w0) | |
echo calculator-hash=${CALCULATOR_HASH} >> $GITHUB_OUTPUT | |
sign-calculator: | |
runs-on: ubuntu-22.04 | |
permissions: | |
id-token: write | |
needs: | |
- build-calculator | |
steps: | |
- name: Install Cosign & Rekor CLI | |
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
- name: Download calculator binary | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: calculator | |
- name: Sign calculator | |
run: | | |
cosign sign-blob calculator --output-certificate calculator.pem --output-signature calculator.sig -y | |
# Verify - as documentation & sanity check | |
cosign verify-blob calculator \ | |
--cert calculator.pem \ | |
--signature calculator.sig \ | |
--certificate-identity-regexp https://github.com/datosh-org/most-secure-calculator/.github/workflows/calculator.yml.* \ | |
--certificate-oidc-issuer https://token.actions.githubusercontent.com | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: calculator.pem | |
path: calculator.pem | |
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: calculator.sig | |
path: calculator.sig | |
build-calculator-image: | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: read | |
packages: write | |
needs: | |
- build-calculator | |
outputs: | |
digest: ${{ steps.build-container-image.outputs.Digest }} | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Docker metadata | |
id: meta | |
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | |
with: | |
images: | | |
${{ env.IMAGE_REF }} | |
tags: | | |
type=raw,value=latest,enable={{is_default_branch}} | |
type=sha,prefix= | |
type=sha,format=long,prefix= | |
type=semver,pattern={{version}} | |
type=semver,pattern=v{{version}} | |
type=ref,event=branch | |
- name: Log in to ghcr.io | |
id: docker-login | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Download calculator binary | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: calculator | |
- name: Build and push container image | |
id: build-container-image | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
with: | |
context: . | |
file: cmd/calculator-cli/Dockerfile | |
push: true | |
tags: ${{ steps.meta.outputs.tags }} | |
sign-calculator-image: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-calculator-image | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install Cosign CLI | |
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
- name: Log in to ghcr.io | |
id: docker-login | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Sign calculator-image | |
run: | | |
cosign sign -y \ | |
${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} | |
cosign verify \ | |
--certificate-identity-regexp https://github.com/datosh-org/most-secure-calculator/.github/workflows/calculator.yml.* \ | |
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} | |
env: | |
COSIGN_EXPERIMENTAL: 1 | |
sbom-image: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-calculator-image | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Log in to ghcr.io | |
id: docker-login | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install syft & grype | |
uses: ./.github/actions/install_syft_grype | |
with: | |
syftVersion: "0.97.0" | |
grypeVersion: "0.73.2" | |
- name: Install Cosign CLI | |
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
- name: Generate and sign SBOM | |
run: | | |
syft -v -o cyclonedx-json ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} > calculator.json | |
cosign attach sbom --sbom calculator.json ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} | |
# broken, see: https://github.com/anchore/syft/issues/2333 | |
# syft attest -o cyclonedx-json ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} > calculator.att.json | |
- name: Check for known vulnerabilities | |
run: | | |
grype ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} --fail-on critical --only-fixed | |
provenance: | |
permissions: | |
actions: read | |
contents: write | |
id-token: write | |
needs: | |
- build-calculator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 | |
with: | |
base64-subjects: "${{ needs.build-calculator.outputs.calculator-hash }}" | |
provenance-verify: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-calculator | |
- provenance | |
steps: | |
- name: Download calculator binary | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: calculator | |
- name: Download provenance | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: ${{ needs.provenance.outputs.provenance-name }} | |
- name: Install slsa-verifier | |
run: | | |
curl -LO https://github.com/slsa-framework/slsa-verifier/releases/download/v${{ env.SLSA_VERIFIER_VERSION }}/slsa-verifier-linux-amd64 | |
install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier | |
- name: Verify provenance | |
run: | | |
slsa-verifier verify-artifact calculator \ | |
--provenance-path calculator.intoto.jsonl \ | |
--source-uri github.com/datosh-org/most-secure-calculator | |
release: | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: write | |
needs: | |
- build-calculator | |
- sign-calculator | |
- unit-tests | |
- provenance | |
if: startsWith(github.ref, 'refs/tags/v') | |
steps: | |
- name: Download calculator binary | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: calculator | |
- name: Download calculator certificate | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: calculator.pem | |
- name: Download calculator signature | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: calculator.sig | |
- name: Download provenance | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: ${{ needs.provenance.outputs.provenance-name }} | |
- name: Release | |
uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0 | |
with: | |
draft: true | |
artifacts: "calculator,calculator.pem,calculator.sig,calculator.intoto.jsonl" |