README.md

• sample-ko-monorepo
  • Features
  • Automations
  • Usage
    • Install dependencies
    • Set up
  • Install products
  • Locally run binaries
  • Locally build
  • Signatures and attestations
  • Verifying
  • Troubleshooting
    • images fail to push
  • TODOs
  • Related

sample-ko-monorepo

A sample Go app for demonstrating Ko with

Features

• build each application, where Go package main entrypoints are
• sign container images with Cosign

Automations

Name	Description	Link
Build	Builds and signs Go based container images (ko, cosign)	link
Go test	Runs go test against the repo	link
Lint	Lints for code quality (golangci)	link
Image promotion	Tags images using image digests	link
Conform	Ensures that commits in PRs are standardised	link
Update Go version	Ensures that the Go version which the applications use, is on the latest stable	link

all of the actions are implementing reusable workflows.

Usage

Install dependencies

• kubectl
• kind
• kn
• kn-quickstart
• cosign

Set up

1. under Settings -> Code and automation -> Actions -> General, set Allow GitHub Actions to create and approve pull requests to true

2. add a branch protection rule under Settings -> Code and automation -> Add rule entering

Branch name pattern: main
Require a pull request before merging: true
Require status checks to pass before merging: true
  Require branches to be up to date before merging: true
  Status checks:
    - golangci / lint
    - conform / conform
Require signed commits

Install products

launch a local kind cluster, pre-installed with Knative

kn quickstart kind

apply the pre-built release

kubectl apply -f https://github.com/BobyMCbobs/sample-ko-monorepo/raw/main/deploy/release.yaml

Locally run binaries

go run cmd/webthingy/main.go

go run cmd/mission-critical-service/main.go

Locally build

export KO_DOCKER_REPO=ghcr.io/bobymcbobs/sample-ko-monorepo
ko resolve --bare -f config/

Signatures and attestations

cosign tree IMAGE_REF

Verifying

container images are able to be verified with the following command

cosign verify ghcr.io/bobymcbobs/sample-ko-monorepo/mission-critical-service@sha256:405b54637c79a0b0934d0d7f01464f358fe1fd118fefb1d9b77c8a351e9471b6 --certificate-identity https://github.com/BobyMCbobs/sample-ko-monorepo/.github/workflows/reusable-build.yml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com

SBOMs attestations are able to be verified with the following command

cosign verify-attestation ghcr.io/bobymcbobs/sample-ko-monorepo/mission-critical-service@sha256:405b54637c79a0b0934d0d7f01464f358fe1fd118fefb1d9b77c8a351e9471b6 --certificate-identity https://github.com/BobyMCbobs/sample-ko-monorepo/.github/workflows/reusable-build.yml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com  | jq -r .payload | base64 -d | jq -r .predicate.Data | bom document outline -

Troubleshooting

images fail to push

adjust the actions package access settings in

1. go to github.com/{{org/user}}
2. go to the packages tab
3. click on the package failing
4. ensure that the Actions repository access is set up to point to the source repo
5. set manage Actions access role field to write

TODOs

• dependency security scanning
• automatic dependency updates
• Go version upgrade auto-PR
• add build dependency cache

Related

• sample-docker-monorepo