diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c029c2f..3042952 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -8,6 +8,8 @@ permissions: read-all jobs: build: runs-on: ubuntu-latest + permissions: + packages: write steps: - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 @@ -40,6 +42,19 @@ jobs: path: target/ if-no-files-found: error + - name: Upload runner binary + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4 + with: + name: runner + path: target/github-stats-*-runner + if-no-files-found: error + + - name: Generate hashes + shell: bash + id: hash + run: | + echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT" + - name: Get image tags id: image_tags uses: redhat-cop/github-actions/get-image-version@main @@ -47,6 +62,7 @@ jobs: IMAGE_CONTEXT_DIR: src/main/docker - name: Build image + id: build_image uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2 with: dockerfiles: src/main/docker/Dockerfile.native-micro @@ -54,6 +70,23 @@ jobs: oci: true tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}" + - name: Push to ghcr.io + if: startsWith(github.ref, 'refs/tags/') + uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2 + id: push_image + with: + image: ${{ steps.build_image.outputs.image }} + registry: ghcr.io/${{ github.repository }} + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + tags: ${{ steps.build_image.outputs.tags }} + + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}" + image_digest: "${{ steps.push_image.outputs.digest }}" + image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}" + analyze: needs: [ build ] runs-on: ubuntu-latest 
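Review bot: The job-level `permissions:` block added to the build job replaces the workflow-level `permissions: read-all` for this job rather than extending it, so every scope not listed here — including `contents` — drops to `none`; if the Checkout step or anything later in build relies on `contents: read`, add it explicitly next to `packages: write`. The write scope is also granted on every run of build, although the only step that needs it (Push to ghcr.io, in a later hunk of this file) runs on tag refs alone; job permissions cannot be conditional, so a comment recording that trade-off would stop a later reader from "fixing" it: `# packages: write is only exercised by the tag-gated push step below`. The build job's steps continue outside this hunk.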
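Review bot: The Generate hashes step records `sha256sum` output with workspace-relative paths, so each SLSA subject is named `target/github-stats-<version>-runner` while the file that later lands on the release is the basename; as far as I know slsa-verifier keys on the digest, but anyone feeding the decoded list to `sha256sum -c` must run it from the workspace root, and that contract deserves a line: `# subject names are workspace-relative (target/...); a sha256sum -c consumer must run from the repo root`. The glob is unguarded, so a build that produces no runner passes the literal pattern to sha256sum and the step fails under the `-eo pipefail` that `shell: bash` implies — acceptable here only because the Upload runner binary step directly above already fails with `if-no-files-found: error`, so a short comment tying the two steps together would keep a future reordering from losing that guard. The enclosing build job starts and ends outside this hunk.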
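Review bot: The `outputs:` block added at the end of the build job reads `steps.push_image`, which is skipped on non-tag refs, so `image_digest` and `image_uri` are empty strings on every other run and nothing here says so; downstream jobs are protected only because each repeats the same `startsWith(github.ref, 'refs/tags/')` condition. Making that contract visible avoids a silent `name@` with no digest if a consumer is added without the guard: `# image_digest/image_uri are populated only on tag refs (push step is skipped otherwise); consumers must gate on the same condition`. The build job's earlier steps are outside this hunk.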
@@ -114,3 +147,96 @@ jobs: GITHUB_LOGIN: ${{ github.repository_owner }} GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} run: ./github-stats-*-runner create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --members-csv=tests/members.csv --fail-if-no-vpn=false + + sign-image: + needs: [ build ] + permissions: + id-token: write + packages: write + if: startsWith(github.ref, 'refs/tags/') + env: + image_uri: ${{ needs.build.outputs.image_uri }} # todo + runs-on: ubuntu-latest + steps: + - name: Setup cosign + uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3 + + - name: Cosign login + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io + + - name: Sign Image + run: | + cosign sign --yes ${image_uri} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0 + env: + TRIVY_USERNAME: ${{ github.repository_owner }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + with: + scan-type: image + image-ref: ${{ env.image_uri }} + format: "cosign-vuln" + output: "cosign-vuln.json" + + - name: Run Trivy SBOM generator + uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0 + env: + TRIVY_USERNAME: ${{ github.repository_owner }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + with: + scan-type: image + image-ref: ${{ env.image_uri }} + format: "spdx-json" + output: "spdx-json.json" + + - name: Attach attestations + run: | + cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri} + cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri} + + provenance_binary: + needs: [ build ] + if: startsWith(github.ref, 'refs/tags/') + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + with: + base64-subjects: "${{ 
needs.build.outputs.hashes }}" + upload-assets: true + + provenance_image: + needs: [ build ] + permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. + if: startsWith(github.ref, 'refs/tags/') + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 + with: + image: ${{ needs.build.outputs.image_repo }} + digest: ${{ needs.build.outputs.image_digest }} + registry-username: ${{ github.repository_owner }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + release: + needs: [ build ] + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags/') + permissions: + contents: write + steps: + - name: Download runner + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4 + with: + name: runner + + - name: Upload assets to release + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 + with: + files: | + github-stats-*-runner \ No newline at end of file diff --git a/renovate.json b/renovate.json index 01ae43a..d84a1bb 100644 --- a/renovate.json +++ b/renovate.json @@ -3,5 +3,19 @@ "extends": [ "config:best-practices", "schedule:earlyMondays" + ], + "packageRules": [ + { + "matchDepTypes": [ + "action" + ], + "matchPackageNames": [ + "slsa-framework/slsa-github-generator" + ], + "matchUpdateTypes": [ + "pinDigest" + ], + "enabled": false + } ] }
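Review bot: The SBOM attestation in the Attach attestations step carries the wrong predicate type: the Trivy SBOM step writes `spdx-json.json` with `format: "spdx-json"`, but it is attached with `--type cyclonedx`, so the envelope's predicateType will not describe its content and a consumer running `cosign verify-attestation --type spdxjson` will not find it; the line should read `cosign attest --yes --type spdxjson --predicate spdx-json.json ${image_uri}`. The release job uploads whatever `Download runner` fetched without checking it against `needs.build.outputs.hashes`, so the file that reaches the release is only as trustworthy as the artifact store, which the provenance does not cover; downloading into `target/` (upload-artifact stores the matched file relative to its common parent, so this restores the recorded `target/...` path — confirm against a run) and running `sha256sum -c` on the decoded list closes that gap, as sketched below. The Cosign login step interpolates `${{ secrets.GITHUB_TOKEN }}` and `${{ github.repository_owner }}` straight into the script text; passing the token through `env:` and using the runner-provided `$GITHUB_REPOSITORY_OWNER` keeps secrets and expressions out of the shell source, consistent with how `image_uri` is already handled in this job. The `# todo` left on the `image_uri` env entry should be resolved or replaced with a comment stating what is still pending.
```yaml
      - name: Cosign login
        env:
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$REGISTRY_TOKEN" | cosign login --username "$GITHUB_REPOSITORY_OWNER" --password-stdin ghcr.io
# … unchanged: Sign Image, Trivy vulnerability scanner and Trivy SBOM generator steps …
      - name: Attach attestations
        run: |
          cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri}
          cosign attest --yes --type spdxjson --predicate spdx-json.json ${image_uri}
# … unchanged: provenance_binary and provenance_image jobs, release job header …
      - name: Download runner
        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4
        with:
          name: runner
          path: target

      - name: Verify runner against build hashes
        env:
          HASHES: ${{ needs.build.outputs.hashes }}
        run: |
          echo "$HASHES" | base64 -d | sha256sum -c --strict

      - name: Upload assets to release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          files: |
            target/github-stats-*-runner
```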
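Review bot: The new packageRule disables `pinDigest` updates for `slsa-framework/slsa-github-generator` without recording why, which makes it look like an accidental gap in the digest pinning that `config:best-practices` turns on and invites someone to delete it later. The generator is deliberately referenced by tag (`@v1.9.0` in the workflow) because, per its own documentation, its checks expect a tag reference rather than a commit digest; Renovate accepts a `"description"` entry on a packageRule, so add one to the rule stating that, e.g. `"description": "slsa-github-generator must be referenced by tag, not digest; keep pinDigest disabled"`.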