
Commit

ci: improve release workflow
janfuhrer committed Jun 25, 2024
1 parent f8bfd9c commit 7ec5a3d
Showing 3 changed files with 71 additions and 52 deletions.
35 changes: 18 additions & 17 deletions .github/workflows/README.md
Expand Up @@ -5,15 +5,16 @@
Following workflows are implemented in the repository.
[SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) is used to store the results for an analysis of code scanning tools in the Security tab of the repository.

| Workflow | Jobs | Trigger | SARIF upload | Description |
| :----------------------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ----------------------------------------------------------------------------------------------- |
| [codeql.yml](./codeql.yml) | `analyze` | push/pr to `main`, cron: `00 13 * * 1` | yes | Semantic code analysis |
| [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main` | - | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced |
| [golangci-lint.yml](./golangci-lint.yml) | `lint` | push/pr on `*` | - | Lint Go Code |
| [gosec.yml](./gosec.yml) | `analyze` | push/pr on `*` | - | Inspects source code for security problems in Go code |
| [osv-scan.yml](./osv-scan.yml) | `analyze` | push/pr to `main`, cron: `30 13 * * 1` | yes | Scanning for vulnerabilites in dependencies |
| [release.yml](./release.yml) | see [release chapter](#release) | push tag `v*` | - | Create release with go binaries and docker container |
| [scorecard.yml](./scorecard.yml) | `analyze` | push to `main`, cron: `00 14 * * 1`, change branch protection | yes | Create OpenSSF analysis and create project score |
| Workflow | Jobs | Trigger | SARIF upload | Description |
| :----------------------------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ----------------------------------------------------------------------------------------------- |
| [codeql.yml](./codeql.yml) | `analyze` | push/pr to `main`, cron: `00 13 * * 1` | yes | Semantic code analysis |
| [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main` | - | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced |
| [golangci-lint.yml](./golangci-lint.yml) | `lint` | push/pr on `*` | - | Lint Go Code |
| [gosec.yml](./gosec.yml) | `analyze` | push/pr on `*` | - | Inspects source code for security problems in Go code |
| [osv-scan.yml](./osv-scan.yml) | `analyze` | push/pr to `main`, cron: `30 13 * * 1` | yes | Scanning for vulnerabilites in dependencies |
| [release.yml](./release.yml) | see [release chapter](#release) | push tag `v*` | - | Create release with go binaries and docker container |
| [release-verification.yml](./release-verification.yml) | see [release chapter](#release) | release published | - | Verify assets of a new release |
| [scorecard.yml](./scorecard.yml) | `analyze` | push to `main`, cron: `00 14 * * 1`, change branch protection | yes | Create OpenSSF analysis and create project score |

## CodeQL

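Review bot: the new `release-verification.yml` row says `see release chapter` under Jobs, but the release chapter's job table still presents `verification-with-slsa-verifier` as a job of `release.yml`; state in one of the two tables which workflow each verification job belongs to. While this table is being rewritten, also fix `vulnerabilites` in the `osv-scan.yml` row and reword the `dependency-review.yml` description, e.g. `Check that a pull request introduces no vulnerable dependencies or invalid licenses`.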
Expand Down Expand Up @@ -53,14 +54,14 @@ Action: https://github.com/google/osv-scanner-action

The release workflow includes multiple jobs to create a release of the project. Following jobs are implemented:

| Job | GitHub Action | Description |
| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------- |
| `goreleaser` | [goreleaser-action](https://github.com/goreleaser/goreleaser-action) | Creates the go archives & checksums file |
| `ko-publish` | [publish-image action](../actions/publish-image/action.yaml) | Create the container images & SBOMs, sign images and upload to the GitHub registry |
| `binary-provenance` | [generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) | Generate provenance for all release artifacts (go archives & SBOMs) |
| `image-provenance` | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images |
| `verification-with-slsa-verifier` | - | Verifying the cryptographic signatures on provenance for all binary releases |
| `verification-with-cosign` | - | Verifying the cryptographic signatures on provenance for the container image |
| Job | GitHub Action | Description |
| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------- |
| `goreleaser` | [goreleaser-action](https://github.com/goreleaser/goreleaser-action) | Creates the go archives & checksums file |
| `ko-publish` | [publish-image action](../actions/publish-image/action.yaml) | Create the container images & SBOMs, sign images and upload to the GitHub registry |
| `binary-provenance` | [generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) | Generate provenance for all release artifacts (go archives & SBOMs) |
| `image-provenance` | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images |
| `verification-with-cosign` | - | Verifying the cryptographic signatures on provenance for the container image |
| `verification-with-slsa-verifier` | - | Verifying the cryptographic signatures on provenance for all binary releases (only possible if release is published) |

### Go Release

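Review bot: the parenthetical `(only possible if release is published)` explains the constraint but not its consequence: after this commit `verification-with-slsa-verifier` no longer runs inside `release.yml` at all, it runs from `release-verification.yml` on the `published` event, while `verification-with-cosign` stays in `release.yml`. Name the workflow in the Job column (or add a column) so a reader does not look for the job in the wrong file, and say plainly that binary verification now happens after the release is visible rather than before.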
52 changes: 52 additions & 0 deletions .github/workflows/release-verification.yml
@@ -0,0 +1,52 @@
name: verify-release-assets

on:
release:
types: [published]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
verification-with-slsa-verifier:
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1

- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
echo "Downloading release assets (tag: $GITHUB_REF_NAME)"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME"
# verify each artifact in checksum.txt file with the provenance
- name: Verify assets
run: |
set -euo pipefail
echo "Verifying checksums.txt"
cosign verify-blob \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp '^https://github.com/natrontech/pbs-exporter/.github/workflows/release.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
checksums=$(cat checksums.txt)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying $fn"
slsa-verifier verify-artifact --provenance-path "multiple.intoto.jsonl" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done <<<"$checksums"
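Review bot: in the `--certificate-identity-regexp` value the dots in `v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?` are unescaped, so each one matches any character; write them as `\.` so the identity check accepts only the intended tag format (the `^`/`$` anchors keep the gap small, but the pattern should be exact). Three smaller points in the same step: `fn=$(echo $line | cut -d ' ' -f2)` relies on unquoted word splitting to collapse the double space of a sha256sum-style checksums file, `read -r _hash fn` would do that explicitly; the provenance file name `multiple.intoto.jsonl` is hard-coded where the removed job used the generator's `provenance-name` output, so a comment recording that assumption would help; and the comment says `checksum.txt` while the file is `checksums.txt`. On permissions, `read-all` is broader than the job needs; `contents: read` covers `gh release download`.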
36 changes: 1 addition & 35 deletions .github/workflows/release.yml
Expand Up @@ -103,6 +103,7 @@ jobs:
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true # upload to a new release
draft-release: true

image-provenance:
needs: [ko-publish]
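Review bot: `draft-release: true` has no accompanying comment, and it changes the publishing flow: the provenance is now attached to a draft release that a maintainer must publish by hand, which is what makes the `published`-triggered verification workflow necessary. Add a comment here, and confirm that the goreleaser job creates its release as a draft as well (`release.draft: true` in the goreleaser config) so that archives and provenance land on the same draft and the archives are never visible before their provenance is attached.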
Expand All @@ -122,41 +123,6 @@ jobs:
registry-password: ${{ secrets.GITHUB_TOKEN }}
provenance-registry-password: ${{ secrets.GITHUB_TOKEN }}

verification-with-slsa-verifier:
needs: [goreleaser, binary-provenance]
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1

- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom.json"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
# verify each artifact in checksum.txt file with the provenance
- name: Verify assets
env:
CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying $fn"
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done <<<"$checksums"
verification-with-cosign:
needs: [ko-publish, image-provenance]
runs-on: ubuntu-latest
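Review bot: removing this job drops the pre-publication gate; `needs: [goreleaser, binary-provenance]` meant every archive was verified against its provenance in the same run before anyone could treat the release as complete, whereas the replacement workflow runs only after the release is published, so a failed verification is reported but the assets are already public. The commit message does not mention this trade-off; record it in the README, or keep a lightweight in-run check (for example `sha256sum -c checksums.txt` on the goreleaser output) so something still fails before publication. Also, `verification-with-cosign` stays behind at the end of this hunk; if the image check is meant to move too, do it in the same change, otherwise the README should state that the two verification jobs now live in different workflows.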

0 comments on commit 7ec5a3d
