From 8cce1ad284a8b4ac018cf17f6c2dd9c3eb9fcf67 Mon Sep 17 00:00:00 2001
From: Moritz Johner
Date: Thu, 27 Oct 2022 08:59:19 +0200
Subject: [PATCH] feat: attach sbom/provenance files to GH release, fix clomonitor (#1656)
* feat: attach sbom/provenance files to GH release, fix clomonitor
Signed-off-by: Moritz Johner
* fix: remove codesee
Signed-off-by: Moritz Johner
Signed-off-by: Moritz Johner
---
 .clomonitor.yml | 4 +
 .github/CODEOWNERS | 1 +
 .github/actions/sign/action.yml | 10 ++-
 .github/workflows/codesee-arch-diagram.yml | 87 ----------------------
 .github/workflows/release.yml | 13 +++-
 README.md | 7 ++
 6 files changed, 30 insertions(+), 92 deletions(-)
 create mode 100644 .clomonitor.yml
 create mode 100644 .github/CODEOWNERS
 delete mode 100644 .github/workflows/codesee-arch-diagram.yml
diff --git a/.clomonitor.yml b/.clomonitor.yml
new file mode 100644
index 000000000..e78432475
--- /dev/null
+++ b/.clomonitor.yml
@@ -0,0 +1,4 @@
+licenseScanning:
+ # License scanning of dependencies is done from a GitHub Action.
+ # You can view the latest results on the main branch following this link
+ url: https://github.com/external-secrets/external-secrets/actions/workflows/dlc.yml?query=branch%3Amain
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..9bdb1e4c8
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @external-secrets/maintainers
diff --git a/.github/actions/sign/action.yml b/.github/actions/sign/action.yml
index 03968465e..5e55697ee 100644
--- a/.github/actions/sign/action.yml
+++ b/.github/actions/sign/action.yml
@@ -67,11 +67,12 @@ runs: - name: Attach SBOM to image shell: bash + id: sbom env: COSIGN_EXPERIMENTAL: "1" run: | - syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom-spdx.json - cosign attest --predicate sbom-spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" + syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json + cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson' - name: Generate provenance @@ -79,16 +80,17 @@ runs: with: command: generate subcommand: container - arguments: --repository "${{ inputs.image-name }}" --output-path provenance.att --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}" + arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}" env: COSIGN_EXPERIMENTAL: "0" GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}" - name: Attach provenance shell: bash + id: provenance env: COSIGN_EXPERIMENTAL: "1" run: | - jq '.predicate' provenance.att > provenance-predicate.att + jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} diff --git a/.github/workflows/codesee-arch-diagram.yml b/.github/workflows/codesee-arch-diagram.yml deleted file mode 100644 index 6cb6afd53..000000000 
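Review bot: The renamed output files interpolate `${{ inputs.image-tag }}` directly into the `run:` script of the "Attach SBOM to image" step, and the `@@ -79` hunk does the same in the `jq` line of "Attach provenance", so the tag is pasted into the shell source before bash parses it and is treated as syntax rather than as data. Read it from the environment instead: add `IMAGE_TAG: "${{ inputs.image-tag }}"` under each step's `env:` and reference `"sbom.${IMAGE_TAG}.spdx.json"` / `"provenance.${IMAGE_TAG}.intoto.jsonl"` in the commands, as sketched below for the SBOM step. Whether the `arguments:` input of the "Generate provenance" step is also shell-expanded depends on that action's entrypoint, which is not visible here; if it is, the same treatment applies. The new `id: sbom` and `id: provenance` are not referenced in either hunk; if they feed an `outputs:` mapping elsewhere in the action a comment saying so would help, otherwise they can go. The surrounding `runs: steps:` list extends beyond both hunks.
```yaml
    - name: Attach SBOM to image
      shell: bash
      id: sbom
      env:
        COSIGN_EXPERIMENTAL: "1"
        IMAGE_TAG: "${{ inputs.image-tag }}"
      run: |
        syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json="sbom.${IMAGE_TAG}.spdx.json"
        cosign attest --predicate "sbom.${IMAGE_TAG}.spdx.json" --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
        # … unchanged: cosign verify-attestation …
```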
--- a/.github/workflows/codesee-arch-diagram.yml
+++ /dev/null
@@ -1,87 +0,0 @@ -on: - push: - branches: - - main - pull_request_target: - types: [opened, synchronize, reopened] - -name: CodeSee Map - -jobs: - test_map_action: - runs-on: ubuntu-latest - continue-on-error: true - name: Run CodeSee Map Analysis - steps: - - name: checkout - id: checkout - uses: actions/checkout@v2 - with: - repository: ${{ github.event.pull_request.head.repo.full_name }} - ref: ${{ github.event.pull_request.head.ref }} - fetch-depth: 0 - - # codesee-detect-languages has an output with id languages. - - name: Detect Languages - id: detect-languages - uses: Codesee-io/codesee-detect-languages-action@latest - - - name: Configure JDK 16 - uses: actions/setup-java@v2 - if: ${{ fromJSON(steps.detect-languages.outputs.languages).java }} - with: - java-version: '16' - distribution: 'zulu' - - # CodeSee Maps Go support uses a static binary so there's no setup step required. - - - name: Configure Node.js 14 - uses: actions/setup-node@v2 - if: ${{ fromJSON(steps.detect-languages.outputs.languages).javascript }} - with: - node-version: '14' - - - name: Configure Python 3.x - uses: actions/setup-python@v4.3.0 - if: ${{ fromJSON(steps.detect-languages.outputs.languages).python }} - with: - python-version: '3.10' - architecture: 'x64' - - - name: Configure Ruby '3.x' - uses: ruby/setup-ruby@v1 - if: ${{ fromJSON(steps.detect-languages.outputs.languages).ruby }} - with: - ruby-version: '3.0' - - # We need the rust toolchain because it uses rustc and cargo to inspect the package - - name: Configure Rust 1.x stable - uses: actions-rs/toolchain@v1 - if: ${{ fromJSON(steps.detect-languages.outputs.languages).rust }} - with: - toolchain: stable - - - name: Generate Map - id: generate-map - uses: Codesee-io/codesee-map-action@latest - with: - step: map - api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }} - github_ref: ${{ github.ref }} - languages: ${{ steps.detect-languages.outputs.languages }} - - - name: Upload Map - id: upload-map - uses: 
Codesee-io/codesee-map-action@latest - with: - step: mapUpload - api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }} - github_ref: ${{ github.ref }} - - - name: Insights - id: insights - uses: Codesee-io/codesee-map-action@latest - with: - step: insights - api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }} - github_ref: ${{ github.ref }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 07c3f8224..864346b22 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -74,7 +74,7 @@ jobs: permissions: id-token: write - contents: read + contents: write env: SOURCE_TAG: main${{ matrix.tag_suffix }} @@ -120,6 +120,7 @@ jobs: run: make docker.promote - name: Sign promoted image + id: sign uses: ./.github/actions/sign with: image-name: ${{ env.IMAGE_NAME }} @@ -127,3 +128,13 @@ jobs: GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }} GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Update Release + uses: softprops/action-gh-release@v1 + with: + tag_name: ${{ github.event.inputs.version }} + files: | + provenance.${{ env.RELEASE_TAG }}.intoto.jsonl + sbom.${{ env.RELEASE_TAG }}.spdx.json + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/README.md b/README.md index c457cb4e4..8700b4828 100644 --- a/README.md +++ b/README.md 
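Review bot: The new "Update Release" step references `softprops/action-gh-release@v1` by a mutable tag, and the `@@ -74` hunk raises the job's token to `contents: write` for it, so whatever that tag resolves to at run time can create or modify releases in this repository. Pin the action to a full commit SHA, `uses: softprops/action-gh-release@<full-commit-sha> # v1`, and let dependabot or renovate bump it. The `files:` patterns must match the names the sign action derives from its `image-tag` input; the `with:` line that passes `image-tag` sits between the `@@ -120` and `@@ -127` hunks and is not visible, and an unmatched pattern is not an error by default, so add `fail_on_unmatched_files: true` under `with:` so a naming drift fails the release rather than publishing it without its SBOM and provenance. The `contents: write` grant also covers the earlier `make docker.promote` and `./.github/actions/sign` steps of the same job, which receive the same token; if they only need read access, moving the upload into a separate job fed by an artifact would keep the signing job at `contents: read`.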
@@ -44,10 +44,17 @@ Anyone is welcome to join. Feel free to ask questions, request feedback, raise a Please report vulnerabilities by email to contact@external-secrets.io. Also see our [SECURITY.md file](SECURITY.md) for details. +## software bill of materials +We attach SBOM and provenance file to our GitHub release. Also, they are attached to container images. + ## Adopters Please create a PR and add your company or project to our [ADOPTERS.md file](ADOPTERS.md) if you are using our project! +## Roadmap + +You can find the roadmap in our documentation: https://external-secrets.io/main/contributing/roadmap/ + ## Kicked off by ![](assets/Godaddylogo_2020.png)