feat: attach sbom/provenance files to GH release, fix clomonitor (#1656)
* feat: attach sbom/provenance files to GH release, fix clomonitor Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> * fix: remove codesee Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
This commit is contained in:
parent
411f03ffe1
commit
8cce1ad284
6 changed files with 30 additions and 92 deletions
4
.clomonitor.yml
Normal file
4
.clomonitor.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
licenseScanning:
|
||||||
|
# License scanning of dependencies is done from a GitHub Action.
|
||||||
|
# You can view the latest results on the main branch following this link
|
||||||
|
url: https://github.com/external-secrets/external-secrets/actions/workflows/dlc.yml?query=branch%3Amain
|
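--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @external-secrets/maintainers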
10
.github/actions/sign/action.yml
vendored
10
.github/actions/sign/action.yml
vendored
|
@ -67,11 +67,12 @@ runs:
|
||||||
|
|
||||||
- name: Attach SBOM to image
|
- name: Attach SBOM to image
|
||||||
shell: bash
|
shell: bash
|
||||||
|
id: sbom
|
||||||
env:
|
env:
|
||||||
COSIGN_EXPERIMENTAL: "1"
|
COSIGN_EXPERIMENTAL: "1"
|
||||||
run: |
|
run: |
|
||||||
syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom-spdx.json
|
syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json
|
||||||
cosign attest --predicate sbom-spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
|
cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
|
||||||
cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
|
cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
|
||||||
|
|
||||||
- name: Generate provenance
|
- name: Generate provenance
|
||||||
|
@ -79,16 +80,17 @@ runs:
|
||||||
with:
|
with:
|
||||||
command: generate
|
command: generate
|
||||||
subcommand: container
|
subcommand: container
|
||||||
arguments: --repository "${{ inputs.image-name }}" --output-path provenance.att --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
|
arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
|
||||||
env:
|
env:
|
||||||
COSIGN_EXPERIMENTAL: "0"
|
COSIGN_EXPERIMENTAL: "0"
|
||||||
GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}"
|
GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}"
|
||||||
|
|
||||||
- name: Attach provenance
|
- name: Attach provenance
|
||||||
shell: bash
|
shell: bash
|
||||||
|
id: provenance
|
||||||
env:
|
env:
|
||||||
COSIGN_EXPERIMENTAL: "1"
|
COSIGN_EXPERIMENTAL: "1"
|
||||||
run: |
|
run: |
|
||||||
jq '.predicate' provenance.att > provenance-predicate.att
|
jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att
|
||||||
cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
|
cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
|
||||||
cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}
|
cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}
|
||||||
|
|
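Review bot: The `cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}` check (and its `--type slsaprovenance` twin in the second hunk) pins no signer identity, so in keyless mode it passes for an attestation signed under any Fulcio-issued certificate, not only one minted for this workflow. If the cosign release in use supports them, add `--certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<EXPECTED-WORKFLOW-IDENTITY-REGEX>'` to both verify commands; the image reference in those two lines is also the only one in these steps left unquoted, unlike the `cosign attest` lines above them. Separately, the renamed provenance file is consumed with `jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl`; if the generator writes a DSSE envelope (`payloadType`/`payload`/`signatures`) rather than a bare in-toto statement, `.predicate` would be null, which is worth confirming against one run's output. Both hunks are excerpts of the `runs:` step list, which continues outside them.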
87
.github/workflows/codesee-arch-diagram.yml
vendored
87
.github/workflows/codesee-arch-diagram.yml
vendored
|
@ -1,87 +0,0 @@
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
pull_request_target:
|
|
||||||
types: [opened, synchronize, reopened]
|
|
||||||
|
|
||||||
name: CodeSee Map
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
test_map_action:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
continue-on-error: true
|
|
||||||
name: Run CodeSee Map Analysis
|
|
||||||
steps:
|
|
||||||
- name: checkout
|
|
||||||
id: checkout
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
with:
|
|
||||||
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
|
||||||
ref: ${{ github.event.pull_request.head.ref }}
|
|
||||||
fetch-depth: 0
|
|
||||||
|
|
||||||
# codesee-detect-languages has an output with id languages.
|
|
||||||
- name: Detect Languages
|
|
||||||
id: detect-languages
|
|
||||||
uses: Codesee-io/codesee-detect-languages-action@latest
|
|
||||||
|
|
||||||
- name: Configure JDK 16
|
|
||||||
uses: actions/setup-java@v2
|
|
||||||
if: ${{ fromJSON(steps.detect-languages.outputs.languages).java }}
|
|
||||||
with:
|
|
||||||
java-version: '16'
|
|
||||||
distribution: 'zulu'
|
|
||||||
|
|
||||||
# CodeSee Maps Go support uses a static binary so there's no setup step required.
|
|
||||||
|
|
||||||
- name: Configure Node.js 14
|
|
||||||
uses: actions/setup-node@v2
|
|
||||||
if: ${{ fromJSON(steps.detect-languages.outputs.languages).javascript }}
|
|
||||||
with:
|
|
||||||
node-version: '14'
|
|
||||||
|
|
||||||
- name: Configure Python 3.x
|
|
||||||
uses: actions/setup-python@v4.3.0
|
|
||||||
if: ${{ fromJSON(steps.detect-languages.outputs.languages).python }}
|
|
||||||
with:
|
|
||||||
python-version: '3.10'
|
|
||||||
architecture: 'x64'
|
|
||||||
|
|
||||||
- name: Configure Ruby '3.x'
|
|
||||||
uses: ruby/setup-ruby@v1
|
|
||||||
if: ${{ fromJSON(steps.detect-languages.outputs.languages).ruby }}
|
|
||||||
with:
|
|
||||||
ruby-version: '3.0'
|
|
||||||
|
|
||||||
# We need the rust toolchain because it uses rustc and cargo to inspect the package
|
|
||||||
- name: Configure Rust 1.x stable
|
|
||||||
uses: actions-rs/toolchain@v1
|
|
||||||
if: ${{ fromJSON(steps.detect-languages.outputs.languages).rust }}
|
|
||||||
with:
|
|
||||||
toolchain: stable
|
|
||||||
|
|
||||||
- name: Generate Map
|
|
||||||
id: generate-map
|
|
||||||
uses: Codesee-io/codesee-map-action@latest
|
|
||||||
with:
|
|
||||||
step: map
|
|
||||||
api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
|
|
||||||
github_ref: ${{ github.ref }}
|
|
||||||
languages: ${{ steps.detect-languages.outputs.languages }}
|
|
||||||
|
|
||||||
- name: Upload Map
|
|
||||||
id: upload-map
|
|
||||||
uses: Codesee-io/codesee-map-action@latest
|
|
||||||
with:
|
|
||||||
step: mapUpload
|
|
||||||
api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
|
|
||||||
github_ref: ${{ github.ref }}
|
|
||||||
|
|
||||||
- name: Insights
|
|
||||||
id: insights
|
|
||||||
uses: Codesee-io/codesee-map-action@latest
|
|
||||||
with:
|
|
||||||
step: insights
|
|
||||||
api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
|
|
||||||
github_ref: ${{ github.ref }}
|
|
13
.github/workflows/release.yml
vendored
13
.github/workflows/release.yml
vendored
|
@ -74,7 +74,7 @@ jobs:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
id-token: write
|
id-token: write
|
||||||
contents: read
|
contents: write
|
||||||
|
|
||||||
env:
|
env:
|
||||||
SOURCE_TAG: main${{ matrix.tag_suffix }}
|
SOURCE_TAG: main${{ matrix.tag_suffix }}
|
||||||
|
@ -120,6 +120,7 @@ jobs:
|
||||||
run: make docker.promote
|
run: make docker.promote
|
||||||
|
|
||||||
- name: Sign promoted image
|
- name: Sign promoted image
|
||||||
|
id: sign
|
||||||
uses: ./.github/actions/sign
|
uses: ./.github/actions/sign
|
||||||
with:
|
with:
|
||||||
image-name: ${{ env.IMAGE_NAME }}
|
image-name: ${{ env.IMAGE_NAME }}
|
||||||
|
@ -127,3 +128,13 @@ jobs:
|
||||||
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
|
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
|
||||||
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
|
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Update Release
|
||||||
|
uses: softprops/action-gh-release@v1
|
||||||
|
with:
|
||||||
|
tag_name: ${{ github.event.inputs.version }}
|
||||||
|
files: |
|
||||||
|
provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
|
||||||
|
sbom.${{ env.RELEASE_TAG }}.spdx.json
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
||||||
|
|
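Review bot: The new `Update Release` step uploads `provenance.${{ env.RELEASE_TAG }}.intoto.jsonl` and `sbom.${{ env.RELEASE_TAG }}.spdx.json`, but those names only exist if the `image-tag` passed to `./.github/actions/sign` (not visible in this hunk) equals `RELEASE_TAG`, and softprops/action-gh-release skips unmatched patterns silently by default, so a mismatch produces a green job and a release with no SBOM or provenance attached. Add `fail_on_unmatched_files: true` under `with:` so the job fails instead. Widening the `permissions` block (job-level, going by the `jobs:` hunk context) from `contents: read` to `contents: write` also grants the promote and sign steps repository write access for the sake of one upload step; a separate job holding only the artifact upload would keep the signing job at least privilege. For a pipeline whose purpose is supply-chain attestation, `softprops/action-gh-release@v1` is worth pinning to a full commit SHA rather than a mutable tag, since the action receives the write-scoped `GITHUB_TOKEN`. The job's remaining steps and its `image-tag` input lie outside these hunks.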
|
@ -44,10 +44,17 @@ Anyone is welcome to join. Feel free to ask questions, request feedback, raise a
|
||||||
|
|
||||||
Please report vulnerabilities by email to contact@external-secrets.io. Also see our [SECURITY.md file](SECURITY.md) for details.
|
Please report vulnerabilities by email to contact@external-secrets.io. Also see our [SECURITY.md file](SECURITY.md) for details.
|
||||||
|
|
||||||
|
## software bill of materials
|
||||||
|
We attach SBOM and provenance file to our GitHub release. Also, they are attached to container images.
|
||||||
|
|
||||||
## Adopters
|
## Adopters
|
||||||
|
|
||||||
Please create a PR and add your company or project to our [ADOPTERS.md file](ADOPTERS.md) if you are using our project!
|
Please create a PR and add your company or project to our [ADOPTERS.md file](ADOPTERS.md) if you are using our project!
|
||||||
|
|
||||||
|
## Roadmap
|
||||||
|
|
||||||
|
You can find the roadmap in our documentation: https://external-secrets.io/main/contributing/roadmap/
|
||||||
|
|
||||||
## Kicked off by
|
## Kicked off by
|
||||||
|
|
||||||
![](assets/Godaddylogo_2020.png)
|
![](assets/Godaddylogo_2020.png)
|
||||||
|
|