
feat: attach sbom/provenance files to GH release, fix clomonitor (#1656)

* feat: attach sbom/provenance files to GH release, fix clomonitor

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: remove codesee

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
This commit is contained in:
Moritz Johner 2022-10-27 08:59:19 +02:00 committed by GitHub
parent 411f03ffe1
commit 8cce1ad284
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 30 additions and 92 deletions

4
.clomonitor.yml Normal file

@ -0,0 +1,4 @@
licenseScanning:
# License scanning of dependencies is done from a GitHub Action.
# You can view the latest results on the main branch following this link
url: https://github.com/external-secrets/external-secrets/actions/workflows/dlc.yml?query=branch%3Amain

1
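--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @external-secrets/maintainers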


@ -67,11 +67,12 @@ runs:
- name: Attach SBOM to image - name: Attach SBOM to image
shell: bash shell: bash
id: sbom
env: env:
COSIGN_EXPERIMENTAL: "1" COSIGN_EXPERIMENTAL: "1"
run: | run: |
syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom-spdx.json syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json
cosign attest --predicate sbom-spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson' cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
- name: Generate provenance - name: Generate provenance
@ -79,16 +80,17 @@ runs:
with: with:
command: generate command: generate
subcommand: container subcommand: container
arguments: --repository "${{ inputs.image-name }}" --output-path provenance.att --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}" arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
env: env:
COSIGN_EXPERIMENTAL: "0" COSIGN_EXPERIMENTAL: "0"
GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}" GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}"
- name: Attach provenance - name: Attach provenance
shell: bash shell: bash
id: provenance
env: env:
COSIGN_EXPERIMENTAL: "1" COSIGN_EXPERIMENTAL: "1"
run: | run: |
jq '.predicate' provenance.att > provenance-predicate.att jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att
cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}
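Review bot: The new file names built from `${{ inputs.image-tag }}` on the syft and cosign attest lines (and again in the provenance hunk's jq line) are expanded straight into the `run: |` script text and are not quoted, so a tag value containing whitespace or shell metacharacters would be word-split or interpreted instead of landing in the file name; the `image-name` expansions on the same lines predate this change, but the `-o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json` argument is new. Passing the name through the step's `env:` block and quoting it in the script, e.g. `SBOM_FILE: sbom.${{ inputs.image-tag }}.spdx.json` under `env:` and `-o "spdx-json=${SBOM_FILE}"` / `--predicate "${SBOM_FILE}"` in the script, keeps the expansion out of the shell text. Where `image-tag` ultimately originates is not visible here; if it is derived from a workflow_dispatch input, that is the usual reason to prefer the env-variable form. The added `id: sbom` and `id: provenance` fields have no visible effect unless an `outputs:` section elsewhere in the action references them, which is outside the hunk.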


@ -1,87 +0,0 @@
on:
push:
branches:
- main
pull_request_target:
types: [opened, synchronize, reopened]
name: CodeSee Map
jobs:
test_map_action:
runs-on: ubuntu-latest
continue-on-error: true
name: Run CodeSee Map Analysis
steps:
- name: checkout
id: checkout
uses: actions/checkout@v2
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
fetch-depth: 0
# codesee-detect-languages has an output with id languages.
- name: Detect Languages
id: detect-languages
uses: Codesee-io/codesee-detect-languages-action@latest
- name: Configure JDK 16
uses: actions/setup-java@v2
if: ${{ fromJSON(steps.detect-languages.outputs.languages).java }}
with:
java-version: '16'
distribution: 'zulu'
# CodeSee Maps Go support uses a static binary so there's no setup step required.
- name: Configure Node.js 14
uses: actions/setup-node@v2
if: ${{ fromJSON(steps.detect-languages.outputs.languages).javascript }}
with:
node-version: '14'
- name: Configure Python 3.x
uses: actions/setup-python@v4.3.0
if: ${{ fromJSON(steps.detect-languages.outputs.languages).python }}
with:
python-version: '3.10'
architecture: 'x64'
- name: Configure Ruby '3.x'
uses: ruby/setup-ruby@v1
if: ${{ fromJSON(steps.detect-languages.outputs.languages).ruby }}
with:
ruby-version: '3.0'
# We need the rust toolchain because it uses rustc and cargo to inspect the package
- name: Configure Rust 1.x stable
uses: actions-rs/toolchain@v1
if: ${{ fromJSON(steps.detect-languages.outputs.languages).rust }}
with:
toolchain: stable
- name: Generate Map
id: generate-map
uses: Codesee-io/codesee-map-action@latest
with:
step: map
api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
github_ref: ${{ github.ref }}
languages: ${{ steps.detect-languages.outputs.languages }}
- name: Upload Map
id: upload-map
uses: Codesee-io/codesee-map-action@latest
with:
step: mapUpload
api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
github_ref: ${{ github.ref }}
- name: Insights
id: insights
uses: Codesee-io/codesee-map-action@latest
with:
step: insights
api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
github_ref: ${{ github.ref }}


@ -74,7 +74,7 @@ jobs:
permissions: permissions:
id-token: write id-token: write
contents: read contents: write
env: env:
SOURCE_TAG: main${{ matrix.tag_suffix }} SOURCE_TAG: main${{ matrix.tag_suffix }}
@ -120,6 +120,7 @@ jobs:
run: make docker.promote run: make docker.promote
- name: Sign promoted image - name: Sign promoted image
id: sign
uses: ./.github/actions/sign uses: ./.github/actions/sign
with: with:
image-name: ${{ env.IMAGE_NAME }} image-name: ${{ env.IMAGE_NAME }}
@ -127,3 +128,13 @@ jobs:
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }} GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update Release
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ github.event.inputs.version }}
files: |
provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
sbom.${{ env.RELEASE_TAG }}.spdx.json
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
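Review bot: Changing the job-level `contents: read` to `contents: write` in the first hunk grants repository write access to every step of the job, while only the new `Update Release` step needs it; the `make docker.promote` and sign steps visible in the later hunks use `GHCR_TOKEN` and the id-token, not `contents`. If the job layout allows it, moving the asset upload into its own job with `permissions: { contents: write }` and an artifact hand-off of the two files keeps the promote/sign job at `contents: read`; otherwise a comment on the permission line, `# contents: write is needed only by the Update Release step`, records why it was widened. `softprops/action-gh-release@v1` is pinned to a mutable major tag; for a step that publishes release assets with the repository token, pinning to a full commit SHA with the tag in a trailing comment is the usual hardening. Note also that `tag_name` uses `github.event.inputs.version` while the uploaded file names use `env.RELEASE_TAG`; if those differ (the `SOURCE_TAG: main${{ matrix.tag_suffix }}` line suggests a matrix), every matrix leg attaches its files to the same release, which is presumably intended but worth a comment. The job definition starts outside the hunk.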


@ -44,10 +44,17 @@ Anyone is welcome to join. Feel free to ask questions, request feedback, raise a
Please report vulnerabilities by email to contact@external-secrets.io. Also see our [SECURITY.md file](SECURITY.md) for details. Please report vulnerabilities by email to contact@external-secrets.io. Also see our [SECURITY.md file](SECURITY.md) for details.
## software bill of materials
We attach SBOM and provenance file to our GitHub release. Also, they are attached to container images.
## Adopters ## Adopters
Please create a PR and add your company or project to our [ADOPTERS.md file](ADOPTERS.md) if you are using our project! Please create a PR and add your company or project to our [ADOPTERS.md file](ADOPTERS.md) if you are using our project!
## Roadmap
You can find the roadmap in our documentation: https://external-secrets.io/main/contributing/roadmap/
## Kicked off by ## Kicked off by
![](assets/Godaddylogo_2020.png) ![](assets/Godaddylogo_2020.png)