
branch cosign-slsa triggers cicd #8

branch cosign-slsa triggers cicd


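# Using Kaniko: refer to the following documentations:
# * https://github.com/marketplace/actions/kaniko-action
# * https://github.com/int128/kaniko-action#inputs
#
# Workflow layout (four jobs, two build/attest pairs):
#   build-base-image                   -> Kaniko build + push of the /bin/bash base image; exposes its digest
#   base-image-provenance              -> SLSA provenance for that digest via the reusable slsa-github-generator workflow
#   build-goreleaser-entryp-image      -> Kaniko build + push of the goreleaser-entrypoint image; exposes its digest
#   goreleaser-entryp-image-provenance -> SLSA provenance for that digest
#
# NOTE(review): every `uses:` below references a floating major tag (actions/checkout@v4,
# docker/metadata-action@v5, docker/login-action@v3, int128/kaniko-action@v1). Pinning each
# to a full commit SHA (keeping the tag in a trailing comment) makes the build reproducible
# and protects against a re-pointed tag; confirm against the project's dependency policy.
name: "Build a container that ship with goreleaser, cosign, ko-build, trivy, syft and push to GitHub Container Registry (GHCR)"
# NOTE(review): pull_request runs go through the same push/attest jobs as push runs, so a PR
# build publishes sha-tagged images built from unreviewed code, and fails on PRs from forks
# (GITHUB_TOKEN is read-only there and no id-token is issued). If that is not intended,
# gate the push and the provenance jobs on `github.event_name == 'push'`.
on:
  pull_request:
    branches:
      - main
      - release/*
  push:
    branches:
      - main
      - containerfiles # TODO: remove after testing
      - cosign-slsa # TODO: remove after testing
# Global KANIKO Variables:
# See: https://github.com/int128/kaniko-action
# - KANIKO_BUILD_CONTEXT is the path to the location of the Containerfile.
# - BASE_CONTAINERFILE_NAME is name and location of the Containerfile for base image with a /bin/bash entrypoint.
# - GOREL_ENTRYP_CONTAINERFILE_NAME is name and location of the Containerfile form image with ENTRYPOINT [ "/go/bin/goreleaser" ]
env:
  KANIKO_BUILD_CONTEXT: "${{ github.workspace }}"
  BASE_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr.base"
  GOREL_ENTRYP_CONTAINERFILE_NAME: "${{ github.workspace }}/Containerfile.goreleaser-ko-cosign-trivy-syft-x86-arm64-root-usr"
jobs:
  # Kaniko job to build a container image "goreleaser-glibc-image-base" has a /bin/bash entrypoint
  build-base-image:
    runs-on: ubuntu-latest
    # Least privilege, declared explicitly instead of relying on the repository's default
    # token permissions: checkout needs contents:read; pushing the image and its cache
    # layers to GHCR with GITHUB_TOKEN needs packages:write. Nothing else is granted.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Extract Tools Versions from Containerfile as we use this in tags names
        id: extract
        run: |
          # Read each "ARG <TOOL>_VERSION=<value>" line from the Containerfile and expose
          # <value> as the step output <TOOL>_VERSION (consumed by the metadata step below).
          # First match wins (grep -m1); a missing ARG yields an empty output rather than a failure.
          for tool in GOLANG GORELEASER TRIVY COSIGN KO SYFT DEBIAN; do
            version=$(grep -m1 "ARG ${tool}_VERSION=" "$BASE_CONTAINERFILE_NAME" | cut -d'=' -f2)
            echo "${tool}_VERSION=${version}" >> "$GITHUB_OUTPUT"
          done
      - name: Container metadata and tags
        uses: docker/metadata-action@v5
        id: metadata
        with:
          images: ghcr.io/${{ github.repository }}-base
          tags: |
            type=ref,event=branch
            # use tools version as tags
            type=raw,value=golang-${{ steps.extract.outputs.golang_version }}
            type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}
            type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}
            type=raw,value=ko-${{ steps.extract.outputs.ko_version }}
            type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}
            type=raw,value=syft-${{ steps.extract.outputs.syft_version }}
            type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version }}
            # minimal (short sha)
            type=sha
            # full length sha
            type=sha,format=long
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build the OCI image (base image entrypoint /bin/bash)
        id: kaniko
        uses: int128/kaniko-action@v1
        with:
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          cache: true
          # Shared with build-goreleaser-entryp-image; cache layers are pushed here too.
          cache-repository: ghcr.io/${{ github.repository }}/cache
          file: ${{ env.BASE_CONTAINERFILE_NAME }}
          context: ${{ env.KANIKO_BUILD_CONTEXT }}
          verbosity: "info"  # https://github.com/GoogleContainerTools/kaniko#flag---verbosity
    outputs:
      # Digest of the pushed image; the provenance job attests exactly this digest.
      oci-image-digest: ${{ steps.kaniko.outputs.digest }}
  # Job to build a SLSA provenance attestation
  base-image-provenance:
    name: Generate SLSA provenance attestation for OCI
    needs: build-base-image # Ensure this job runs after build-base-image
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    # NOTE(review): the GitHub workflow check on this line reports "reference to workflow should
    # be either a valid branch, tag, or commit", i.e. "@v2" does not resolve in slsa-github-generator.
    # Replace it with an exact release tag from the README above (placeholder: @v<MAJOR.MINOR.PATCH>);
    # the same reference is used by goreleaser-entryp-image-provenance below.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
    with:
      image: ghcr.io/${{ github.repository }}-base
      digest: ${{ needs.build-base-image.outputs.oci-image-digest }}
    secrets:
      registry-username: ${{ github.actor }}
      registry-password: ${{ secrets.GITHUB_TOKEN }}
  # Kaniko job to build a container image "goreleaser-glibc-image" that has a goreleaser entrypoint
  build-goreleaser-entryp-image:
    needs: build-base-image # Ensure this job runs after build-base-image
    runs-on: ubuntu-latest
    # Same least-privilege grant as build-base-image: read the checkout, push to GHCR.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Extract Tools Versions from Containerfile as we use this in tags names
        id: extract
        run: |
          # Read each "ARG <TOOL>_VERSION=<value>" line from the Containerfile and expose
          # <value> as the step output <TOOL>_VERSION (consumed by the metadata step below).
          # First match wins (grep -m1); a missing ARG yields an empty output rather than a failure.
          for tool in GOLANG GORELEASER TRIVY COSIGN KO SYFT DEBIAN; do
            version=$(grep -m1 "ARG ${tool}_VERSION=" "$GOREL_ENTRYP_CONTAINERFILE_NAME" | cut -d'=' -f2)
            echo "${tool}_VERSION=${version}" >> "$GITHUB_OUTPUT"
          done
      - name: Container metadata and tags
        uses: docker/metadata-action@v5
        id: metadata
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=ref,event=branch
            # use tools version as tags
            type=raw,value=golang-${{ steps.extract.outputs.golang_version }}
            type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}
            type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}
            type=raw,value=ko-${{ steps.extract.outputs.ko_version }}
            type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}
            type=raw,value=syft-${{ steps.extract.outputs.syft_version }}
            type=raw,value=golang-${{ steps.extract.outputs.golang_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=goreleaser-${{ steps.extract.outputs.goreleaser_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=cosign-${{ steps.extract.outputs.cosign_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=ko-${{ steps.extract.outputs.ko_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=trivy-${{ steps.extract.outputs.trivy_version }}-${{ steps.extract.outputs.debian_version }}
            type=raw,value=syft-${{ steps.extract.outputs.syft_version }}-${{ steps.extract.outputs.debian_version }}
            # minimal (short sha)
            type=sha
            # full length sha
            type=sha,format=long
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build the OCI image
        uses: int128/kaniko-action@v1
        id: kaniko
        with:
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          cache: true
          # Shared with build-base-image; cache layers are pushed here too.
          cache-repository: ghcr.io/${{ github.repository }}/cache
          file: ${{ env.GOREL_ENTRYP_CONTAINERFILE_NAME }}
          context: ${{ env.KANIKO_BUILD_CONTEXT }}
          verbosity: "info"  # https://github.com/GoogleContainerTools/kaniko#flag---verbosity
    outputs:
      # Digest of the pushed image; the provenance job attests exactly this digest.
      oci-image-digest: ${{ steps.kaniko.outputs.digest }}
  # Job to build a SLSA provenance attestation for the goreleaser-entrypoint image
  goreleaser-entryp-image-provenance:
    name: Generate SLSA provenance attestation for OCI
    needs: build-goreleaser-entryp-image # Ensure this job runs after build-goreleaser-entryp-image
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing. Required for SLSA and Cosign
      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
    # NOTE(review): "@v2" fails the workflow check with "reference to workflow should be either a
    # valid branch, tag, or commit"; use the same exact release tag as in base-image-provenance.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2
    with:
      image: ghcr.io/${{ github.repository }}
      digest: ${{ needs.build-goreleaser-entryp-image.outputs.oci-image-digest }}
    secrets:
      registry-username: ${{ github.actor }}
      registry-password: ${{ secrets.GITHUB_TOKEN }}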