Skip to content

Commit

Permalink
Merge pull request #34 from natrontech/ci/improve-release
Browse files Browse the repository at this point in the history 
ci: fix draft release for binary provenance
  • Loading branch information
@janfuhrer
janfuhrer authored Jun 25, 2024
2 parents f8bfd9c + 76aab23 commit f06af03
Show file tree
Hide file tree
Showing 4 changed files with 127 additions and 52 deletions.
35 changes: 18 additions & 17 deletions .github/workflows/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,16 @@
Following workflows are implemented in the repository.
[SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) is used to store the results for an analysis of code scanning tools in the Security tab of the repository.

| Workflow | Jobs | Trigger | SARIF upload | Description |
| :----------------------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ----------------------------------------------------------------------------------------------- |
| [codeql.yml](./codeql.yml) | `analyze` | push/pr to `main`, cron: `00 13 * * 1` | yes | Semantic code analysis |
| [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main` | - | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced |
| [golangci-lint.yml](./golangci-lint.yml) | `lint` | push/pr on `*` | - | Lint Go Code |
| [gosec.yml](./gosec.yml) | `analyze` | push/pr on `*` | - | Inspects source code for security problems in Go code |
| [osv-scan.yml](./osv-scan.yml) | `analyze` | push/pr to `main`, cron: `30 13 * * 1` | yes | Scanning for vulnerabilites in dependencies |
| [release.yml](./release.yml) | see [release chapter](#release) | push tag `v*` | - | Create release with go binaries and docker container |
| [scorecard.yml](./scorecard.yml) | `analyze` | push to `main`, cron: `00 14 * * 1`, change branch protection | yes | Create OpenSSF analysis and create project score |
| Workflow | Jobs | Trigger | SARIF upload | Description |
| :----------------------------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ----------------------------------------------------------------------------------------------- |
| [codeql.yml](./codeql.yml) | `analyze` | push/pr to `main`, cron: `00 13 * * 1` | yes | Semantic code analysis |
| [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main` | - | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced |
| [golangci-lint.yml](./golangci-lint.yml) | `lint` | push/pr on `*` | - | Lint Go Code |
| [gosec.yml](./gosec.yml) | `analyze` | push/pr on `*` | - | Inspects source code for security problems in Go code |
| [osv-scan.yml](./osv-scan.yml) | `analyze` | push/pr to `main`, cron: `30 13 * * 1` | yes | Scanning for vulnerabilites in dependencies |
| [release.yml](./release.yml) | see [release chapter](#release) | push tag `v*` | - | Create release with go binaries and docker container |
| [release-verification.yml](./release-verification.yml) | see [release chapter](#release) | release published | - | Verify assets of a new release |
| [scorecard.yml](./scorecard.yml) | `analyze` | push to `main`, cron: `00 14 * * 1`, change branch protection | yes | Create OpenSSF analysis and create project score |

## CodeQL

Expand Down Expand Up @@ -53,14 +54,14 @@ Action: https://github.com/google/osv-scanner-action

The release workflow includes multiple jobs to create a release of the project. Following jobs are implemented:

| Job | GitHub Action | Description |
| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------- |
| `goreleaser` | [goreleaser-action](https://github.com/goreleaser/goreleaser-action) | Creates the go archives & checksums file |
| `ko-publish` | [publish-image action](../actions/publish-image/action.yaml) | Create the container images & SBOMs, sign images and upload to the GitHub registry |
| `binary-provenance` | [generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) | Generate provenance for all release artifacts (go archives & SBOMs) |
| `image-provenance` | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images |
| `verification-with-slsa-verifier` | - | Verifying the cryptographic signatures on provenance for all binary releases |
| `verification-with-cosign` | - | Verifying the cryptographic signatures on provenance for the container image |
| Job | GitHub Action | Description |
| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------- |
| `goreleaser` | [goreleaser-action](https://github.com/goreleaser/goreleaser-action) | Creates the go archives & checksums file |
| `ko-publish` | [publish-image action](../actions/publish-image/action.yaml) | Create the container images & SBOMs, sign images and upload to the GitHub registry |
| `binary-provenance` | [generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) | Generate provenance for all release artifacts (go archives & SBOMs) |
| `image-provenance` | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images |
| `verification-with-cosign` | - | Verifying the cryptographic signatures on provenance for the container image |
| `verification-with-slsa-verifier` | - | Verifying the cryptographic signatures on provenance for all binary releases (only possible if release is published) |

### Go Release

Expand Down
52 changes: 52 additions & 0 deletions .github/workflows/release-verification.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: verify-release-assets

on:
release:
types: [published]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: {}

jobs:
verification-with-slsa-verifier:
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1

- name: Install Cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
echo "Downloading release assets (tag: $GITHUB_REF_NAME)"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME"
# verify each artifact in checksum.txt file with the provenance
- name: Verify assets
run: |
set -euo pipefail
echo "Verifying checksums.txt"
cosign verify-blob \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp '^https://github.com/natrontech/pbs-exporter/.github/workflows/release.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
checksums=$(cat checksums.txt)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying $fn"
slsa-verifier verify-artifact --provenance-path "multiple.intoto.jsonl" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done <<<"$checksums"
36 changes: 1 addition & 35 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ jobs:
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true # upload to a new release
draft-release: true

image-provenance:
needs: [ko-publish]
Expand All @@ -122,41 +123,6 @@ jobs:
registry-password: ${{ secrets.GITHUB_TOKEN }}
provenance-registry-password: ${{ secrets.GITHUB_TOKEN }}

verification-with-slsa-verifier:
needs: [goreleaser, binary-provenance]
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1

- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom.json"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
# verify each artifact in checksum.txt file with the provenance
- name: Verify assets
env:
CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying $fn"
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done <<<"$checksums"
verification-with-cosign:
needs: [ko-publish, image-provenance]
runs-on: ubuntu-latest
Expand Down
56 changes: 56 additions & 0 deletions SECURITY-INSIGHTS.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
header:
schema-version: 1.0.0
expiration-date: '2025-06-25T10:00:00.000Z'
last-updated: '2024-06-25'
last-reviewed: '2024-06-25'
project-url: https://github.com/natrontech/pbs-exporter
changelog: https://github.com/natrontech/pbs-exporter/blob/main/CHANGELOG.md
license: https://github.com/natrontech/pbs-exporter/blob/main/LICENSE
project-lifecycle:
bug-fixes-only: false
core-team:
- name: Jan Fuhrer
contact: [email protected]
- name: Sven Gerber
contact: [email protected]
status: concept
contribution-policy:
accepts-pull-requests: true
accepts-automated-pull-requests: true
contributing-policy: https://github.com/natrontech/pbs-exporter/blob/main/CONTRIBUTING.md
code-of-conduct: https://github.com/natrontech/pbs-exporter/blob/main/CODE_OF_CONDUCT.md
distribution-points:
- https://github.com/natrontech/pbs-exporter/releases
- https://github.com/orgs/natrontech/packages?repo_name=pbs-exporter
security-testing:
- tool-type: sca
tool-name: Dependabot
tool-version: latest
integration:
ad-hoc: false
ci: true
before-release: true
comment: |
Dependabot is enabled for this repo.
security-contacts:
- type: email
value: [email protected]
primary: true
vulnerability-reporting:
accepts-vulnerability-reports: true
bug-bounty-available: false
email-contact: [email protected]
security-policy: https://github.com/natrontech/pbs-exporter/blob/main/SECURITY.md
comment: |
Report security vulnerabilities via GitHub Security Advisory in this repository.
dependencies:
third-party-packages: true
dependencies-lists:
- https://github.com/natrontech/pbs-exporter/blob/main/go.mod
sbom:
- sbom-file: https://github.com/natrontech/pbs-exporter/releases
sbom-format: CycloneDX
sbom-url: https://github.com/natrontech/pbs-exporter/blob/main/SECURITY.md#sbom
- sbom-file: https://github.com/natrontech/pbs-exporter/pkgs/container/sbom
sbom-format: CycloneDX
sbom-url: https://github.com/natrontech/pbs-exporter/blob/main/SECURITY.md#sbom

0 comments on commit f06af03

Please sign in to comment.