Merge pull request #170 from Kong/feat/slsa #151
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Package & Release | |
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentation. | |
| on: | |
| push: | |
| branches: [ "master" ] | |
| # Publish semver tags as releases. | |
| tags: [ 'v*.*.*' ] | |
| pull_request: | |
| branches: [ "master" ] | |
| env: | |
| # Use docker.io for Docker Hub if empty | |
| REGISTRY: ghcr.io | |
| # Format as <account>/<repo> | |
| # Must be lower case for container tools to parse correctly | |
| IMAGE_NAME: kong/insomnia-mockbin | |
| HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.repository_owner == 'Kong' }} | |
| # Local docker OCI archive name until the image is pushed to registry | |
| DOCKER_OCI_ARCHIVE: "docker-archive" | |
| # Always use Docker Hub for publishing image signatures | |
| ## docker.io/kong/notary - Use Public Notary repository for release image signatures | |
| ## docker.io/kong/notary-internal - Use Private Notary repository for internal image signatures | |
| NOTARY_REPOSITORY: ${{ github.ref_type == 'tag' || github.ref_name == 'master' && 'kong/notary' || 'kong/notary-internal' }} | |
| jobs: | |
| check: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| # Perform SCA analysis for the code repository | |
| # Produces SBOM and CVE report | |
| # Helps understand vulnerabilities / license compliance across third party dependencies | |
| - id: sca-project | |
| uses: Kong/public-shared-actions/security-actions/sca@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2 | |
| with: | |
| dir: . | |
| upload-sbom-release-assets: true | |
| # Build docker images | |
| build-images: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| needs: [check] | |
| outputs: | |
| image_tags: ${{ steps.meta.outputs.tags }} | |
| image_tag_version: ${{ steps.meta.outputs.version }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| # Set up BuildKit Docker container builder to be able to build | |
| # multi-platform images and export cache | |
| # https://github.com/docker/setup-buildx-action | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
| # Extract metadata (tags, labels) for Docker Image | |
| # https://github.com/docker/metadata-action | |
| - name: Extract Docker metadata | |
| id: meta | |
| env: | |
| DOCKER_METADATA_PR_HEAD_SHA: true | |
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| sep-tags: "," | |
| # Build Docker image with Buildx (don't push on PR) | |
| # https://github.com/docker/build-push-action | |
| - name: Build Docker image | |
| id: build-and-push | |
| uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 | |
| with: | |
| context: . | |
| push: false # only push after the image is scanned | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| # these 2 options are needed so that the MediaType of the manifest is | |
| # OCI-compliant for other downstream integrations | |
| # see also: | |
| # - https://github.com/docker/buildx/issues/1507 | |
| # - https://github.com/docker/buildx/issues/1509#issuecomment-1378538197 | |
| provenance: false | |
| outputs: type=docker,dest=${{ env.DOCKER_OCI_ARCHIVE }}.tar,oci-mediatypes=true | |
| - name: Upload Docker OCI layout TAR Artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ env.DOCKER_OCI_ARCHIVE }} | |
| path: ${{ env.DOCKER_OCI_ARCHIVE }}.tar | |
| if-no-files-found: error | |
| retention-days: 1 | |
| scan-images: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| needs: [check, build-images] | |
| if: > | |
| github.repository_owner == 'Kong' | |
| && needs.build-images.result == 'success' | |
| steps: | |
| - name: Download OCI docker TAR artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: ${{ env.DOCKER_OCI_ARCHIVE }} | |
| path: ${{ github.workspace }} | |
| - name: Load OCI docker TAR artifact | |
| run: | | |
| docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar | |
| docker image ls | |
| - name: Scan the docker OCI Tar ball | |
| id: sbom_action_amd64 | |
| uses: Kong/public-shared-actions/security-actions/scan-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2 | |
| with: | |
| asset_prefix: image-${{ env.IMAGE_NAME }}-amd64 | |
| image: ${{ env.DOCKER_OCI_ARCHIVE }}.tar | |
| upload-sbom-release-assets: true | |
| release-images: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write # needed for publishing the images | |
| id-token: write # needed for keyless signing of the images | |
| needs: [check, build-images, scan-images] | |
| if: > | |
| github.repository_owner == 'Kong' | |
| && needs.scan-images.result == 'success' | |
| && github.event_name != 'pull_request' | |
| env: | |
| IMAGE_TAGS: ${{ needs.build-images.outputs.image_tags }} | |
| outputs: | |
| image_name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.image_manifest_sha }} | |
| notary_repository: ${{ env.NOTARY_REPOSITORY }} | |
| steps: | |
| - name: Download OCI docker TAR artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: ${{ env.DOCKER_OCI_ARCHIVE }} | |
| path: ${{ github.workspace }} | |
| - name: Load OCI docker TAR artifact | |
| run: | | |
| docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar | |
| docker image ls | |
| # Login against a Docker registry except on PR | |
| # https://github.com/docker/login-action | |
| - name: Log into image registry ${{ env.REGISTRY }} | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push images to registry | |
| id: publish_images | |
| run: | | |
| for tag in ${IMAGE_TAGS//,/ }; do \ | |
| docker push $tag; \ | |
| done | |
| # Setup regctl to parse platform specific image digest from image manifest | |
| - name: Install regctl | |
| uses: regclient/actions/regctl-installer@main | |
| # The image manifest digest/sha is generated only after the image is published to registry | |
| - name: Parse architecture specific digest from image manifest | |
| id: image_manifest_metadata | |
| run: | | |
| IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }} | |
| sha="$(regctl image digest "${IMAGE}")" | |
| echo "sha=${sha}" >> $GITHUB_OUTPUT | |
| # Signing images requires image manifest digest | |
| - name: Sign images | |
| id: sign_images | |
| if: ${{ steps.image_manifest_metadata.outputs.sha != '' }} | |
| uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2 | |
| with: | |
| image_digest: ${{ steps.image_manifest_metadata.outputs.sha }} | |
| tags: ${{ env.IMAGE_TAGS }} | |
| image_registry_domain: ghcr.io | |
| registry_username: ${{ github.actor }} | |
| registry_password: ${{ secrets.GITHUB_TOKEN }} | |
| # Optional: Central notary repository for image signatures | |
| # signature_registry_domain: docker.io | |
| # signature_registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} | |
| # signature_registry_password: ${{ secrets.GHA_DOCKERHUB_PUSH_TOKEN }} | |
| # signature_registry: ${{ env.NOTARY_REPOSITORY }} | |
| release-images-provenance: | |
| needs: ["check", "build-images", "scan-images", "release-images"] | |
| if: ${{ github.ref_type == 'tag' || (github.event_name == 'push' && github.ref_name == 'master') }} | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| permissions: | |
| contents: write | |
| id-token: write # For using token to sign images | |
| actions: read # For getting workflow run info to build provenance | |
| packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues | |
| with: | |
| image: ${{ needs.release-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins | |
| digest: ${{ needs.release-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR | |
| #provenance-repository: ${{ needs.release-images.outputs.notary_repository }} | |
| secrets: | |
| registry-username: ${{ github.actor }} | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| # provenance-registry-username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }} | |
| # provenance-registry-password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }} |