forked from kyverno/reports-server
-
Notifications
You must be signed in to change notification settings - Fork 0
165 lines (153 loc) · 5.74 KB
/
reuse.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
name: Create Publish and Sign Docker Image for FIPS Compliance
on:
workflow_call:
inputs:
publish_command:
required: true
type: string
digest_command:
required: true
type: string
image_name:
required: true
type: string
tag:
required: true
type: string
main:
type: string
secrets:
registry_username:
required: true
registry_password:
required: true
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Detect Runner Architecture
run: |
ARCH=$(uname -m)
echo "Detected architecture: $ARCH"
echo "ARCH=$ARCH" >> $GITHUB_ENV
- name: Checkout release
if: ${{ inputs.tag == 'release'}}
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ~1.23.5
- name: Install Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Cache Go modules
uses: actions/cache@v4
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Log into ghcr.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up binfmt
uses: docker/[email protected]
- name: Install binfmt
run: |
docker run --rm --privileged tonistiigi/binfmt --install all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
id: buildx
with:
install: true
- name: Run Trivy vulnerability scanner in repo mode
if: ${{inputs.tag == 'release'}}
uses: aquasecurity/trivy-action@40c4ca9e7421287d0c5576712fdff370978f9c3c
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Set Version
if: ${{ inputs.tag == 'release'}}
run: |
echo "REPORTS_SERVER_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
- name: Generate SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
with:
version: v1
args: app -licenses -json -output ${{inputs.image_name}}-${{ env.REPORTS_SERVER_VERSION }}-bom.cdx.json -main ${{inputs.main}}
- name: Upload SBOM JSON
if: ${{inputs.tag == 'release'}}
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: ${{inputs.image_name}}-bom-cdx
path: ${{inputs.image_name}}-v*-bom.cdx.json
- name: Check branch
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
id: check-branch
run: |
if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
echo ::set-output name=match::true
fi
- name: Docker images publish
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
run: make ${{inputs.publish_command}} FIPS_ENABLED=1
- name: get image digest
if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
id: get-step-image
run: |
digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1)
echo "digest=${digest}" >> $GITHUB_ENV
- name: Docker release-images publish
if: ${{inputs.tag == 'release' }}
run: make ${{inputs.publish_command}} FIPS_ENABLED=1
- name: Clear Sigstore TUF Cache
run: |
rm -rf ~/.sigstore
- name: Get release-image digest
if: ${{ inputs.tag == 'release' }}
id: get-step
run: |
digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1 2>/dev/null || true)
if [[ -z "$digest" ]]; then
echo "Error: Unable to generate digest. Ensure the repository exists and credentials are valid." >&2
exit 1
fi
echo "digest=$digest" >> $GITHUB_ENV
echo "Digest: $digest"
- name: Debug Digest
run: |
echo "Digest: ${{ env.digest }}"
if [[ -z "${{ env.digest }}" || "${{ env.digest }}" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then
echo "Error: Digest is empty or invalid." >&2
exit 1
fi
- name: Sign release-image
if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
env:
COSIGN_EXPERIMENTAL: "true"
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
digest: ${{ env.digest }}
run: |
echo "Signing with digest: $digest"
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:$digest
- name: Attach SBOM
if: ${{inputs.tag == 'release'}}
env:
COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/sbom"
run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ env.digest }}