Skip to content

feat: ignore in_review observations for CSAF for now #329

feat: ignore in_review observations for CSAF for now

feat: ignore in_review observations for CSAF for now #329

name: Build and push dev images
on:
push:
branches:
- stackable
permissions:
id-token: write
jobs:
docker_backend_dev:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
attestations: write
id-token: write
outputs:
digest: ${{ steps.build-and-push-backend.outputs.digest }}
steps:
-
name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
-
name: Set up QEMU
uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
name: Login to Stackable Harbor
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: oci.stackable.tech
username: robot$stackable+github-action-build
password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}
-
name: Set up Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # tag=v3.3.0
-
name: Set current date as env variable
run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
-
name: Build and push backend
id: build-and-push-backend
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: .
file: ./docker/backend/prod/django/Dockerfile
platforms: linux/amd64
push: true
# Disable buildkit attestations so the pushed reference is the image
# manifest digest (not an index), which the SLSA generator requires.
provenance: false
tags: oci.stackable.tech/stackable/secobserve-backend:dev
build-args: |
CREATED=${{ env.CREATED }}
REVISION=${{ github.sha }}
VERSION=dev
-
name: Sign the published backend image
run: cosign sign -y oci.stackable.tech/stackable/secobserve-backend@${{ steps.build-and-push-backend.outputs.digest }}
provenance_backend_dev:
needs: [docker_backend_dev]
permissions:
actions: read # detect the build workflow that generated the image
id-token: write # mint the OIDC token for keyless signing
packages: write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved
# MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the
# reusable workflow cannot verify its own provenance.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
with:
image: oci.stackable.tech/stackable/secobserve-backend
digest: ${{ needs.docker_backend_dev.outputs.digest }}
registry-username: robot$stackable+github-action-build
secrets:
registry-password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}
docker_frontend_dev:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
attestations: write
id-token: write
outputs:
digest: ${{ steps.build-and-push-frontend.outputs.digest }}
steps:
-
name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
-
name: Set up QEMU
uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
name: Login to Stackable Harbor
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: oci.stackable.tech
username: robot$stackable+github-action-build
password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}
- name: Set up Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # tag=v3.3.0
-
name: Set current date as env variable
run: echo "CREATED=$(date +'%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
-
name: Build and push frontend
id: build-and-push-frontend
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: .
file: ./docker/frontend/prod/Dockerfile
platforms: linux/amd64
push: true
# Disable buildkit attestations so the pushed reference is the image
# manifest digest (not an index), which the SLSA generator requires.
provenance: false
tags: oci.stackable.tech/stackable/secobserve-frontend:dev
build-args: |
CREATED=${{ env.CREATED }}
REVISION=${{ github.sha }}
VERSION=dev
-
name: Sign the published frontend image
run: cosign sign -y oci.stackable.tech/stackable/secobserve-frontend@${{ steps.build-and-push-frontend.outputs.digest }}
provenance_frontend_dev:
needs: [docker_frontend_dev]
permissions:
actions: read # detect the build workflow that generated the image
id-token: write # mint the OIDC token for keyless signing
packages: write # needed until https://github.com/slsa-framework/slsa-github-generator/issues/1257 is resolved
# MUST be referenced by a @vX.Y.Z tag (not a SHA), otherwise the
# reusable workflow cannot verify its own provenance.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
with:
image: oci.stackable.tech/stackable/secobserve-frontend
digest: ${{ needs.docker_frontend_dev.outputs.digest }}
registry-username: robot$stackable+github-action-build
secrets:
registry-password: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }}