From 257ae9a8c0c91af67536ed9a08e01e50647759bd Mon Sep 17 00:00:00 2001
From: cpanato
Date: Mon, 27 May 2024 12:16:48 +0200
Subject: [PATCH] add attestation
Signed-off-by: cpanato
---
 .github/workflows/release.yaml | 28 +++++++-------
 .github/workflows/reusable_build_docker.yaml | 10 ++---
 .../workflows/reusable_publish_docker.yaml | 37 ++++++++++++++-----
 3 files changed, 46 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fad067f56b8..30133788a71 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,13 +6,13 @@ on:
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
 group: ci-release
- cancel-in-progress: true
-
+ cancel-in-progress: true
+
 jobs:
 release-settings:
 runs-on: ubuntu-latest
 outputs:
- is_latest: ${{ steps.get_settings.outputs.is_latest }}
+ is_latest: ${{ steps.get_settings.outputs.is_latest }}
 bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
 steps:
 - name: Get latest release
@@ -80,14 +80,14 @@ jobs:
 arch: x86_64
 # static: ${{ matrix.static != '' && true || false }}
 version: ${{ github.event.release.tag_name }}
-
+
 test-packages-arm64:
 needs: [release-settings, build-packages-arm64]
 uses: ./.github/workflows/reusable_test_packages.yaml
 with:
 arch: aarch64
 version: ${{ github.event.release.tag_name }}
-
+
 publish-packages:
 needs: [release-settings, test-packages, test-packages-arm64]
 uses: ./.github/workflows/reusable_publish_packages.yaml
@@ -95,7 +95,7 @@ jobs:
 bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
 version: ${{ github.event.release.tag_name }}
 secrets: inherit
-
+
 # Both build-docker and its arm64 counterpart require build-packages because they use its output
 build-docker:
 needs: [release-settings, build-packages, publish-packages]
@@ -106,7 +106,7 @@ jobs:
 version: ${{ github.event.release.tag_name }}
 tag: ${{ github.event.release.tag_name }}
 secrets: inherit
-
+
 build-docker-arm64:
 needs: [release-settings, build-packages, publish-packages]
 uses: ./.github/workflows/reusable_build_docker.yaml
@@ -125,7 +125,7 @@ jobs:
 is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
 tag: ${{ github.event.release.tag_name }}
 sign: true
-
+
 release-body:
 needs: [release-settings, publish-docker]
 if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
@@ -135,7 +135,7 @@ jobs:
 steps:
 - name: Clone repo
 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
+
 - name: Extract LIBS and DRIVER versions
 run: |
 cp .github/release_template.md release-body.md
@@ -143,26 +143,26 @@ jobs:
 DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
 sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
 sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
-
+
 - name: Append release matrixes
 run: |
 sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
 sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
-
+
 - name: Generate release notes
 uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
 with:
 milestone: ${{ github.event.release.tag_name }}
 output: ./notes.md
-
+
 - name: Merge release notes to pre existent body
 run: cat notes.md >> release-body.md
-
+
 - name: Attach release creator to release body
 run: |
 echo "" >> release-body.md
 echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
-
+
 - name: Release
 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
 with:
diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
index d15382af791..450c513fe16 100644
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -20,12 +20,12 @@ on:
 required: true
 type: string
-# Here we just build all docker images as tarballs,
+# Here we just build all docker images as tarballs,
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
-# In this way, we don't need to publish any arch specific image,
+# In this way, we don't need to publish any arch specific image,
 # and this "build" workflow is actually only building images.
-permissions:
+permissions:
 contents: read
 jobs:
@@ -37,10 +37,10 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
+
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
+
 - name: Build falco image
 run: |
 cd ${{ github.workspace }}/docker/falco/
diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml
index 85ff441c2fb..82e632ecce8 100644
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -18,44 +18,49 @@ on:
 default: false
 permissions:
- id-token: write
 contents: read
-
+
 jobs:
 publish-docker:
 runs-on: ubuntu-latest
+
+ permissions:
+ attestations: write
+ id-token: write
+ contents: read
+
 steps:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
+
 - name: Download images tarballs
 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: falco-images
 path: /tmp/falco-images
-
+
 - name: Load all images
 run: |
 for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
-
+
 - name: Login to Docker Hub
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
 username: ${{ secrets.DOCKERHUB_USER }}
 password: ${{ secrets.DOCKERHUB_SECRET }}
-
+
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
 aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
-
+
 - name: Login to Amazon ECR
 id: login-ecr-public
 uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
 with:
- registry-type: public
-
+ registry-type: public
+
 - name: Setup Crane
 uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
 with:
@@ -86,7 +91,7 @@ jobs:
 inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
 images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
 push: true
-
+
 - name: Create falco-driver-loader manifest on Docker Hub
 uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
 with:
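Review bot: The new job-level `permissions` block under `runs-on: ubuntu-latest` grants `attestations: write` and `id-token: write` without saying which steps depend on them, so a later cleanup could drop the wrong grant; `id-token: write` is also what the `cosign sign` steps further down this job presumably rely on for keyless signing, so removing it would break signing as well as attestation. Suggest annotating the two lines, e.g. `# id-token: write -> OIDC token for keyless cosign signing and actions/attest-build-provenance` and `# attestations: write -> required by actions/attest-build-provenance to store provenance`. Moving the grant from workflow level to this single job is the right direction; if other jobs are ever added to this reusable workflow they now start from `contents: read` only, which is worth a one-line comment at the workflow-level `permissions:` as well.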
@@ -149,3 +154,15 @@ jobs:
 cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
 cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
 cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
+
+ - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-name: docker.io/falcosecurity/falco
+ subject-digest: ${{ steps.digests.outputs.falco }}
+ push-to-registry: true
+
+ - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+ with:
+ subject-name: docker.io/falcosecurity/falco-driver-loader
+ subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
+ push-to-registry: true
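Review bot: The two `actions/attest-build-provenance` steps have no `if:`, so they run (and push an attestation to docker.io) on every invocation of this reusable workflow, whereas the `cosign sign` step they follow is presumably gated by the workflow's `sign` input (release.yaml passes `sign: true`); if that is the case they should carry the same guard, e.g. `if: ${{ inputs.sign }}`. Coverage is also narrower than the signing right above: only the two Docker Hub references get provenance, while the `public.ecr.aws/falcosecurity/...` copies and the `-debian`/`-buster` variants that are signed get none, so a consumer pulling from ECR Public cannot verify provenance — either add matching steps per subject or state in a comment that Docker Hub is the only attested distribution point. Every other step in this file has a `name:`; add one to each, e.g. `name: Attest falco image provenance` and `name: Attest falco-driver-loader image provenance`, so failures are readable in the run log. The `run: |` block of the cosign step starts outside this hunk.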