Merge pull request #168 from alanjino/main

cosign implemented in capten repo

.github/workflows/agent-docker-image-pr.yml

@@ -0,0 +1,52 @@
+name: Agent Docker Image CI - PR
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE: ${{ github.repository }}/agent
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+            fetch-depth: 0
+
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - uses: docker/setup-buildx-action@v1
+        name: Set up Docker Buildx
+
+      -
+        name: Login to ghcr registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      -
+        name: Build and push on PR
+        uses: docker/build-push-action@v4
+        if: github.event_name == 'pull_request'
+        with:
+          context: .
+          file: ./dockerfiles/agent/Dockerfile
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:pr-${{ github.event.pull_request.number }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
+  

.github/workflows/agent-docker-image-release.yml

@@ -0,0 +1,59 @@
+name: Agent Docker Image CI release
+on:
+  push:
+    tags:
+      - "v*.*.*"
+jobs:
+  push_to_registry:
+    name: Build and push Docker image github container registry.
+    runs-on: ubuntu-20.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: read
+      actions: read
+      security-events: write
+    env:
+      REGISTRY: ghcr.io
+      GH_URL: https://github.com
+      IMAGE: ${{ github.repository }}/agent
+    steps:
+      - name: Set environment variable
+        run: |
+          echo "RELEASE_VERSION=${GITHUB_REF:10}" >> $GITHUB_ENV
+      - name: Test environment variable
+        run: echo ${{ env.RELEASE_VERSION }}
+      - name: Check out GitHub repo
+        uses: actions/checkout@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build image and push to GitHub Container Registry
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          context: ./
+          file: ./dockerfiles/agent/Dockerfile
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.RELEASE_VERSION }}
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+      - name: Sign the images
+        run: |
+          cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.RELEASE_VERSION }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Verify the pushed tags
+        run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.RELEASE_VERSION }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/agent-docker-image-release.yml@refs/tags/${{ env.RELEASE_VERSION }}  --certificate-oidc-issuer https://token.actions.githubusercontent.com
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          image-ref: '.'
+          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT

.github/workflows/agent-docker-image.yml

@@ -7,17 +7,13 @@ on:
       - 'charts/**'
     branches:
       - 'main'
-    tags:
-      - 'v*.*.*'
-  pull_request:
-    branches:
-      - 'main'
 
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE: ${{ github.repository }}/agent
+  GH_URL: https://github.com
 
 jobs:
   build:
@@ -63,22 +59,30 @@ jobs:
         with:
           context: .
           file: ./dockerfiles/agent/Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
           labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            "GITHUB_TOKEN=${{ secrets.TOKEN }}"
+
+          push: true
 
-      -
-        name: Build and push on PR
-        uses: docker/build-push-action@v4
-        if: github.event_name == 'pull_request'
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Sign the images
+        run: |
+          cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Verify the pushed tags
+        run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/agent-docker-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@master
         with:
-          context: .
-          file: ./dockerfiles/agent/Dockerfile
-          push: true
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:pr-${{ github.event.pull_request.number }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            "GITHUB_TOKEN=${{ secrets.TOKEN }}"
-  
+          scan-type: 'fs'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          image-ref: '.'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/climon-docker-image-pr.yml

@@ -0,0 +1,53 @@
+name: Climon Docker Image CI - PR
+
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE: ${{ github.repository }}/climon
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+        with:
+            fetch-depth: 0
+
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - uses: docker/setup-buildx-action@v1
+        name: Set up Docker Buildx
+
+      -
+        name: Login to ghcr registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      -
+        name: Build and push on PR
+        uses: docker/build-push-action@v4
+        if: github.event_name == 'pull_request'
+        with:
+          context: .
+          file: ./dockerfiles/climon/Dockerfile
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:pr-${{ github.event.pull_request.number }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
+

.github/workflows/climon-docker-image-release.yml

@@ -0,0 +1,59 @@
+name: Climon Docker Image CI release
+on:
+  push:
+    tags:
+      - "v*.*.*"
+jobs:
+  push_to_registry:
+    name: Build and push Docker image github container registry.
+    runs-on: ubuntu-20.04
+    permissions:
+      packages: write
+      id-token: write
+      contents: read
+      actions: read
+      security-events: write
+    env:
+      REGISTRY: ghcr.io
+      GH_URL: https://github.com
+      IMAGE: ${{ github.repository }}/climon
+    steps:
+      - name: Set environment variable
+        run: |
+          echo "RELEASE_VERSION=${GITHUB_REF:10}" >> $GITHUB_ENV
+      - name: Test environment variable
+        run: echo ${{ env.RELEASE_VERSION }}
+      - name: Check out GitHub repo
+        uses: actions/checkout@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build image and push to GitHub Container Registry
+        uses: docker/build-push-action@v4
+        with:
+          push: true
+          context: ./
+          file: ./dockerfiles/climon/Dockerfile
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.RELEASE_VERSION }}
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+      - name: Sign the images
+        run: |
+          cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.RELEASE_VERSION }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Verify the pushed tags
+        run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.RELEASE_VERSION }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/climon-docker-image-release.yml@refs/tags/${{ env.RELEASE_VERSION }}  --certificate-oidc-issuer https://token.actions.githubusercontent.com
+        env:
+          COSIGN_EXPERIMENTAL: 1
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          image-ref: '.'
+          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT

.github/workflows/climon-docker-image.yml

@@ -8,17 +8,13 @@ on:
       - 'charts/**'
     branches:
       - 'main'
-    tags:
-      - 'v*.*.*'
-  pull_request:
-    branches:
-      - 'main'
 
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE: ${{ github.repository }}/climon
+  GH_URL: https://github.com
 
 jobs:
   build:
@@ -64,22 +60,30 @@ jobs:
         with:
           context: .
           file: ./dockerfiles/climon/Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
           labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            "GITHUB_TOKEN=${{ secrets.TOKEN }}"
-
-      -
-        name: Build and push on PR
-        uses: docker/build-push-action@v4
-        if: github.event_name == 'pull_request'
-        with:
-          context: .
-          file: ./dockerfiles/climon/Dockerfile
+
           push: true
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:pr-${{ github.event.pull_request.number }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            "GITHUB_TOKEN=${{ secrets.TOKEN }}"
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Sign the images
+        run: |
+          cosign sign -y ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Verify the pushed tags
+        run: cosign verify ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/climon-docker-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'github'
+          output: 'dependency-results.sbom.json'
+          image-ref: '.'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}