init

GoogleCloudPlatform · Mar 16, 2023 · c9767ae · c9767ae
commit c9767ae
Show file tree

Hide file tree

Showing 1,257 changed files with 1,280,354 additions and 0 deletions.
diff --git a/.codecov.yaml b/.codecov.yaml
@@ -0,0 +1,6 @@
+coverage:
+  precision: 2
+  range:
+  - 10.0
+  - 70.0
+  round: up
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: "gomod"
+  directory: "/"
+  schedule:
+    interval: "daily"
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,95 @@
+name: build-image
+
+on:
+  workflow_call:
+    inputs:
+      image_repo:
+        description: 'Fully-qualified image repo (registry/project/repo)'
+        required: true
+        type: string
+      image_name:
+        description: 'Image name (e.g. my-image)'
+        required: true
+        type: string
+      auth_provider:
+        description: 'OIDC provider ID'
+        required: true
+        type: string
+      auth_user:
+        description: 'OIDC user ID'
+        required: true
+        type: string
+      go_version:
+        description: 'Go version to use'
+        required: false
+        type: string
+        default: '1.20.1'
+    outputs:
+      digest:
+        value: ${{ jobs.build.outputs.digest }}
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    outputs:
+      digest: ${{ steps.image.outputs.digest }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+
+    - name: Checkout Code
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
+
+    - name: Get Version
+      run: |-
+        set -euo pipefail
+        echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+        echo "CURRENT_DATE=$(date '+%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
+        echo "RELEASE_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
+
+    - id: auth
+      name: Auth GCP
+      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d  # v1.0.0
+      with:
+        token_format: "access_token"
+        workload_identity_provider: ${{ inputs.auth_provider }}
+        service_account: ${{ inputs.auth_user }}
+
+    - name: Define Metadata
+      id: meta
+      uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96  # v4.3.0
+      with:
+        images: |
+          ${{ inputs.image_repo }}/${{ inputs.image_name }}
+        tags: |
+          type=raw,enable=true,value=${{ env.RELEASE_VERSION }}
+          type=raw,enable=true,value=${{ env.RELEASE_COMMIT }}
+          type=raw,enable=true,value=latest
+
+    - name: Registry Auth
+      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2.1.0
+      with:
+        registry: ${{ inputs.image_repo }}
+        username: oauth2accesstoken
+        password: ${{ steps.auth.outputs.access_token }}
+
+    - name: Image Push
+      id: push
+      uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671  # v4.0.0
+      with:
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        build-args: |
+          VERSION=${{ env.RELEASE_VERSION }}
+          COMMIT=${{ env.RELEASE_COMMIT }}
+          DATE=${{ env.CURRENT_DATE }}
+
+    - name: Export Digest
+      id: image
+      run: |
+        echo "digest=${{ inputs.image_repo }}/${{ inputs.image_name }}@${{ steps.push.outputs.digest }}" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/import.yaml b/.github/workflows/import.yaml
@@ -0,0 +1,65 @@
+name: import-vulnerabilities
+
+on:
+  workflow_call:
+    inputs:
+      image_digest:
+        description: 'Fully-qualified image uri (repo/image@digest)'
+        required: true
+        type: string
+      auth_provider:
+        description: 'OIDC provider ID'
+        required: true
+        type: string
+      auth_user:
+        description: 'OIDC user ID'
+        required: true
+        type: string
+      target_project:
+        description: 'Target project ID where vulnerability scan will be imported'
+        required: true
+        type: string
+      report_path:
+        description: 'Path to vulnerability scan report'
+        type: string
+        default: 'report.json'
+
+permissions:
+  contents: read
+
+jobs:
+  import:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+
+    - name: Checkout Code
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
+
+    - id: auth
+      name: Auth GCP
+      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d  # v1.0.0
+      with:
+        token_format: "access_token"
+        workload_identity_provider: ${{ inputs.auth_provider }}
+        service_account: ${{ inputs.auth_user }}
+
+    - id: scan
+      name: Vulnerability Scan
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ inputs.image_digest }}
+        scanners: vuln
+        format: json
+        output: ${{ inputs.report_path }}
+        timeout: 5m
+        hide-progress: true
+
+    - uses: GoogleCloudPlatform/aactl@main
+      with:
+        project: ${{ inputs.target_project }}
+        digest: ${{ inputs.image_digest }}
+        file: ${{ inputs.report_path }}
+        format: trivy
diff --git a/.github/workflows/on-push-test.yaml b/.github/workflows/on-push-test.yaml
@@ -0,0 +1,21 @@
+name: push-test
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    uses: ./.github/workflows/test.yaml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      go-version: ^1.20.1
+      scan-severity: 'CRITICAL,HIGH,MEDIUM'
diff --git a/.github/workflows/on-tag-cli.yaml b/.github/workflows/on-tag-cli.yaml
@@ -0,0 +1,114 @@
+name: tag-cli
+on:
+  push:
+    tags:
+    - 'v[0-9]+.[0-9]+.[0-9]+'  # Only build tag with semantic versioning format
+
+permissions:
+  contents: read
+
+jobs:
+
+  test:
+    uses: ./.github/workflows/test.yaml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      go-version: ^1.20.1
+      scan-severity: 'CRITICAL,HIGH,MEDIUM'
+
+  release:
+    outputs:
+      hashes: ${{ steps.checksum.outputs.hashes }}
+    runs-on: ubuntu-latest
+    needs:
+    - test
+    permissions:
+      contents: write
+    steps:
+    - name: Setup Go
+      uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568  # v3.5.0
+      with:
+        go-version: ^1.20.1
+    - run: go version
+    - name: Cache Go Modules
+      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+    - name: Checkout Code
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
+    - name: Prune Git History
+      run: git fetch --prune --unshallow
+    - name: Install Syft
+      uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479  # v0.13.3
+      with:
+        version: v0.13.1
+    - name: Build CLI
+      uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b  # v4.2.0
+      id: releaser
+      with:
+        distribution: goreleaser
+        version: latest
+        args: release --clean
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+    - name: Gen Hashes
+      id: checksum
+      env:
+        ARTIFACTS: "${{ steps.releaser.outputs.artifacts }}"
+      run: |
+        set -euo pipefail
+        checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+        echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs:
+    - release
+    permissions:
+      actions: read    # To read the workflow path.
+      id-token: write  # To sign the provenance.
+      contents: write  # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
+      compile-generator: true
+
+  verify:
+    env:
+      ATT_FILE_NAME: "multiple.intoto.jsonl"
+    needs:
+    - release
+    - provenance
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Install SLSA Verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@a43888265e1f6aae98c924538298944f2721dcf0  # v2.0.1
+      - name: Download Assets
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "aactl*"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
+      - name: Verify Assets
+        env:
+          CHECKSUMS: ${{ needs.release.outputs.hashes }}
+        run: |
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              artifact=$(echo $line | cut -d ' ' -f2)
+              slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
+                                            --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                            --source-tag "$GITHUB_REF_NAME" \
+                                            "$artifact"
+          done <<<"$checksums"