feat: use docker buildx to create attestation files.

Updates the Github workflow to use the Docker buildx to generate the SLSA attestation and SBOM files. Furthermore, the previous workflow used to generate the SBOM files has been updated to download the data from the container registry and upload them to the release page as it does before. Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
kubewarden · Oct 10, 2024 · 5be4f40 · 5be4f40
1 parent 7c28dee
commit 5be4f40
Show file tree

Hide file tree

Showing 7 changed files with 310 additions and 137 deletions.
diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml
@@ -0,0 +1,138 @@
+name: Sign attestation files
+
+on:
+  workflow_call:
+    inputs:
+      image-digest:
+        type: string
+        required: true
+
+jobs:
+  sbom:
+    name: Fetch, sign and verify SBOM and provenance files
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    permissions:
+      packages: write
+      id-token: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      - name: Install the crane command
+        uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify container image signature
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/container-image.yml@${{ github.ref }}" \
+            ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ inputs.image-digest }}
+
+      - name: Find platform digest
+        shell: bash
+        run: |
+          set -e
+          DIGEST=$(crane digest \
+            --platform "linux/${{ matrix.arch }}" \
+            ghcr.io/${{ github.repository_owner }}/audit-scanner@${{ inputs.image-digest }})
+          echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Find attestation digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }} \
+            | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
+          )
+          echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign attestation manifest
+        run: |
+          cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}}
+
+      - name: Find provenance manifest digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
+            jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
+          echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign provenance manifest
+        run: |
+          cosign sign --yes \
+          ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}}
+
+      - name: Find SBOM manifest layers digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
+            jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
+          echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign SBOM layers
+        run: |
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@$sbom_digest
+          done
+
+      - name: Verify SBOM layers
+        run: |
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            cosign verify \
+              --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+              --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+              ghcr.io/${{github.repository_owner}}/audit-scanner@$sbom_digest
+          done
+
+      - name: Download provenance and SBOM files
+        run: |
+          set -e
+          crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@${{ env.PROVENANCE_DIGEST}} > audit-scanner-attestation-${{ matrix.arch }}-provenance.json
+          md5sum audit-scanner-attestation-${{ matrix.arch }}-provenance.json >> audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+
+
+          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
+            crane blob ghcr.io/${{github.repository_owner}}/audit-scanner@$sbom_digest > audit-scanner-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json
+            md5sum audit-scanner-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json >> audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+          done
+            
+      - name: Sign checksum file
+        run: |
+          cosign sign-blob --yes \
+            --bundle audit-scanner-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+            
+          cosign verify-blob \
+            --bundle audit-scanner-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/attestation.yml@${{ github.ref }}" \
+            audit-scanner-attestation-${{ matrix.arch }}-checksum.txt
+
+      - name: Upload SBOMs as artifacts
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: attestation-${{ matrix.arch }}
+          path: audit-scanner-attestation-${{ matrix.arch }}*
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -15,23 +15,15 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/container-image.yml
-    permissions:
-      packages: write
-    with:
-      push-image: true
-
-  sign:
-    needs: build
-    uses: ./.github/workflows/sign-image.yml
     permissions:
       packages: write
       id-token: write
     with:
-      image-digest: ${{ needs.build.outputs.digest }}
+      push-image: true
 
   sbom:
     needs: build
-    uses: ./.github/workflows/sbom.yml
+    uses: ./.github/workflows/attestation.yml
     permissions:
       packages: write
       id-token: write

diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
@@ -25,6 +25,7 @@ jobs:
     name: Build container image
     permissions:
       packages: write
+      id-token: write
     runs-on: ubuntu-latest
     outputs:
       repository: ${{ steps.setoutput.outputs.repository }}
@@ -65,8 +66,22 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64, linux/arm64
           push: true
+          sbom: true
+          provenance: mode=max
           tags: |
             ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}
+
+      - name: Sign container image
+        if: ${{ inputs.push-image }}
+        run: |
+          cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/${{github.repository_owner}}/audit-scanner/.github/workflows/container-image.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/audit-scanner@${{ inputs.image-digest }}
+
       - # Only build amd64 because buildx does not allow multiple platforms when
         # exporting the image to a tarball. As we use this only for end-to-end tests
         # and they run on amd64 arch, let's skip the arm64 build for now.
@@ -77,15 +92,19 @@ jobs:
           context: .
           file: ./Dockerfile
           platforms: linux/amd64
+          sbom: true
+          provenance: mode=max
           outputs: type=docker,dest=/tmp/audit-scanner-image-${{ env.TAG_NAME }}.tar
           tags: |
             ghcr.io/${{github.repository_owner}}/audit-scanner:${{ env.TAG_NAME }}
+
       - name: Upload container image to use in other jobs
         if: ${{ inputs.push-image == false }}
         uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
           name: audit-scanner-image-${{ env.TAG_NAME }}
           path: /tmp/audit-scanner-image-${{ env.TAG_NAME }}.tar
+
       - id: setoutput
         name: Set output parameters
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,6 +34,7 @@ jobs:
       - name: Generate CRDs
         run: |
           tar -czf CRDS.tar.gz -C config/crd $(ls config/crd)
+
       - name: Upload CRDs as artifacts
         uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
         with:
@@ -92,10 +93,10 @@ jobs:
             }
             core.setFailed(`Draft release not found`)
 
-      - name: Download SBOM artifacts
+      - name: Download attestation artifacts
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          pattern: sbom-*
+          pattern: attestation-*
           path: ./
           merge-multiple: true
 
@@ -109,6 +110,12 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R
 
+      - name: Create tarball for the attestation files
+        run: |
+          for arch in "amd64" "arm64"; do
+            tar -czf attestation-$arch.tar.gz $(ls audit-scanner-attestation-$arch-*)
+          done
+
       - name: Upload release assets
         id: upload_release_assets
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -118,12 +125,8 @@ jobs:
             let path = require('path');
 
             let files = [
-              'audit-scanner-sbom-amd64.spdx',
-              'audit-scanner-sbom-amd64.spdx.cert',
-              'audit-scanner-sbom-amd64.spdx.sig',
-              'audit-scanner-sbom-arm64.spdx',
-              'audit-scanner-sbom-arm64.spdx.cert',
-              'audit-scanner-sbom-arm64.spdx.sig',
+              'attestation-amd64.tar.gz',
+              'attestation-arm64.tar.gz',
               "CRDS.tar.gz"]
             const {RELEASE_ID} = process.env
 

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml