From 7d5db0d13a034e86c2e9470d008069acba1679a7 Mon Sep 17 00:00:00 2001 From: Radoslav Dimitrov Date: Tue, 5 Mar 2024 21:53:47 +0200 Subject: [PATCH] Add example workflows and make targets for demo-repo-go (#23) * Update gitignore Signed-off-by: Radoslav Dimitrov * Add the workflows, makefiles and everything else Signed-off-by: Radoslav Dimitrov --------- 
Signed-off-by: Radoslav Dimitrov --- .github/dependabot.yml | 7 -- .../build-binary-signed-ghat-malicious.yml | 39 ++++++++ .../workflows/build-binary-signed-ghat.yml | 35 +++++++ .github/workflows/build-binary-unsigned.yml | 35 +++++++ .../build-image-signed-cosign-malicious.yml | 64 +++++++++++++ ...uild-image-signed-cosign-static-copied.yml | 57 ++++++++++++ .../build-image-signed-cosign-static.yml | 57 ++++++++++++ .../workflows/build-image-signed-cosign.yml | 60 ++++++++++++ .../build-image-signed-ghat-malicious.yml | 41 +++++++++ .../build-image-signed-ghat-static-copied.yml | 38 ++++++++ .../build-image-signed-ghat-static.yml | 38 ++++++++ .github/workflows/build-image-signed-ghat.yml | 37 ++++++++ .github/workflows/build-image-unsigned.yml | 59 ++++++++++++ .github/workflows/build.yml | 91 ------------------- .github/workflows/main.yml | 35 ------- .gitignore | 12 +++ Dockerfile.static | 1 + Makefile | 55 +++++++++++ README.md | 35 +++++-- go.mod | 2 +- 20 files changed, 655 insertions(+), 143 deletions(-) delete mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/build-binary-signed-ghat-malicious.yml create mode 100644 .github/workflows/build-binary-signed-ghat.yml create mode 100644 .github/workflows/build-binary-unsigned.yml create mode 100644 .github/workflows/build-image-signed-cosign-malicious.yml create mode 100644 .github/workflows/build-image-signed-cosign-static-copied.yml create mode 100644 .github/workflows/build-image-signed-cosign-static.yml create mode 100644 .github/workflows/build-image-signed-cosign.yml create mode 100644 .github/workflows/build-image-signed-ghat-malicious.yml create mode 100644 .github/workflows/build-image-signed-ghat-static-copied.yml create mode 100644 .github/workflows/build-image-signed-ghat-static.yml create mode 100644 .github/workflows/build-image-signed-ghat.yml create mode 100644 .github/workflows/build-image-unsigned.yml delete mode 100644 .github/workflows/build.yml delete mode 100644 
.github/workflows/main.yml create mode 100644 Dockerfile.static create mode 100644 Makefile diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index cde08643..00000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,7 +0,0 @@ -version: 2 -updates: - - package-ecosystem: "gomod" - directory: "/" - schedule: - interval: "daily" - open-pull-requests-limit: 10 diff --git a/.github/workflows/build-binary-signed-ghat-malicious.yml b/.github/workflows/build-binary-signed-ghat-malicious.yml new file mode 100644 index 00000000..9c26d8db --- /dev/null +++ b/.github/workflows/build-binary-signed-ghat-malicious.yml @@ -0,0 +1,39 @@ +name: binary-signed-ghat-malicious + +on: + workflow_dispatch: + +jobs: + build: + permissions: + id-token: write + packages: write + contents: write + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: The malicious step + run: | + echo "// This is a malicious update" >> main.go + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.21' + + - name: Run Go build + run: | + go build -v -o demo-repo-go-binary ./... + + - name: Sign artifact + uses: github-early-access/generate-build-provenance@main + with: + subject-path: '${{ github.workspace }}/demo-repo-go-binary' + + - name: Upload artifact + uses: actions/upload-artifact@v3 + with: + name: demo-repo-go-binary + path: demo-repo-go-binary diff --git a/.github/workflows/build-binary-signed-ghat.yml b/.github/workflows/build-binary-signed-ghat.yml new file mode 100644 index 00000000..d003555f --- /dev/null +++ b/.github/workflows/build-binary-signed-ghat.yml 
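Review bot: The attestation step `uses: github-early-access/generate-build-provenance@main` floats on a mutable branch, so the very action that produces the provenance for this binary can change underneath the workflow without any change here; pin it to a commit SHA the way the image workflows pin checkout/login/build-push, e.g. `uses: github-early-access/generate-build-provenance@<commit-sha> # <version>`. `actions/upload-artifact@v3` is likewise a floating tag. `packages: write` appears unused in this job since nothing in it talks to a registry and can be dropped; whether the early-access attestation action requires `contents: write` is not visible here, so confirm against its README before narrowing that one.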
@@ -0,0 +1,35 @@ +name: binary-signed-ghat + +on: + workflow_dispatch: + +jobs: + build: + permissions: + id-token: write + packages: write + contents: write + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.21' + + - name: Run Go build + run: | + go build -v -o demo-repo-go-binary ./... + + - name: Sign artifact + uses: github-early-access/generate-build-provenance@main + with: + subject-path: '${{ github.workspace }}/demo-repo-go-binary' + + - name: Upload artifact + uses: actions/upload-artifact@v3 + with: + name: demo-repo-go-binary + path: demo-repo-go-binary diff --git a/.github/workflows/build-binary-unsigned.yml b/.github/workflows/build-binary-unsigned.yml new file mode 100644 index 00000000..8090ab48 --- /dev/null +++ b/.github/workflows/build-binary-unsigned.yml @@ -0,0 +1,35 @@ +name: binary-unsigned + +on: + workflow_dispatch: + +jobs: + build: + permissions: + id-token: write + packages: write + contents: write + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version: '1.21' + + - name: Run Go build + run: | + go build -v -o demo-repo-go-binary ./... + +# - name: Sign artifact +# uses: github-early-access/generate-build-provenance@main +# with: +# subject-path: '${{ github.workspace }}/demo-repo-go-binary' + + - name: Upload artifact + uses: actions/upload-artifact@v3 + with: + name: demo-repo-go-binary + path: demo-repo-go-binary diff --git a/.github/workflows/build-image-signed-cosign-malicious.yml b/.github/workflows/build-image-signed-cosign-malicious.yml new file mode 100644 index 00000000..947c8573 --- /dev/null +++ b/.github/workflows/build-image-signed-cosign-malicious.yml 
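Review bot: `go build -v -o demo-repo-go-binary ./...` writes a single output file from a `./...` pattern, which `go build` rejects ("cannot write multiple packages to non-directory") as soon as the module contains more than one package; it only works today because there is presumably a single package at the root. Building the root package explicitly, `go build -v -o demo-repo-go-binary .`, produces the same binary and does not break when a helper package is added. The same pattern appears in the other binary workflows and in the Makefile targets.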
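Review bot: The job keeps `id-token: write`, `packages: write` and `contents: write` even though the only step that needed an OIDC token, the attestation step, is commented out; a job that just checks out, builds and uploads an artifact needs no more than `contents: read`. Replace the block with `permissions:` / `contents: read` so the unsigned baseline is also the least-privileged variant. If the commented-out step is meant as a marker, a one-line `# Signing deliberately omitted: this workflow produces the unsigned baseline` reads better than the dead block.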
@@ -0,0 +1,64 @@ +name: image-signed-cosign(latest,daily)-malicious +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: The malicious step + run: | + echo "// This is a malicious update" >> main.go + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST} + echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST} 
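Review bot: The sign step runs `cosign sign` twice against the same `${DIGEST}`, once through the `:daily` reference and once through `:latest`; signatures are attached to the digest, so the second call only adds a duplicate signature (and, for a public repository, a duplicate transparency-log entry). A single `cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${DIGEST}"` covers every tag pointing at that digest and also uses the `env.REGISTRY`/`env.IMAGE_NAME` values this workflow defines instead of hard-coding `ghcr.io/`. The `meta` step's labels are applied but its tags are ignored in favour of the fixed `latest`/`daily` pair, which is presumably intentional for the demo.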
diff --git a/.github/workflows/build-image-signed-cosign-static-copied.yml b/.github/workflows/build-image-signed-cosign-static-copied.yml new file mode 100644 index 00000000..962bac07 --- /dev/null +++ b/.github/workflows/build-image-signed-cosign-static-copied.yml @@ -0,0 +1,57 @@ +name: image-signed-cosign(static)-copied +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/build-image-signed-cosign-static.yml b/.github/workflows/build-image-signed-cosign-static.yml new file mode 100644 index 00000000..3d3eb827 --- /dev/null 
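Review bot: Apart from `name:`, this file is identical to `build-image-signed-cosign-static.yml`; if the intent is to show a second, separately named workflow identity signing the same digest-stable image, state that at the top so the duplicate is not removed as a copy-paste leftover, e.g. `# Deliberate copy of build-image-signed-cosign-static.yml: a second workflow identity signing the same reproducible digest.` The `Extract Docker metadata` step is unused here, since the build step hard-codes its tag and passes no `labels:`, and can be dropped.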
+++ b/.github/workflows/build-image-signed-cosign-static.yml @@ -0,0 +1,57 @@ +name: image-signed-cosign(static) +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/build-image-signed-cosign.yml b/.github/workflows/build-image-signed-cosign.yml new file mode 100644 index 00000000..036b1562 --- /dev/null +++ b/.github/workflows/build-image-signed-cosign.yml 
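Review bot: The `Extract Docker metadata` step (`id: meta`) is dead in this workflow: neither `steps.meta.outputs.tags` nor `steps.meta.outputs.labels` is referenced, the build step hard-codes `tags: ghcr.io/${{ github.repository }}:static` and passes no labels. Either remove the step or wire in `labels: ${{ steps.meta.outputs.labels }}` as the `latest,daily` workflows do. Also `file : Dockerfile.static` is valid YAML, but the space before the colon is unusual; `file: Dockerfile.static` matches the rest of the file.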
@@ -0,0 +1,60 @@ +name: image-signed-cosign(latest,daily) +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST} + echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/build-image-signed-ghat-malicious.yml b/.github/workflows/build-image-signed-ghat-malicious.yml new file mode 100644 index 00000000..0921ea9c --- /dev/null +++ b/.github/workflows/build-image-signed-ghat-malicious.yml 
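Review bot: The build step is guarded with `push: ${{ github.event_name != 'pull_request' }}` but the signing step is not, so if a `pull_request` trigger is ever added the sign step would run with an empty `DIGEST` (the image was not pushed) and fail or sign the wrong reference. The deleted `build.yml` carried the matching `if: ${{ github.event_name != 'pull_request' }}` on its sign step; keep that here, or drop the conditional on `push:` altogether since this workflow is `workflow_dispatch`-only and the guard is currently inert.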
@@ -0,0 +1,41 @@ +name: image-signed-ghat(latest)-malicious +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: The malicious step + run: | + make build-malicious-image + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:latest + context: . + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true \ No newline at end of file diff --git a/.github/workflows/build-image-signed-ghat-static-copied.yml b/.github/workflows/build-image-signed-ghat-static-copied.yml new file mode 100644 index 00000000..d03734e2 --- /dev/null +++ b/.github/workflows/build-image-signed-ghat-static-copied.yml 
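Review bot: `make build-malicious-image` performs a full `docker build` on the runner purely as a side effect of appending a line to `main.go`, tagging it with the Makefile's hard-coded `IMAGE_NAME` default (`ghcr.io/stacklok/...`) regardless of which fork runs the workflow; the `build-push-action` step then rebuilds the same context anyway. The binary counterpart mutates the source directly, so for consistency and a faster demo this step can be `run: echo "// This is a malicious update" >> main.go`. If exercising the Make target in CI is the point, a comment saying so would stop a reader from treating the double build as an accident.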
@@ -0,0 +1,38 @@ +name: image-signed-ghat(static)-copied +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/build-image-signed-ghat-static.yml b/.github/workflows/build-image-signed-ghat-static.yml new file mode 100644 index 00000000..bfc3eac1 --- /dev/null +++ b/.github/workflows/build-image-signed-ghat-static.yml 
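Review bot: Apart from `name:`, this file duplicates `build-image-signed-ghat-static.yml`; if it exists to show a second workflow identity attesting the same digest-stable image, a header comment saying so, e.g. `# Deliberate copy of build-image-signed-ghat-static.yml: a second workflow identity attesting the same reproducible digest.`, keeps it from being cleaned up as a stray copy. The attestation action is referenced as `@main` while every other action here is SHA-pinned; pinning it to a commit keeps the provenance producer itself from changing under the demo.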
@@ -0,0 +1,38 @@ +name: image-signed-ghat(static) +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/build-image-signed-ghat.yml b/.github/workflows/build-image-signed-ghat.yml new file mode 100644 index 00000000..0edc6b6d --- /dev/null +++ b/.github/workflows/build-image-signed-ghat.yml 
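Review bot: `file : Dockerfile.static` is valid YAML but the space before the colon is inconsistent with the rest of the file; `file: Dockerfile.static` is the conventional form. The job also grants `contents: write` although the only repository access visible here is the checkout; whether the early-access attestation action needs write access to store attestations is not visible from this file, so confirm against its README and otherwise reduce it to `contents: read`.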
@@ -0,0 +1,37 @@ +name: image-signed-ghat(latest) +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:latest + context: . + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true \ No newline at end of file diff --git a/.github/workflows/build-image-unsigned.yml b/.github/workflows/build-image-unsigned.yml new file mode 100644 index 00000000..255ccb2c --- /dev/null +++ b/.github/workflows/build-image-unsigned.yml 
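Review bot: `uses: github-early-access/generate-build-provenance@main` is the only unpinned action in this workflow, and it is the one that produces and pushes the attestation, so a change on that branch silently changes what gets attested and how; pin it to a commit SHA with a version comment like the checkout, login and build-push steps. For the same reason it is worth a comment next to `push-to-registry: true` noting that the attestation is written to GHCR alongside the image, since that is what ties the `packages: write` permission to this step as well as to the push.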
@@ -0,0 +1,59 @@ +name: image-unsigned(latest,daily) +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + +# - name: Install Cosign +# uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 +# with: +# cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + +# - name: Sign the published Docker image +# env: +# DIGEST: ${{ steps.build-and-push.outputs.digest }} +# run: | +# echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST} +# echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 03554208..00000000 --- a/.github/workflows/build.yml +++ /dev/null 
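Review bot: `id-token: write` is still granted although both cosign steps are commented out, so this job mints no OIDC token but keeps the ability to; drop it so the unsigned baseline is also the least-privileged one, leaving `permissions:` / `contents: read` / `packages: write`. The two commented-out blocks can go as well, or be replaced by a single `# Deliberately unsigned: baseline for comparison with the signed variants`. As in the signed sibling, `push:` is conditional on the event but the workflow is `workflow_dispatch`-only, so the guard is inert.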
@@ -1,91 +0,0 @@ -name: Docker -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -on: - workflow_dispatch: - schedule: - - cron: '15 12 * * *' - push: - branches: ["main"] - # Publish semver tags as releases. - tags: ['v*.*.*'] - pull_request: - branches: ["main"] -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} -jobs: - build: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - steps: - - name: Checkout repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 - with: - cosign-release: 'v2.1.1' - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # Build and push Docker image with 
Buildx (don't push on PR) - # https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - name: generate build provenance - if: ${{ github.event_name != 'pull_request' }} - uses: github-early-access/generate-build-provenance@main - with: - subject-name: ${{ steps.meta.outputs.tags }} - subject-digest: ${{ steps.build-and-push.outputs.digest }} - push-to-registry: false - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable - TAGS: ${{ steps.meta.outputs.tags }} - DIGEST: ${{ steps.build-and-push.outputs.digest }} - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index 88d2e2b9..00000000 --- a/.github/workflows/main.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: build-binary - -on: - workflow_dispatch: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - -jobs: - build: - permissions: - id-token: write - packages: write - contents: write - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: '1.21' - - name: Run Go build - run: | - go build -v -o demo-go ./... - - name: Sign artifact - uses: github-early-access/generate-build-provenance@main - with: - subject-path: '${{ github.workspace }}/demo-go' - - name: Upload artifact - uses: actions/upload-artifact@v3 - with: - name: demo-go-binary - path: demo-go diff --git a/.gitignore b/.gitignore index 3b735ec4..9c45ba69 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,15 @@ # Go workspace file go.work + +# Filter out key files +*.key +*.pem +*.crt +*.csr +*.pub +*.base64 +*.sig + +.idea/ +demo-go-binary diff --git a/Dockerfile.static b/Dockerfile.static new file mode 100644 index 00000000..bf60eca5 --- /dev/null +++ b/Dockerfile.static @@ -0,0 +1 @@ +FROM golang:1.21.6@sha256:0c22572a0b01ce93bb9d1f0bea2f198b6b827225a194a1f3a185d0fd4b4513b7 diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..aa552520 --- /dev/null +++ b/Makefile 
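Review bot: `Dockerfile.static` is a single `FROM golang:1.21.6@sha256:…` line, so the "static" image contains none of this repository's code; it is the digest-pinned base image re-tagged, which is presumably what makes every build of it yield the same digest. That is fine for a demo of re-signing an unchanged artifact but is easy to misread as a statically linked Go build, so a comment such as `# Intentionally only a digest-pinned base image: every build yields the same digest, so the *-static workflows can demonstrate signing/attesting an identical artifact` would make the intent explicit.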
@@ -0,0 +1,55 @@ +# Replace this with your image name, i.e. ghcr.io//demo-repo-go:latest +IMAGE_NAME?=ghcr.io/stacklok/demo-repo-go:latest + +# Replace this with your GitHub username and PAT. +# This is used to authenticate with GitHub Container Registry (GHCR) +# and push the image to your repository. +# The PAT should have read/write access for packages. +CR_USERNAME?=stacklok +CR_PAT?=ghp_1234567890abcdefghij1234567890abcdefghij + +.PHONY: login +login: + @echo "Logging in to GitHub Container Registry" + @echo "${CR_PAT}" | docker login ghcr.io -u $(CR_USERNAME) --password-stdin + +.PHONY: build-image +build-image: + @echo "Building a safe image..." + docker build -t $(IMAGE_NAME) . + +.PHONY: build-malicious-image +build-malicious-image: + @echo "Building a malicious image..." + @echo "// Maliciously altered on $$(date)" >> main.go + docker build -t $(IMAGE_NAME) . + + +.PHONY: push-image +push-image: + @echo "Pushing image..." + docker push $(IMAGE_NAME) + +.PHONY: keygen +keygen: + @cosign generate-key-pair + + +.PHONY: sign-keypair +sign-keypair: + @cosign sign $(IMAGE_NAME) --key cosign.key + +.PHONY: sign-oidc +sign-oidc: + @cosign sign $(IMAGE_NAME) + +.PHONY: build-binary +build-binary: + @echo "Building a safe binary..." + go build -o demo-go-binary ./... + +.PHONY: build-malicious-binary +build-malicious-binary: + @echo "Building a malicious binary..." + @echo "// Maliciously altered on $$(date)" >> main.go + go build -o demo-go-binary ./... \ No newline at end of file diff --git a/README.md b/README.md index a67586b0..b0e255f5 100644 --- a/README.md +++ b/README.md 
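Review bot: `CR_PAT?=ghp_1234567890abcdefghij1234567890abcdefghij` gives the registry token a hard-coded default shaped exactly like a real GitHub PAT; it will trip secret scanners, and a `?=` default invites someone to swap in a real token in the tracked file. Leave it empty and fail fast instead: `CR_PAT?=` and, as the first line of `login`, `@test -n "$(CR_PAT)" || { echo "CR_PAT is not set"; exit 1; }`. Separately, `sign-keypair` and `sign-oidc` sign `$(IMAGE_NAME)` by tag, so the digest resolved at signing time can differ from the one pushed if the tag has since moved; signing an `@sha256:` reference, as the workflows do, avoids that. `keygen` writes `cosign.key` into the repository root, which the new `*.key` entry in `.gitignore` covers.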
@@ -2,8 +2,32 @@ ## Overview -`dummyrepo-go`, is a template is primarily intended for testing and -demonstration purposes with stacklok projects. It is a simple Go project. +The `demo-repo-go` project is a repository template primarily intended for testing and +demonstration purposes with stacklok projects. It is a simple Go project that allows you to +quickly get started with testing and demonstrating how you can use Minder and Trusty with +your Go projects. It features continuous integration (CI) workflows that demonstrate how to +build, test, and sign artifacts using Sigstore and GitHub Attestations. + + +## Features + +- Simple Go server application +- Dockerfile for building a container image + +GitHub Actions workflows for: +- Producing signed and unsigned artifacts using Sigstore and GitHub attestations API +- Producing artifacts such as container images and binaries +- Producing container images that are reproducible (always the same digest) +- Producing "malicious" container images for testing purposes (e.g., code content was altered while building the image) + +Makefile targets for simulating out-of-band signing of artifacts (both intended and not): +- Generating signed container images and "malicious" images +- Pushing container images to container registry (GHCR) +- Generating a local key pair for signing container images +- Sign container images using Sigstore by using a local key pair or by going through the Sigstore OIDC sign-in flow + +Branches: +- Set of pre-created branches to use for opening PRs each demonstrating a different feature or use case with Minder and Trusty ## How to Use This Template 
@@ -15,11 +39,4 @@ demonstration purposes with stacklok projects. It is a simple Go project. 2. **Create New Repository**: Provide your repository with a name, description, and set the privacy settings. Click "Create repository from template." -## Features - -- Pre-configured `go.mod` file -- Sample Go code in `main.go`. -- `.gitignore` file suitable for Go projects -- GitHub Actions CI workflow - Happy testing! 🦦🎉 diff --git a/go.mod b/go.mod index 0177f763..e6f2df14 100644 --- a/go.mod +++ b/go.mod @@ -1,3 +1,3 @@ -module github.com/stacklok/dummyrepo-go +module github.com/stacklok/demo-repo-go go 1.20