From beee2c921b31ba6aaead16aea02ddb571e256843 Mon Sep 17 00:00:00 2001 From: cpanato Date: Mon, 27 May 2024 12:16:48 +0200 Subject: [PATCH] add attestation Signed-off-by: cpanato --- .github/workflows/release.yaml | 28 +++++------ .github/workflows/reusable_build_docker.yaml | 10 ++-- .../workflows/reusable_publish_docker.yaml | 46 ++++++++++++++----- 3 files changed, 53 insertions(+), 31 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index fad067f56b8..30133788a71 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,13 +6,13 @@ on: # Checks if any concurrent jobs is running for release CI and eventually cancel it. concurrency: group: ci-release - cancel-in-progress: true - + cancel-in-progress: true + jobs: release-settings: runs-on: ubuntu-latest outputs: - is_latest: ${{ steps.get_settings.outputs.is_latest }} + is_latest: ${{ steps.get_settings.outputs.is_latest }} bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }} steps: - name: Get latest release @@ -80,14 +80,14 @@ jobs: arch: x86_64 # static: ${{ matrix.static != '' && true || false }} version: ${{ github.event.release.tag_name }} - + test-packages-arm64: needs: [release-settings, build-packages-arm64] uses: ./.github/workflows/reusable_test_packages.yaml with: arch: aarch64 version: ${{ github.event.release.tag_name }} - + publish-packages: needs: [release-settings, test-packages, test-packages-arm64] uses: ./.github/workflows/reusable_publish_packages.yaml @@ -95,7 +95,7 @@ jobs: bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }} version: ${{ github.event.release.tag_name }} secrets: inherit - + # Both build-docker and its arm64 counterpart require build-packages because they use its output build-docker: needs: [release-settings, build-packages, publish-packages] 
@@ -106,7 +106,7 @@ jobs: version: ${{ github.event.release.tag_name }} tag: ${{ github.event.release.tag_name }} secrets: inherit - + build-docker-arm64: needs: [release-settings, build-packages, publish-packages] uses: ./.github/workflows/reusable_build_docker.yaml @@ -125,7 +125,7 @@ jobs: is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }} tag: ${{ github.event.release.tag_name }} sign: true - + release-body: needs: [release-settings, publish-docker] if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases @@ -135,7 +135,7 @@ jobs: steps: - name: Clone repo uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - + - name: Extract LIBS and DRIVER versions run: | cp .github/release_template.md release-body.md @@ -143,26 +143,26 @@ jobs: DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver') sed -i s/LIBSVER/$LIBS_VERS/g release-body.md sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md - + - name: Append release matrixes run: | sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md - + - name: Generate release notes uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73 with: milestone: ${{ github.event.release.tag_name }} output: ./notes.md - + - name: Merge release notes to pre existent body run: cat notes.md >> release-body.md - + - name: Attach release creator to release body run: | echo "" >> release-body.md echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md - + - name: Release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml index 21d0ff57a30..f71cb1ad378 100644 
--- a/.github/workflows/reusable_build_docker.yaml +++ b/.github/workflows/reusable_build_docker.yaml @@ -20,9 +20,9 @@ on: required: true type: string -# Here we just build all docker images as tarballs, +# Here we just build all docker images as tarballs, # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow. -# In this way, we don't need to publish any arch specific image, +# In this way, we don't need to publish any arch specific image, # and this "build" workflow is actually only building images. permissions: @@ -37,10 +37,10 @@ jobs: steps: - name: Checkout uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - + - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - + - name: Build no-driver image run: | cd ${{ github.workspace }}/docker/no-driver/ @@ -60,7 +60,7 @@ jobs: --build-arg TARGETARCH=${TARGETARCH} \ . docker save docker.io/falcosecurity/falco-distroless:${{ inputs.arch }}-${{ inputs.tag }} --output /tmp/falco-distroless-${{ inputs.arch }}.tar - + - name: Build falco image run: | cd ${{ github.workspace }}/docker/falco/ diff --git a/.github/workflows/reusable_publish_docker.yaml b/.github/workflows/reusable_publish_docker.yaml index 47418527417..55234d55997 100644 --- a/.github/workflows/reusable_publish_docker.yaml +++ b/.github/workflows/reusable_publish_docker.yaml 
@@ -18,44 +18,49 @@ on: default: false permissions: - id-token: write contents: read - + jobs: publish-docker: runs-on: ubuntu-latest + + permissions: + attestations: write + id-token: write + contents: read + steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - + - name: Download images tarballs uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: falco-images path: /tmp/falco-images - + - name: Load all images run: | for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done - + - name: Login to Docker Hub uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: username: ${{ secrets.DOCKERHUB_USER }} password: ${{ secrets.DOCKERHUB_SECRET }} - + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr" aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public. - + - name: Login to Amazon ECR id: login-ecr-public uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0 with: - registry-type: public - + registry-type: public + - name: Setup Crane uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3 with: @@ -88,7 +93,7 @@ jobs: inputs: docker.io/falcosecurity/falco-distroless:${{ inputs.tag }} images: docker.io/falcosecurity/falco-distroless:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco-distroless:x86_64-${{ inputs.tag }} push: true - + - name: Tag slim manifest on Docker Hub run: | crane copy docker.io/falcosecurity/falco-no-driver:${{ inputs.tag }} docker.io/falcosecurity/falco:${{ inputs.tag }}-slim 
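Review bot: The job-level `permissions` added here (`attestations: write`, `id-token: write`) only take effect if the calling workflow's token allows them — a reusable workflow cannot be granted more than its caller holds — and the visible portion of the `publish-docker` call in release.yaml in this patch does not show a `permissions` block, so under a read-only default token the attestation push would fail. If the repository default is already permissive this is a non-issue, but it is safer to pin it on the caller job with `permissions:` / `attestations: write` / `id-token: write` (plus `contents: read`). Moving `id-token: write` down from the workflow level to the single job that needs it is a good least-privilege narrowing; any other jobs in this file lie outside the hunk.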
@@ -99,7 +104,7 @@ jobs: inputs: docker.io/falcosecurity/falco:${{ inputs.tag }} images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }},docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }} push: true - + - name: Create falco-driver-loader manifest on Docker Hub uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0 with: @@ -157,7 +162,6 @@ jobs: - name: Sign images with cosign if: inputs.sign env: - COSIGN_EXPERIMENTAL: "true" COSIGN_YES: "true" run: | cosign sign docker.io/falcosecurity/falco-no-driver@${{ steps.digests.outputs.falco-no-driver }} @@ -171,3 +175,21 @@ jobs: cosign sign public.ecr.aws/falcosecurity/falco@${{ steps.digests.outputs.falco }} cosign sign public.ecr.aws/falcosecurity/falco-driver-loader@${{ steps.digests.outputs.falco-driver-loader }} cosign sign public.ecr.aws/falcosecurity/falco-driver-loader-legacy@${{ steps.digests.outputs.falco-driver-loader-legacy }} + + - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 + with: + subject-name: docker.io/falcosecurity/falco + subject-digest: ${{ steps.digests.outputs.falco }} + push-to-registry: true + + - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 + with: + subject-name: docker.io/falcosecurity/falco-no-driver + subject-digest: ${{ steps.digests.outputs.falco-no-driver }} + push-to-registry: true + + - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2 + with: + subject-name: docker.io/falcosecurity/falco-distroless + subject-digest: ${{ steps.digests.outputs.falco-distroless }} + push-to-registry: true
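Review bot: The three `attest-build-provenance` steps run unconditionally while the cosign step just above them is gated on `if: inputs.sign`, so a caller passing `sign: false` still pushes attestations (and if the `digests` step is also gated, which cannot be seen from here, the subject-digest expressions would be empty). Suggest gating each step with `if: inputs.sign` and giving each a `name:` like every other step in the job, e.g. `- name: Attest falco image provenance`. Coverage is also narrower than signing: cosign signs falco-driver-loader, falco-driver-loader-legacy and the public.ecr.aws copies, but only the three docker.io images receive provenance attestations; if that is intentional, a one-line comment above the first step saying so would stop the next reader from treating it as an omission.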