Skip to content

added explicit permissions to ci (#146) #88

added explicit permissions to ci (#146)

added explicit permissions to ci (#146) #88

name: Build confbatstest
on:
push:
paths:
- .github/workflows/confbatstest-build.yaml
- confbatstest/**
# Declare default permissions as read only.
permissions: read-all
jobs:
build-confbatstest:
permissions:
packages: write
env:
context: confbatstest
image_name: confbatstest
branch_name: ${{ github.head_ref || github.ref_name }}
ref_type: ${{ github.ref_type }}
owner: ${{ github.repository_owner }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- name: Get image tags
id: image_tags
uses: redhat-cop/github-actions/get-image-version@main
with:
IMAGE_CONTEXT_DIR: ${{ env.context }}
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
with:
dockerfile: confbatstest/Dockerfile_build
ignore: DL3041 # https://github.com/hadolint/hadolint/wiki/DL3041
- name: Build image
id: build_image
uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2
with:
context: ${{ env.context }}
dockerfiles: |
./${{ env.context }}/Dockerfile_build
image: ${{ env.image_name }}
oci: true
tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
- name: Push to ghcr.io
if: ${{ env.ref_type == 'tag' || env.owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token
uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2
id: push_image
with:
image: ${{ steps.build_image.outputs.image }}
registry: ghcr.io/${{ github.repository }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
tags: ${{ steps.build_image.outputs.tags }}
outputs:
image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
image_digest: "${{ steps.push_image.outputs.digest }}"
image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"
sign-confbatstest:
needs: [build-confbatstest]
permissions:
id-token: write
packages: write
if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token
env:
image_uri: ${{ needs.build-confbatstest.outputs.image_uri }}
runs-on: ubuntu-latest
steps:
- name: Setup cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3
- name: Cosign login
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io
- name: Sign Image
run: |
cosign sign --yes ${image_uri}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "cosign-vuln"
output: "cosign-vuln.json"
- name: Run Trivy SBOM generator
uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "spdx-json"
output: "spdx-json.json"
- name: Attach attestations
run: |
cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri}
cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri}
provenance:
needs: [build-confbatstest,sign-confbatstest]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build-confbatstest.outputs.image_repo }}
digest: ${{ needs.build-confbatstest.outputs.image_digest }}
registry-username: ${{ github.repository_owner }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}