Skip to content

Commit

Permalink
add attestation
Browse files Browse the repository at this point in the history
Signed-off-by: cpanato <[email protected]>
  • Loading branch information
cpanato authored and poiana committed Dec 5, 2024
1 parent 35d8618 commit 257ae9a
Show file tree
Hide file tree
Showing 3 changed files with 46 additions and 29 deletions.
28 changes: 14 additions & 14 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,13 @@ on:
# Checks if any concurrent jobs is running for release CI and eventually cancel it.
concurrency:
group: ci-release
cancel-in-progress: true
cancel-in-progress: true

jobs:
release-settings:
runs-on: ubuntu-latest
outputs:
is_latest: ${{ steps.get_settings.outputs.is_latest }}
is_latest: ${{ steps.get_settings.outputs.is_latest }}
bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
steps:
- name: Get latest release
Expand Down Expand Up @@ -80,22 +80,22 @@ jobs:
arch: x86_64
# static: ${{ matrix.static != '' && true || false }}
version: ${{ github.event.release.tag_name }}

test-packages-arm64:
needs: [release-settings, build-packages-arm64]
uses: ./.github/workflows/reusable_test_packages.yaml
with:
arch: aarch64
version: ${{ github.event.release.tag_name }}

publish-packages:
needs: [release-settings, test-packages, test-packages-arm64]
uses: ./.github/workflows/reusable_publish_packages.yaml
with:
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
version: ${{ github.event.release.tag_name }}
secrets: inherit

# Both build-docker and its arm64 counterpart require build-packages because they use its output
build-docker:
needs: [release-settings, build-packages, publish-packages]
Expand All @@ -106,7 +106,7 @@ jobs:
version: ${{ github.event.release.tag_name }}
tag: ${{ github.event.release.tag_name }}
secrets: inherit

build-docker-arm64:
needs: [release-settings, build-packages, publish-packages]
uses: ./.github/workflows/reusable_build_docker.yaml
Expand All @@ -125,7 +125,7 @@ jobs:
is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
tag: ${{ github.event.release.tag_name }}
sign: true

release-body:
needs: [release-settings, publish-docker]
if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
Expand All @@ -135,34 +135,34 @@ jobs:
steps:
- name: Clone repo
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

- name: Extract LIBS and DRIVER versions
run: |
cp .github/release_template.md release-body.md
LIBS_VERS=$(cat cmake/modules/falcosecurity-libs.cmake | grep 'set(FALCOSECURITY_LIBS_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*')
DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
- name: Append release matrixes
run: |
sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
- name: Generate release notes
uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
with:
milestone: ${{ github.event.release.tag_name }}
output: ./notes.md

- name: Merge release notes to pre existent body
run: cat notes.md >> release-body.md

- name: Attach release creator to release body
run: |
echo "" >> release-body.md
echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
- name: Release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/reusable_build_docker.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,12 +20,12 @@ on:
required: true
type: string

# Here we just build all docker images as tarballs,
# Here we just build all docker images as tarballs,
# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
# In this way, we don't need to publish any arch specific image,
# In this way, we don't need to publish any arch specific image,
# and this "build" workflow is actually only building images.

permissions:
permissions:
contents: read

jobs:
Expand All @@ -37,10 +37,10 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

- name: Build falco image
run: |
cd ${{ github.workspace }}/docker/falco/
Expand Down
37 changes: 27 additions & 10 deletions .github/workflows/reusable_publish_docker.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,44 +18,49 @@ on:
default: false

permissions:
id-token: write
contents: read

jobs:
publish-docker:
runs-on: ubuntu-latest

permissions:
attestations: write
id-token: write
contents: read

steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

- name: Download images tarballs
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: falco-images
path: /tmp/falco-images

- name: Load all images
run: |
for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
- name: Login to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_SECRET }}

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.

- name: Login to Amazon ECR
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
with:
registry-type: public
registry-type: public

- name: Setup Crane
uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
with:
Expand Down Expand Up @@ -86,7 +91,7 @@ jobs:
inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
push: true

- name: Create falco-driver-loader manifest on Docker Hub
uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
with:
Expand Down Expand Up @@ -149,3 +154,15 @@ jobs:
cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-name: docker.io/falcosecurity/falco
subject-digest: ${{ steps.digests.outputs.falco }}
push-to-registry: true

- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
with:
subject-name: docker.io/falcosecurity/falco-driver-loader
subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
push-to-registry: true

0 comments on commit 257ae9a

Please sign in to comment.