
ci(.github)[SEC-1084]: SLSA supply chain security controls #7479

Merged
merged 2 commits into from
Jun 4, 2024

Conversation


@saisatishkarra saisatishkarra commented Jun 3, 2024

New

  • Unify GH release for insomnia and inso-cli using tag:core@<tag>
  • Perform keyless image signing:
    • inso-cli docker image
    • No images for other artifacts are produced
  • Signatures for container image signing are published to
    • docker.io/kong/notary : public (for semver tags w/o alpha|beta)
    • docker.io/kong/notary-internal : private alpha|beta tags
  • Perform keyless image provenance generation:
    • insomnia binary artifacts
    • inso-cli binary artifacts
    • inso-cli docker image
  • Perform repository scanning for SCA and SBOM analyzing root level package-lock.json
  • All SBOMs produced from images and repository scanning will be updated as:
    • GitHub release / tag assets for release / tag event
    • GitHub workflow assets for push / pr for release branches

@saisatishkarra
Contributor Author

@jackkav / @filfreire An alpha release tag / branch is needed to test these changes.

build-and-upload-release-artifacts:
  timeout-minutes: 30
  runs-on: ${{ matrix.os }}
  env:
    INSO_PACKAGE_NAME: insomnia-inso
    INSO_PACKAGE_WS_PATH: ./packages/insomnia-inso/
Contributor


WS_PATH isn't very clear about what WS means; just _PATH would be clearer.

Contributor


Also the amount of indirection here makes the scripts hard to read.

Contributor Author


I have removed the INSO_PACKAGE_WS_PATH and INSO_PACKAGE_ARIFACTS_PATH variables and replaced them with ./packages/<env.INSO_PACKAGE_NAME>/<path>

@saisatishkarra
Contributor Author

Signatures for container image signing are published to:

  1. docker.io/kong/notary : public (for semver tags w/o alpha|beta)
  2. docker.io/kong/notary-internal : private repo (alpha|beta) tags

@jackkav LMK if the alpha and beta tags are considered for external use and the signatures must be publicly verifiable. In that case, I can point to kong/notary instead of kong/notary-internal for alpha|beta tags.
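As an added example (not code from this PR or the Insomnia project), the tag-to-signature-repository rule stated in the PR description and restated in the comment above, plus the verify invocation a consumer of the inso-cli image would run against the right signature repository. It assumes sigstore cosign with GitHub OIDC keyless signing (the PR says only "keyless" and does not name the tool), a semver shape for `<tag>`, and `Kong/insomnia` as the signing workflow's repository identity; the image reference is supplied by the caller because the page does not name it.

```python
import re

# Release tags follow the PR's unified form core@<tag>; the semver pattern
# for <tag> is an assumption, not something the PR states.
TAG_RE = re.compile(
    r"^core@(?P<version>\d+\.\d+\.\d+)(?:-(?P<pre>[0-9A-Za-z.-]+))?$"
)

PUBLIC_SIG_REPO = "docker.io/kong/notary"             # from the PR
INTERNAL_SIG_REPO = "docker.io/kong/notary-internal"  # from the PR


def classify_tag(tag):
    """Parse a core@<tag> release tag and pick the signature repository.

    Rule from the PR description: semver tags without alpha|beta are public,
    alpha|beta tags are private. Returns None for anything that is not a
    release tag, so callers cannot accidentally verify against the wrong repo.
    """
    m = TAG_RE.match(tag)
    if not m:
        return None
    pre = m.group("pre") or ""
    # Only alpha/beta prerelease labels go to the internal repo; any other
    # prerelease label (e.g. rc) falls under the "w/o alpha|beta" rule.
    internal = bool(re.search(r"(^|[.-])(alpha|beta)([.-]|$)", pre))
    return {
        "version": m.group("version"),
        "prerelease": pre or None,
        "public": not internal,
        "signature_repo": INTERNAL_SIG_REPO if internal else PUBLIC_SIG_REPO,
    }


def verify_command(image_ref, tag,
                   identity_regexp=r"^https://github\.com/Kong/insomnia/"):
    """Build env + argv for verifying the image signature with cosign.

    Assumes cosign keyless verification: the signing certificate must come
    from GitHub's OIDC issuer and name a workflow in the assumed repository.
    COSIGN_REPOSITORY tells cosign where the detached signatures live, which
    is how the PR's separate notary repositories are consumed.
    """
    info = classify_tag(tag)
    if info is None:
        raise ValueError(f"not a release tag: {tag}")
    env = {"COSIGN_REPOSITORY": info["signature_repo"]}
    argv = [
        "cosign", "verify",
        "--certificate-oidc-issuer", "https://token.actions.githubusercontent.com",
        "--certificate-identity-regexp", identity_regexp,
        image_ref,
    ]
    return env, argv
```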

@jackkav
Copy link
Contributor

jackkav commented Jun 4, 2024

Let's merge this when we have a spare hour or two to test an alpha and fix any issues.

@jackkav jackkav merged commit 722d268 into Kong:develop Jun 4, 2024
6 checks passed
saisatishkarra added a commit that referenced this pull request Jun 5, 2024
* ci(.github)[SEC-1084]: SLSA supply chain security controls

* fix gh review comments