ci: add SBOM and cosign for all binaries and docker images (#3910)

* ci: add sboms and cosign
kubeshop · May 30, 2023 · 697412c · 697412c
1 parent da396b5
commit 697412c
Show file tree

Hide file tree

Showing 12 changed files with 173 additions and 6 deletions.
diff --git a/.github/workflows/docker-build-api-executors-beta-tag.yaml b/.github/workflows/docker-build-api-executors-beta-tag.yaml
@@ -6,13 +6,19 @@ on:
 env:
   ALPINE_IMAGE: alpine:3.18.0
 
+permissions:
+  id-token: write # needed for keyless signing with cosign
+
 jobs:
   api:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -65,6 +71,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -109,6 +118,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -150,6 +162,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -192,6 +207,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -294,6 +312,9 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
@@ -315,12 +336,21 @@ jobs:
           docker manifest create kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }} --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-amd64 --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-arm64v8
           docker manifest push -p kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}
 
+      - name: Sign images with cosign
+        run: |
+          cosign sign kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-amd64 --yes
+          cosign sign kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-arm64v8 --yes
+          cosign sign kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }} --yes
+
   executor_playwright:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 

diff --git a/.github/workflows/docker-build-api-executors-tag.yaml b/.github/workflows/docker-build-api-executors-tag.yaml
@@ -7,13 +7,19 @@ on:
 env:
   ALPINE_IMAGE: alpine:3.18.0
 
+permissions:
+  id-token: write # needed for keyless signing with cosign
+
 jobs:
   api:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
@@ -78,12 +84,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
 
       - name: Go Cache
         uses: actions/cache@v2
@@ -133,6 +142,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -185,6 +197,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -238,6 +253,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
 
@@ -365,9 +383,13 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1
 
+    - uses: sigstore/cosign-installer@v3.0.5
+    - uses: anchore/sbom-action/download-syft@v0.14.2
+
     - name: Set up Docker Buildx
       id: buildx
       uses: docker/setup-buildx-action@v1
@@ -391,18 +413,26 @@ jobs:
       run: |
         docker manifest create kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }} --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }}-amd64 --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }}-arm64v8
         docker manifest push -p kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }}
+        cosign sign kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }}-amd64 --yes
+        cosign sign kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }}-arm64v8 --yes
+        cosign sign kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }} --yes
 
         docker manifest create kubeshop/testkube-cypress-executor:${{ matrix.version }} --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }}-amd64 --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-${{ matrix.version }}-arm64v8
         docker manifest push -p kubeshop/testkube-cypress-executor:${{ matrix.version }}
+        cosign sign kubeshop/testkube-cypress-executor:${{ matrix.version }} --yes
 
         docker manifest create kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }} --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-amd64 --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-arm64v8
         docker manifest push -p kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}
+        cosign sign kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }} --yes
+
 
         docker manifest create kubeshop/testkube-cypress-executor:latest --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-amd64 --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-cypress12-arm64v8
         docker manifest push -p kubeshop/testkube-cypress-executor:latest
+        cosign sign kubeshop/testkube-cypress-executor:latest --yes
 
         docker manifest create kubeshop/testkube-cypress-executor:legacy --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-npm-amd64 --amend kubeshop/testkube-cypress-executor:${{ steps.tag.outputs.tag }}-npm-arm64v8
         docker manifest push -p kubeshop/testkube-cypress-executor:legacy
+        cosign sign kubeshop/testkube-cypress-executor:legacy --yes
 
 
   executor_playwright:
@@ -411,6 +441,9 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v2
 
+    - uses: sigstore/cosign-installer@v3.0.5
+    - uses: anchore/sbom-action/download-syft@v0.14.2
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v1
 

diff --git a/.github/workflows/release-dev.yaml b/.github/workflows/release-dev.yaml
@@ -5,6 +5,9 @@ on:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+-*"
 
+permissions:
+  id-token: write # needed for keyless signing
+
 jobs:
   pre_build:
     name: Pre-build
@@ -65,6 +68,8 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
       - name: Download Artifacts for Linux
         uses: actions/download-artifact@master
         with:
@@ -147,7 +152,7 @@ jobs:
           Copy-Item 'windows\testkube_windows_386\kubectl-testkube.exe' '.\kubectl-testkube.exe'
           Copy-Item 'build\installer\windows\testkube.wxs' '.\testkube.wxs'
           Copy-Item 'build\installer\windows\tk.bat' '.\tk.bat'
-          Copy-Item 'build\installer\windows\testkube.bat' '.\testkube.bat'          
+          Copy-Item 'build\installer\windows\testkube.bat' '.\testkube.bat'
           & "$env:WIX\bin\candle.exe" *.wxs
           & "$env:WIX\bin\light.exe" *.wixobj
           & "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" sign /f "$env:P12_CERT" /p "$env:P12_PASSWORD" /d "Kubetest by Kubeshop" /tr http://timestamp.digicert.com testkube.msi

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,6 +5,10 @@ on:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+"
 
+permissions:
+  id-token: write # needed for keyless signing
+  contents: write
+
 env:
   TESTKUBE_CHOCO_REPO: https://chocolatey.kubeshop.io/
 
@@ -69,6 +73,8 @@ jobs:
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+      - uses: sigstore/cosign-installer@v3.0.5
+      - uses: anchore/sbom-action/download-syft@v0.14.2
       - name: Download Artifacts for Linux
         uses: actions/download-artifact@master
         with:

diff --git a/.goreleaser-dev.yml b/.goreleaser-dev.yml
@@ -22,6 +22,26 @@ archives:
       amd64: x86_64
 checksum:
   name_template: "checksums.txt"
+
+source:
+  enabled: true
+
+sboms:
+  - artifacts: archive
+  - id: source 
+    artifacts: source
+
+signs:
+  - cmd: cosign
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+      - "--yes"
+    artifacts: all
+    output: true
 changelog:
   sort: asc
   filters:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -23,6 +23,26 @@ archives:
 checksum:
   name_template: "checksums.txt"
 
+source:
+  enabled: true
+
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+
+signs:
+  - cmd: cosign
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+      - "--yes"
+    artifacts: all
+    output: true
+
 changelog:
   sort: asc
   use: github

diff --git a/goreleaser_files/.goreleaser-docker-build-api.yml b/goreleaser_files/.goreleaser-docker-build-api.yml
@@ -78,4 +78,13 @@ docker_manifests:
       - kubeshop/testkube-api-server:{{ .Version }}-arm64v8
 
 release:
-  disable: true
+  disable: true
+
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - 'sign'
+      - '${artifact}'
+      - "--yes"
diff --git a/goreleaser_files/.goreleaser-docker-build-executor-gradle.yml b/goreleaser_files/.goreleaser-docker-build-executor-gradle.yml
@@ -186,4 +186,13 @@ docker_manifests:
       - kubeshop/testkube-gradle-executor:{{ .Version }}-jdk11-arm64v8
 
 release:
-  disable: true
+  disable: true
+
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - 'sign'
+      - '${artifact}'
+      - "--yes"
diff --git a/goreleaser_files/.goreleaser-docker-build-executor-jmeter.yml b/goreleaser_files/.goreleaser-docker-build-executor-jmeter.yml
@@ -77,3 +77,12 @@ docker_manifests:
 
 release:
   disable: true
+
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - 'sign'
+      - '${artifact}'
+      - "--yes"
diff --git a/goreleaser_files/.goreleaser-docker-build-executor-maven.yml b/goreleaser_files/.goreleaser-docker-build-executor-maven.yml
@@ -186,4 +186,13 @@ docker_manifests:
       - kubeshop/testkube-maven-executor:{{ .Version }}-jdk11-arm64v8
 
 release:
-  disable: true
+  disable: true
+
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - 'sign'
+      - '${artifact}'
+      - "--yes"
diff --git a/goreleaser_files/.goreleaser-docker-build-executor-playwright.yml b/goreleaser_files/.goreleaser-docker-build-executor-playwright.yml
@@ -148,4 +148,13 @@ docker_manifests:
       - kubeshop/testkube-playwright-executor:{{ .Version }}-npm-arm64v8
 
 release:
-  disable: true
+  disable: true
+
+docker_signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - 'sign'
+      - '${artifact}'
+      - "--yes"