ci(.github): publish slsa artifacts to cloudsmith #10215

saisatishkarra · 2024-05-11T00:26:00Z

Summary

Source JIRA: https://konghq.atlassian.net/browse/SEC-1106
Downloads SLSA workflow run assets from various jobs in CI using glob pattern on file extensions
Upload the below cloudsmith packages in RAW package format:
SBOMs: <repo>-sbom - Aggregated ZIP file with all SBOMs for image artifacts and Source Code from which binary was built
Binary Provenance: <repo>-binary-provenance - ZIP file containing provenance for binary verification

Checklist prior to review

Link to relevant issue as well as docs and UI issues --
This will not break child repos: it doesn't hardcode values (.e.g "kumahq" as a image registry) and it will work on Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
Tests (Unit test, E2E tests, manual test on universal and k8s) --
- Don't forget ci/ labels to run additional/fewer tests
Do you need to update UPGRADE.md? --
Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label) --

.github/workflows/build-test-distribute.yaml

mk/docker.mk

saisatishkarra · 2024-05-13T15:15:39Z

@lahabana Currently i tried working with actions/download-artifact@v4 and gh run download {run_id} -p <pattern> doesn't support downloading artifacts in a same workflow uploaded by other jobs until the workflow is completed. This is due to an issue in the upstream anchore/sbom-action that uses an older actions/upload-artifact@{v1,v2,v3}. There is an open PR but not merged.

i am looking to use workflow_run(doesn't support to only run on specific filtered tags) event to trigger a separate downstream workflow to push to cloudsmith and download assets after the caller (build-test-distribute.yml) is complete. I will refactor the PR and address your other suggestions.

LMK your thoughts if you have a way to approach this to solve for running a separate workflow to download assets filtered for specific tags / branches.

lahabana · 2024-05-17T08:13:56Z

i am looking to use workflow_run(actions/starter-workflows#1137) event to trigger a separate downstream workflow to push to cloudsmith and download assets after the caller (build-test-distribute.yml) is complete. I will refactor the PR and address your other suggestions.

Honestly I'm not super fan of workflow_run the event driven base of the execution just makes it hard to follow.
Calling it with workflow_call achieves the same (and it's what's done for other workflows in build-test-distribute or inline like it is here is fine too.

mk/distribution.mk

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>

saisatishkarra · 2024-05-22T14:51:45Z

Waiting on @curiositycasualty to merge release-script PR and update the new version in this PR ⤴️

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>

saisatishkarra · 2024-05-23T17:39:43Z

The PR is ready for review/merge with the updated release scripts that use the version passed by kuma / mesh. All review comments have been addressed.

@lahabana Looking for review/merge and port to KM and have a release tag until further review comments.

github-actions · 2024-06-11T12:29:24Z

backporting to release-2.5 with action

backporting to release-2.4 with action
backporting to release-2.7 with action

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>

#10439) * ci(.github): publish slsa artifacts to cloudsmith (#10215) Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>

saisatishkarra requested a review from a team as a code owner May 11, 2024 00:26

saisatishkarra requested review from michaelbeaumont, slonka and Automaat and removed request for a team May 11, 2024 00:26

saisatishkarra force-pushed the feat/slsa-cloudsmith-publishing branch 4 times, most recently from 3b1fd22 to e5c68bd Compare May 11, 2024 04:29