Attestation and SBOMs (#1672)

martincostello · web-flow · commit 830066f968dc · 2024-05-02T09:04:54.000+01:00
- Try out container image attestation.
- Generating and attest SBOMs.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -41,6 +41,11 @@ jobs:
     outputs:
       container-tag: ${{ steps.publish-container.outputs.container-tag }}
 
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -107,17 +112,49 @@ jobs:
 
     - name: Publish container
       id: publish-container
-      if: ${{ runner.os == 'Linux' }}
+      if: runner.os == 'Linux'
       shell: pwsh
       env:
         ContainerRegistry: ${{ env.PUBLISH_CONTAINER == 'true' && env.CONTAINER_REGISTRY || '' }}
       run: |
         dotnet publish ./src/API --arch x64 --os linux -p:PublishProfile=DefaultContainer
         if (-Not [string]::IsNullOrWhiteSpace(${env:CONTAINER_REGISTRY})) {
-          $containerTag = "${env:CONTAINER_REGISTRY}/${env:GITHUB_REPOSITORY}:github-${env:GITHUB_RUN_NUMBER}".ToLowerInvariant()
+          $containerImage = "${env:CONTAINER_REGISTRY}/${env:GITHUB_REPOSITORY}".ToLowerInvariant()
+          $containerTag = "${containerImage}:github-${env:GITHUB_RUN_NUMBER}".ToLowerInvariant()
+          "container-image=${containerImage}" >> "${env:GITHUB_OUTPUT}"
           "container-tag=${containerTag}" >> "${env:GITHUB_OUTPUT}"
         }
 
+    - name: Generate SBOM for binaries
+      uses: anchore/sbom-action@v0
+      with:
+        path: ./artifacts/publish
+        output-file: ./artifacts/sbom-publish.json
+
+    - name: Generate SBOM for container
+      uses: anchore/sbom-action@v0
+      if: env.PUBLISH_CONTAINER == 'true' && steps.publish-container.outputs.container-digest != ''
+      with:
+        image: ${{ steps.publish-container.outputs.container-tag }}
+        output-file: ./artifacts/sbom-container.json
+
+    - name: Attest container image
+      uses: actions/attest-build-provenance@v1
+      if: env.PUBLISH_CONTAINER == 'true' && steps.publish-container.outputs.container-digest != ''
+      with:
+        push-to-registry: true
+        subject-digest: ${{ steps.publish-container.outputs.container-digest }}
+        subject-name: ${{ steps.publish-container.outputs.container-image }}
+
+    - name: Attest SBOM for container
+      uses: actions/attest-sbom@v1
+      if: env.PUBLISH_CONTAINER == 'true' && steps.publish-container.outputs.container-digest != ''
+      with:
+        push-to-registry: true
+        sbom-path: ./artifacts/sbom-container.json
+        subject-digest: ${{ steps.publish-container.outputs.container-digest }}
+        subject-name: ${{ steps.publish-container.outputs.container-image }}
+
   deploy:
     if: github.event.repository.fork == false && github.ref_name == github.event.repository.default_branch
     name: deploy-production
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -36,4 +36,5 @@ jobs:
     - name: Lint workflows
       uses: docker://rhysd/actionlint@sha256:daa1edae4a6366f320b68abb60b74fb59a458c17b61938d3c62709d92b231558 # v1.6.27
       with:
-        args: -color
+        # Remove -ignore once v1.6.28 released - see https://github.com/rhysd/actionlint/pull/418#issuecomment-2089713941
+        args: -color -ignore "attestations"
diff --git a/src/API/API.csproj b/src/API/API.csproj
@@ -52,4 +52,7 @@
       <Content Include="wwwroot/**" CopyToPublishDirectory="PreserveNewest" Exclude="$(DefaultItemExcludes);$(DefaultExcludesInProjectFolder);@(Content)" />
     </ItemGroup>
   </Target>
+  <Target Name="OutputContainerDigest" AfterTargets="PublishContainer" Condition=" '$(GITHUB_OUTPUT)' != '' ">
+    <WriteLinesToFile File="$(GITHUB_OUTPUT)" Lines="container-digest=$(GeneratedContainerDigest)" />
+  </Target>
 </Project>
