feat: implemented SBOM and update version of actions (#34)

rakutentech · Dec 5, 2022 · d0faaf6 · d0faaf6
1 parent b82e5b2
commit d0faaf6
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 23 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -17,7 +17,7 @@ jobs:
           - 6.0.13
           - 6.0.14
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - uses: engineerd/setup-kind@v0.5.0
       with:
         version: v0.11.1  
@@ -28,4 +28,4 @@ jobs:
     - name: Testing
       run: |
         export PASSENGER_VERSION=${{ matrix.passenger-version }}
-        ./test/kubernetes/run.sh
+        ./test/kubernetes/run.sh
diff --git a/.github/workflows/passenger-app.yml b/.github/workflows/passenger-app.yml
@@ -19,25 +19,25 @@ jobs:
           - 6.0.13
     steps:
     - name: checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
     - name: Set env
       run: echo "TAG_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2
 
     - name: Login to GitHub Container Registry
-      uses: docker/login-action@v1
+      uses: docker/login-action@v2
       with:
         registry: ghcr.io
         username: ${{ secrets.USERNAME }}
         password: ${{ secrets.CR_PAT }}
 
     - name: Build and push
-      uses: docker/build-push-action@v2
+      uses: docker/build-push-action@v3
       with:
         context: ./test/passenger-app
         push: true

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -9,11 +9,11 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-go@v2
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v3
       with:
         go-version: '1.19'
-    - uses: actions/cache@v2
+    - uses: actions/cache@v3
       with:
         path: ~/go/pkg/mod
         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -28,7 +28,7 @@ jobs:
       run: go test -json ./... > test.json
     - name: annotate tests
       if: always()
-      uses: guyarb/golang-test-annotations@v0.2.0
+      uses: guyarb/golang-test-annotations@v0.5.1
       with:
         test-results: test.json
   lint:
@@ -38,11 +38,11 @@ jobs:
         go-version: [1.19]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-go@v2
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v3
       with:
         stable: 'true'
         go-version: '1.19'
-    - uses: golangci/golangci-lint-action@v2
+    - uses: golangci/golangci-lint-action@v3
       with:
-        skip-go-installation: true
+        skip-go-installation: true
diff --git a/.github/workflows/releease.yml b/.github/workflows/releease.yml
@@ -11,27 +11,33 @@ jobs:
   build:
     name: build
     runs-on: ubuntu-latest
+    env:
+      COSIGN_EXPERIMENTAL: "1"
     steps:
-    - name: checkout
-      uses: actions/checkout@v2
+    - name: Checkout
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
+    - name: Install cosign
+      uses: sigstore/cosign-installer@v2
+
     - name: Set env
       run: echo "TAG_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
+      uses: docker/setup-buildx-action@v2
 
     - name: Login to GitHub Container Registry
-      uses: docker/login-action@v1
+      uses: docker/login-action@v2
       with:
         registry: ghcr.io
         username: ${{ secrets.USERNAME }}
         password: ${{ secrets.CR_PAT }}
 
     - name: Build and push
-      uses: docker/build-push-action@v2
+      id: build-and-push
+      uses: docker/build-push-action@v3
       with:
         context: .
         push: true
@@ -42,24 +48,47 @@ jobs:
           ghcr.io/${{ github.repository }}:latest
           ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}
 
+    - name: Write signing key
+      run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
+      shell: bash
+
+    - name: Generate SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        image: ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}
+        artifact-name: sbom.spdx.json
+        output-file: sbom.spdx.json
+
+    - name: Attach SBOM file in image
+      run: |
+        cosign attest --key cosign.key --type spdx --predicate sbom.spdx.json ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}@${{ steps.build-and-push.outputs.digest }}
+        cosign attest --key cosign.key --type spdx --predicate sbom.spdx.json ghcr.io/${{ github.repository }}:latest@${{ steps.build-and-push.outputs.digest }}
+      shell: bash
+
+    - name: Published a signed image
+      env:
+        COSIGN_EXPERIMENTAL: "1"
+      run: |
+        cosign sign --key cosign.key ghcr.io/${{ github.repository }}:${{ env.TAG_VERSION }}@${{ steps.build-and-push.outputs.digest }}
+        cosign sign --key cosign.key ghcr.io/${{ github.repository }}:latest@${{ steps.build-and-push.outputs.digest }}
   release:
     name: release
     needs: build
     runs-on: ubuntu-latest
     steps:
     - name: checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
     - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
       with:
         go-version: 1.19
 
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v2
+      uses: goreleaser/goreleaser-action@v3
       with:
         version: latest
         args: release --rm-dist
       env:
-        GITHUB_TOKEN: ${{ secrets.CR_PAT }}
+        GITHUB_TOKEN: ${{ secrets.CR_PAT }}