From 38783cec141a021fba7445be988493df1e9c5bf6 Mon Sep 17 00:00:00 2001 From: Tom Gehrke Date: Tue, 19 Mar 2024 10:38:26 +0100 Subject: [PATCH 1/3] Add workflow to build node installer image --- .github/workflows/container-image.yml | 7 ++- ...ontainer-build.yml => installer-build.yml} | 5 ++- .github/workflows/manager-build.yml | 43 +++++++++++++++++++ .github/workflows/sbom.yml | 23 +++++----- .github/workflows/sign-image.yml | 5 ++- 5 files changed, 69 insertions(+), 14 deletions(-) rename .github/workflows/{container-build.yml => installer-build.yml} (80%) create mode 100644 .github/workflows/manager-build.yml diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml index a07aa44..3468f5d 100644 --- a/.github/workflows/container-image.yml +++ b/.github/workflows/container-image.yml @@ -3,6 +3,9 @@ name: Build container image on: workflow_call: inputs: + image-name: + type: string + required: true push-image: type: boolean required: true @@ -64,10 +67,10 @@ jobs: platforms: linux/amd64, linux/arm64 push: true tags: | - ghcr.io/${{ github.repository }}:${{ env.TAG_NAME }} + ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}:${{ env.TAG_NAME }} - id: setoutput name: Set output parameters run: | - echo "repository=ghcr.io/${{ github.repository }}" >> $GITHUB_OUTPUT + echo "repository=ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}" >> $GITHUB_OUTPUT echo "tag=${{ env.TAG_NAME }}" >> $GITHUB_OUTPUT echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT diff --git a/.github/workflows/container-build.yml b/.github/workflows/installer-build.yml similarity index 80% rename from .github/workflows/container-build.yml rename to .github/workflows/installer-build.yml index 9383b8b..e8d2be4 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/installer-build.yml 
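Review bot: The new required `image-name` input carries no `description`, so callers of this reusable workflow are not told that the value becomes the repository path component of `ghcr.io/<owner>/<image-name>` and therefore must be a valid lowercase OCI repository name. Since `workflow_call` inputs support `description`, add one next to `type`/`required`, e.g. `description: "Image name pushed as ghcr.io/<owner>/<image-name>; lowercase letters, digits, '.', '_' and '-' only"`. The same applies to the pre-existing `push-image` input if it is touched in a follow-up.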
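Review bot: `inputs.image-name` is expanded directly into the image tag and into the `run:` script that appends to `$GITHUB_OUTPUT`, and nothing in the workflow checks its shape, so a value containing whitespace, a newline or an uppercase letter would either break the build or let a caller inject additional output keys. Today the only callers are the in-repo `installer-build.yml` and `manager-build.yml`, so this is hardening rather than an exploitable hole, but a reusable workflow is an API and the guarantee belongs in this file. A small validation step placed before `build-image` (whose job definition starts outside this hunk) keeps it local; quoting `"$GITHUB_OUTPUT"` in the `setoutput` step is a cheap extra while you are there.
```yaml
- name: Validate image-name
  env:
    IMAGE_NAME: ${{ inputs.image-name }}
  run: |
    # OCI repository path components must be lowercase; the pattern also rejects whitespace and newlines
    [[ "$IMAGE_NAME" =~ ^[a-z0-9]+([._-][a-z0-9]+)*$ ]] || { echo "invalid image-name: $IMAGE_NAME" >&2; exit 1; }
# … unchanged: build-image and setoutput steps …
```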
@@ -1,4 +1,4 @@ -name: Build container image, sign it, and generate SBOMs +name: Build installer image, sign it, and generate SBOMs on: workflow_call: @@ -19,6 +19,7 @@ jobs: contents: read packages: write with: + image-name: node-installer push-image: true sign: @@ -28,6 +29,7 @@ jobs: packages: write id-token: write with: + image-repository: ${{ needs.build.outputs.repository }} image-digest: ${{ needs.build.outputs.digest }} sbom: @@ -37,4 +39,5 @@ jobs: packages: write id-token: write with: + image-name: node-installer image-digest: ${{ needs.build.outputs.digest }} diff --git a/.github/workflows/manager-build.yml b/.github/workflows/manager-build.yml new file mode 100644 index 0000000..a61a04d --- /dev/null +++ b/.github/workflows/manager-build.yml @@ -0,0 +1,43 @@ +name: Build manager image, sign it, and generate SBOMs + +on: + workflow_call: + outputs: + digest: + description: "Container image digest" + value: ${{jobs.build.outputs.digest}} + + push: + branches: + - "main" + - "feat-**" + +jobs: + build: + uses: ./.github/workflows/container-image.yml + permissions: + contents: read + packages: write + with: + image-name: runtime-class-manager + push-image: true + + sign: + needs: build + uses: ./.github/workflows/sign-image.yml + permissions: + packages: write + id-token: write + with: + image-repository: ${{ needs.build.outputs.repository }} + image-digest: ${{ needs.build.outputs.digest }} + + sbom: + needs: build + uses: ./.github/workflows/sbom.yml + permissions: + packages: write + id-token: write + with: + image-name: runtime-class-manager + image-digest: ${{ needs.build.outputs.digest }} diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 9657bf5..c7f41b1 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -3,6 +3,9 @@ name: Generate SBOMs on: workflow_call: inputs: + image-name: + type: string + required: true image-digest: type: string required: true 
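Review bot: The `push` trigger on `feat-**` branches means every push to a feature branch builds, publishes to ghcr.io and signs a `runtime-class-manager` image, because `push-image: true` is hardcoded in the `build` job and the `sign` job requests `id-token: write` with no key passed to cosign, which looks like keyless signing under the same workflow identity as `main` builds. Anyone verifying with `cosign verify --certificate-identity` pinned to this workflow path will then accept feature-branch images unless they also constrain the ref claim, which is easy to overlook. If feature-branch images are intentional for testing, make that explicit above the trigger, e.g. `# feat-** pushes publish test images; verifiers must also check the certificate's ref claim, not only the workflow identity`; otherwise limit the trigger to `main` and tags. The `digest` output also assumes `container-image.yml` declares a `digest` workflow output, which this diff does not show.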
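Review bot: `sbom.yml` now takes `image-name` and rebuilds the registry reference as `ghcr.io/${{ github.repository_owner }}/<image-name>` in four places, while `sign-image.yml` in the same patch takes the finished `image-repository` string from the build output; the two reusable workflows can silently drift the moment the build job changes how it forms the reference. Consider adding an `image-repository` input here as well (keeping `image-name` for the SBOM file and artifact names) and passing `needs.build.outputs.repository` from both callers, so the SBOM is always attached to exactly the repository that was built and signed. A `description:` on the inputs would also help, e.g. `description: "Short image name used for SBOM file and artifact names"`.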
@@ -42,7 +45,7 @@ jobs: set -e DIGEST=$(crane digest \ --platform "linux/${{ matrix.arch }}" \ - ghcr.io/${{ github.repository }}@${{ inputs.image-digest }}) + ghcr.io/${{ github.repository_owner}}/${{ inputs.image-name }}@${{ inputs.image-digest }}) echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" - name: Create SBOM file @@ -50,22 +53,22 @@ jobs: run: | syft \ -o spdx-json \ - --file runtime-class-manager-sbom-${{ matrix.arch }}.spdx \ - ghcr.io/${{ github.repository }}@${{ env.PLATFORM_DIGEST }} + --file ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}@${{ env.PLATFORM_DIGEST }} - name: Sign SBOM file run: | cosign sign-blob --yes \ - --output-certificate runtime-class-manager-sbom-${{ matrix.arch }}.spdx.cert \ - --output-signature runtime-class-manager-sbom-${{ matrix.arch }}.spdx.sig \ - runtime-class-manager-sbom-${{ matrix.arch }}.spdx + --output-certificate ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.cert \ + --output-signature ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx.sig \ + ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx - name: Attach SBOM file in the container image shell: bash run: | cosign attach \ - sbom --sbom runtime-class-manager-sbom-${{ matrix.arch }}.spdx \ - ghcr.io/${{ github.repository }}@${{ env.PLATFORM_DIGEST }} + sbom --sbom ${{ inputs.image-name }}-sbom-${{ matrix.arch }}.spdx \ + ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}@${{ env.PLATFORM_DIGEST }} - name: Sign SBOM file pushed to OCI registry shell: bash 
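Review bot: `${{ github.repository_owner}}` is missing the space before `}}` that every other expression in these workflows has; as far as I know the expression parser accepts it, but it reads as a typo and should be `${{ github.repository_owner }}` for consistency. The argument to `crane digest` is also unquoted, and since expressions are substituted before the shell runs, a value containing spaces would word-split; passing the reference through `env:` and quoting it, e.g. `"$IMAGE_REF"`, avoids both the splitting and the expression-in-shell pattern.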
@@ -74,10 +77,10 @@ jobs: SBOM_TAG="$(echo ${{ env.PLATFORM_DIGEST }} | sed -e 's/:/-/g').sbom" cosign sign --yes \ - ghcr.io/${{ github.repository }}:${SBOM_TAG} + ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}:${SBOM_TAG} - name: Upload SBOMs as artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: sbom-${{ matrix.arch }} - path: runtime-class-manager-sbom-* + path: ${{ inputs.image-name }}-sbom-* diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml index 288f54d..20f9492 100644 --- a/.github/workflows/sign-image.yml +++ b/.github/workflows/sign-image.yml @@ -3,6 +3,9 @@ name: Sign image on: workflow_call: inputs: + image-repository: + type: string + required: true image-digest: type: string required: true @@ -29,4 +32,4 @@ jobs: - name: Sign container image run: | cosign sign --yes \ - ghcr.io/${{ github.repository }}@${{ inputs.image-digest }} + ${{ inputs.image-repository }}@${{ inputs.image-digest }} From ea378fd4e42548bc36ae0257b3a2a8c9e9287dab Mon Sep 17 00:00:00 2001 From: Tom Gehrke Date: Tue, 19 Mar 2024 10:52:34 +0100 Subject: [PATCH 2/3] customize dockerfile to be built --- .github/workflows/container-image.yml | 11 +++++++++-- .github/workflows/installer-build.yml | 1 + .github/workflows/manager-build.yml | 1 + 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml index 3468f5d..95fc6fb 100644 --- a/.github/workflows/container-image.yml +++ b/.github/workflows/container-image.yml @@ -6,6 +6,13 @@ on: image-name: type: string required: true + dockerfile: + type: string + required: true + docker-context: + type: string + required: false + default: "." push-image: type: boolean required: true 
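Review bot: The SBOM image is signed by tag (`:${SBOM_TAG}`) rather than by digest, so between `cosign attach` in the previous step and this `cosign sign` the tag could be repointed, and cosign itself prints a warning when asked to sign a tag reference. Resolve the tag first and sign the digest: `SBOM_DIGEST=$(crane digest ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}:${SBOM_TAG})` followed by `cosign sign --yes ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}@${SBOM_DIGEST}`. The tag derivation on the line above can also be plain bash, `SBOM_TAG="${PLATFORM_DIGEST//:/-}.sbom"`, which avoids the unquoted `echo` of an expression.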
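Review bot: `inputs.image-repository` and `inputs.image-digest` are substituted directly into the `run:` shell line, which is the pattern GitHub's script-injection guidance tells you to avoid for workflow inputs; within this repo both values come from `needs.build.outputs`, so the risk is low today, but this reusable workflow now accepts an arbitrary string from any caller. Put them in `env:` and quote: `env: { IMAGE_REF: "${{ inputs.image-repository }}@${{ inputs.image-digest }}" }` and `run: cosign sign --yes "$IMAGE_REF"`. A cheap sanity check such as `[[ "$IMAGE_REF" == *@sha256:* ]] || exit 1` also guards against signing a tag when a caller forgets to pass a digest.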
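Review bot: The new `dockerfile` and `docker-context` inputs carry no `description`, so it is undocumented whether `dockerfile` is resolved relative to the repository root or to `docker-context`; the two callers in this patch use `./Dockerfile` and `./images/installer/Dockerfile` with the default context `.`, where both readings coincide, so the ambiguity will only surface once someone sets a non-default context. Add e.g. `description: "Path to the Dockerfile, relative to the repository root"` and `description: "Build context passed to docker/build-push-action (default: repository root)"`, after confirming against the action's documentation which base it actually uses.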
@@ -62,8 +69,8 @@ jobs: id: build-image uses: docker/build-push-action@af5a7ed5ba88268d5278f7203fb52cd833f66d6e # v5.2.0 with: - context: . - file: ./Dockerfile + context: ${{ inputs.docker-context }} + file: ${{ inputs.dockerfile }} platforms: linux/amd64, linux/arm64 push: true tags: | diff --git a/.github/workflows/installer-build.yml b/.github/workflows/installer-build.yml index e8d2be4..cb42968 100644 --- a/.github/workflows/installer-build.yml +++ b/.github/workflows/installer-build.yml @@ -20,6 +20,7 @@ jobs: packages: write with: image-name: node-installer + dockerfile: ./images/installer/Dockerfile push-image: true sign: diff --git a/.github/workflows/manager-build.yml b/.github/workflows/manager-build.yml index a61a04d..f49ded0 100644 --- a/.github/workflows/manager-build.yml +++ b/.github/workflows/manager-build.yml @@ -20,6 +20,7 @@ jobs: packages: write with: image-name: runtime-class-manager + dockerfile: ./Dockerfile push-image: true sign: From f63da29ab2cb4940db3ff39565e52a7f39ba92d0 Mon Sep 17 00:00:00 2001 From: Tom Gehrke Date: Tue, 19 Mar 2024 14:23:29 +0100 Subject: [PATCH 3/3] update release workflow --- .github/workflows/release.yml | 44 +++++++++++++++++++++++++---------- .github/workflows/sbom.yml | 2 +- 2 files changed, 33 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 775d910..0ad60b6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
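Review bot: `push: true` stays hardcoded in the build step even though the workflow declares a required `push-image` boolean input in the earlier hunk of this file, and nothing in this hunk gates on it; if the job-level `if:` outside the hunk does not already consult `inputs.push-image`, the input is dead and both callers set it to `true` without effect. Either wire it through, `push: ${{ inputs.push-image }}`, or remove the input so the interface does not promise a knob it ignores. The `build-image` step's enclosing job starts outside this hunk, so I cannot confirm which applies.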
@@ -10,21 +10,34 @@ permissions: read-all jobs: ci: uses: ./.github/workflows/ci.yml - permissions: read-all + permissions: + contents: read + pull-requests: read + checks: write + + build-manager: + name: Build manager image, sign it, and generate SBOMs + uses: ./.github/workflows/manager-build.yml + permissions: + id-token: write + packages: write + contents: read - build: - name: Build container image, sign it, and generate SBOMs - uses: ./.github/workflows/container-build.yml + build-installer: + name: Build installer image, sign it, and generate SBOMs + uses: ./.github/workflows/installer-build.yml permissions: id-token: write packages: write + contents: read release: name: Create release needs: - ci - - build + - build-manager + - build-installer permissions: contents: write @@ -73,7 +86,7 @@ jobs: - name: Download SBOM artifact uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: - pattern: sbom-* + pattern: "*-sbom-*" path: ./ merge-multiple: true @@ -89,12 +102,19 @@ jobs: let path = require('path'); let files = [ - '${{ github.repository }}-sbom-amd64.spdx', - '${{ github.repository }}-sbom-amd64.spdx.cert', - '${{ github.repository }}-sbom-amd64.spdx.sig', - '${{ github.repository }}-sbom-arm64.spdx', - '${{ github.repository }}-sbom-arm64.spdx.cert', - '${{ github.repository }}-sbom-arm64.spdx.sig'] + 'runtime-class-manager-sbom-amd64.spdx', + 'runtime-class-manager-sbom-amd64.spdx.cert', + 'runtime-class-manager-sbom-amd64.spdx.sig', + 'runtime-class-manager-sbom-arm64.spdx', + 'runtime-class-manager-sbom-arm64.spdx.cert', + 'runtime-class-manager-sbom-arm64.spdx.sig', + 'node-installer-sbom-amd64.spdx', + 'node-installer-sbom-amd64.spdx.cert', + 'node-installer-sbom-amd64.spdx.sig', + 'node-installer-sbom-arm64.spdx', + 'node-installer-sbom-arm64.spdx.cert', + 'node-installer-sbom-arm64.spdx.sig', + ] const {RELEASE_ID} = process.env for (const file of files) { 
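Review bot: The `ci` job's permissions widen from `read-all` to include `checks: write`, a write scope granted to every step in `ci.yml`, and neither the commit message nor this hunk says which step needs it. If a test-reporter action requires it, a comment naming that step keeps the grant reviewable, e.g. `checks: write  # required by <reporter step> in ci.yml`; if nothing does, drop it and keep the job read-only. The `build-manager` and `build-installer` jobs correctly request only `contents: read` plus the `id-token`/`packages` writes their reusable workflows need.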
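Review bot: The `files` array hardcodes two image names, two architectures and three suffixes as twelve literal strings, duplicating the `matrix.arch` list and the `image-name` values spread across `sbom.yml`, `installer-build.yml` and `manager-build.yml`; adding an architecture or image means editing four files, and a missed entry silently ships a release without that SBOM. Derive the list from the three dimensions so the shape lives in one place, and fail loudly if any expected file is absent before the upload loop, whose body continues outside this hunk. This assumes `fs` is required alongside `path` above the hunk; if not, add `const fs = require('fs');`.
```javascript
const images = ['runtime-class-manager', 'node-installer'];
const arches = ['amd64', 'arm64'];
const suffixes = ['.spdx', '.spdx.cert', '.spdx.sig'];
const files = images.flatMap((image) =>
  arches.flatMap((arch) => suffixes.map((suffix) => `${image}-sbom-${arch}${suffix}`)),
);
const missing = files.filter((file) => !fs.existsSync(file));
if (missing.length > 0) throw new Error(`missing SBOM artifacts: ${missing.join(', ')}`);
// … unchanged: RELEASE_ID and the for (const file of files) upload loop …
```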
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index c7f41b1..3ef44e1 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -82,5 +82,5 @@ jobs: - name: Upload SBOMs as artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: - name: sbom-${{ matrix.arch }} + name: ${{ inputs.image-name }}-sbom-${{ matrix.arch }} path: ${{ inputs.image-name }}-sbom-*