-
Notifications
You must be signed in to change notification settings - Fork 33
106 lines (89 loc) · 4.74 KB
/
attestation.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
name: Sign attestation files
on:
workflow_call:
inputs:
image-digest:
type: string
required: true
jobs:
attestation:
name: Sign attestations and upload as artifacts
strategy:
matrix:
arch: [amd64, arm64]
permissions:
packages: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Install the crane command
uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Find platform digest
shell: bash
run: |
set -e
DIGEST=$(crane digest \
--platform "linux/${{ matrix.arch }}" \
ghcr.io/${{ github.repository_owner }}/kubewarden-controller@${{ inputs.image-digest }})
echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Find attestation digest
run: |
set -e
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ inputs.image-digest }} \
| jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
)
echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Find provenance manifest digest
run: |
set -e
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Sign provenance manifest
run: |
cosign sign --yes \
ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \
ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}
- name: Find SBOM manifest layer digest
run: |
set -e
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
- name: Download provenance and SBOM files
run: |
set -e
crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}} \
> kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json
sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json \
>> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.SBOM_DIGEST}} \
> kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json
sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json \
>> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
- name: Sign checksum file
run: |
cosign sign-blob --yes \
--bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
cosign verify-blob \
--bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \
kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
- name: Upload SBOMs as artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: attestation-${{ matrix.arch }}
path: kubewarden-controller-attestation-${{ matrix.arch }}*