⬆️ Bump github.com/sigstore/cosign/v2 from 2.2.1 to 2.2.2 #624

Workflow file for this run

	name: Continuous integration

	on:
	push:
	pull_request:
	types: [ opened, reopened ]
	workflow_dispatch:

	jobs:
	build:
	name: Build
	runs-on: ubuntu-20.04

	permissions:
	contents: read

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set up Go
	uses: actions/[email protected]
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Get dependencies
	run: make download

	- name: Lint
	run: \|
	result="$(make lint)"
	echo "$result"
	[ -n "$(echo "$result" \| grep 'diff -u')" ] && exit 1 \|\| exit 0

	- name: Build
	run: make build

	- name: Test
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	run: make test

	- name: Coverage
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	run: make coverage-out

	- name: Upload Code Coverage
	uses: codecov/[email protected]
	with:
	token: ${{ secrets.CODECOV_TOKEN }}
	files: ./coverage.out
	flags: unittests
	name: codecov-umbrella
	fail_ci_if_error: true
	verbose: true

	release:
	name: release
	needs: [build]
	outputs:
	container_digest: ${{ steps.container_info.outputs.container_digest }}
	container_tags: ${{ steps.container_info.outputs.container_tags }}

	runs-on: ubuntu-20.04

	permissions:
	contents: write
	packages: write

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Set up Go
	uses: actions/[email protected]
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Install cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.1'

	- name: Install Syft
	uses: anchore/sbom-action/[email protected]

	- name: Login to ghcr.io
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Set release variables
	id: release-vars
	run: \|
	make release-vars > /tmp/fatt-release-vars.env
	source /tmp/fatt-release-vars.env
	if [[ -n "$LDFLAGS" ]]; then
	echo "LDFLAGS=$LDFLAGS" >>"${GITHUB_OUTPUT}"
	fi
	if [[ -n "$GIT_HASH" ]]; then
	echo "GIT_HASH=$GIT_HASH" >>"${GITHUB_OUTPUT}"
	fi
	rm -f /tmp/fatt-release-vars.env

	- name: Install signing key
	run: echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key

	- name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') \|\| '' }}
	uses: goreleaser/goreleaser-action@v5
	with:
	version: latest
	args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') \|\| '' }}
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
	GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	- name: Get container info
	id: container_info
	if: startsWith(github.ref, 'refs/tags/')
	run: \|
	export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
	echo "container_digest=$CONTAINER_DIGEST" >>"${GITHUB_OUTPUT}"
	echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" \| paste -s -d ',' -)" >>"${GITHUB_OUTPUT}"

	- name: Cleanup signing keys
	if: ${{ always() }}
	run: rm -f cosign.key

	sbom:
	name: sbom
	needs: [release]
	if: startsWith(github.ref, 'refs/tags/')
	runs-on: ubuntu-20.04
	env:
	TAGS: "${{ needs.release.outputs.container_tags }}"

	steps:
	- name: Install cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.1'

	- name: Install Syft
	uses: anchore/sbom-action/[email protected]

	- name: Login to ghcr.io
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Attach SBOM
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	REPO: ghcr.io/philips-labs/fatt
	run: \|
	echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
	echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
	IFS=,
	for t in ${TAGS}; do
	cosign verify --key cosign.pub ${REPO}:${t}
	syft ${REPO}:${t} -o spdx-json > sbom-spdx.json
	cosign attach sbom --sbom sbom-spdx.json --type spdx ${REPO}:${t}
	cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${REPO}:${t}
	cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${REPO}:${t}
	done

	- name: Clean up signing keys
	if: ${{ always() }}
	run: \|
	rm -f cosign.key

	provenance:
	name: provenance
	needs: [release]
	if: startsWith(github.ref, 'refs/tags/')
	runs-on: ubuntu-20.04

	steps:
	- name: Generate provenance for Release
	uses: philips-labs/[email protected]
	with:
	command: generate
	subcommand: github-release
	arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

	- name: Install cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.1'

	- name: Sign provenance
	run: \|
	echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
	cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
	cat "${SIGNATURE}"
	curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
	curl_args+=(-H "Accept: application/vnd.github.v3+json")
	release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" \| jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" \| jq -r '.[0].id')"
	echo "Upload ${SIGNATURE} to release with id ${release_id}…"
	curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
	curl "${curl_args[@]}" \
	--data-binary @"${SIGNATURE}" \
	"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	SIGNATURE: provenance.att.sig

	container-provenance:
	name: container-provenance
	needs: [release]
	if: startsWith(github.ref, 'refs/tags/')
	runs-on: ubuntu-20.04
	env:
	REPO: ghcr.io/philips-labs/fatt

	steps:
	- name: Install cosign
	uses: sigstore/[email protected]
	with:
	cosign-release: 'v2.2.1'

	- name: Generate provenance for ${REPO}
	uses: philips-labs/[email protected]
	with:
	command: generate
	subcommand: container
	arguments: --repository ${REPO} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

	- name: Get slsa-provenance predicate
	run: \|
	cat provenance.att \| jq .predicate > provenance-predicate.att

	- name: Login to ghcr.io
	uses: docker/[email protected]
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Attach provenance to image
	run: \|
	echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
	cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${REPO}@${{ needs.release.outputs.container_digest }}
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	- name: Verify attestation
	run: \|
	echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
	cosign verify-attestation --key cosign.pub ${REPO}@${{ needs.release.outputs.container_digest }}

	- name: Cleanup signing keys
	if: ${{ always() }}
	run: \|
	rm -f cosign.key

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

⬆️ Bump github.com/sigstore/cosign/v2 from 2.2.1 to 2.2.2 #624

Workflow file

⬆️ Bump github.com/sigstore/cosign/v2 from 2.2.1 to 2.2.2 #624

Jobs

Run details

Workflow file for this run