.github/workflows/ci.yaml

name: Continuous integration

on:
  push:
  pull_request:
    types: [ opened, reopened ]
  workflow_dispatch:

jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04

    permissions:
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v4.1.0
        with:
          go-version-file: go.mod
          check-latest: true

      - name: Get dependencies
        run: make download

      - name: Lint
        run: |
          result="$(make  lint)"
          echo "$result"
          [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0

      - name: Build
        run: make build

      - name: Test
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make test

      - name: Coverage
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        run: make coverage-out

      - name: Upload Code Coverage
        uses: codecov/codecov-action@v3.1.4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage.out
          flags: unittests
          name: codecov-umbrella
          fail_ci_if_error: true
          verbose: true

  release:
    name: release
    needs: [build]
    outputs:
      container_digest: ${{ steps.container_info.outputs.container_digest }}
      container_tags: ${{ steps.container_info.outputs.container_tags }}

    runs-on: ubuntu-20.04

    permissions:
      contents: write
      packages: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v4.1.0
        with:
          go-version-file: go.mod
          check-latest: true

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.1.2
        with:
          cosign-release: 'v2.2.0'

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@v0.14.3

      - name: Login to ghcr.io
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set release variables
        id: release-vars
        run: |
          make release-vars > /tmp/fatt-release-vars.env
          source /tmp/fatt-release-vars.env
          if [[ -n "$LDFLAGS" ]]; then
            echo "LDFLAGS=$LDFLAGS" >>"${GITHUB_OUTPUT}"
          fi
          if [[ -n "$GIT_HASH" ]]; then
            echo "GIT_HASH=$GIT_HASH" >>"${GITHUB_OUTPUT}"
          fi
          rm -f /tmp/fatt-release-vars.env

      - name: Install signing key
        run: echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key

      - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
        uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
          args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
          GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Get container info
        id: container_info
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
          echo "container_digest=$CONTAINER_DIGEST" >>"${GITHUB_OUTPUT}"
          echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >>"${GITHUB_OUTPUT}"

      - name: Cleanup signing keys
        if: ${{ always() }}
        run: rm -f cosign.key

  sbom:
    name: sbom
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04
    env:
      TAGS: "${{ needs.release.outputs.container_tags }}"

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.1.2
        with:
          cosign-release: 'v2.2.0'

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@v0.14.3

      - name: Login to ghcr.io
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Attach SBOM
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          REPO: ghcr.io/philips-labs/fatt
        run: |
          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
          IFS=,
          for t in ${TAGS}; do
            cosign verify --key cosign.pub ${REPO}:${t}
            syft ${REPO}:${t} -o spdx-json > sbom-spdx.json
            cosign attach sbom --sbom sbom-spdx.json --type spdx ${REPO}:${t}
            cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${REPO}:${t}
            cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${REPO}:${t}
          done

      - name: Clean up signing keys
        if: ${{ always() }}
        run: |
          rm -f cosign.key

  provenance:
    name: provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04

    steps:
      - name: Generate provenance for Release
        uses: philips-labs/slsa-provenance-action@v0.8.0
        with:
          command: generate
          subcommand: github-release
          arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.1.2
        with:
          cosign-release: 'v2.2.0'

      - name: Sign provenance
        run: |
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
          cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
          cat "${SIGNATURE}"
          curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
          curl_args+=(-H "Accept: application/vnd.github.v3+json")
          release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')"
          echo "Upload ${SIGNATURE} to release with id ${release_id}…"
          curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
          curl "${curl_args[@]}" \
            --data-binary @"${SIGNATURE}" \
            "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          SIGNATURE: provenance.att.sig

  container-provenance:
    name: container-provenance
    needs: [release]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-20.04
    env:
      REPO: ghcr.io/philips-labs/fatt

    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v3.1.2
        with:
          cosign-release: 'v2.2.0'

      - name: Generate provenance for ${REPO}
        uses: philips-labs/slsa-provenance-action@v0.8.0
        with:
          command: generate
          subcommand: container
          arguments: --repository ${REPO} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Get slsa-provenance predicate
        run: |
          cat provenance.att | jq .predicate > provenance-predicate.att

      - name: Login to ghcr.io
        uses: docker/login-action@v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Attach provenance to image
        run: |
          echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
          cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${REPO}@${{ needs.release.outputs.container_digest }}
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      - name: Verify attestation
        run: |
          echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
          cosign verify-attestation --key cosign.pub ${REPO}@${{ needs.release.outputs.container_digest }}

      - name: Cleanup signing keys
        if: ${{ always() }}
        run: |
          rm -f cosign.key