Skip to content

Commit

Permalink
add attestation to regular docker image build
Browse files Browse the repository at this point in the history
  • Loading branch information
@momentmaker
momentmaker committed Aug 29, 2024
1 parent 5122cb5 commit 43050f4
Showing 1 changed file with 146 additions and 141 deletions.
287 changes: 146 additions & 141 deletions .github/workflows/build-publish.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,57 @@ jobs:
# with:
# github-token: ${{ secrets.GITHUB_TOKEN }}

# build-sign-publish-chainlink:
build-sign-publish-chainlink:
# needs: [checks]
if: ${{ ! startsWith(github.ref_name, 'release/') }}
runs-on: ubuntu-20.04
environment: build-publish
permissions:
id-token: write
contents: write
attestations: write
outputs:
docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

- name: Build, sign and publish chainlink image
id: build-sign-publish
uses: ./.github/actions/build-sign-publish-chainlink
with:
publish: true
aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
aws-region: ${{ secrets.AWS_REGION }}
ecr-hostname: ${{ env.ECR_HOSTNAME }}
ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
sign-images: true
verify-signature: true

- name: Attest Docker image
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
push-to-registry: true

# - name: Collect Metrics
# if: always()
# id: collect-gha-metrics
# uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
# with:
# id: build-chainlink-publish
# org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
# basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
# hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
# this-job-name: build-sign-publish-chainlink
# continue-on-error: true

# goreleaser-build-sign-publish-chainlink:
# needs: [checks]
# if: ${{ ! startsWith(github.ref_name, 'release/') }}
# runs-on: ubuntu-20.04
Expand All @@ -35,163 +85,118 @@ jobs:
# id-token: write
# contents: write
# attestations: write
# outputs:
# docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
# docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
# steps:
# - name: Checkout repository
# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

# - name: Build, sign and publish chainlink image
# id: build-sign-publish
# uses: ./.github/actions/build-sign-publish-chainlink
# - name: Configure aws credentials
# uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
# with:
# publish: true
# aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
# aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
# role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
# role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
# aws-region: ${{ secrets.AWS_REGION }}
# ecr-hostname: ${{ env.ECR_HOSTNAME }}
# ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
# dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
# dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
# sign-images: true
# verify-signature: true
# mask-aws-account-id: true
# role-session-name: goreleaser-build-sign-publish-chainlink

# - name: Build, sign, and publish image
# id: goreleaser-build-sign-publish
# uses: ./.github/actions/goreleaser-build-sign-publish
# with:
# docker-registry: ${{ env.ECR_HOSTNAME}}
# docker-image-name: ${{ env.ECR_IMAGE_NAME }}
# docker-image-tag: ${{ github.ref_name }}
# goreleaser-exec: ./tools/bin/goreleaser_wrapper
# goreleaser-config: .goreleaser.develop.yaml
# goreleaser-key: ${{ secrets.GORELEASER_KEY }}
# zig-version: 0.11.0
# enable-cosign: true
# cosign-version: "v2.4.0"

# - name: Output image name and digest
# id: get-image-name-digest
# shell: bash
# run: |
# artifact_path="dist/artifacts.json"

# jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt
# echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY"
# while read -r line; do
# echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
# done < output.txt

# core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64"
# plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64"
# core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64"
# plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64"

# echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
# echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
# echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
# echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"

# - name: Attest tarballs
# uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
# with:
# subject-path: "dist/*.tar.gz"

# - name: Attest Docker image (core-amd64)
# uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
# with:
# subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }}
# subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
# push-to-registry: true

# - name: Attest Docker image (plugings-amd64)
# uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
# with:
# subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }}
# subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
# push-to-registry: true

# - name: Attest Docker image (core-arm64)
# uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
# with:
# subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }}
# subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
# push-to-registry: true

# - name: Attest Docker image (plugings-arm64)
# uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
# with:
# subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }}
# subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
# push-to-registry: true

# - name: Upload SBOMs
# uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
# with:
# name: goreleaser-sboms
# path: dist/*.sbom.json

# - name: Print SBOM artifact to job summary
# env:
# GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# shell: bash
# run: |
# ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts)
# ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id')
# echo "Artifact ID: $ARTIFACT_ID"
# echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY"
# artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID"
# echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY

# - name: Collect Metrics
# if: always()
# id: collect-gha-metrics
# uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
# with:
# id: build-chainlink-publish
# id: goreleaser-build-chainlink-publish
# org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
# basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
# hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
# this-job-name: build-sign-publish-chainlink
# this-job-name: goreleaser-build-sign-publish-chainlink
# continue-on-error: true

goreleaser-build-sign-publish-chainlink:
# needs: [checks]
if: ${{ ! startsWith(github.ref_name, 'release/') }}
runs-on: ubuntu-20.04
environment: build-publish
permissions:
id-token: write
contents: write
attestations: write
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

- name: Configure aws credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
aws-region: ${{ secrets.AWS_REGION }}
mask-aws-account-id: true
role-session-name: goreleaser-build-sign-publish-chainlink

- name: Build, sign, and publish image
id: goreleaser-build-sign-publish
uses: ./.github/actions/goreleaser-build-sign-publish
with:
docker-registry: ${{ env.ECR_HOSTNAME}}
docker-image-name: ${{ env.ECR_IMAGE_NAME }}
docker-image-tag: ${{ github.ref_name }}
goreleaser-exec: ./tools/bin/goreleaser_wrapper
goreleaser-config: .goreleaser.develop.yaml
goreleaser-key: ${{ secrets.GORELEASER_KEY }}
zig-version: 0.11.0
enable-cosign: true
cosign-version: "v2.4.0"

- name: Output image name and digest
id: get-image-name-digest
shell: bash
run: |
artifact_path="dist/artifacts.json"
# temp debug
cat ${artifact_path}
jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt
echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY"
while read -r line; do
echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
done < output.txt
core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64"
plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64"
core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64"
plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64"
echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
- name: Attest tarballs
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-path: "dist/*.tar.gz"

- name: Attest Docker image (core-amd64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
push-to-registry: true

- name: Attest Docker image (plugings-amd64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
push-to-registry: true

- name: Attest Docker image (core-arm64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
push-to-registry: true

- name: Attest Docker image (plugings-arm64)
uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
with:
subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }}
subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
push-to-registry: true

- name: Upload SBOMs
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: goreleaser-sboms
path: dist/*.sbom.json

- name: Print SBOM artifact to job summary
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts)
ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id')
echo "Artifact ID: $ARTIFACT_ID"
echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY"
artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID"
echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY
- name: Collect Metrics
if: always()
id: collect-gha-metrics
uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
with:
id: goreleaser-build-chainlink-publish
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
this-job-name: goreleaser-build-sign-publish-chainlink
continue-on-error: true

# Notify Slack channel for new git tags.
# slack-notify:
# if: github.ref_type == 'tag'
Expand Down

0 comments on commit 43050f4

Please sign in to comment.