From 43050f4cb26af8a7fd822117b939de8d330acba9 Mon Sep 17 00:00:00 2001
From: frank zhu
Date: Thu, 29 Aug 2024 14:40:58 -0500
Subject: [PATCH] add attestation to regular docker image build
---
 .github/workflows/build-publish.yml | 287 ++++++++++++++--------------
 1 file changed, 146 insertions(+), 141 deletions(-)
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
index 3ae2e1e9d5a..4d7c407efed 100644
--- a/.github/workflows/build-publish.yml
+++ b/.github/workflows/build-publish.yml
@@ -26,7 +26,57 @@ jobs: # with: # github-token: ${{ secrets.GITHUB_TOKEN }} - # build-sign-publish-chainlink: + build-sign-publish-chainlink: + # needs: [checks] + if: ${{ ! startsWith(github.ref_name, 'release/') }} + runs-on: ubuntu-20.04 + environment: build-publish + permissions: + id-token: write + contents: write + attestations: write + outputs: + docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }} + docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }} + steps: + - name: Checkout repository + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + + - name: Build, sign and publish chainlink image + id: build-sign-publish + uses: ./.github/actions/build-sign-publish-chainlink + with: + publish: true + aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} + aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} + aws-region: ${{ secrets.AWS_REGION }} + ecr-hostname: ${{ env.ECR_HOSTNAME }} + ecr-image-name: ${{ env.ECR_IMAGE_NAME }} + dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} + dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} + sign-images: true + verify-signature: true + + - name: Attest Docker image + uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + with: + subject-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }} + subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} + push-to-registry: true + + # - name: Collect Metrics + # if: always() + # id: collect-gha-metrics + # uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1 + # with: + # id: build-chainlink-publish + # org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} + # basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} + # hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} + # this-job-name: build-sign-publish-chainlink + # continue-on-error: true + + # 
goreleaser-build-sign-publish-chainlink: # needs: [checks] # if: ${{ ! startsWith(github.ref_name, 'release/') }} # runs-on: ubuntu-20.04 
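Review bot: The new `build-sign-publish-chainlink` job grants `contents: write`, yet nothing visible in the hunk writes to the repository; `actions/attest-build-provenance` documents `id-token: write` and `attestations: write` with `contents: read` as sufficient, so unless the composite action `./.github/actions/build-sign-publish-chainlink` (outside this file) needs push rights, `contents: read` is the least-privilege setting and limits what a compromised build step could do with the job token. The `Attest Docker image` step also sets `push-to-registry: true`, which needs the runner to still be authenticated to `${{ env.ECR_HOSTNAME }}` when that step runs; whether the composite action's registry login survives into a later step is not visible here, so either confirm it or add an explicit registry login before the attest step so the attestation push cannot fail silently after the image is already published. `# needs: [checks]` remains commented out, so every non-release push publishes and attests an image without the checks job gating it; if that is intentional, a one-line comment such as `# needs: [checks]  # intentionally not gated on checks for develop builds` would stop the next reader from re-enabling it blindly. `env.ECR_HOSTNAME` and `env.ECR_IMAGE_NAME` are defined outside this hunk.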
@@ -35,163 +85,118 @@ jobs: # id-token: write # contents: write # attestations: write - # outputs: - # docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }} - # docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }} # steps: # - name: Checkout repository # uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - # - name: Build, sign and publish chainlink image - # id: build-sign-publish - # uses: ./.github/actions/build-sign-publish-chainlink + # - name: Configure aws credentials + # uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 # with: - # publish: true - # aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} - # aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} + # role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} + # role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} # aws-region: ${{ secrets.AWS_REGION }} - # ecr-hostname: ${{ env.ECR_HOSTNAME }} - # ecr-image-name: ${{ env.ECR_IMAGE_NAME }} - # dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }} - # dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }} - # sign-images: true - # verify-signature: true + # mask-aws-account-id: true + # role-session-name: goreleaser-build-sign-publish-chainlink + + # - name: Build, sign, and publish image + # id: goreleaser-build-sign-publish + # uses: ./.github/actions/goreleaser-build-sign-publish + # with: + # docker-registry: ${{ env.ECR_HOSTNAME}} + # docker-image-name: ${{ env.ECR_IMAGE_NAME }} + # docker-image-tag: ${{ github.ref_name }} + # goreleaser-exec: ./tools/bin/goreleaser_wrapper + # goreleaser-config: .goreleaser.develop.yaml + # goreleaser-key: ${{ secrets.GORELEASER_KEY }} + # zig-version: 0.11.0 + # enable-cosign: true + # cosign-version: "v2.4.0" + + # - name: Output image name and digest + # id: get-image-name-digest + # shell: bash + # run: | + # artifact_path="dist/artifacts.json" + + # 
jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt + # echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY" + # while read -r line; do + # echo "$line" | tee -a "$GITHUB_STEP_SUMMARY" + # done < output.txt + + # core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64" + # plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64" + # core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64" + # plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64" + + # echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" + # echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" + # echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" + # echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" + + # - name: Attest tarballs + # uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + # with: + # subject-path: "dist/*.tar.gz" + + # - name: Attest Docker image (core-amd64) + # uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + # with: + # subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }} + # subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} 
+ # push-to-registry: true + + # - name: Attest Docker image (plugings-amd64) + # uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + # with: + # subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }} + # subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} + # push-to-registry: true + + # - name: Attest Docker image (core-arm64) + # uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + # with: + # subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }} + # subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} + # push-to-registry: true + + # - name: Attest Docker image (plugings-arm64) + # uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + # with: + # subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }} + # subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} + # push-to-registry: true + + # - name: Upload SBOMs + # uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 + # with: + # name: goreleaser-sboms + # path: dist/*.sbom.json + + # - name: Print SBOM artifact to job summary + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # shell: bash + # run: | + # ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts) + # ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id') + # echo "Artifact ID: $ARTIFACT_ID" + # echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY" + # artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID" + # echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY # - name: Collect Metrics # if: always() # id: collect-gha-metrics # uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1 # with: - # id: 
build-chainlink-publish + # id: goreleaser-build-chainlink-publish # org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} # basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} # hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} - # this-job-name: build-sign-publish-chainlink + # this-job-name: goreleaser-build-sign-publish-chainlink # continue-on-error: true - goreleaser-build-sign-publish-chainlink: - # needs: [checks] - if: ${{ ! startsWith(github.ref_name, 'release/') }} - runs-on: ubuntu-20.04 - environment: build-publish - permissions: - id-token: write - contents: write - attestations: write - steps: - - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - - name: Configure aws credentials - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }} - role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }} - aws-region: ${{ secrets.AWS_REGION }} - mask-aws-account-id: true - role-session-name: goreleaser-build-sign-publish-chainlink - - - name: Build, sign, and publish image - id: goreleaser-build-sign-publish - uses: ./.github/actions/goreleaser-build-sign-publish - with: - docker-registry: ${{ env.ECR_HOSTNAME}} - docker-image-name: ${{ env.ECR_IMAGE_NAME }} - docker-image-tag: ${{ github.ref_name }} - goreleaser-exec: ./tools/bin/goreleaser_wrapper - goreleaser-config: .goreleaser.develop.yaml - goreleaser-key: ${{ secrets.GORELEASER_KEY }} - zig-version: 0.11.0 - enable-cosign: true - cosign-version: "v2.4.0" - - - name: Output image name and digest - id: get-image-name-digest - shell: bash - run: | - artifact_path="dist/artifacts.json" - # temp debug - cat ${artifact_path} - - jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt - echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY" - while read -r line; do - echo "$line" | tee -a "$GITHUB_STEP_SUMMARY" - done < 
output.txt - - core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64" - plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64" - core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64" - plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64" - - echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" - echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" - echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" - echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY" - - - name: Attest tarballs - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 - with: - subject-path: "dist/*.tar.gz" - - - name: Attest Docker image (core-amd64) - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 - with: - subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }} - subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} - push-to-registry: true - - - name: Attest Docker image (plugings-amd64) - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 - with: - subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }} - subject-name: 
${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} - push-to-registry: true - - - name: Attest Docker image (core-arm64) - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 - with: - subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }} - subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} - push-to-registry: true - - - name: Attest Docker image (plugings-arm64) - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 - with: - subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }} - subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }} - push-to-registry: true - - - name: Upload SBOMs - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4 - with: - name: goreleaser-sboms - path: dist/*.sbom.json - - - name: Print SBOM artifact to job summary - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - shell: bash - run: | - ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts) - ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id') - echo "Artifact ID: $ARTIFACT_ID" - echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY" - artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID" - echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY - - - name: Collect Metrics - if: always() - id: collect-gha-metrics - uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1 - with: - id: goreleaser-build-chainlink-publish - org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }} - basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }} - hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }} - this-job-name: goreleaser-build-sign-publish-chainlink - continue-on-error: true - # Notify Slack channel for new git tags. 
# slack-notify: # if: github.ref_type == 'tag'
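Review bot: The commented-out `Output image name and digest` step carries a copy/paste error onto the new side: the `core_arm64_digest` and `plugins_arm64_digest` lookups pass `--arg name "$core_amd64_name"` and `--arg name "$plugins_amd64_name"`, so if this job is re-enabled the two arm64 attestation steps would attest the amd64 digests again and the arm64 images would carry no provenance at all. The fix is to change those two lines to `--arg name "$core_arm64_name"` and `--arg name "$plugins_arm64_name"`. In the same disabled block the step names `plugings-amd64` and `plugings-arm64` are misspelled, and `tee -a $GITHUB_STEP_SUMMARY` in the `Print SBOM artifact to job summary` step is unquoted unlike every other use. None of this runs while the goreleaser job is commented out, but this is the copy that will be restored, so it is worth correcting before it is.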