BobyMCbobs/sample-ko-monorepo

sample-ko-monorepo

A sample Go app for demonstrating Ko with

Features

  • build each application, where Go package main entrypoints are
  • sign container images with Cosign

Automations

| Name | Description | Link |
| --- | --- | --- |
| Build | Builds and signs Go-based container images (ko, cosign) | link |
| Go test | Runs go test against the repo | link |
| Lint | Lints for code quality (golangci) | link |
| Image promotion | Tags images using image digests | link |
| Conform | Ensures that commits in PRs are standardised | link |
| Update Go version | Ensures that the Go version the applications use is the latest stable | link |

All of the actions are implemented as reusable workflows.

Usage

Install dependencies

Set up

  1. under Settings -> Code and automation -> Actions -> General, set Allow GitHub Actions to create and approve pull requests to true

  2. add a branch protection rule under Settings -> Code and automation -> Add rule entering

Branch name pattern: main
Require a pull request before merging: true
Require status checks to pass before merging: true
  Require branches to be up to date before merging: true
  Status checks:
    - golangci / lint
    - conform / conform
Require signed commits

Install products

launch a local kind cluster, pre-installed with Knative

kn quickstart kind

apply the pre-built release

kubectl apply -f https://github.com/BobyMCbobs/sample-ko-monorepo/raw/main/deploy/release.yaml

Locally run binaries

go run cmd/webthingy/main.go
go run cmd/mission-critical-service/main.go

Locally build

export KO_DOCKER_REPO=ghcr.io/bobymcbobs/sample-ko-monorepo
ko resolve --bare -f config/

Signatures and attestations

cosign tree IMAGE_REF

Verifying

Container images can be verified with the following command

cosign verify ghcr.io/bobymcbobs/sample-ko-monorepo/mission-critical-service@sha256:405b54637c79a0b0934d0d7f01464f358fe1fd118fefb1d9b77c8a351e9471b6 --certificate-identity https://github.com/BobyMCbobs/sample-ko-monorepo/.github/workflows/reusable-build.yml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com

SBOM attestations can be verified with the following command

cosign verify-attestation ghcr.io/bobymcbobs/sample-ko-monorepo/mission-critical-service@sha256:405b54637c79a0b0934d0d7f01464f358fe1fd118fefb1d9b77c8a351e9471b6 --certificate-identity https://github.com/BobyMCbobs/sample-ko-monorepo/.github/workflows/reusable-build.yml@refs/heads/main --certificate-oidc-issuer https://token.actions.githubusercontent.com  | jq -r .payload | base64 -d | jq -r .predicate.Data | bom document outline -
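
The commands above check one image at a time; the following added example (not part of this repository) gates a whole manifest such as deploy/release.yaml before it is applied, refusing any image reference that is not pinned by digest and verifying the rest against the same certificate identity and OIDC issuer. The function names, the script name and the sample manifest are assumptions made for illustration, as is the premise that every image in the manifest is signed by this repository's build workflow.

```shell
#!/bin/sh
# Added example, not part of the repository: gate a manifest before `kubectl apply`.
# Identity and issuer are the values from the cosign commands in this README.
CERT_IDENTITY='https://github.com/BobyMCbobs/sample-ko-monorepo/.github/workflows/reusable-build.yml@refs/heads/main'
CERT_ISSUER='https://token.actions.githubusercontent.com'
PINNED_RE='^[^@[:space:]]+@sha256:[0-9a-f]{64}$'

# Print the unique image references in a manifest (file arguments or stdin).
list_images() {
  sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]-]*image:[[:space:]]*//p' "$@" |
    tr -d "\"'" | sort -u
}

# Print references that are not pinned to a sha256 digest; succeed only if none.
unpinned_images() {
  ! list_images "$@" | grep -Ev "$PINNED_RE"
}

# Refuse tag-based references, then verify every image signature with cosign.
verify_manifest() {
  if ! unpinned_images "$1" >&2; then
    echo "refusing $1: the references above are not pinned by digest" >&2
    return 1
  fi
  list_images "$1" | while IFS= read -r ref; do
    cosign verify "$ref" --certificate-identity "$CERT_IDENTITY" \
      --certificate-oidc-issuer "$CERT_ISSUER" </dev/null >/dev/null || exit 1
  done
}

# Constructed sample input: one digest-pinned image and one tag-only image.
sample_manifest() {
  cat <<'EOF'
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: demo
spec:
  template:
    spec:
      containers:
        - image: ghcr.io/bobymcbobs/sample-ko-monorepo/mission-critical-service@sha256:405b54637c79a0b0934d0d7f01464f358fe1fd118fefb1d9b77c8a351e9471b6
        - image: "ghcr.io/bobymcbobs/sample-ko-monorepo/webthingy:latest"
EOF
}

# Usage (hypothetical script name): ./verify-release.sh deploy/release.yaml && kubectl apply -f deploy/release.yaml
if [ "$#" -gt 0 ]; then verify_manifest "$1"; fi
```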

Troubleshooting

images fail to push

adjust the actions package access settings in

  1. go to github.com/{{org/user}}
  2. go to the packages tab
  3. click on the package failing
  4. ensure that the Actions repository access is set up to point to the source repo
  5. set manage Actions access role field to write

TODOs

  • dependency security scanning
  • automatic dependency updates
  • Go version upgrade auto-PR
  • add build dependency cache

Related