diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
new file mode 100644
index 0000000..a4feb11
--- /dev/null
+++ b/.github/workflows/image.yaml
@@ -0,0 +1,47 @@
+name: image
+
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+jobs:
+ image:
+ runs-on: ubuntu-latest
+ outputs:
+ commit-date: ${{ steps.ldflags.outputs.commit-date }}
+ commit: ${{ steps.ldflags.outputs.commit }}
+ version: ${{ steps.ldflags.outputs.version }}
+ tree-state: ${{ steps.ldflags.outputs.tree-state }}
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-go@v3
+ with:
+ go-version: 1.19
+ check-latest: true
+ - uses: sigstore/cosign-installer@v2.8.1
+ - uses: ko-build/setup-ko@v0.6
+ - id: ldflags
+ run: |
+ echo "commit-date=$(git log --date=iso8601-strict -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
+ echo "commit=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
+ echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
+ echo "tree-state=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" >> "$GITHUB_OUTPUT"
+ - name: Publish and sign image
+ env:
+ KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
+ COSIGN_EXPERIMENTAL: 'true'
+ run: |
+ export LDGLAGS="-X main.Version=${{needs.args.outputs.version}} -X main.Commit=${{needs.args.outputs.commit}} -X main.CommitDate=${{needs.args.outputs.commit-date}} -X main.TreeState=${{needs.args.outputs.tree-state}}"
+ echo "${{ github.token }}" | ko login ghcr.io --username "${{ github.actor }}" --password-stdin
+ img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} ./cmd/sbom-scorecard)
+ echo "built ${img}"
+ cosign sign ${img} \
+ -a sha=${{ github.sha }} \
+ -a run_id=${{ github.run_id }} \
+ -a run_attempt=${{ github.run_attempt }}
diff --git a/.ko.yaml b/.ko.yaml
new file mode 100644
index 0000000..d762b78
--- /dev/null
+++ b/.ko.yaml
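Review bot: The `Publish and sign image` step exports `LDGLAGS`, while the new `.ko.yaml` in the next hunk reads `{{ .Env.LDFLAGS }}`, so the version/commit information is never injected into the binary; the same line also references `needs.args.outputs.*`, but there is no `args` job — the values are produced by the `ldflags` step of this same job and are reachable as `steps.ldflags.outputs.*`, so every expression currently expands to an empty string. Rename the variable and point it at the step: `export LDFLAGS="-X main.Version=${{ steps.ldflags.outputs.version }} -X main.Commit=${{ steps.ldflags.outputs.commit }} -X main.CommitDate=${{ steps.ldflags.outputs.commit-date }} -X main.TreeState=${{ steps.ldflags.outputs.tree-state }}"`. Because this job holds `packages: write` and `id-token: write` and produces a cosign-signed release artifact, the third-party actions it runs (`actions/checkout@v3`, `actions/setup-go@v3`, `sigstore/cosign-installer@v2.8.1`, `ko-build/setup-ko@v0.6`) should be pinned to full commit SHAs rather than mutable tags, so that a moved tag cannot change the code that executes with those credentials. `go-version: 1.19` should also be quoted like the neighbouring `COSIGN_EXPERIMENTAL: 'true'`, since an unquoted `1.20` would later be read as the float `1.2`.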
@@ -0,0 +1,6 @@
+baseImageOverride: cgr.dev/chainguard/static:latest
+
+builds:
+- id: sbom-scorecard
+ ldflags:
+ - "{{ .Env.LDFLAGS }}"
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 00ca8a6..6e5fb84 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/inconshreveable/mousetrap v1.0.1 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
-github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb // indirect
+github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 291c309..1e64854 100644
--- a/go.sum
+++ b/go.sum
@@ -12,8 +12,9 @@ github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb h1:bLo8hvc8XFm9J47r690TUKBzcjSWdJDxmjXJZ+/f92U=
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
+github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 h1:dArkMwZ7Mf2JiU8OfdmqIv8QaHT4oyifLIe1UhsF1SY=
+github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
 github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342 h1:6uvaOTv4GeRqQV6O1/znbpziqhctMRLTy3OGeZrNMic=
 github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
 github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
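Review bot: `baseImageOverride: cgr.dev/chainguard/static:latest` pins the base image to a floating tag, so `ko build` resolves a different base whenever the tag moves and two runs of the release workflow can publish images with different base layers under the same signed version; the cosign signature then attests a build whose inputs cannot be reconstructed from the repository. Pin the base by digest as well as tag, `baseImageOverride: cgr.dev/chainguard/static:latest@sha256:<BASE_IMAGE_DIGEST>` (digest to be filled in from the registry), and bump it deliberately. The `ldflags` entry reads `{{ .Env.LDFLAGS }}`, which only takes effect once the workflow exports that exact name (see the note on the workflow hunk). The file is also missing its trailing newline, per the `\ No newline at end of file` marker.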