Add SLSA signing and provenance to release

Signed-off-by: Alexandr Demicev <alexandr.demicev@suse.com>
rancher · Sep 27, 2023 · 2cb0b9d · 2cb0b9d
1 parent 68f5070
commit 2cb0b9d
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 5 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -29,6 +29,9 @@ jobs:
     permissions:
       contents: read
       packages: write
+    outputs:
+      ghcr-images: ${{ steps.ghcr-images.outputs.ghcr-images }}
+      prod-images: ${{ steps.prod-images.outputs.prod-images }}
     steps:
     - name: Checkout
       uses: actions/checkout@v4
@@ -38,27 +41,94 @@ jobs:
       uses: actions/setup-go@v4
       with:
         go-version: '=1.20.7'
-    - name: Docker login
+    - name: Docker login to ghcr registry
       uses: docker/login-action@v3
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ env.USERNAME }}
         password: ${{ env.PASSWORD }}
-    - name: Build docker image
+    - name: Build docker image for gh registry
       run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}
     - name: Push docker image to gh registry
       run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.REGISTRY }}
-
+    - name: Store list of ghcr images
+      id: ghcr-images
+      run: |
+        output=$(./scripts/images-digest.sh ${{ env.TAG }} ${{ env.REGISTRY }})
+        echo "ghcr-images=$result" >> "$GITHUB_OUTPUT"
     - name: Docker login to prod registry
       uses: docker/login-action@v3
       with:
         registry: ${{ env.PROD_REGISTRY }}
         username: ${{ env.PROD_USERNAME }}
         password: ${{ env.PROD_PASSWORD }}
-    - name: Build prod docker image
+    - name: Build docker image for prod registry
       run: make docker-build-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
     - name: Push docker image to prod registry
       run: make docker-push-all TAG=${{ env.TAG }} REGISTRY=${{ env.PROD_REGISTRY }} ORG=${{ env.PROD_ORG }}
+    - name: Store list of prod images
+      id: prod-images
+      run: |
+        output=$(./scripts/images-digest.sh ${{ env.TAG }} ${{ env.REGISTRY }})
+        echo "prod-images=$result" >> "$GITHUB_OUTPUT"
+  ghcr-sign:
+    runs-on: ubuntu-latest
+    needs: [build]
+    strategy:
+      matrix:
+        images: ${{ needs.build.outputs.ghcr-images }}
+    steps:
+      - uses: sigstore/cosign-installer@v3.1.2
+      - name: Sign manifests
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign --yes ${{ matrix.images.image }}
+  ghcr-provenance:
+    needs: [build, ghcr-sign]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    strategy:
+      matrix:
+        images: ${{ needs.build.outputs.ghcr-images }}
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ${{ matrix.images.image }}
+      digest: ${{ matrix.images.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+  prod-sign:
+    runs-on: ubuntu-latest
+    needs: [build]
+    strategy:
+      matrix:
+        images: ${{ needs.build.outputs.prod-images }}
+    steps:
+      - uses: sigstore/cosign-installer@v3.1.2
+      - name: Sign manifests
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign --yes ${{ matrix.images.image }}
+  prod-provenance:
+    needs: [build, prod-sign]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    strategy:
+      matrix:
+        images: ${{ needs.build.outputs.prod-images }}
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: ${{ matrix.images.image }}
+      digest: ${{ matrix.images.digest }}
+      registry-username: ${{ secrets.REGISTRY_USERNAME }}
+    secrets:
+      registry-password: ${{ secrets.REGISTRY_PASSWORD }}
   release:
     name: Create helm release
     runs-on: ubuntu-latest
@@ -92,4 +162,4 @@ jobs:
         run: cr upload --skip-existing -c "$(git rev-parse HEAD)" --release-notes-file=RELEASE_NOTES.md
 
       - name: Run chart-releaser index
-        run: cr index --push
+        run: cr index --push
diff --git a/Makefile b/Makefile
@@ -294,6 +294,10 @@ docker-build-%:
 docker-build: docker-pull-prerequisites ## Run docker-build-* targets for all providers
 	DOCKER_BUILDKIT=1 docker build --build-arg builder_image=$(GO_CONTAINER_IMAGE) --build-arg goproxy=$(GOPROXY) --build-arg ARCH=$(ARCH) --build-arg package=. --build-arg ldflags="$(LDFLAGS)" . -t $(MANIFEST_IMG):$(TAG)
 
+docker-list-all:
+	@echo $(CONTROLLER_IMG):${TAG}
+	@for arch in $(ALL_ARCH); do echo $(CONTROLLER_IMG)-$${arch}:${TAG}; done
+
 ##@ Deployment
 
 ifndef ignore-not-found