
feat: attach sbom/provenance files to GH release, fix clomonitor (#1656)

* feat: attach sbom/provenance files to GH release, fix clomonitor

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

* fix: remove codesee

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner 3 years ago
parent
commit
8cce1ad284

+ 4 - 0
.clomonitor.yml

@@ -0,0 +1,4 @@
+licenseScanning:
+  # License scanning of dependencies is done from a GitHub Action.
+  # You can view the latest results on the main branch following this link
+  url: https://github.com/external-secrets/external-secrets/actions/workflows/dlc.yml?query=branch%3Amain

+ 1 - 0
.github/CODEOWNERS

@@ -0,0 +1 @@
+*       @external-secrets/maintainers

+ 6 - 4
.github/actions/sign/action.yml

@@ -67,11 +67,12 @@ runs:
 
     - name: Attach SBOM to image
       shell: bash
+      id: sbom
       env:
         COSIGN_EXPERIMENTAL: "1"
       run: |
-        syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom-spdx.json
-        cosign attest --predicate sbom-spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
+        syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json
+        cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json --type spdx "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
         cosign verify-attestation --type spdx ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }} | jq '.payload |= @base64d | .payload | fromjson'
 
     - name: Generate provenance
@@ -79,16 +80,17 @@ runs:
       with:
         command: generate
         subcommand: container
-        arguments: --repository "${{ inputs.image-name }}" --output-path provenance.att --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
+        arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
       env:
         COSIGN_EXPERIMENTAL: "0"
         GITHUB_TOKEN: "${{ inputs.GITHUB_TOKEN }}"
 
     - name: Attach provenance
       shell: bash
+      id: provenance
       env:
         COSIGN_EXPERIMENTAL: "1"
       run: |
-        jq '.predicate' provenance.att > provenance-predicate.att
+        jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl > provenance-predicate.att
         cosign attest --predicate provenance-predicate.att --type slsaprovenance "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}"
         cosign verify-attestation --type slsaprovenance ${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}
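Review bot: The new `syft … -o spdx-json=sbom.${{ inputs.image-tag }}.spdx.json` and `cosign attest --predicate sbom.${{ inputs.image-tag }}.spdx.json …` lines splice `inputs.image-tag` into the bash script at template-expansion time, so any shell metacharacters in the tag are interpreted by the shell instead of being treated as part of a filename; the `jq '.predicate' provenance.${{ inputs.image-tag }}.intoto.jsonl` line in the second hunk has the same shape. Both steps already carry an `env:` block, so the safer form is to add `IMAGE_TAG: ${{ inputs.image-tag }}` there and reference it as a quoted shell variable, e.g. `syft "${{ inputs.image-name }}@${{ steps.container_info.outputs.digest }}" -o "spdx-json=sbom.${IMAGE_TAG}.spdx.json"` and `cosign attest --predicate "sbom.${IMAGE_TAG}.spdx.json" --type spdx …`, and likewise `"provenance.${IMAGE_TAG}.intoto.jsonl"` in the provenance step. The added `id: sbom` and `id: provenance` are not paired with any `outputs` in these hunks; if nothing else in action.yml references them they are inert, and if the intent is to hand the generated filenames to release.yml an explicit output would avoid the caller reconstructing the name from its own `env.RELEASE_TAG`. The `runs.steps` sequence these steps belong to starts and ends outside the hunks.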

+ 0 - 87
.github/workflows/codesee-arch-diagram.yml

@@ -1,87 +0,0 @@
-on:
-  push:
-    branches:
-      - main
-  pull_request_target:
-    types: [opened, synchronize, reopened]
-
-name: CodeSee Map
-
-jobs:
-  test_map_action:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    name: Run CodeSee Map Analysis
-    steps:
-      - name: checkout
-        id: checkout
-        uses: actions/checkout@v2
-        with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.ref }}
-          fetch-depth: 0
-
-      # codesee-detect-languages has an output with id languages.
-      - name: Detect Languages
-        id: detect-languages
-        uses: Codesee-io/codesee-detect-languages-action@latest
-
-      - name: Configure JDK 16
-        uses: actions/setup-java@v2
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).java }}
-        with:
-          java-version: '16'
-          distribution: 'zulu'
-
-      # CodeSee Maps Go support uses a static binary so there's no setup step required.
-
-      - name: Configure Node.js 14
-        uses: actions/setup-node@v2
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).javascript }}
-        with:
-          node-version: '14'
-
-      - name: Configure Python 3.x
-        uses: actions/setup-python@v4.3.0
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).python }}
-        with:
-          python-version: '3.10'
-          architecture: 'x64'
-
-      - name: Configure Ruby '3.x'
-        uses: ruby/setup-ruby@v1
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).ruby }}
-        with:
-          ruby-version: '3.0'
-
-      # We need the rust toolchain because it uses rustc and cargo to inspect the package
-      - name: Configure Rust 1.x stable
-        uses: actions-rs/toolchain@v1
-        if: ${{ fromJSON(steps.detect-languages.outputs.languages).rust }}
-        with:
-          toolchain: stable
-
-      - name: Generate Map
-        id: generate-map
-        uses: Codesee-io/codesee-map-action@latest
-        with:
-          step: map
-          api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
-          github_ref: ${{ github.ref }}
-          languages: ${{ steps.detect-languages.outputs.languages }}
-
-      - name: Upload Map
-        id: upload-map
-        uses: Codesee-io/codesee-map-action@latest
-        with:
-          step: mapUpload
-          api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
-          github_ref: ${{ github.ref }}
-
-      - name: Insights
-        id: insights
-        uses: Codesee-io/codesee-map-action@latest
-        with:
-          step: insights
-          api_token: ${{ secrets.CODESEE_ARCH_DIAG_API_TOKEN }}
-          github_ref: ${{ github.ref }}

+ 12 - 1
.github/workflows/release.yml

@@ -74,7 +74,7 @@ jobs:
 
     permissions:
       id-token: write
-      contents: read
+      contents: write
 
     env:
       SOURCE_TAG: main${{ matrix.tag_suffix }}
@@ -120,6 +120,7 @@ jobs:
         run: make docker.promote
 
       - name: Sign promoted image
+        id: sign
         uses: ./.github/actions/sign
         with:
           image-name: ${{ env.IMAGE_NAME }}
@@ -127,3 +128,13 @@ jobs:
           GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
           GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.event.inputs.version }}
+          files: |
+            provenance.${{ env.RELEASE_TAG }}.intoto.jsonl
+            sbom.${{ env.RELEASE_TAG }}.spdx.json
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
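Review bot: `uses: softprops/action-gh-release@v1` references a mutable major tag while running with the job's newly granted `contents: write` permission, so whoever can move that tag can alter what is published to the release, including the SBOM and provenance files this step exists to attach; for a step whose purpose is supply-chain evidence, pin it to a full commit SHA with the version noted alongside, e.g. `uses: softprops/action-gh-release@<commit-sha> # v1`. Raising `contents: read` to `contents: write` in the first hunk applies to the whole job, and the same token is forwarded into the sign composite action via `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, so every step there (including third-party ones) now holds a write-capable token; if only the upload needs it, a separate job with its own `permissions:` block keeps the signing steps at read. The uploaded filenames are built from `env.RELEASE_TAG` while `tag_name` comes from `github.event.inputs.version`, and the hunks do not show where `RELEASE_TAG` or the sign action's `image-tag` input are set, so whether the names produced by the sign step and the globs listed under `files:` always agree cannot be confirmed here; worth checking, along with how the action behaves when a listed file is absent. The job definition these hunks belong to starts above the first hunk.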

+ 7 - 0
README.md

@@ -44,10 +44,17 @@ Anyone is welcome to join. Feel free to ask questions, request feedback, raise a
 
 Please report vulnerabilities by email to contact@external-secrets.io. Also see our [SECURITY.md file](SECURITY.md) for details.
 
+## software bill of materials
+We attach SBOM and provenance file to our GitHub release. Also, they are attached to container images.
+
 ## Adopters
 
 Please create a PR and add your company or project to our [ADOPTERS.md file](ADOPTERS.md) if you are using our project!
 
+## Roadmap
+
+You can find the roadmap in our documentation: https://external-secrets.io/main/contributing/roadmap/
+
 ## Kicked off by
 
 ![](assets/Godaddylogo_2020.png)