logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118
							name: 'Provenance / SBOM / Sign'

description: 'Creates SBOM & provenance files and signs the image'

inputs:
  image-name:
    description: "name of the image"
    required: true
    default: ''
  image-tag:
    description: "image tag"
    required: true
    default: ""

runs:
  using: "composite"

  steps:

    - name: Install cosign
      # https://github.com/sigstore/cosign-installer/releases/tag/v4.0.0
      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      with:
        cosign-release: 'v3.0.3'

    - name: Install Syft
      # https://github.com/anchore/sbom-action/releases/tag/v0.22.2
      uses: anchore/sbom-action/download-syft@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
      with:
        syft-version: v1.41.2

    - name: Check Cosign install
      shell: bash
      run: cosign version

    - name: Login to ghcr.io
      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ github.token }}

    - name: Setup Go
      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
      with:
        go-version-file: go.mod

    - name: Set up crane
      shell: bash
      run: go install github.com/google/go-containerregistry/cmd/crane@v0.11.0

    - name: Get docker image tag
      id: container_info
      shell: bash
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_TAG: ${{ inputs.image-tag }}
      run: echo "digest=$(crane digest ${IMAGE_NAME}:${IMAGE_TAG})" >> $GITHUB_OUTPUT

    - name: Sign image
      shell: bash
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
        GITHUB_TRIGGERING_ACTOR: ${{ github.triggering_actor }}
      run: cosign sign --yes -a GITHUB_ACTOR=${GITHUB_TRIGGERING_ACTOR} "${IMAGE_NAME}@${CONTAINER_DIGEST}"

    - name: Attach SBOM to image
      shell: bash
      id: sbom
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_TAG: ${{ inputs.image-tag }}
        CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
      run: |
        # Image SBOM (OS + application libs contained in the image)
        syft "${IMAGE_NAME}@${CONTAINER_DIGEST}" -o spdx-json=sbom.${IMAGE_TAG}.spdx.json
        # cosign attest --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
        cosign attest --yes --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
        # cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} \
            --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq '.payload |= @base64d | .payload | fromjson'
        # Go modules SBOM (dependencies from the source tree)
        # Requires repository to be checked out before this composite action runs.
        syft dir:. -o spdx-json=sbom.gomod.${IMAGE_TAG}.spdx.json
        # cosign attest --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
        cosign attest --yes --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
        cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} \
            --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq '.payload |= @base64d | .payload | fromjson'

    - name: Generate provenance
      # https://github.com/philips-labs/slsa-provenance-action/releases/tag/v0.7.2
      uses: philips-labs/slsa-provenance-action@dddb40e199ae28d4cd2f17bad7f31545556fdd3d # v0.7.2
      with:
        command: generate
        subcommand: container
        arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
      env:
        COSIGN_EXPERIMENTAL: "0"
        GITHUB_TOKEN: "${{ github.token }}"

    - name: Attach provenance
      shell: bash
      id: provenance
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_TAG: ${{ inputs.image-tag }}
        CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
      run: |
        jq '.predicate' provenance.${IMAGE_TAG}.intoto.jsonl > provenance-predicate.att
        # cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
        cosign attest --yes --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
        # cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST}
        cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST} \
            --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/.*" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com