| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109 |
- name: 'Provenance / SBOM / Sign'
- description: 'Creates SBOM & provenance files and signs the image'
- inputs:
- image-name:
- description: "name of the image"
- required: true
- default: ''
- image-tag:
- description: "image tag"
- required: true
- default: ""
- runs:
- using: "composite"
- steps:
- - name: Install cosign
- # https://github.com/sigstore/cosign-installer/releases/tag/v2.8.1
- uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1
- with:
- cosign-release: v1.13.6
- - name: Install Syft
- # https://github.com/anchore/sbom-action/releases/tag/v0.7.0
- uses: anchore/sbom-action/download-syft@ce4a7cf05d7b684693d7b6bba97bfbee56806edb # v0.7.0
- - name: Check Cosign install
- shell: bash
- run: cosign version
- - name: Login to ghcr.io
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ github.token }}
- - name: Setup Go
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
- with:
- go-version-file: go.mod
- - name: Set up crane
- shell: bash
- run: go install github.com/google/go-containerregistry/cmd/crane@v0.11.0
- - name: Get docker image tag
- id: container_info
- shell: bash
- env:
- IMAGE_NAME: ${{ inputs.image-name }}
- IMAGE_TAG: ${{ inputs.image-tag }}
- run: echo "digest=$(crane digest ${IMAGE_NAME}:${IMAGE_TAG})" >> $GITHUB_OUTPUT
- - name: Sign image
- shell: bash
- env:
- COSIGN_EXPERIMENTAL: "1"
- IMAGE_NAME: ${{ inputs.image-name }}
- CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
- GITHUB_TRIGGERING_ACTOR: ${{ github.triggering_actor }}
- run: cosign sign -a GITHUB_ACTOR=${GITHUB_TRIGGERING_ACTOR} "${IMAGE_NAME}@${CONTAINER_DIGEST}"
- - name: Attach SBOM to image
- shell: bash
- id: sbom
- env:
- COSIGN_EXPERIMENTAL: "1"
- IMAGE_NAME: ${{ inputs.image-name }}
- IMAGE_TAG: ${{ inputs.image-tag }}
- CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
- run: |
- # Image SBOM (OS + application libs contained in the image)
- syft "${IMAGE_NAME}@${CONTAINER_DIGEST}" -o spdx-json=sbom.${IMAGE_TAG}.spdx.json
- cosign attest --predicate sbom.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
- cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
- # Go modules SBOM (dependencies from the source tree)
- # Requires repository to be checked out before this composite action runs.
- syft dir:. -o spdx-json=sbom.gomod.${IMAGE_TAG}.spdx.json
- cosign attest --predicate sbom.gomod.${IMAGE_TAG}.spdx.json --type spdx "${IMAGE_NAME}@${CONTAINER_DIGEST}"
- cosign verify-attestation --type spdx ${IMAGE_NAME}@${CONTAINER_DIGEST} | jq '.payload |= @base64d | .payload | fromjson'
- - name: Generate provenance
- # https://github.com/philips-labs/slsa-provenance-action/releases/tag/v0.7.2
- uses: philips-labs/slsa-provenance-action@dddb40e199ae28d4cd2f17bad7f31545556fdd3d # v0.7.2
- with:
- command: generate
- subcommand: container
- arguments: --repository "${{ inputs.image-name }}" --output-path provenance.${{ inputs.image-tag }}.intoto.jsonl --digest "${{ steps.container_info.outputs.digest }}" --tags "${{ inputs.image-tag }}"
- env:
- COSIGN_EXPERIMENTAL: "0"
- GITHUB_TOKEN: "${{ github.token }}"
- - name: Attach provenance
- shell: bash
- id: provenance
- env:
- COSIGN_EXPERIMENTAL: "1"
- IMAGE_NAME: ${{ inputs.image-name }}
- IMAGE_TAG: ${{ inputs.image-tag }}
- CONTAINER_DIGEST: ${{ steps.container_info.outputs.digest }}
- run: |
- jq '.predicate' provenance.${IMAGE_TAG}.intoto.jsonl > provenance-predicate.att
- cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_NAME}@${CONTAINER_DIGEST}"
- cosign verify-attestation --type slsaprovenance ${IMAGE_NAME}@${CONTAINER_DIGEST}
|
