Merge pull request intelops#207 from intelops/add-checks-for-templates

Add checks for templates

.github/workflows/ci.yml

@@ -17,24 +17,24 @@ jobs:
       actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
           token: ${{ secrets.GH_TOKEN }}
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.20'
+          go-version: '1.22'
           cache-dependency-path: '**/go.sum'
       - name: Build
         run: |
           go build -v ./...
       - name: golangci-lint
         run: |
-          go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.52.2
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.57.2
           golangci-lint run
       - name: Install Protoc
-        uses: arduino/setup-protoc@v2
+        uses: arduino/setup-protoc@v3
         with:
           version: "23.x"
       - name: Test
@@ -51,7 +51,7 @@ jobs:
           go run main.go pullTemplates --all
           go test -v ./... -race -coverprofile=coverage.out -coverpkg=./... -covermode=atomic
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           files: ./coverage.out
           flags: core
@@ -83,14 +83,14 @@ jobs:
       security-events: write
     steps:
       - name: Checkout GitHub Action
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         # setup Docker build action
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}
           tags: |
@@ -100,13 +100,13 @@ jobs:
           flavor: |
             latest=true
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GH_TOKEN }}
       - name: Build image and push to GitHub Container Registry
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           # relative path to the place where source code with Dockerfile is located
           context: .

.github/workflows/release.yml

@@ -28,18 +28,18 @@ jobs:
       - name: Test environment variable
         run: echo ${{ env.RELEASE_VERSION }}
       - name: Check out GitHub repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: recursive
           token: ${{ secrets.GH_TOKEN }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GH_TOKEN }}
       - name: Build image and push to GitHub Container Registry
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           push: true
           context: .
@@ -73,7 +73,7 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
           submodules: 'recursive'
@@ -85,7 +85,7 @@ jobs:
         run: |
           # List all nested directories
           find . -type f
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: 1.21
           cache: true

.gitignore

@@ -17,3 +17,7 @@ compage
 dist/
 /cosign.key
 /cosign.pub
+/myproject/*
+myproject/*
+cmd/artifacts/.DS_Store
+/__debug_bin*

.goreleaser.yaml

@@ -63,7 +63,7 @@ signs:
       - '--output-signature=${signature}'
       - '${artifact}'
       - "--yes"
-    artifacts: checksum
+    artifacts: all
     output: true
 
 changelog:

.vscode/launch.json

@@ -8,7 +8,7 @@
       "mode": "debug",
       "program": "${workspaceRoot}/main.go",
       "cwd": "${workspaceRoot}",
-      "args": ["init", "--language","dotnet"]
+      "args": ["pullTemplates"]
     }
   ]
 }

CONTRIBUTING.md

@@ -27,8 +27,8 @@ To contribute code.
 ## Regenerate the gRPC code from .proto files
 - Install below packages to regenerate the gRPC code.
    ```shell
-   go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28
-   go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2
+   go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+   go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
    ``` 
 - Update below statement in ~/.zshrc or ~/.bashrc depending on the shell you are using.
    ```shell

Makefile

@@ -0,0 +1,2 @@
+proto:
+	if [ -d "gen/api/v1" ]; then rm -rf gen/api/v1; fi && mkdir -p ./gen && protoc --go_out=./gen --go-grpc_opt=paths=source_relative --go_opt=paths=source_relative --go-grpc_out=./gen api/v1/*.proto

api/v1/project.proto

@@ -9,13 +9,14 @@ service ProjectService {
 }
 
 message GenerateCodeRequest {
-  string projectName = 1;
-  string projectJSON = 2;
-  string gitRepositoryName = 3;
-  string gitPlatformName = 4;
-  string gitPlatformURL = 5;
-  string gitPlatformUserName = 6;
-  string projectMetadata = 7;
+  string projectVersion = 1;
+  string projectName = 2;
+  string projectJSON = 3;
+  string gitRepositoryName = 4;
+  string gitPlatformName = 5;
+  string gitPlatformURL = 6;
+  string gitPlatformUserName = 7;
+  string projectMetadata = 8;
 }
 
 message GenerateCodeResponse{

cmd/artifacts/cosign/verifier.go

@@ -0,0 +1,107 @@
+package cosign
+
+import (
+	"context"
+	"github.com/fatih/color"
+	"github.com/google/go-containerregistry/pkg/name"
+	artifactUtils "github.com/intelops/compage/cmd/artifacts/utils"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	sig "github.com/sigstore/cosign/v2/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	log "github.com/sirupsen/logrus"
+)
+
+func VerifyArtifact(ctx context.Context, key string) error {
+	artifactURL := ctx.Value(artifactUtils.ContextKeyArtifactURL).(string)
+	ref, err := name.ParseReference(artifactURL)
+	if err != nil {
+		log.Errorf("parsing reference: %v", err)
+		return err
+	}
+	chopts := &cosign.CheckOpts{
+		ClaimVerifier: cosign.SimpleClaimVerifier,
+	}
+	chopts.RekorClient, err = rekor.NewClient(options.DefaultRekorURL)
+	if err != nil {
+		log.Errorf("creating Rekor client: %v", err)
+		return err
+	}
+	chopts.RootCerts, err = fulcio.GetRoots()
+	if err != nil {
+		log.Errorf("getting Fulcio root certs: %v", err)
+		return err
+	}
+	ro := options.RegistryOptions{}
+	chopts.RegistryClientOpts, err = ro.ClientOpts(ctx)
+	if err != nil {
+		log.Errorf("getting registry client options: %v", err)
+		return err
+	}
+	chopts.IntermediateCerts, err = fulcio.GetIntermediates()
+	if err != nil {
+		log.Errorf("unable to get Fulcio intermediate certs: %s", err)
+		return err
+	}
+	// Check if PubKey is supplied
+	if key != "" {
+		pub, err := sig.LoadPublicKey(ctx, key)
+		if err != nil {
+			log.Errorf("Error loading Pub Key: %v", err)
+			return err
+		}
+		chopts.SigVerifier = pub
+	}
+	fulcioVerified := chopts.SigVerifier == nil
+	chopts.RekorPubKeys, err = cosign.GetRekorPubs(ctx)
+	if err != nil {
+		log.Errorf("unable to get Rekor public keys: %s", err)
+		return err
+	}
+	chopts.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)
+	if err != nil {
+		log.Errorf("unable to get CTLog public keys: %s", err)
+		return err
+	}
+	sigs, bundleVerified, err := cosign.VerifyImageSignatures(context.Background(), ref, chopts)
+	if err != nil {
+		log.Errorf("verifying image signatures: %v", err)
+		return err
+	}
+
+	if bundleVerified {
+		verify.PrintVerificationHeader(ctx, ref.String(), chopts, bundleVerified, fulcioVerified)
+		for _, signature := range sigs {
+			if cert, err := signature.Cert(); err == nil && cert != nil {
+				ce := cosign.CertExtensions{Cert: cert}
+				sub := ""
+				if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {
+					sub = sans[0]
+				}
+				color.Green("Certificate subject: %s", sub)
+				if issuerURL := ce.GetIssuer(); issuerURL != "" {
+					color.Green("Certificate issuer URL: %s", issuerURL)
+				}
+				if githubWorkflowTrigger := ce.GetCertExtensionGithubWorkflowTrigger(); githubWorkflowTrigger != "" {
+					color.Green("GitHub Workflow Trigger: %s", githubWorkflowTrigger)
+				}
+				if githubWorkflowSha := ce.GetExtensionGithubWorkflowSha(); githubWorkflowSha != "" {
+					color.Green("GitHub Workflow SHA: %s", githubWorkflowSha)
+				}
+				if githubWorkflowName := ce.GetCertExtensionGithubWorkflowName(); githubWorkflowName != "" {
+					color.Green("GitHub Workflow Name: %s", githubWorkflowName)
+				}
+				if githubWorkflowRepository := ce.GetCertExtensionGithubWorkflowRepository(); githubWorkflowRepository != "" {
+					color.Green("GitHub Workflow Repository: %s", githubWorkflowRepository)
+				}
+				if githubWorkflowRef := ce.GetCertExtensionGithubWorkflowRef(); githubWorkflowRef != "" {
+					color.Green("GitHub Workflow Ref: %s", githubWorkflowRef)
+				}
+			}
+		}
+	}
+	return nil
+}