added release pipeline bits

.github/workflows/build.yaml

@@ -40,20 +40,51 @@ jobs:
           path: target/
           if-no-files-found: error
 
+      - name: Upload runner binary
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
+        with:
+          name: runner
+          path: target/github-stats-*-runner
+          if-no-files-found: error
+
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        run: |
+          echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT"
+
       - name: Get image tags
         id: image_tags
         uses: redhat-cop/github-actions/get-image-version@main
         with:
           IMAGE_CONTEXT_DIR: src/main/docker
 
       - name: Build image
+        id: build_image
         uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2
         with:
           dockerfiles: src/main/docker/Dockerfile.native-micro
           image: github-stats
           oci: true
           tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
 
+      - name: Push to ghcr.io
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2
+        id: push_image
+        with:
+          image: ${{ steps.build_image.outputs.image }}
+          registry: ghcr.io/${{ github.repository }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          tags: ${{ steps.build_image.outputs.tags }}
+
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+      image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
+      image_digest: "${{ steps.push_image.outputs.digest }}"
+      image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"
+
   analyze:
     needs: [ build ]
     runs-on: ubuntu-latest
@@ -114,3 +145,96 @@ jobs:
           GITHUB_LOGIN: ${{ github.repository_owner }}
           GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
         run: ./github-stats-*-runner create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --members-csv=tests/members.csv --fail-if-no-vpn=false
+
+  sign-image:
+    needs: [ build ]
+    permissions:
+      id-token: write
+      packages: write
+    if: startsWith(github.ref, 'refs/tags/')
+    env:
+      image_uri: ${{ needs.build.outputs.image_uri }} # todo
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup cosign
+        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3
+
+      - name: Cosign login
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io
+
+      - name: Sign Image
+        run: |
+          cosign sign --yes ${image_uri}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0
+        env:
+          TRIVY_USERNAME: ${{ github.repository_owner }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          scan-type: image
+          image-ref: ${{ env.image_uri }}
+          format: "cosign-vuln"
+          output: "cosign-vuln.json"
+
+      - name: Run Trivy SBOM generator
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0
+        env:
+          TRIVY_USERNAME: ${{ github.repository_owner }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          scan-type: image
+          image-ref: ${{ env.image_uri }}
+          format: "spdx-json"
+          output: "spdx-json.json"
+
+      - name: Attach attestations
+        run: |
+          cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri}
+          cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri}
+
+  provenance_binary:
+    needs: [ build ]
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
+
+  provenance_image:
+    needs: [ build ]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.build.outputs.image_repo }}
+      digest: ${{ needs.build.outputs.image_digest }}
+      registry-username: ${{ github.repository_owner }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  release:
+    needs: [ build ]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: write
+    steps:
+      - name: Download runner
+        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4
+        with:
+          name: runner
+
+      - name: Upload assets to release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        with:
+          files: |
+            github-stats-*-runner

renovate.json

@@ -3,5 +3,19 @@
   "extends": [
     "config:best-practices",
     "schedule:earlyMondays"
+  ],
+  "packageRules": [
+    {
+      "matchDepTypes": [
+        "action"
+      ],
+      "matchPackageNames": [
+        "slsa-framework/slsa-github-generator"
+      ],
+      "matchUpdateTypes": [
+        "pinDigest"
+      ],
+      "enabled": false
+    }
   ]
 }