Merge pull request #24 from natrontech/ci/update-workflows
ci: change to ko and goreleaser, add SLSA3 verification, fix security issues
Showing 31 changed files with 1,215 additions and 205 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
--- | ||
name: Bug report | ||
about: Create a report to help me improve | ||
title: '' | ||
labels: '' | ||
assignees: '' | ||
|
||
--- | ||
|
||
**Describe the bug** | ||
A clear and concise description of what the bug is. | ||
|
||
**To Reproduce** | ||
Steps to reproduce the behavior. | ||
|
||
**Expected behavior** | ||
A clear and concise description of what you expected to happen. | ||
|
||
**Screenshots** | ||
If applicable, add screenshots to help explain your problem. | ||
|
||
**Additional context** | ||
Add any other context about the problem here. |
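Review bot: the template asks for reproduction steps but has no field for the environment, and reports against an exporter usually hinge on versions; consider adding a section such as `**Environment**` asking for the pbs-exporter version and the Proxmox Backup Server version. Also, `about: Create a report to help me improve` reads oddly for an organisation-owned repository; "help us improve" fits better.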
@@ -0,0 +1,20 @@ | ||
--- | ||
name: Feature request | ||
about: Suggest an idea for this project | ||
title: '' | ||
labels: '' | ||
assignees: '' | ||
|
||
--- | ||
|
||
**Is your feature request related to a problem? Please describe.** | ||
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] | ||
|
||
**Describe the solution you'd like** | ||
A clear and concise description of what you want to happen. | ||
|
||
**Describe any alternatives you've considered** | ||
A clear and concise description of any alternative solutions or features you've considered. | ||
|
||
**Additional context** | ||
Add any additional context or screenshots about the feature request here. |
@@ -0,0 +1,16 @@ | ||
<!-- | ||
Thank you for contributing to natrontech/pbs-exporter. | ||
--> | ||
|
||
**What this PR does**: | ||
|
||
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # | ||
|
||
**Notes for Reviewer**: | ||
|
||
|
||
**Checklist**: | ||
|
||
- [ ] I have read and understood the [CONTRIBUTING](https://github.com/natrontech/pbs-exporter/blob/main/CONTRIBUTING.md) and [CODE_OF_CONDUCT](https://github.com/natrontech/pbs-exporter/blob/main/CODE_OF_CONDUCT.md) documents | ||
- [ ] Pull Request title in the format of [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) e.g. `feat|fix|chore|docs|...: Changed Something` | ||
- [ ] Updated documentation in the `README.md` file (e.g. new parameters, environment variables, return values, ...) |
@@ -0,0 +1,92 @@ | ||
name: Publish image | ||
|
||
description: Publishes a docker image, SBOM, scans vulns, and signs the image. | ||
|
||
inputs: | ||
makefile-target: | ||
required: true | ||
description: makefile target to invoke for publishing image with ko | ||
registry: | ||
required: true | ||
description: registry to publish image to | ||
registry-username: | ||
required: true | ||
description: registry credentials username | ||
registry-password: | ||
required: true | ||
description: registry credentials password | ||
repository: | ||
required: true | ||
description: repository to publish image to | ||
version: | ||
required: true | ||
description: published image version | ||
sign-image: | ||
required: true | ||
description: sign image | ||
sbom-name: | ||
required: true | ||
description: name of the cyclonedx sbom | ||
sbom-repository: | ||
required: true | ||
description: sbom repository | ||
signature-repository: | ||
required: true | ||
description: signature repository | ||
main-path: | ||
required: true | ||
description: path to main go entry point | ||
|
||
outputs: | ||
digest: | ||
value: ${{ steps.digest.outputs.digest }} | ||
description: published image digest | ||
|
||
runs: | ||
using: composite | ||
steps: | ||
- shell: bash | ||
id: ko-publish | ||
env: | ||
REGISTRY: ${{ inputs.registry }} | ||
REPO: ${{ inputs.repository }} | ||
REGISTRY_PASSWORD: ${{ inputs.registry-password }} | ||
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }} | ||
run: | | ||
set -e | ||
echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT | ||
- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0 | ||
with: | ||
version: v1 | ||
args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }} | ||
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | ||
with: | ||
name: ${{ inputs.sbom-name }}-bom-cdx | ||
path: ${{ inputs.sbom-name }}-bom.cdx.json | ||
- shell: bash | ||
if: ${{ inputs.sign-image == 'true' }} | ||
env: | ||
COSIGN_REPOSITORY: ${{ inputs.signature-repository }} | ||
run: | | ||
set -e | ||
cosign sign --yes \ | ||
-a "repo=${{ github.repository }}" \ | ||
-a "workflow=${{ github.workflow }}" \ | ||
-a "ref=${{ github.sha }}" \ | ||
${{ steps.ko-publish.outputs.digest }} | ||
- shell: bash | ||
env: | ||
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }} | ||
run: | | ||
cosign attest --yes \ | ||
--predicate ./${{ inputs.sbom-name }}-bom.cdx.json \ | ||
--type cyclonedx \ | ||
--oidc-provider github-actions \ | ||
${{ steps.ko-publish.outputs.digest }} | ||
- shell: bash | ||
id: digest | ||
run: | | ||
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}" | ||
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2) | ||
echo "Digest from image is: $DIGEST" | ||
echo "digest=$DIGEST" >> $GITHUB_OUTPUT |
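Review bot: `set -e` in the `ko-publish` step does not catch a failing `make`: the exit status of the line `echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT` is that of `echo`, so a failed build or push still produces a "successful" step, and the later `cosign sign` and `cosign attest` steps then operate on an empty or partial digest. Capture the output first (`DIGEST=$(VERSION=... make ...)`), then write it to a quoted `"$GITHUB_OUTPUT"`, and consider failing the step unless the value has the expected `@sha256:` form. Three smaller points in the same hunk: `inputs.version` and `inputs.makefile-target` are expanded directly into the shell script, whereas `REGISTRY`, `REPO` and `REGISTRY_PASSWORD` go through `env:`; routing all inputs through `env:` keeps input values from being interpreted by the shell. The `registry-username` input is declared `required: true` but no step exports or references it, so either the Makefile obtains the username elsewhere or the input is dead. Finally, the `cosign attest` step is the only `run:` block without `set -e`, and unlike `cosign sign` it is not gated on `sign-image`, which looks unintended.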
@@ -0,0 +1,90 @@ | ||
# GitHub Workflows | ||
|
||
## Overview | ||
|
||
Following workflows are implemented in the repository. | ||
[SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) is used to store the results for an analysis of code scanning tools in the Security tab of the repository. | ||
|
||
| Workflow | Jobs | Trigger | SARIF upload | Description | | ||
| :----------------------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ----------------------------------------------------------------------------------------------- | | ||
| [codeql.yml](./codeql.yml) | `analyze` | push/pr to `main`, cron: `00 13 * * 1` | yes | Semantic code analysis | | ||
| [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main` | - | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced | | ||
| [golangci-lint.yml](./golangci-lint.yml) | `lint` | push/pr on `*` | - | Lint Go Code | | ||
| [gosec.yml](./gosec.yml) | `analyze` | push/pr on `*` | - | Inspects source code for security problems in Go code | | ||
| [osv-scan.yml](./osv-scan.yml) | `analyze` | push/pr to `main`, cron: `30 13 * * 1` | yes | Scanning for vulnerabilites in dependencies | | ||
| [release.yml](./release.yml) | see [release chapter](#release) | push tag `v*` | - | Create release with go binaries and docker container | | ||
| [scorecard.yml](./scorecard.yml) | `analyze` | push to `main`, cron: `00 14 * * 1`, change branch protection | yes | Create OpenSSF analysis and create project score | | ||
|
||
## CodeQL | ||
|
||
Action: https://github.com/github/codeql-action | ||
|
||
[CodeQL](https://codeql.github.com/) is a semantic code analysis engine that can find security vulnerabilities in codebases. The workflow displays security alerts in the repository's Security tab or in pull requests. | ||
|
||
## Dependency Review | ||
|
||
Action: https://github.com/actions/dependency-review-action | ||
|
||
This action scans the dependency manifest files that change as part of a pull request, revealing known-vulnerable versions of the packages declared or updated in the PR. Pull requests that introduce known-vulnerable packages will be blocked from merging. | ||
It also allows you to define a list of licenses that are allowed or disallowed in the project, and will check if the PR introduces a dependency with a disallowed license. | ||
It also checks the OpenSSF scorecard for all dependencies and allows to warn if a dependency has a low score. | ||
|
||
More information can be found in the [GitHub documentation](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) | ||
|
||
## GolangCI-Lint | ||
|
||
Action: https://github.com/golangci/golangci-lint-action | ||
|
||
[GolangCI-Lint](https://golangci-lint.run/) is a fast Go linters runner. It runs linters in parallel, uses caching, and works on Linux, macOS, and Windows. The workflow runs the linters on the Go code in the repository. | ||
|
||
## Gosec | ||
|
||
Action: https://github.com/securego/gosec | ||
|
||
[Gosec](https://securego.io/) is a security tool that performs static code analysis of Go code. The workflow scans the Go code in the repository for security issues. | ||
|
||
## OSV-Scan | ||
|
||
Action: https://github.com/google/osv-scanner-action | ||
|
||
[OSV-Scan](https://osv.dev/) is a vulnerability database and triage infrastructure for open-source projects. The [OSV-Scanner](https://google.github.io/osv-scanner/) finds vulnerabilities in dependencies of an project and uploads the results to the Security tab of the repository. | ||
|
||
## Release | ||
|
||
The release workflow includes multiple jobs to create a release of the project. Following jobs are implemented: | ||
|
||
| Job | GitHub Action | Description | | ||
| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------- | | ||
| `goreleaser` | [goreleaser-action](https://github.com/goreleaser/goreleaser-action) | Creates the go archives & checksums file | | ||
| `ko-publish` | [publish-image action](../actions/publish-image/action.yaml) | Create the container images & SBOMs, sign images and upload to the GitHub registry | | ||
| `binary-provenance` | [generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) | Generate provenance for all release artifacts (go archives & SBOMs) | | ||
| `image-provenance` | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images | | ||
| `verification-with-slsa-verifier` | - | Verifying the cryptographic signatures on provenance for all binary releases | | ||
| `verification-with-cosign` | - | Verifying the cryptographic signatures on provenance for the container image | | ||
|
||
### Go Release | ||
|
||
This repository uses [goreleaser](https://goreleaser.com/) to create all the release artifacts. GoReleaser can build and release Go binaries for multiple platforms, create archives/container images/SBOMs and more. All the configuration for the release is stored in the file [.goreleaser.yml](./../../.goreleaser.yml). | ||
For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom.json`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)). | ||
|
||
### Container Release | ||
|
||
The multi-arch container images are built using [ko](https://ko.build/) in the [publish-image](../actions/publish-image/action.yaml) action and uploaded to the GitHub Container Registry. The docker image provenance is generated using the [SLSA Container Generator](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) and uploaded to the registry. The provenance can be verified using the `slsa-verifier` or `cosign` tool (see [Release Verification](./../../SECURITY.md#release-verification)). | ||
|
||
**Credits**: The [publish-image](../actions/publish-image/action.yaml) action is from [Kyverno](https://github.com/kyverno/kyverno). | ||
|
||
### Container SBOM | ||
|
||
[ko](https://ko.build/features/sboms/) only generates a "minimal" SBOM for the container images (see [comment in GitHub Issue](https://github.com/ko-build/ko/pull/587#issuecomment-1034926085)) and lacks some information (e.g. Licensing information or the `version` field which is set to `devel` instead of the actual version). | ||
|
||
To generate a complete SBOM for the container images, the [go-gomod-generate-sbom](https://github.com/CycloneDX/gh-gomod-generate-sbom) action is used instead. | ||
|
||
The SBOMs of the container images are uploaded to a separate package registry (see [SBOM](./../../SECURITY.md#sbom) for more information). | ||
|
||
## Scorecards | ||
|
||
Action: https://github.com/ossf/scorecard-action | ||
|
||
[Scorecards](https://github.com/ossf/scorecard) is a tool that provides a security score for open-source projects. The workflow runs the scorecard on the repository and uploads the results to the Security tab of the repository. There is also a report on the OpenSSF website, the link is available in the README file by clicking on the OpenSSF Scorecard badge. | ||
|
||
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/natrontech/pbs-exporter/badge)](https://securityscorecards.dev/viewer/?uri=github.com/natrontech/pbs-exporter) |
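Review bot: several wording fixes in this README: "vulnerabilites" in the osv-scan row should be "vulnerabilities"; "dependencies of an project" should be "of a project"; "Following workflows are implemented" and "Following jobs are implemented" read better as "The following ..."; and the dependency-review description "Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced" is ungrammatical ("Checks whether a pull request introduces vulnerable dependencies or disallowed licenses" would do). In the Container SBOM section the link text `go-gomod-generate-sbom` does not match the action's actual name `gh-gomod-generate-sbom`, which is what the URL and `action.yaml` use.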
This file was deleted.
@@ -1,76 +1,59 @@ | ||
# For most projects, this workflow file will not need changing; you simply need | ||
# to commit it to your repository. | ||
# | ||
# You may wish to alter this file to override the set of languages analyzed, | ||
# or to provide custom queries or build logic. | ||
# | ||
# ******** NOTE ******** | ||
# We have attempted to detect the languages in your repository. Please check | ||
# the `language` matrix defined below to confirm you have the correct set of | ||
# supported CodeQL languages. | ||
# | ||
name: "CodeQL" | ||
|
||
on: | ||
push: | ||
branches: [ "main" ] | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
branches: [ "main" ] | ||
schedule: | ||
- cron: '25 4 * * 3' | ||
- cron: '00 13 * * 1' | ||
|
||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.ref }} | ||
cancel-in-progress: true | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
name: Analyze (${{ matrix.language }}) | ||
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | ||
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} | ||
permissions: | ||
actions: read | ||
contents: read | ||
# required for all workflows | ||
security-events: write | ||
# required to fetch internal or private CodeQL packs | ||
packages: read | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
language: [ 'go' ] | ||
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] | ||
# Use only 'java' to analyze code written in Java, Kotlin or both | ||
# Use only 'javascript' to analyze code written in JavaScript, TypeScript or both | ||
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | ||
include: | ||
- language: go | ||
build-mode: manual | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
with: | ||
persist-credentials: false | ||
|
||
# Initializes the CodeQL tools for scanning. | ||
- name: Initialize CodeQL | ||
uses: github/codeql-action/init@v3 | ||
uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 | ||
with: | ||
languages: ${{ matrix.language }} | ||
# If you wish to specify custom queries, you can do so here or in a config file. | ||
# By default, queries listed here will override any specified in a config file. | ||
# Prefix the list here with "+" to use these queries and those in the config file. | ||
|
||
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
# queries: security-extended,security-and-quality | ||
|
||
|
||
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). | ||
# If this step fails, then you should remove it and run the build manually (see below) | ||
- name: Autobuild | ||
uses: github/codeql-action/autobuild@v3 | ||
|
||
# ℹ️ Command-line programs to run using the OS shell. | ||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun | ||
|
||
# If the Autobuild fails above, remove it and uncomment the following three lines. | ||
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. | ||
build-mode: ${{ matrix.build-mode }} | ||
|
||
# - run: | | ||
# echo "Run, Build Application using script" | ||
# ./location_of_script_within_repo/buildscript.sh | ||
- if: matrix.build-mode == 'manual' | ||
env: | ||
# fix "go: download go1.22 for linux/amd64: toolchain not available" error | ||
GOTOOLCHAIN: "go1.22.4" | ||
run: | | ||
make go-build | ||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v3 | ||
uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 | ||
with: | ||
category: "/language:${{matrix.language}}" |
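Review bot: `GOTOOLCHAIN: "go1.22.4"` hardcodes a toolchain version in the workflow, so it will silently drift from the `go` directive in `go.mod` on the next bump; either note in the comment that the two must be kept in sync or derive the value from `go.mod`. The comments around the build step still describe the Autobuild flow ("If the Autobuild fails above, remove it and uncomment the following three lines", "Run, Build Application using script") that this change replaces with `build-mode: manual` and `make go-build`; they should be updated or dropped. The manual build step would also benefit from a `name:` so it is identifiable in the job log. Pinning `actions/checkout` and `github/codeql-action` to commit SHAs with version comments is consistent with the Scorecard and SLSA goals of the PR.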