From cbebf1cdefc5412526ad640eed84300acf8b82bc Mon Sep 17 00:00:00 2001 From: cpanato Date: Sun, 31 Mar 2024 17:56:35 +0200 Subject: [PATCH] add bom and attestation to release jobs Signed-off-by: cpanato --- .github/workflows/release.yml | 51 +++++++++++++++++++++++++++++++- .github/workflows/snapshot.yaml | 51 +++++++++++++++++++++++++++++--- .goreleaser.yml | 49 ++++++++++++++++++++++++++++++ .krel-bom-config.yaml | 27 +++++++++++++++++ .publish-release-bom-config.yaml | 27 +++++++++++++++++ .release-notes-bom-config.yaml | 27 +++++++++++++++++ 6 files changed, 227 insertions(+), 5 deletions(-) create mode 100644 .krel-bom-config.yaml create mode 100644 .publish-release-bom-config.yaml create mode 100644 .release-notes-bom-config.yaml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8333452ea98..fb5be5f9137 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,8 +6,11 @@ on: tags: - 'v*' +permissions: + contents: read + jobs: - build: + release: runs-on: ubuntu-latest permissions: @@ -34,6 +37,9 @@ jobs: - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 + - name: Install bom + uses: kubernetes-sigs/release-actions/setup-bom@841d76a188a7c121231a863572e27012805715a2 # v0.1.4 + - name: Build and publish release uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 if: contains(github.ref, 'refs/tags') 
@@ -46,3 +52,46 @@ jobs: with: name: artifacts path: dist/* + + attestation: + runs-on: ubuntu-latest + + permissions: + id-token: write + contents: write + + needs: + - release + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: audit + + - name: Check out code onto GOPATH + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 1 + + - name: Set tag output + id: tag + run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + + - name: Install tejolote + uses: kubernetes-sigs/release-actions/setup-tejolote@841d76a188a7c121231a863572e27012805715a2 # v0.1.4 + + - run: | + tejolote attest --artifacts github://kubernetes/release/${{ steps.tag.outputs.tag_name }} github://kubernetes/release/"${GITHUB_RUN_ID}" --output release.intoto.json --sign + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Release + uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4 + with: + files: release.intoto.json + tag_name: "${{ steps.tag.outputs.tag_name }}" + token: ${{ secrets.GITHUB_TOKEN }} + env: + GITHUB_REPOSITORY: kubernetes/release diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml index 2ca80008571..053ed7f279e 100644 --- a/.github/workflows/snapshot.yaml +++ b/.github/workflows/snapshot.yaml @@ -4,13 +4,13 @@ name: test-snapshot-release on: pull_request: +permissions: + contents: read + jobs: - build: + snapshot: runs-on: ubuntu-latest - permissions: - contents: read - steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 
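Review bot: The tejolote step in the new `attestation` job interpolates `${{ steps.tag.outputs.tag_name }}` straight into the `run:` script, so the tag name (taken verbatim from `GITHUB_REF` on any `v*` tag push) is expanded before the shell sees it, in a job that holds `id-token: write` and `contents: write`; a tag containing shell metacharacters would execute there. Pass it through the environment and quote it, matching how `"${GITHUB_RUN_ID}"` is already handled: add `TAG_NAME: ${{ steps.tag.outputs.tag_name }}` under the step's `env:` and use `--artifacts github://kubernetes/release/"${TAG_NAME}"` in the command. This job also pins actions/checkout at v4.1.1 while the snapshot workflow in the same patch pins v4.1.2; using one SHA in both avoids drift. The `GITHUB_REPOSITORY: kubernetes/release` override on the `Release` step is presumably there for softprops/action-gh-release; a one-line comment saying why it is needed would help the next reader.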
@@ -29,6 +29,9 @@ jobs: go-version: '1.22' check-latest: true + - name: Install bom + uses: kubernetes-sigs/release-actions/setup-bom@841d76a188a7c121231a863572e27012805715a2 # v0.1.4 + - name: Test release build uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: @@ -36,7 +39,47 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: check binary + run: | + ./dist/krel-amd64-linux version + ./dist/publish-release-amd64-linux help + ./dist/release-notes-amd64-linux version + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: artifacts path: dist/* + + attestation: + runs-on: ubuntu-latest + + permissions: + contents: read + + needs: + - snapshot + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: audit + + - name: Check out code onto GOPATH + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + fetch-depth: 1 + + - name: Install tejolote + uses: kubernetes-sigs/release-actions/setup-tejolote@841d76a188a7c121231a863572e27012805715a2 # v0.1.4 + + - run: | + tejolote attest github://kubernetes/release/"${GITHUB_RUN_ID}" --output release.intoto.json + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: release.intoto.json + path: ./release.intoto.json diff --git a/.goreleaser.yml b/.goreleaser.yml index d0d61ef7108..621cc34ff9b 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
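Review bot: The `tejolote attest github://kubernetes/release/"${GITHUB_RUN_ID}"` command in the snapshot `attestation` job hard-codes the repository, so when this `pull_request` workflow runs in a fork it would look up the run ID in upstream rather than in the repository that actually executed it; `github://${GITHUB_REPOSITORY}/"${GITHUB_RUN_ID}"` keeps the attestation tied to the run being described (the release workflow in this patch has the same pattern). Both new attestation jobs set `egress-policy: audit`, which only logs outbound connections; once the endpoints tejolote and the GitHub API need are known, `egress-policy: block` with an `allowed-endpoints` list would make that an enforced control rather than a log. The `check binary` step exercises only the amd64-linux binaries, so a break in the darwin or arm64 targets would not be caught here; a comment such as `# Smoke test of the host-runnable artifacts only; other targets are build-checked by goreleaser` would make that scope explicit.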
@@ -60,6 +60,55 @@ signs: args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"] artifacts: all +sboms: + - id: krel + cmd: bom + args: + - generate + - "--output" + - "krel-bom.json.spdx" + - "-d" + - "../" + - "-c" + - "../.krel-bom-config.yaml" + - "--format" + - "json" + artifacts: any + documents: + - "krel-bom.json.spdx" + + - id: release-notes + cmd: bom + args: + - generate + - "--output" + - "release-notes-bom.json.spdx" + - "-d" + - "../" + - "-c" + - "../.release-notes-bom-config.yaml" + - "--format" + - "json" + artifacts: any + documents: + - "release-notes-bom.json.spdx" + + - id: publish-release + cmd: bom + args: + - generate + - "--output" + - "publish-release-bom.json.spdx" + - "-d" + - "../" + - "-c" + - "../.publish-release-bom-config.yaml" + - "--format" + - "json" + artifacts: any + documents: + - "publish-release-bom.json.spdx" + checksum: name_template: 'checksums.txt' diff --git a/.krel-bom-config.yaml b/.krel-bom-config.yaml new file mode 100644 index 00000000000..393f5db626f --- /dev/null +++ b/.krel-bom-config.yaml @@ -0,0 +1,27 @@ +--- +license: Apache-2.0 +name: krel +creator: + person: The Kubernetes Authors + tool: krel + +artifacts: + - type: file + source: krel-amd64-darwin + license: Apache-2.0 + gomodules: true + + - type: file + source: krel-amd64-linux + license: Apache-2.0 + gomodules: true + + - type: file + source: krel-arm64-darwin + license: Apache-2.0 + gomodules: true + + - type: file + source: krel-arm64-linux + license: Apache-2.0 + gomodules: true diff --git a/.publish-release-bom-config.yaml b/.publish-release-bom-config.yaml new file mode 100644 index 00000000000..f3d886ccaa8 --- /dev/null +++ b/.publish-release-bom-config.yaml 
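Review bot: The three `sboms` entries use `artifacts: any`, so each runs `bom generate` once against the fixed file list in its config rather than against the artifacts goreleaser actually produced; nothing here verifies that every built binary lands in an SBOM, so a GOOS/GOARCH target added to the `builds` section (outside this hunk) would presumably ship without one. A comment above the block should state that invariant, e.g. `# Artifact lists live in .<tool>-bom-config.yaml and must be kept in sync with builds:`. Please also confirm that the existing `signs` entry with `artifacts: all` (visible at the top of the hunk) covers SBOM documents, so the new `*.json.spdx` files are signed and published alongside the binaries rather than as unsigned sidecars. The relative `-d ../` and `-c ../...` paths presumably rely on goreleaser invoking the command from `dist/`; a comment noting that assumption would save the next reader a trip to the docs.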
@@ -0,0 +1,27 @@ +--- +license: Apache-2.0 +name: publish-release +creator: + person: The Kubernetes Authors + tool: publish-release + +artifacts: + - type: file + source: publish-release-amd64-darwin + license: Apache-2.0 + gomodules: true + + - type: file + source: publish-release-amd64-linux + license: Apache-2.0 + gomodules: true + + - type: file + source: publish-release-arm64-darwin + license: Apache-2.0 + gomodules: true + + - type: file + source: publish-release-arm64-linux + license: Apache-2.0 + gomodules: true diff --git a/.release-notes-bom-config.yaml b/.release-notes-bom-config.yaml new file mode 100644 index 00000000000..1cbdfdc84df --- /dev/null +++ b/.release-notes-bom-config.yaml @@ -0,0 +1,27 @@ +--- +license: Apache-2.0 +name: release-notes +creator: + person: The Kubernetes Authors + tool: release-notes + +artifacts: + - type: file + source: release-notes-amd64-darwin + license: Apache-2.0 + gomodules: true + + - type: file + source: release-notes-amd64-linux + license: Apache-2.0 + gomodules: true + + - type: file + source: release-notes-arm64-darwin + license: Apache-2.0 + gomodules: true + + - type: file + source: release-notes-arm64-linux + license: Apache-2.0 + gomodules: true
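Review bot: The artifact list in this new config is hand-maintained and identical in shape to the krel and release-notes configs with only the tool name changed, and each `source:` must match goreleaser's binary naming exactly (`publish-release-<arch>-<os>`); a renamed or newly added target would presumably be omitted from the SBOM without any error, since nothing cross-checks this list against what was built. A header comment such as `# Keep in sync with the builds section of .goreleaser.yml; one entry per published binary` would make the coupling explicit. `gomodules: true` is set on all four entries although the binaries come from one module; worth confirming that four module scans of the same tree is intended rather than a single scan for the document.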