Merge pull request kubewarden#904 from viccuad/slsa

ci: Ensure SLSA Lvl 3
fabriziosestito · Oct 21, 2024 · 141a393 · 141a393
2 parents 60f16ca + 33efb6f
commit 141a393
Show file tree

Hide file tree

Showing 8 changed files with 286 additions and 140 deletions.
diff --git a/.github/workflows/attestation.yml b/.github/workflows/attestation.yml
@@ -0,0 +1,106 @@
+name: Sign attestation files
+
+on:
+  workflow_call:
+    inputs:
+      image-digest:
+        type: string
+        required: true
+
+jobs:
+  attestation:
+    name: Sign attestations and upload as artifacts
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    permissions:
+      packages: write
+      id-token: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      - name: Install the crane command
+        uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Find platform digest
+        shell: bash
+        run: |
+          set -e
+          DIGEST=$(crane digest \
+            --platform "linux/${{ matrix.arch }}" \
+            ghcr.io/${{ github.repository_owner }}/kubewarden-controller@${{ inputs.image-digest }})
+          echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Find attestation digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ inputs.image-digest }} \
+            | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
+          )
+          echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Find provenance manifest digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
+            jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
+          echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Sign provenance manifest
+        run: |
+          cosign sign --yes \
+          ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}
+
+      - name: Find SBOM manifest layer digest
+        run: |
+          set -e
+          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
+            jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
+          echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
+
+      - name: Download provenance and SBOM files
+        run: |
+          set -e
+          crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}} \
+            > kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json
+          sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json \
+            >> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
+
+          crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.SBOM_DIGEST}} \
+            > kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json
+          sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json \
+            >> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
+
+      - name: Sign checksum file
+        run: |
+          cosign sign-blob --yes \
+            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
+
+          cosign verify-blob \
+            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \
+            kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
+
+      - name: Upload SBOMs as artifacts
+        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        with:
+          name: attestation-${{ matrix.arch }}
+          path: kubewarden-controller-attestation-${{ matrix.arch }}*
diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml
@@ -15,23 +15,15 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/container-image.yml
-    permissions:
-      packages: write
-    with:
-      push-image: true
-
-  sign:
-    needs: build
-    uses: ./.github/workflows/sign-image.yml
     permissions:
       packages: write
       id-token: write
     with:
-      image-digest: ${{ needs.build.outputs.digest }}
+      push-image: true
 
   sbom:
     needs: build
-    uses: ./.github/workflows/sbom.yml
+    uses: ./.github/workflows/attestation.yml
     permissions:
       packages: write
       id-token: write

diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml
@@ -25,6 +25,7 @@ jobs:
     name: Build container image
     permissions:
       packages: write
+      id-token: write # to mint the OIDC token for Sigstore signatures
     runs-on: ubuntu-latest
     outputs:
       repository: ${{ steps.setoutput.outputs.repository }}
@@ -34,6 +35,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: Install cosign
+        uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       - name: Set up Docker Buildx
@@ -65,8 +68,21 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64, linux/arm64
           push: true
+          sbom: true
+          provenance: mode=max
           tags: |
             ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}
+      - name: Sign container image
+        if: ${{ inputs.push-image }}
+        run: |
+          cosign sign --yes \
+            ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ steps.build-image.outputs.digest }}
+
+          cosign verify \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/container-image.yml@${{ github.ref }}" \
+            ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ steps.build-image.outputs.digest }}
+
       - # Only build amd64 because buildx does not allow multiple platforms when
         # exporting the image to a tarball. As we use this only for end-to-end tests
         # and they run on amd64 arch, let's skip the arm64 build for now.
@@ -77,6 +93,8 @@ jobs:
           context: .
           file: ./Dockerfile
           platforms: linux/amd64
+          sbom: true
+          provenance: mode=max
           outputs: type=docker,dest=/tmp/kubewarden-controller-image-${{ env.TAG_NAME }}.tar
           tags: |
             ghcr.io/${{github.repository_owner}}/kubewarden-controller:${{ env.TAG_NAME }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -93,10 +93,10 @@ jobs:
             }
             core.setFailed(`Draft release not found`)
 
-      - name: Download SBOM artifact
+      - name: Download attestation artifacts
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          pattern: sbom-*
+          pattern: attestation-*
           merge-multiple: true
 
       - name: Download CRDs artifact
@@ -107,6 +107,12 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R
 
+      - name: Create tarball for the attestation files
+        run: |
+          for arch in "amd64" "arm64"; do
+            tar -czf attestation-$arch.tar.gz $(ls kubewarden-controller-attestation-$arch-*)
+          done
+
       - name: Upload release assets
         id: upload_release_assets
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
@@ -116,12 +122,8 @@ jobs:
             let path = require('path');
 
             let files = [
-              'kubewarden-controller-sbom-amd64.spdx',
-              'kubewarden-controller-sbom-amd64.spdx.cert',
-              'kubewarden-controller-sbom-amd64.spdx.sig',
-              'kubewarden-controller-sbom-arm64.spdx',
-              'kubewarden-controller-sbom-arm64.spdx.cert',
-              'kubewarden-controller-sbom-arm64.spdx.sig',
+              'attestation-amd64.tar.gz',
+              'attestation-arm64.tar.gz',
               "CRDS.tar.gz"]
             const {RELEASE_ID} = process.env
 

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
diff --git a/.github/workflows/sign-image.yml b/.github/workflows/sign-image.yml
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,7 @@
+# syntax=docker/dockerfile:1
+
 # Build the manager binary
-FROM golang:1.23 as builder
+FROM golang:1.23 AS build
 
 WORKDIR /workspace
 # Copy the Go Modules manifests
@@ -21,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -o manager cmd/main.go
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/manager .
+COPY --from=build /workspace/manager .
 # Copy the Go Modules manifests - these are used by BOM generators
 # and by security scanner
 COPY go.mod /go.mod