constellation/.github/workflows/release-cli.yml

278 lines
12 KiB
YAML
Raw Normal View History

name: Build CLI and prepare release
on:
workflow_dispatch:
jobs:
build-cli:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
arch: [amd64, arm64]
os: [linux, darwin]
steps:
- name: Checkout
id: checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
with:
ref: ${{ github.head_ref }}
2022-09-14 09:14:26 -04:00
- name: Setup Go environment
uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
2022-09-14 09:14:26 -04:00
with:
2022-11-02 06:17:29 -04:00
go-version: "1.19.3"
- name: Build CLI
uses: ./.github/actions/build_cli
with:
targetOS: ${{ matrix.os }}
targetArch: ${{ matrix.arch }}
2022-09-13 08:27:38 -04:00
enterpriseCLI: true
cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload CLI as artifact
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1
with:
name: constellation-${{ matrix.os }}-${{ matrix.arch }}
path: build/constellation-${{ matrix.os }}-${{ matrix.arch }}
provenance-subjects:
runs-on: ubuntu-22.04
needs:
- build-cli
- signed-sbom
outputs:
provenance-subjects: ${{ steps.provenance-subjects.outputs.provenance-subjects }}
steps:
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-linux-arm64
- name: Download CLI SBOM
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation.spdx.sbom
- name: Generate provenance subjects
id: provenance-subjects
run: |
HASHES=$(sha256sum \
constellation-darwin-amd64 \
constellation-darwin-arm64 \
constellation-linux-amd64 \
constellation-linux-arm64 \
constellation.spdx.sbom)
HASHESB64=$(echo "${HASHES}" | base64 -w0)
echo "${HASHES}"
echo "${HASHESB64}"
echo provenance-subjects="${HASHESB64}" >> "$GITHUB_OUTPUT"
versions-manifest:
runs-on: ubuntu-22.04
steps:
- name: Checkout
id: checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
with:
ref: ${{ github.head_ref }}
- name: Login to Azure
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}
- name: Login to GCP
uses: ./.github/actions/login_gcp
with:
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- name: Build version manifest
run: |
cd hack/build-manifest/
AZURE_SUBSCRIPTION_ID=0d202bbb-4fa7-4af8-8125-58c269a05435 go run . > versions-manifest.json
cat versions-manifest.json
- name: Upload versions-manifest
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1
with:
name: versions-manifest.json
path: versions-manifest.json
signed-sbom:
runs-on: ubuntu-22.04
steps:
- name: Checkout
id: checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
with:
ref: ${{ github.head_ref }}
- name: Download syft & grype
run: |
SYFT_VERSION=0.62.1
GRYPE_VERSION=0.53.1
curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
./syft version
curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
./grype version
pwd >> "$GITHUB_PATH"
shell: bash
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Build signed SBOM
run: |
syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed
env:
COSIGN_EXPERIMENTAL: 1
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
- name: Upload Constellation CLI SBOM
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1
with:
name: constellation.spdx.sbom
path: constellation.spdx.sbom
- name: Upload Constellation CLI SBOM's signature
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # tag=v3.1.1
with:
name: constellation.spdx.sbom.sig
path: constellation.spdx.sbom.sig
provenance:
permissions:
actions: read
contents: write
id-token: write
needs:
- provenance-subjects
# This must not be pinned to digest. See:
# https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.2
with:
base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
provenance-verify:
runs-on: ubuntu-22.04
env:
SLSA_VERIFIER_VERSION: "1.4.1"
needs:
- build-cli
- provenance
steps:
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-linux-arm64
- name: Download CLI SBOM
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation.spdx.sbom
- name: Download provenance
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: Install slsa-verifier
run: |
curl -LO https://github.com/slsa-framework/slsa-verifier/releases/download/v${{ env.SLSA_VERIFIER_VERSION }}/slsa-verifier-linux-amd64
install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier
- name: Verify provenance
run: |
slsa-verifier verify-artifact constellation-darwin-amd64 \
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
--source-uri github.com/edgelesssys/constellation
slsa-verifier verify-artifact constellation-darwin-arm64 \
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
--source-uri github.com/edgelesssys/constellation
slsa-verifier verify-artifact constellation-linux-amd64 \
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
--source-uri github.com/edgelesssys/constellation
slsa-verifier verify-artifact constellation-linux-arm64 \
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
--source-uri github.com/edgelesssys/constellation
slsa-verifier verify-artifact constellation.spdx.sbom \
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
--source-uri github.com/edgelesssys/constellation
release:
runs-on: ubuntu-22.04
if: startsWith(github.ref, 'refs/tags/v')
needs:
- build-cli
- provenance
- signed-sbom
- versions-manifest
steps:
- name: Write cosign public key
run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub
env:
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
- name: Download CLI binaries darwin-amd64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-darwin-amd64
- name: Download CLI binaries darwin-arm64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-darwin-arm64
- name: Download CLI binaries linux-amd64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-linux-amd64
- name: Download CLI binaries linux-arm64
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation-linux-arm64
- name: Download versions-manifest.json
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: versions-manifest.json
- name: Download Constellation CLI SBOM
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation.spdx.sbom
- name: Download Constellation CLI SBOM's signature
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: constellation.spdx.sbom.sig
- name: Download Constellation provenance
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # tag=v3.0.1
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: Rename provenance file
run: |
mv ${{ needs.provenance.outputs.provenance-name }} constellation.intoto.jsonl
- name: Create release with artifacts
# GitHub endorsed release project. See: https://github.com/actions/create-release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
draft: true
files: |
constellation-*
cosign.pub
versions-manifest.json
constellation.spdx.sbom
constellation.spdx.sbom.sig
constellation.intoto.jsonl