replace ko sbom generation with manual sbom generation and singing

.github/actions/build_ko/action.yml

@@ -0,0 +1,93 @@
+name: Build micro service using Ko
+description: Build and upload a go micro service using ko
+inputs:
+  name:
+    description: "Name of the micro-service"
+    required: true
+  registry:
+    description: "Name of the repository"
+    required: false
+    default: "ghcr.io"
+  koConfig:
+    description: "Path to the .ko.yaml config file"
+    required: true
+  koTarget:
+    description: "Go package to build with ko"
+    required: true
+  pushTag:
+    description: "Use this image tag"
+    required: false
+  githubToken:
+    description: "GitHub authorization token"
+    required: true
+  generateKoSBOM:
+    description: "Generate unsigned ko SBOM"
+
+outputs:
+  container_full:
+    description: "Full container reference"
+    value: ${{ steps.build.container_full }}
+  container_image:
+    description: "Container image"
+    value: ${{ steps.build.outputs.container_image }}
+  container_tag:
+    description: "Container tag"
+    value: ${{ steps.build.container_tag }}
+
+
+# Linux runner only
+runs:
+  using: "composite"
+  steps:
+    - name: Determine pseudo version
+      id: pseudo-version
+      uses: ./.github/actions/pseudo_version
+
+    - name: Set up ko
+      uses: imjasonh/setup-ko@v0.6
+
+    - name: Build and upload ko container image
+      shell: bash
+      id: build
+      env:
+        KO_USER: ${{ github.actor }}
+        KO_CONFIG_PATH: ${{ inputs.koConfig }}
+        KO_PASSWORD: ${{ inputs.githubToken }}
+        KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/${{ inputs.name }}-ko
+      run: |
+        tags=""
+        sbom=""
+
+        if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then
+          tags="latest"
+        else:
+          tags="${{ github.sha }}"
+        fi
+
+        if [ -n "${{ inputs.pushTag }}" ]; then
+          if [ -n "${tags}" ]; then
+            tags="${tags},${{ inputs.pushTag }}"
+          else
+            tags="${{ inputs.pushTag }}"
+          fi
+        fi
+
+        if [ -n "${{ steps.pseudo-version.outputs.pseudoVersion }}" ]; then
+          if [ -n "${tags}" ]; then
+            tags="${tags},${{ steps.pseudo-version.outputs.pseudoVersion }}"
+          else
+            tags="${{ steps.pseudo-version.outputs.pseudoVersion }}"
+          fi
+        fi
+
+        if [ "${{ inputs.generateKoSBOM }}" == "false" ]; then
+          sbom="--sbom=none"
+        fi
+
+        container_full=$(ko build ${{ inputs.koTarget }} --bare --tags ${tags} ${sbom})
+        container_image=$(echo $container_full | cut -d: -f1)
+        container_tag=$(echo $container_full | cut -d: -f2)
+
+        echo "container_full=$container_full" >> $GITHUB_OUTPUT
+        echo "container_image=$container_image" >> $GITHUB_OUTPUT
+        echo "container_tag=$container_tag" >> $GITHUB_OUTPUT

.github/actions/build_micro_service_ko/action.yml

@@ -16,6 +16,19 @@ inputs:
   githubToken:
     description: "GitHub authorization token"
     required: true
+  generateKoSBOM:
+    description: "Generate unsigned ko SBOM"
+    required: false
+    default: "false"
+  cosignPublicKey:
+    description: "Cosign public key"
+    required: false
+  cosignPrivateKey:
+    description: "Cosign private key"
+    required: false
+  cosignPassword:
+    description: "Password for Cosign private key"
+    required: false
 
 # Linux runner only
 runs:
@@ -25,39 +38,21 @@ runs:
       id: pseudo-version
       uses: ./.github/actions/pseudo_version
 
-    - name: Set up ko
-      uses: imjasonh/setup-ko@v0.6
+    - name: Build and upload join service container image
+      id: build-and-upload
+      uses: ./.github/actions/build_ko
+      with:
+        name: joinservice
+        koConfig: .ko.yaml
+        koTarget: ./joinservice/cmd
+        githubToken: ${{ inputs.GITHUB_TOKEN }}
+        pushTag: ci-test
 
-    - name: Build and upload ko container image
-      shell: bash
-      id: build
-      env:
-        KO_USER: ${{ github.actor }}
-        KO_CONFIG_PATH: ${{ inputs.koConfig }}
-        KO_PASSWORD: ${{ inputs.githubToken }}
-        KO_DOCKER_REPO: ${{ env.REGISTRY }}/edgelesssys/${{ inputs.name }}-ko
-      run: |
-        tags=""
-        if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then
-          tags="latest"
-        else:
-          tags="${{ github.sha }}"
-        fi
-
-        if [ -n "${{ inputs.pushTag }}" ]; then
-          if [ -n "${tags}" ]; then
-            tags="${tags},${{ inputs.pushTag }}"
-          else
-            tags="${{ inputs.pushTag }}"
-          fi
-        fi
-
-        if [ -n "${{ steps.pseudo-version.outputs.pseudoVersion }}" ]; then
-          if [ -n "${tags}" ]; then
-            tags="${tags},${{ steps.pseudo-version.outputs.pseudoVersion }}"
-          else
-            tags="${{ steps.pseudo-version.outputs.pseudoVersion }}"
-          fi
-        fi
-
-        ko build ${{ inputs.koTarget }} --bare --tags ${tags}
+    - name: Generate SBOM
+      uses: ./.github/actions/container_sbom
+      with:
+        containerReference: ${{ steps.build-and-upload.outputs.container_full }}
+        cosignPublicKey: ${{ inputs.cosignPublicKey }}
+        cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
+        cosignPassword: ${{ inputs.cosignPassword }}
+      if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false' }}

.github/workflows/build-joinservice-image-ko.yml

@@ -27,9 +27,6 @@ jobs:
         with:
           go-version: "1.19.3"
 
-      - name: Set up ko
-        uses: imjasonh/setup-ko@v0.6
-
       - name: Build and upload join service container image
         id: build-and-upload
         uses: ./.github/actions/build_micro_service_ko
@@ -38,3 +35,6 @@ jobs:
           koConfig: .ko.yaml
           koTarget: ./joinservice/cmd
           githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+          cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

.ko.yaml

@@ -5,52 +5,6 @@ baseImageOverrides:
   github.com/edgelesssys/constellation/v2/bootstrapper/cmd/bootstrapper: leongross/alpine-libcryptsetup:base
 
 builds:
-- id: disk-mapper
-  dir: .
-  main: ./disk-mapper/cmd/
-  env:
-  - CGO_ENABLED=1
-  flags:
-  - -trimpath
-  - -buildvcs=false
-  ldflags:
-  - -s -w
-
-- id: bootstrapper
-  dir: .
-  main: ./bootstrapper/cmd/bootstrapper/
-  env:
-  - CGO_ENABLED=1
-  flags:
-  - -trimpath
-  - -buildvcs=false
-  ldflags:
-  - -s -w
-
-- id: debugd
-  dir: .
-  main: ./debugd/cmd/debugd/
-  env:
-  - CGO_ENABLED=0
-  flags:
-  - -trimpath
-  - -buildvcs=false
-  ldflags:
-  - -s -w
-  - -extldlfags "-static"
-
-- id: cdbg
-  dir: .
-  main: ./debugd/cmd/cdbg/
-  env:
-  - CGO_ENABLED=0
-  flags:
-  - -trimpath
-  - -buildvcs=false
-  ldflags:
-  - -s -w
-  - -extldflags "-static"
-
 - id: kms
   dir: .
   main: ./kms/cmd
@@ -76,3 +30,20 @@ builds:
   - -s -w -buildid=''
   - -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}
   - -extldflags "-static"
+
+# currently ignoring USER 65532:65532 from Dockerfile operators/constellation/Dockerfile
+- id: constellation-node-operator
+  dir: .
+  main: ./operators/constellation-node-operator/
+  env:
+  - CGO_ENABLED=0
+  - GOOS=linux
+  - GOARCH=amd64
+  flags:
+  - -trimpath
+  - -buildvcs=false
+  - -a
+  ldflags:
+  - -s -w -buildid=''
+  - -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}
+  - -extldflags "-static"