diff --git a/.github/actions/build_ko/action.yml b/.github/actions/build_ko/action.yml
new file mode 100644
index 000000000..c0b5011a0
--- /dev/null
+++ b/.github/actions/build_ko/action.yml
@@ -0,0 +1,93 @@
+name: Build micro service using Ko
+description: Build and upload a go micro service using ko
+inputs:
+ name:
+ description: "Name of the micro-service"
+ required: true
+ registry:
+ description: "Name of the repository"
+ required: false
+ default: "ghcr.io"
+ koConfig:
+ description: "Path to the .ko.yaml config file"
+ required: true
+ koTarget:
+ description: "Go package to build with ko"
+ required: true
+ pushTag:
+ description: "Use this image tag"
+ required: false
+ githubToken:
+ description: "GitHub authorization token"
+ required: true
+ generateKoSBOM:
+ description: "Generate unsigned ko SBOM"
+
+outputs:
+ container_full:
+ description: "Full container reference"
+ value: ${{ steps.build.container_full }}
+ container_image:
+ description: "Container image"
+ value: ${{ steps.build.outputs.container_image }}
+ container_tag:
+ description: "Container tag"
+ value: ${{ steps.build.container_tag }}
+
+
+# Linux runner only
+runs:
+ using: "composite"
+ steps:
+ - name: Determine pseudo version
+ id: pseudo-version
+ uses: ./.github/actions/pseudo_version
+
+ - name: Set up ko
+ uses: imjasonh/setup-ko@v0.6
+
+ - name: Build and upload ko container image
+ shell: bash
+ id: build
+ env:
+ KO_USER: ${{ github.actor }}
+ KO_CONFIG_PATH: ${{ inputs.koConfig }}
+ KO_PASSWORD: ${{ inputs.githubToken }}
+ KO_DOCKER_REPO: ${{ inputs.registry }}/edgelesssys/${{ inputs.name }}-ko
+ run: |
+ tags=""
+ sbom=""
+
+ if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then
+ tags="latest"
+ else:
+ tags="${{ github.sha }}"
+ fi
+
+ if [ -n "${{ inputs.pushTag }}" ]; then
+ if [ -n "${tags}" ]; then
+ tags="${tags},${{ inputs.pushTag }}"
+ else
+ tags="${{ inputs.pushTag }}"
+ fi
+ fi
+
+ if [ -n "${{ steps.pseudo-version.outputs.pseudoVersion }}" ]; then
+ if [ -n "${tags}" ]; then
+ tags="${tags},${{ steps.pseudo-version.outputs.pseudoVersion }}"
+ else
+ tags="${{ steps.pseudo-version.outputs.pseudoVersion }}"
+ fi
+ fi
+
+ if [ "${{ inputs.generateKoSBOM }}" == "false" ]; then
+ sbom="--sbom=none"
+ fi
+
+ container_full=$(ko build ${{ inputs.koTarget }} --bare --tags ${tags} ${sbom})
+ container_image=$(echo $container_full | cut -d: -f1)
+ container_tag=$(echo $container_full | cut -d: -f2)
+
+ echo "container_full=$container_full" >> $GITHUB_OUTPUT
+ echo "container_image=$container_image" >> $GITHUB_OUTPUT
+ echo "container_tag=$container_tag" >> $GITHUB_OUTPUT
diff --git a/.github/actions/build_micro_service_ko/action.yml b/.github/actions/build_micro_service_ko/action.yml
index b1e12bc45..0851577a8 100644
--- a/.github/actions/build_micro_service_ko/action.yml
+++ b/.github/actions/build_micro_service_ko/action.yml
@@ -16,6 +16,19 @@ inputs:
 githubToken:
 description: "GitHub authorization token"
 required: true
+ generateKoSBOM:
+ description: "Generate unsigned ko SBOM"
+ required: false
+ default: "false"
+ cosignPublicKey:
+ description: "Cosign public key"
+ required: false
+ cosignPrivateKey:
+ description: "Cosign private key"
+ required: false
+ cosignPassword:
+ description: "Password for Cosign private key"
+ required: false
 # Linux runner only
 runs:
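Review bot: The `container_full` and `container_tag` outputs read `steps.build.container_full` / `steps.build.container_tag` without `.outputs`, so both resolve to empty while `container_image` (`steps.build.outputs.container_image`) works; they should be `value: ${{ steps.build.outputs.container_full }}` and `value: ${{ steps.build.outputs.container_tag }}`. In the run block, `else:` is not the bash keyword but a command name, so under `shell: bash` (which runs with `-e`) the default-branch path would abort with "command not found" — change it to `else`; that path is currently masked because `github.ref` is the full `refs/heads/<name>` form and looks like it never equals `default_branch`, which is a second bug to confirm. Inputs are spliced straight into the script (`${{ inputs.koTarget }}`, `${{ inputs.pushTag }}`); exposing them through `env:` the way `KO_CONFIG_PATH` already is keeps any shell metacharacters in an input inert. `cut -d: -f1` / `-f2` split on the first colon, so a registry with a port or a digest-suffixed reference printed by `ko build` would be mis-split — worth checking against ko's actual output format.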
@@ -25,39 +38,21 @@ runs:
 id: pseudo-version
 uses: ./.github/actions/pseudo_version
- - name: Set up ko
- uses: imjasonh/setup-ko@v0.6
+ - name: Build and upload join service container image
+ id: build-and-upload
+ uses: ./.github/actions/build_ko
+ with:
+ name: joinservice
+ koConfig: .ko.yaml
+ koTarget: ./joinservice/cmd
+ githubToken: ${{ inputs.GITHUB_TOKEN }}
+ pushTag: ci-test
- - name: Build and upload ko container image
- shell: bash
- id: build
- env:
- KO_USER: ${{ github.actor }}
- KO_CONFIG_PATH: ${{ inputs.koConfig }}
- KO_PASSWORD: ${{ inputs.githubToken }}
- KO_DOCKER_REPO: ${{ env.REGISTRY }}/edgelesssys/${{ inputs.name }}-ko
- run: |
- tags=""
- if [ "${{ github.ref }}" == "${{ github.event.repository.default_branch }}" ]; then
- tags="latest"
- else:
- tags="${{ github.sha }}"
- fi
-
- if [ -n "${{ inputs.pushTag }}" ]; then
- if [ -n "${tags}" ]; then
- tags="${tags},${{ inputs.pushTag }}"
- else
- tags="${{ inputs.pushTag }}"
- fi
- fi
-
- if [ -n "${{ steps.pseudo-version.outputs.pseudoVersion }}" ]; then
- if [ -n "${tags}" ]; then
- tags="${tags},${{ steps.pseudo-version.outputs.pseudoVersion }}"
- else
- tags="${{ steps.pseudo-version.outputs.pseudoVersion }}"
- fi
- fi
-
- ko build ${{ inputs.koTarget }} --bare --tags ${tags}
+ - name: Generate SBOM
+ uses: ./.github/actions/container_sbom
+ with:
+ containerReference: ${{ steps.build-and-upload.outputs.container_full }}
+ cosignPublicKey: ${{ inputs.cosignPublicKey }}
+ cosignPrivateKey: ${{ inputs.cosignPrivateKey }}
+ cosignPassword: ${{ inputs.cosignPassword }}
+ if: ${{ inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != '' && inputs.generateKoSBOM == 'false' }}
diff --git a/.github/workflows/build-joinservice-image-ko.yml b/.github/workflows/build-joinservice-image-ko.yml
index 35f1ae395..3e730e51f 100644
--- a/.github/workflows/build-joinservice-image-ko.yml
+++ b/.github/workflows/build-joinservice-image-ko.yml
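Review bot: `githubToken: ${{ inputs.GITHUB_TOKEN }}` references an input this action does not declare — the declared one (context above this hunk, and what the removed `KO_PASSWORD` line used) is `githubToken` — so build_ko receives an empty password and the push fails; it should be `githubToken: ${{ inputs.githubToken }}`. The `name`, `koConfig`, `koTarget` and `pushTag` values are hard-coded to the join service (`name: joinservice`, `pushTag: ci-test`) although the removed step read them from `inputs.*` and the calling workflow still passes `koConfig`/`koTarget`, so any other caller of this generic action would silently build the join service. `generateKoSBOM` is not forwarded to build_ko either, so ko still emits its own SBOM even when `generateKoSBOM == 'false'` selects the cosign-signed one in the step below. The `containerReference` handed to `container_sbom` also depends on build_ko's `container_full` output mapping, which as written omits `.outputs` and yields an empty string. Forwarding the inputs fixes all four points:
```yaml
      - name: Build and upload join service container image
        id: build-and-upload
        uses: ./.github/actions/build_ko
        with:
          name: ${{ inputs.name }}
          koConfig: ${{ inputs.koConfig }}
          koTarget: ${{ inputs.koTarget }}
          githubToken: ${{ inputs.githubToken }}
          pushTag: ${{ inputs.pushTag }}
          generateKoSBOM: ${{ inputs.generateKoSBOM }}
      # … unchanged: Generate SBOM step …
```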
@@ -27,9 +27,6 @@ jobs:
 with:
 go-version: "1.19.3"
- - name: Set up ko
- uses: imjasonh/setup-ko@v0.6
-
 - name: Build and upload join service container image
 id: build-and-upload
 uses: ./.github/actions/build_micro_service_ko
@@ -38,3 +35,6 @@ jobs:
 koConfig: .ko.yaml
 koTarget: ./joinservice/cmd
 githubToken: ${{ secrets.GITHUB_TOKEN }}
+ cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
+ cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
+ cosignPassword: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
diff --git a/.ko.yaml b/.ko.yaml
index 8605e4d52..47446ed4c 100644
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -5,52 +5,6 @@ baseImageOverrides:
 github.com/edgelesssys/constellation/v2/bootstrapper/cmd/bootstrapper: leongross/alpine-libcryptsetup:base
 builds:
-- id: disk-mapper
- dir: .
- main: ./disk-mapper/cmd/
- env:
- - CGO_ENABLED=1
- flags:
- - -trimpath
- - -buildvcs=false
- ldflags:
- - -s -w
-
-- id: bootstrapper
- dir: .
- main: ./bootstrapper/cmd/bootstrapper/
- env:
- - CGO_ENABLED=1
- flags:
- - -trimpath
- - -buildvcs=false
- ldflags:
- - -s -w
-
-- id: debugd
- dir: .
- main: ./debugd/cmd/debugd/
- env:
- - CGO_ENABLED=0
- flags:
- - -trimpath
- - -buildvcs=false
- ldflags:
- - -s -w
- - -extldlfags "-static"
-
-- id: cdbg
- dir: .
- main: ./debugd/cmd/cdbg/
- env:
- - CGO_ENABLED=0
- flags:
- - -trimpath
- - -buildvcs=false
- ldflags:
- - -s -w
- - -extldflags "-static"
-
 - id: kms
 dir: .
 main: ./kms/cmd
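Review bot: In the second hunk, the release test `startsWith(github.ref, 'refs/heads/release/v')` is repeated verbatim in all three new lines, so the key, private key and password can drift apart if one line is later edited; evaluating it once at job level (an `env:` entry such as `IS_RELEASE: ${{ startsWith(github.ref, 'refs/heads/release/v') }}`, then `env.IS_RELEASE == 'true' && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY`) keeps the three selections consistent. As written, every ref outside `refs/heads/release/v*` — including tag refs, if this workflow is ever triggered on them — signs with the dev key pair; if that is intended, a comment above these lines such as `# release branches sign with the production cosign key pair, everything else with the dev pair` would make the policy explicit for the next reader.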
@@ -76,3 +30,20 @@ builds:
 - -s -w -buildid=''
 - -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}
 - -extldflags "-static"
+
+# currently ignoring USER 65532:65532 from Dockerfile operators/constellation/Dockerfile
+- id: constellation-node-operator
+ dir: .
+ main: ./operators/constellation-node-operator/
+ env:
+ - CGO_ENABLED=0
+ - GOOS=linux
+ - GOARCH=amd64
+ flags:
+ - -trimpath
+ - -buildvcs=false
+ - -a
+ ldflags:
+ - -s -w -buildid=''
+ - -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}
+ - -extldflags "-static"
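Review bot: The comment on this build acknowledges that the Dockerfile's `USER 65532:65532` is dropped, which means the operator image now runs as whatever user the ko base image defines — the default base is not visible in this hunk, so if it is root-running the operator loses the unprivileged user it had before. The file's existing `baseImageOverrides` mechanism (visible in the hunk above) is the place to restore that: an entry keyed on this build's import path, presumably `github.com/edgelesssys/constellation/v2/operators/constellation-node-operator: <nonroot base image reference>`, pointing at a base whose `USER` is 65532 (for example a distroless `:nonroot` variant), and the comment should then say which base provides the user instead of "currently ignoring". Separately, `GOOS=linux` and `GOARCH=amd64` in `env:` pin this build to a single platform and would override any `--platform` selection ko is given, which none of the sibling builds in this file do — worth confirming that is deliberate.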