ci: fix CLI SBOM generation (#1005)
This commit is contained in:
parent
411dfed18f
commit
fc2a285270
57
.github/workflows/release-cli.yml
vendored
57
.github/workflows/release-cli.yml
vendored
@ -100,38 +100,57 @@ jobs:
|
|||||||
signed-sbom:
|
signed-sbom:
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
steps:
|
steps:
|
||||||
|
- name: Setup Go environment
|
||||||
|
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
|
||||||
|
with:
|
||||||
|
go-version: "1.19.5"
|
||||||
|
|
||||||
|
- name: Download Syft & Grype
|
||||||
|
shell: bash
|
||||||
|
working-directory: /tmp
|
||||||
|
run: |
|
||||||
|
SYFT_VERSION=0.66.1
|
||||||
|
GRYPE_VERSION=0.55.0
|
||||||
|
curl -Lo syft_${SYFT_VERSION}_linux_amd64.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
|
||||||
|
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
|
||||||
|
sudo install syft /usr/bin/syft
|
||||||
|
syft version
|
||||||
|
curl -Lo grype_${GRYPE_VERSION}_linux_amd64.tar.gz https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
|
||||||
|
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
|
||||||
|
sudo install grype /usr/bin/grype
|
||||||
|
grype version
|
||||||
|
|
||||||
|
- name: Install Cosign
|
||||||
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
|
||||||
|
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
id: checkout
|
id: checkout
|
||||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||||
with:
|
with:
|
||||||
ref: ${{ inputs.ref || github.head_ref }}
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
- name: Download syft & grype
|
# Build one CLI since Syft's go-module catalog will default to binary parsing.
|
||||||
shell: bash
|
# Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
|
||||||
run: |
|
# This seems to work fine for one OS & one arch as long as we don't have OS specific imports.
|
||||||
SYFT_VERSION=0.62.1
|
# Luckily, so far this does not seem to be the case.
|
||||||
GRYPE_VERSION=0.53.1
|
# As of v2.4.0, all SBOMs seem to have the same packages for [linux|darwin] & [amd64|arm64].
|
||||||
curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
|
# If this changes, this should be split up into multiple builds & multiple SBOMs.
|
||||||
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
|
- name: Build CLI (amd64, linux)
|
||||||
./syft version
|
uses: ./.github/actions/build_cli
|
||||||
curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
|
with:
|
||||||
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
|
targetOS: "linux"
|
||||||
./grype version
|
targetArch: "amd64"
|
||||||
pwd >> "$GITHUB_PATH"
|
|
||||||
|
|
||||||
- name: Install Cosign
|
|
||||||
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
|
|
||||||
|
|
||||||
- name: Build signed SBOM
|
- name: Build signed SBOM
|
||||||
|
run: |
|
||||||
|
syft build/constellation-linux-amd64 --catalogers go-module --file constellation.spdx.sbom -o spdx-json
|
||||||
|
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
|
||||||
|
grype constellation.spdx.sbom --fail-on high --only-fixed --add-cpes-if-none
|
||||||
env:
|
env:
|
||||||
COSIGN_EXPERIMENTAL: 1
|
COSIGN_EXPERIMENTAL: 1
|
||||||
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||||
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
|
||||||
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
|
||||||
run: |
|
|
||||||
syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
|
|
||||||
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
|
|
||||||
grype constellation.spdx.sbom --fail-on high --only-fixed
|
|
||||||
|
|
||||||
- name: Upload Constellation CLI SBOM
|
- name: Upload Constellation CLI SBOM
|
||||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||||
|
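Review bot: The Syft and Grype tarballs fetched in the new `Download Syft & Grype` step are unpacked and copied into `/usr/bin` with `sudo install` without any integrity check, so the tool that produces the SBOM this job then signs with the release key is trusted on the strength of a TLS connection to the download host alone. Pin the expected digest next to the version and verify it before `tar -xzf`, e.g. `SYFT_SHA256=<sha256 of the pinned syft tarball>` followed by `echo "${SYFT_SHA256}  syft_${SYFT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -`, with the same pair for Grype. Because `Install Cosign` now runs after the download, moving it ahead would also allow `cosign verify-blob` against the publisher's signed checksum file, if the release provides one. Adding `-f` to the two `curl -Lo` calls makes an HTTP error fail the step directly rather than surfacing later as a `tar` error on a downloaded error page. The hunk ends inside the `Upload Constellation CLI SBOM` step, whose remaining keys are outside this view.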