Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-12-26 16:09:45 -05:00
Code Issues Packages Projects Releases Wiki Activity

ci: fix CLI SBOM generation (#1005)

Browse Source
This commit is contained in:
Nils Hanke 2023-01-18 11:36:39 +01:00 committed by GitHub
parent 411dfed18f
commit fc2a285270
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 38 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
.github/workflows/release-cli.yml vendored
View File

@ -100,38 +100,57 @@ jobs:
signed-sbom:
runs-on: ubuntu-22.04
steps:
- name: Setup Go environment
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.19.5"
- name: Download Syft & Grype
shell: bash
working-directory: /tmp
run: |
SYFT_VERSION=0.66.1
GRYPE_VERSION=0.55.0
curl -Lo syft_${SYFT_VERSION}_linux_amd64.tar.gz https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
sudo install syft /usr/bin/syft
syft version
curl -Lo grype_${GRYPE_VERSION}_linux_amd64.tar.gz https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
sudo install grype /usr/bin/grype
grype version
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
- name: Checkout
id: checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
ref: ${{ inputs.ref || github.head_ref }}
- name: Download syft & grype
shell: bash
run: |
SYFT_VERSION=0.62.1
GRYPE_VERSION=0.53.1
curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
./syft version
curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
./grype version
pwd >> "$GITHUB_PATH"
- name: Install Cosign
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
# Build one CLI since Syft's go-module catalog will default to binary parsing.
# Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
# This seems to work fine for one OS & one arch as long as we don't have OS specific imports.
# Luckily, so far this does not seem to be the case.
# As of v2.4.0, all SBOMs seem to have the same packages for [linux|darwin] & [amd64|arm64].
# If this changes, this should be split up into multiple builds & multiple SBOMs.
- name: Build CLI (amd64, linux)
uses: ./.github/actions/build_cli
with:
targetOS: "linux"
targetArch: "amd64"
- name: Build signed SBOM
run: |
syft build/constellation-linux-amd64 --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed --add-cpes-if-none
env:
COSIGN_EXPERIMENTAL: 1
COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
run: |
syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
grype constellation.spdx.sbom --fail-on high --only-fixed
- name: Upload Constellation CLI SBOM
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2