update structure of repository. outline missing TODOs #136
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: calculator | |
| on: | |
| push: | |
| workflow_dispatch: | |
| permissions: {} | |
| env: | |
| GO_VERSION: "1.21.4" | |
| SLSA_VERIFIER_VERSION: "2.4.1" | |
| IMAGE_REF: "ghcr.io/${{ github.repository }}/calculator" | |
| jobs: | |
| unit-tests: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| checks: write | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Go | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Install go-junit-report | |
| run: go install github.com/jstemmer/go-junit-report/[email protected] | |
| - name: Run Unit Tests | |
| run: go test -v -timeout 60s -count=3 -race 2>&1 ./... | go-junit-report -set-exit-code > report.xml | |
| - name: Test Report | |
| uses: dorny/test-reporter@afe6793191b75b608954023a46831a3fe10048d4 # v1.7.0 | |
| if: always() | |
| with: | |
| name: 📋 Unit test report | |
| path: report.xml | |
| reporter: java-junit | |
| build-calculator: | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| calculator-hash: ${{ steps.calculator-hash.outputs.calculator-hash }} | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Go | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Build Calculator | |
| run: | | |
| make build-cli | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: calculator | |
| path: calculator | |
| - name: Compute calculator hash | |
| id: calculator-hash | |
| run: | | |
| CALCULATOR_HASH=$(sha256sum calculator | base64 -w0) | |
| echo calculator-hash=${CALCULATOR_HASH} >> $GITHUB_OUTPUT | |
| sign-calculator: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| id-token: write | |
| needs: | |
| - build-calculator | |
| steps: | |
| - name: Install Cosign & Rekor CLI | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
| - name: Download calculator binary | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator | |
| - name: Sign calculator | |
| run: | | |
| cosign sign-blob calculator --output-certificate calculator.pem --output-signature calculator.sig -y | |
| # Verify - as documentation & sanity check | |
| cosign verify-blob calculator \ | |
| --cert calculator.pem \ | |
| --signature calculator.sig \ | |
| --certificate-identity-regexp https://github.com/datosh-org/most-secure-calculator/.github/workflows/calculator.yml.* \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: calculator.pem | |
| path: calculator.pem | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: calculator.sig | |
| path: calculator.sig | |
| # TODO: refactor container image related activities into own workflow. | |
| build-calculator-image: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| packages: write | |
| needs: | |
| - build-calculator | |
| outputs: | |
| digest: ${{ steps.build-container-image.outputs.Digest }} | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0 | |
| with: | |
| images: | | |
| ${{ env.IMAGE_REF }} | |
| tags: | | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| type=sha,prefix= | |
| type=sha,format=long,prefix= | |
| type=semver,pattern={{version}} | |
| type=semver,pattern=v{{version}} | |
| type=ref,event=branch | |
| - name: Log in to ghcr.io | |
| id: docker-login | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Download calculator binary | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator | |
| - name: Build and push container image | |
| id: build-container-image | |
| uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
| with: | |
| context: . | |
| file: cmd/calculator-cli/Dockerfile | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| sign-calculator-image: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - build-calculator-image | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Install Cosign CLI | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
| - name: Log in to ghcr.io | |
| id: docker-login | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign calculator-image | |
| run: | | |
| cosign sign -y \ | |
| ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} | |
| cosign verify \ | |
| --certificate-identity-regexp https://github.com/datosh-org/most-secure-calculator/.github/workflows/calculator.yml.* \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} | |
| sbom-image: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - build-calculator-image | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Log in to ghcr.io | |
| id: docker-login | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install syft & grype | |
| uses: ./.github/actions/install_syft_grype | |
| with: | |
| syftVersion: "0.98.0" | |
| grypeVersion: "0.73.3" | |
| - name: Install Cosign CLI | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 | |
| - name: Generate and sign SBOM | |
| run: | | |
| syft attest -o cyclonedx-json ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} > calculator.att.json | |
| - name: Check for known vulnerabilities | |
| run: | | |
| grype ${{ env.IMAGE_REF }}@${{ needs.build-calculator-image.outputs.digest }} --fail-on critical --only-fixed | |
| provenance: | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write | |
| needs: | |
| - build-calculator | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| base64-subjects: "${{ needs.build-calculator.outputs.calculator-hash }}" | |
| provenance-verify: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - build-calculator | |
| - provenance | |
| steps: | |
| - name: Download calculator binary | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator | |
| - name: Download provenance | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| - name: Install slsa-verifier | |
| run: | | |
| curl -LO https://github.com/slsa-framework/slsa-verifier/releases/download/v${{ env.SLSA_VERIFIER_VERSION }}/slsa-verifier-linux-amd64 | |
| install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier | |
| - name: Verify provenance | |
| run: | | |
| slsa-verifier verify-artifact calculator \ | |
| --provenance-path calculator.intoto.jsonl \ | |
| --source-uri github.com/datosh-org/most-secure-calculator | |
| release: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write | |
| needs: | |
| - build-calculator | |
| - sign-calculator | |
| - unit-tests | |
| - provenance | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| steps: | |
| - name: Download calculator binary | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator | |
| - name: Download calculator certificate | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator.pem | |
| - name: Download calculator signature | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator.sig | |
| - name: Download provenance | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| - name: Release | |
| uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0 | |
| with: | |
| draft: true | |
| artifacts: "calculator,calculator.pem,calculator.sig,calculator.intoto.jsonl" |