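# Build, test, sign and attest the `calculator` CLI binary and its container
# image. Every third-party action is pinned to a commit SHA, the default
# GITHUB_TOKEN carries no permissions, and each job grants only what it uses.
name: calculator
on:
  push:
  workflow_dispatch:
# Deny by default; jobs opt in to the scopes they need below.
permissions: {}
# `shell: bash` runs `bash --noprofile --norc -eo pipefail`. The runner
# default (`bash -e`) has no pipefail, so a failing command on the left of a
# pipe (`go test`, `sha256sum`) would be masked by the right-hand side.
defaults:
  run:
    shell: bash
env:
  GO_VERSION: "1.21.4"
  SLSA_VERIFIER_VERSION: "2.4.1"
  IMAGE_REF: "ghcr.io/${{ github.repository }}/calculator"
jobs:
  unit-tests:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      checks: write  # dorny/test-reporter publishes a check run
    steps:
      - name: Check out repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install go-junit-report
        run: go install github.com/jstemmer/go-junit-report/[email protected]
      - name: Run Unit Tests
        # -set-exit-code fails the step on test failures parsed from the
        # output; pipefail (see `defaults`) additionally propagates a
        # `go test` that dies before producing parseable output.
        run: go test -v -timeout 60s -count=3 -race 2>&1 ./... | go-junit-report -set-exit-code > report.xml
      - name: Test Report
        uses: dorny/test-reporter@afe6793191b75b608954023a46831a3fe10048d4 # v1.7.0
        if: always()
        with:
          name: 📋 Unit test report
          path: report.xml
          reporter: java-junit
  build-calculator:
    runs-on: ubuntu-22.04
    permissions:
      contents: read  # actions/checkout; explicit because the workflow default is `{}`
    outputs:
      # base64 of the `sha256sum` line, the subject format the SLSA generic
      # generator expects in `base64-subjects`.
      calculator-hash: ${{ steps.calculator-hash.outputs.calculator-hash }}
    steps:
      - name: Check out repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Setup Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Build Calculator
        run: make build-cli
      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: calculator
          path: calculator
      - name: Compute calculator hash
        id: calculator-hash
        # Hashes the same file that was just uploaded, so the provenance
        # subject and the artifact consumed by later jobs are identical.
        run: |
          CALCULATOR_HASH=$(sha256sum calculator | base64 -w0)
          echo "calculator-hash=${CALCULATOR_HASH}" >> "$GITHUB_OUTPUT"
  sign-calculator:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write  # keyless signing: Fulcio certificate from the job's OIDC token
    needs:
      - build-calculator
    steps:
      - name: Install Cosign CLI
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
      - name: Download calculator binary
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: calculator
      - name: Sign calculator
        # The sanity-check verification doubles as documentation for
        # consumers. It pins the exact signing identity (this workflow file at
        # the ref being built) instead of a regexp with unescaped dots and a
        # trailing `.*`, which would also accept any other ref of this file.
        run: |
          cosign sign-blob calculator --output-certificate calculator.pem --output-signature calculator.sig -y
          cosign verify-blob calculator \
            --cert calculator.pem \
            --signature calculator.sig \
            --certificate-identity "https://github.com/datosh-org/most-secure-calculator/.github/workflows/calculator.yml@${{ github.ref }}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com
      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: calculator.pem
          path: calculator.pem
      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: calculator.sig
          path: calculator.sig
  # TODO: refactor container image related activities into own workflow.
  build-calculator-image:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write  # push to ghcr.io
    needs:
      - build-calculator
      - unit-tests  # do not publish (and subsequently sign) an image whose tests failed
    outputs:
      # Immutable content digest; downstream jobs sign and scan by digest, not tag.
      digest: ${{ steps.build-container-image.outputs.digest }}
    steps:
      - name: Check out repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
        with:
          images: |
            ${{ env.IMAGE_REF }}
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=sha,prefix=
            type=sha,format=long,prefix=
            type=semver,pattern={{version}}
            type=semver,pattern=v{{version}}
            type=ref,event=branch
      - name: Log in to ghcr.io
        id: docker-login
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Download calculator binary
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: calculator
      - name: Build and push container image
        id: build-container-image
        # NOTE(review): the image is pushed here, before the grype gate in
        # `sbom-image` runs, so a critical finding fails the workflow but does
        # not prevent publication. Blocking it would need build/scan/push split.
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: .
          file: cmd/calculator-cli/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}  # OCI source/revision annotations for traceability
  sign-calculator-image:
    runs-on: ubuntu-22.04
    needs:
      - build-calculator-image
    # No checkout: this job only talks to the registry, so it needs neither
    # repository contents nor `contents: read`.
    permissions:
      packages: write  # push the signature to ghcr.io
      id-token: write  # keyless signing
    steps:
      - name: Install Cosign CLI
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
      - name: Log in to ghcr.io
        id: docker-login
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Sign calculator-image
        # Sign and verify by digest; the verification pins the exact signing
        # identity (see `sign-calculator`) rather than a loose regexp.
        run: |
          cosign sign -y \
            "${IMAGE_REF}@${{ needs.build-calculator-image.outputs.digest }}"
          cosign verify \
            --certificate-identity "https://github.com/datosh-org/most-secure-calculator/.github/workflows/calculator.yml@${{ github.ref }}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${IMAGE_REF}@${{ needs.build-calculator-image.outputs.digest }}"
  sbom-image:
    runs-on: ubuntu-22.04
    needs:
      - build-calculator-image
    permissions:
      contents: read   # checkout, needed for the local composite action
      packages: write  # push the SBOM attestation to ghcr.io
      id-token: write  # keyless attestation signing
    steps:
      - name: Check out repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Log in to ghcr.io
        id: docker-login
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Install syft & grype
        uses: ./.github/actions/install_syft_grype
        with:
          syftVersion: "0.98.0"
          grypeVersion: "0.73.3"
      - name: Install Cosign CLI
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
      - name: Check for known vulnerabilities
        # Gate before attesting: a failing scan must not leave a freshly
        # signed SBOM attached to a vulnerable image.
        run: |
          grype "${IMAGE_REF}@${{ needs.build-calculator-image.outputs.digest }}" --fail-on critical --only-fixed
      - name: Generate and sign SBOM
        # `syft attest` pushes the signed attestation to the registry and
        # also prints the envelope, which is kept as a run artifact below.
        run: |
          syft attest -o cyclonedx-json "${IMAGE_REF}@${{ needs.build-calculator-image.outputs.digest }}" > calculator.att.json
      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: calculator.att.json
          path: calculator.att.json
  provenance:
    permissions:
      actions: read   # generator inspects the run
      # NOTE(review): `contents: write` is documented by the generator for
      # release-asset upload; confirm it is still required here (upload-assets
      # is not set) and drop to `read` if not.
      contents: write
      id-token: write
    needs:
      - build-calculator
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.build-calculator.outputs.calculator-hash }}"
  provenance-verify:
    runs-on: ubuntu-22.04
    needs:
      - build-calculator
      - provenance
    steps:
      - name: Download calculator binary
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: calculator
      - name: Download provenance
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
      - name: Install slsa-verifier
        # --fail makes curl exit non-zero on an HTTP error instead of saving
        # the error page as the binary.
        # TODO(review): the verifier is downloaded unverified; pin its release
        # SHA256 and check it with `sha256sum -c` before `install`.
        run: |
          curl --fail --location --silent --show-error \
            --output slsa-verifier-linux-amd64 \
            "https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64"
          install -m 0755 slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier
      - name: Verify provenance
        # On tag builds the tag is pinned too, so a consumer following this
        # check binds the provenance to the released version, not just the repo.
        run: |
          EXTRA_FLAGS=()
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            EXTRA_FLAGS+=(--source-tag "${GITHUB_REF_NAME}")
          fi
          slsa-verifier verify-artifact calculator \
            --provenance-path calculator.intoto.jsonl \
            --source-uri github.com/datosh-org/most-secure-calculator \
            "${EXTRA_FLAGS[@]}"
  release:
    runs-on: ubuntu-22.04
    permissions:
      contents: write  # create the draft release
    needs:
      - build-calculator
      - sign-calculator
      - unit-tests
      - provenance
      - provenance-verify  # never publish provenance that did not verify
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Download calculator binary
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: calculator
      - name: Download calculator certificate
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: calculator.pem
      - name: Download calculator signature
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: calculator.sig
      - name: Download provenance
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
      - name: Release
        uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0
        with:
          draft: true  # a human reviews before the release goes public
          artifacts: "calculator,calculator.pem,calculator.sig,calculator.intoto.jsonl"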