fluxcd
/
notification-controller
mirror of https://github.com/fluxcd/notification-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Publish SBOM and sign release artifacts 

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan 2022-01-21 17:11:42 +02:00
parent 4016fbf5a5
commit d82666efaf
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF
5 changed files with 97 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/cifuzz.yaml vendored
View File

@ -3,6 +3,10 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
permissions:
contents: read # for actions/checkout to fetch code
jobs: jobs:
Fuzzing: Fuzzing:
runs-on: ubuntu-latest runs-on: ubuntu-latest

4
.github/workflows/e2e.yaml vendored
View File

@ -1,11 +1,13 @@
name: e2e name: e2e
on: on:
pull_request: pull_request:
push: push:
branches: branches:
- main - main
permissions:
contents: read # for actions/checkout to fetch code
jobs: jobs:
kind: kind:
runs-on: ubuntu-latest runs-on: ubuntu-latest

77
.github/workflows/release.yml vendored
View File

@ -3,6 +3,17 @@ on:
push: push:
tags: tags:
- 'v*' - 'v*'
workflow_dispatch:
inputs:
tag:
description: 'image tag prefix'
default: 'rc'
required: true
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
env: env:
CONTROLLER: ${{ github.event.repository.name }} CONTROLLER: ${{ github.event.repository.name }}
@ -13,11 +24,11 @@ jobs:
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Setup Kustomize - name: Setup Kustomize
uses: fluxcd/pkg//actions/kustomize@main uses: fluxcd/pkg/actions/kustomize@main
- name: Prepare - name: Prepare
id: prep id: prep
run: | run: |
VERSION=sha-${GITHUB_SHA::8} VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
if [[ $GITHUB_REF == refs/tags/* ]]; then if [[ $GITHUB_REF == refs/tags/* ]]; then
VERSION=${GITHUB_REF/refs\/tags\//} VERSION=${GITHUB_REF/refs\/tags\//}
fi fi
@ -25,13 +36,9 @@ jobs:
echo ::set-output name=VERSION::${VERSION} echo ::set-output name=VERSION::${VERSION}
- name: Setup QEMU - name: Setup QEMU
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@v1
with:
platforms: all
- name: Setup Docker Buildx - name: Setup Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
with:
buildkitd-flags: "--debug"
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v1 uses: docker/login-action@v1
with: with:
@ -43,7 +50,16 @@ jobs:
with: with:
username: fluxcdbot username: fluxcdbot
password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
- name: Publish multi-arch container image - name: Generate images meta
id: meta
uses: docker/metadata-action@v3
with:
images: |
fluxcd/${{ env.CONTROLLER }}
ghcr.io/fluxcd/${{ env.CONTROLLER }}
tags: |
type=raw,value=${{ steps.prep.outputs.VERSION }}
- name: Publish images
uses: docker/build-push-action@v2 uses: docker/build-push-action@v2
with: with:
push: true push: true
@ -51,33 +67,34 @@ jobs:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
platforms: linux/amd64,linux/arm/v7,linux/arm64 platforms: linux/amd64,linux/arm/v7,linux/arm64
tags: | tags: ${{ steps.meta.outputs.tags }}
ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} labels: ${{ steps.meta.outputs.labels }}
docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
- name: Check images - name: Check images
run: | run: |
docker buildx imagetools inspect docker.io/fluxcd/${CONTROLLER}:${{ steps.prep.outputs.VERSION }} docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
docker buildx imagetools inspect ghcr.io/fluxcd/${CONTROLLER}:${{ steps.prep.outputs.VERSION }} docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
docker pull docker.io/fluxcd/${CONTROLLER}:${{ steps.prep.outputs.VERSION }} docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
docker pull ghcr.io/fluxcd/${CONTROLLER}:${{ steps.prep.outputs.VERSION }} docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
- name: Generate release manifests - uses: sigstore/cosign-installer@main
- name: Sign images
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
- name: Generate release artifacts
if: startsWith(github.ref, 'refs/tags/v')
run: | run: |
mkdir -p config/release mkdir -p config/release
kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
- name: Create release echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
uses: ncipollo/release-action@v1 - uses: anchore/sbom-action/download-syft@v0
- name: Create release and SBOM
if: startsWith(github.ref, 'refs/tags/v')
uses: goreleaser/goreleaser-action@v2
with: with:
prerelease: true version: latest
artifacts: "config/release/*.yaml" args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
artifactContentType: "text/plain" env:
body: | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)
token: ${{ secrets.GITHUB_TOKEN }}

5
.github/workflows/scan.yml vendored
View File

@ -1,5 +1,4 @@
name: Scan name: Scan
on: on:
push: push:
branches: [ main ] branches: [ main ]
@ -8,6 +7,10 @@ on:
schedule: schedule:
- cron: '18 10 * * 3' - cron: '18 10 * * 3'
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for codeQL to write security events
jobs: jobs:
fossa: fossa:
name: FOSSA name: FOSSA

39
.goreleaser.yaml Normal file
View File

@ -0,0 +1,39 @@
project_name: notification-controller
builds:
- skip: true
release:
prerelease: "true"
extra_files:
- glob: config/release/*.yaml
checksum:
extra_files:
- glob: config/release/*.yaml
source:
enabled: true
name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"
sboms:
- id: source
artifacts: source
documents:
- "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
# signs the checksum file
# all files (including the sboms) are included in the checksum
# https://goreleaser.com/customization/sign
signs:
- cmd: cosign
env:
- COSIGN_EXPERIMENTAL=1
certificate: "${artifact}.pem"
args:
- sign-blob
- "--output-certificate=${certificate}"
- "--output-signature=${signature}"
- "${artifact}"
artifacts: checksum
output: true