add checkout for build step

Author: saisatishkarra

.github/workflows/release.yaml

@@ -16,15 +16,16 @@ on:
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
-  IMAGE_NAME: ${{ github.repository }}
+  # Format as <account>/<repo>
+  # Must be lower case for container tools to parse correctly
+  IMAGE_NAME: kong/insomnia-mockbin
   HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.repository_owner == 'Kong' }}
   # Local docker OCI archive name until the image is pushed to registry
   DOCKER_OCI_ARCHIVE: "docker-archive"
   # Always use Docker Hub for publishing image signatures
   ## docker.io/kong/notary - Use Public Notary repository for release image signatures
   ## docker.io/kong/notary-internal - Use Private Notary repository for internal image signatures 
-  NOTARY_REPOSITORY: format('{0}/{1}', 'docker.io', ${{ github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal' }})
+  NOTARY_REPOSITORY: ${{ github.ref_type == 'tag' && 'kong/notary' || 'kong/notary-internal' }}
 
 jobs:
   check:
@@ -40,7 +41,7 @@ jobs:
       # Produces SBOM and CVE report
       # Helps understand vulnerabilities / license compliance across third party dependencies
       - id: sca-project
-        uses: Kong/public-shared-actions/security-actions/sca@556e4d9756442828427007a7171683a99adf9a6a # v2.2.1
+        uses: Kong/public-shared-actions/security-actions/sca@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
         with:
           dir: .
           upload-sbom-release-assets: true
@@ -56,6 +57,9 @@ jobs:
       image_tags: ${{ steps.meta.outputs.tags }}
       image_tag_version: ${{ steps.meta.outputs.version }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
       # Set up BuildKit Docker container builder to be able to build
       # multi-platform images and export cache
       # https://github.com/docker/setup-buildx-action
@@ -102,7 +106,6 @@ jobs:
           retention-days: 1
 
   scan-images:
-    name: Scan Images
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -111,78 +114,54 @@ jobs:
     if: >
       github.repository_owner == 'Kong'
       && needs.build-images.result == 'success'
-    outputs:
-      image_name: ${{ env.IMAGE_NAME }}
-      image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.sha }}
-      notary_repository: ${{ env.NOTARY_REPOSITORY }}
     steps:
 
       - name: Download OCI docker TAR artifact
         uses: actions/download-artifact@v3
         with:
           name: ${{ env.DOCKER_OCI_ARCHIVE }}
-          path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}
-
+          path: ${{ github.workspace }}
       - name: Load OCI docker TAR artifact
         run: |
-          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
+          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
           docker image ls
 
-      # Setup regctl to parse platform specific image digest from image manifest
-      - name: Install regctl
-        uses: regclient/actions/regctl-installer@main
-
-      - name: Parse architecture specific digest from image manifest
-        id: image_manifest_metadata
-        run: |
-          IMAGE=${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }}
-          sha="$(regctl image digest "${IMAGE})"
-          echo "sha=${sha}" >> $GITHUB_OUTPUT
-          archs=${{ env.PLATFORMS }}
-          for arch in $(echo "$archs" | sed -e 's/,/ /g'); do
-            arch=${arch#*/}
-            echo "Fetching digest for ${arch}..."
-            sha="$(regctl image digest "${IMAGE}" --platform linux/${arch})"
-            echo "${arch}_image_sha=${IMAGE}@${sha}"
-            echo "${arch}_image_sha=${IMAGE}@${sha}" >> $GITHUB_OUTPUT
-          done
-        env:
-          PLATFORMS: "linux/amd64" # Comma separated list of any platforms built
-
-      - name: Scan AMD64 Image digest
-        if: ${{ steps.image_manifest_metadata.outputs.amd64_image_sha != '' }}
+      - name: Scan the docker OCI Tar ball
         id: sbom_action_amd64
-        uses: Kong/public-shared-actions/security-actions/scan-docker-image@556e4d9756442828427007a7171683a99adf9a6a
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
         with:
           asset_prefix: image-${{ env.IMAGE_NAME }}-amd64
-          image: ${{steps.image_manifest_metadata.outputs.image}}:${{ steps.image_manifest_metadata.outputs.amd64_image_sha }}
+          image: ${{ env.DOCKER_OCI_ARCHIVE }}.tar
           upload-sbom-release-assets: true
 
   release-images:
-    name: Publish Images
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      packages: write # needed for signing the images
+      packages: write # needed for publishing the images
+      id-token: write # needed for keyless signing of the images
     needs: [check, build-images, scan-images]
     if: >
       github.repository_owner == 'Kong'
-      && github.event_name != 'pull_request'
       && needs.scan-images.result == 'success'
+      && github.event_name != 'pull_request'
     env:
       IMAGE_TAGS: ${{ needs.build-images.outputs.image_tags }}
-      IMAGE_MANIFEST_SHA: ${{ needs.scan-images.outputs.image_manifest_sha }}
+    outputs:
+      image_name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      image_manifest_sha: ${{ steps.image_manifest_metadata.outputs.image_manifest_sha }}
+      notary_repository: ${{ env.NOTARY_REPOSITORY }}
     steps:
 
       - name: Download OCI docker TAR artifact
         uses: actions/download-artifact@v3
         with:
           name: ${{ env.DOCKER_OCI_ARCHIVE }}
-          path: ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}
+          path: ${{ github.workspace }}
 
       - name: Load OCI docker TAR artifact
         run: |
-          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
+          docker load -i ${{ github.workspace }}/${{ env.DOCKER_OCI_ARCHIVE }}.tar
           docker image ls
 
       # Login against a Docker registry except on PR
@@ -198,21 +177,37 @@ jobs:
         id: publish_images
         run: |
           for tag in ${IMAGE_TAGS//,/ }; do \
-            docker push $tag \
+            docker push $tag; \
           done
 
+      # Setup regctl to parse platform specific image digest from image manifest
+      - name: Install regctl
+        uses: regclient/actions/regctl-installer@main
+
+      # The image manifest digest/sha is generated only after the image is published to registry
+      - name: Parse architecture specific digest from image manifest
+        id: image_manifest_metadata
+        run: |
+          IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build-images.outputs.IMAGE_TAG_VERSION }}
+          sha="$(regctl image digest "${IMAGE}")"
+          echo "sha=${sha}" >> $GITHUB_OUTPUT
+
+      # Signing images requires image manifest digest
       - name: Sign images
         id: sign_images
-        if: ${{ env.IMAGE_MANIFEST_SHA != '' }}
-        uses: Kong/public-shared-actions/security-actions/sign-docker-image@556e4d9756442828427007a7171683a99adf9a6a # v2.2.1
+        if: ${{ steps.image_manifest_metadata.outputs.sha != '' }}
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
         with:
-          image_digest: ${{ env.IMAGE_MANIFEST_SHA }}
+          image_digest: ${{ steps.image_manifest_metadata.outputs.sha }}
           tags: ${{ env.IMAGE_TAGS }}
+          image_registry_domain: ghcr.io
           registry_username: ${{ github.actor }}
           registry_password: ${{ secrets.GITHUB_TOKEN }}
-          signature_registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
-          signature_registry_password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
-          signature_registry: ${{ env.NOTARY_REPOSITORY }}
+          # Optional: Central notary repository for image signatures
+          # signature_registry_domain: docker.io
+          # signature_registry_username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
+          # signature_registry_password: ${{ secrets.GHA_DOCKERHUB_PUSH_TOKEN }}
+          # signature_registry: ${{ env.NOTARY_REPOSITORY }}
 
   release-images-provenance:
     needs: ["check", "build-images", "scan-images", "release-images"]
@@ -224,11 +219,11 @@ jobs:
       actions: read # For getting workflow run info to build provenance
       packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
     with:
-      image: ${{ needs.scan-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins
-      digest: ${{ needs.scan-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR
-      provenance-repository: ${{ needs.scan-images.outputs.notary_repository }}
+      image: ${{ needs.release-images.outputs.image_name }} # Image repository without tag. Eg: kong/insomnia-mockbins
+      digest: ${{ needs.release-images.outputs.image_manifest_sha }} # Image manifest digest for the published docker image/TAR
+      #provenance-repository: ${{ needs.release-images.outputs.notary_repository }}
     secrets:
       registry-username: ${{ github.actor }}
       registry-password: ${{ secrets.GITHUB_TOKEN }}
-      provenance-registry-username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
-      provenance-registry-password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
+      # provenance-registry-username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
+      # provenance-registry-password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}

.github/workflows/sast.yml

@@ -30,4 +30,4 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: Kong/public-shared-actions/security-actions/semgrep@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+      - uses: Kong/public-shared-actions/security-actions/semgrep@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2

README.md

@@ -6,15 +6,22 @@ Insomnia Mockbin is used internally and maintained by [Kong](https://github.com/
 
 ## Table of contents
 
-- [Features](#features)
-- [Installation](#installation)
-  - [Requirements](#requirements)
-  - [Running with Node](#running-with-node)
+- [Insomnia Mockbin  ](#insomnia-mockbin--)
+  - [Table of contents](#table-of-contents)
+  - [Features](#features)
+  - [Installation](#installation)
+    - [Requirements](#requirements)
+    - [Running with Node](#running-with-node)
   - [Running with Docker Compose](#running-with-docker-compose)
-- [Documentation](#documentation)
-- [Bugs and feature requests](#bugs-and-feature-requests)
-- [Contributing](#contributing)
-- [License](#license)
+  - [Documentation](#documentation)
+    - [API Docs](#api-docs)
+    - [Software Bill of materials](#software-bill-of-materials)
+    - [Verify a container image siganture](#verify-a-container-image-siganture)
+    - [Verify a container image provenance](#verify-a-container-image-provenance)
+  - [Bugs and feature requests](#bugs-and-feature-requests)
+  - [Contributing](#contributing)
+  - [License](#license)
+  - [TODO](#todo)
 
 ## Features
 
@@ -67,8 +74,97 @@ docker compose up
 
 ## Documentation
 
+### API Docs
+
 Read the full API documentation, please review the [API Docs](https://github.com/Kong/mockbin/tree/master/docs).
 
+### Software Bill of materials
+
+Kong Insomnia Mockbin produces SBOMs for the below categories:
+
+- For docker container images
+- For source code repository
+
+The SBOMs are available to download at:
+
+- Github Release / Tag Assets
+- Github workflow assets for other workflow runs
+
+### Verify a container image siganture
+
+Docker container images are now signed using cosign with signatures published to a [Github Container registry](https://ghcr.io) with `insomnia-mockbin` repository.
+
+Steps to verify signatures for signed Kong Insomnia Mockbin Docker container images in two different ways:
+
+A minimal example, used to verify an image without leveraging any annotations. For the minimal example, you only need Docker details, a GitHub repo name, and a GitHub workflow filename.
+
+```code
+cosign verify \
+  ghcr.io/kong/insomnia-mockbin:<tag>@sha256:<digest> \
+  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
+  --certificate-identity-regexp='https://github.com/Kong/insomnia-mockbin/.github/workflows/release.yaml'
+```
+
+A complete example, leveraging optional annotations for increased trust. For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:
+
+```code
+cosign verify \
+  ghcr.io/kong/insomnia-mockbin:<tag>@sha256:<digest> \
+  --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
+  --certificate-identity-regexp='https://github.com/Kong/insomnia-mockbin/.github/workflows/release.yaml' \
+  -a repo='Kong/insomnia-mockbin' \
+  -a workflow='Package & Release'
+```
+
+### Verify a container image provenance
+
+Kong Insomnia Mockbin produces build provenance for docker container images for `Github tags`, which can be verified using cosign / slsa-verifier with attestations published to a [Github Container registry](https://ghcr.io) with `insomnia-mockbin` repository.
+
+Steps to verify provenance for signed Kong Insomnia Mockbin Docker container images:
+
+1. Fetch the image `<manifest_digest>` using regctl:
+
+    ```code
+    regctl image digest ghcr.io/kong/insomnia-mockbin:<tag>
+    ```
+
+2. A minimal example, used to verify an image without leveraging any annotations. For the minimal example, you only need Docker Image manifest, a GitHub repo name.
+
+    ```code
+    cosign verify-attestation \
+      ghcr.io/kong/insomnia-mockbin:<tag>@sha256:<manifest_digest> \
+      --type='slsaprovenance' \
+      --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
+      --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
+    ```
+
+    ```code
+    slsa-verifier verify-image \
+      ghcr.io/kong/insomnia-mockbin:<tag>@sha256:<manifest_digest> \
+      --print-provenance \
+      --source-uri 'github.com/Kong/insomnia-mockbin'
+    ```
+
+3. A complete example, leveraging optional annotations for increased trust. For the complete example, you need the same details as the minimal example, as well as any of the optional annotations you wish to verify:
+
+    ```code
+    cosign verify-attestation \
+      ghcr.io/kong/insomnia-mockbin:<tag>@sha256:<manifest_digest> \
+      --type='slsaprovenance' \
+      --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
+      --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
+      --certificate-github-workflow-repository='Kong/insomnia-mockbin' \
+      --certificate-github-workflow-name='Package & Release'
+    ```
+
+    ```code
+    slsa-verifier verify-image \
+      ghcr.io/kong/insomnia-mockbin:<tag>@sha256:<manifest_digest> \
+      --print-provenance \
+      --source-uri 'github.com/Kong/insomnia-mockbin' \
+      --source-tag '<tag>'
+    ```
+
 ## Bugs and feature requests
 
 Have a bug or a feature request? Please first read the [issue guidelines](CONTRIBUTING.md#using-the-issue-tracker) and search for existing and closed issues. If your problem or idea is not addressed yet, [please open a new issue](/issues).