build(ci): release security and workflow updates

projectcapsule · Oct 19, 2023 · 2236281 · 2236281
1 parent 6cdcc48
commit 2236281
Show file tree

Hide file tree

Showing 14 changed files with 304 additions and 219 deletions.
diff --git a/.github/workflows/check-actions.yml b/.github/workflows/check-actions.yml
@@ -0,0 +1,24 @@
+name: Check actions
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
+        with:
+          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+          allowlist: |
+            slsa-framework/slsa-github-generator
diff --git a/.github/workflows/check-commit.yml b/.github/workflows/check-commit.yml
@@ -0,0 +1,23 @@
+name: Check Commit
+permissions: {}
+
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  commit_lint:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+      - uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f #v5.4.3
+        with:
+          firstParent: true
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -0,0 +1,38 @@
+name: Codecov
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  codecov:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: codecov
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.CODECOV_TOKEN }}
+      - name: Generate Code Coverage Report
+        if: steps.checksecret.outputs.result == 'true'
+        run: make test
+      - name: Upload Report to Codecov
+        if: steps.checksecret.outputs.result == 'true'
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        with:
+          file: ./coverage.out
+          fail_ci_if_error: true
+          verbose: true
diff --git a/.github/workflows/ci.yml → .github/workflows/diff.yml b/.github/workflows/ci.yml → .github/workflows/diff.yml
@@ -1,40 +1,25 @@
-name: CI
+name: Diff checks
+permissions: {}
 
 on:
   push:
     branches: [ "*" ]
   pull_request:
     branches: [ "*" ]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
-  commit_lint:
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v2
-        with:
-          firstParent: true
-  golangci:
-    name: lint
-    runs-on: ubuntu-20.04
-    steps:
-      - uses: actions/checkout@v2
-      - name: Run golangci-lint
-        uses: golangci/[email protected]
-        with:
-          version: v1.51.2
-          only-new-issues: false
-          args: --timeout 5m --config .golangci.yml
   diff:
     name: diff
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: '1.19'
       - run: make installer

diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,69 @@
+name: Publish images
+permissions: {}
+
+on:
+  push:
+    tags:
+      - "v*"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-images:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      id-token: write 
+    outputs:
+      capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: publish-images
+      - name: Run Trivy vulnerability (Repo)
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - name: Publish Capsule
+        id: publish-capsule
+        uses: oliverbaehler/github-actions/ko-publish-image@979018716f7d0cbe8d2711f572b350afad4ef211 # v0.1.1
+        with:
+          makefile-target: ko-publish-capsule
+          registry: ghcr.io
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository_owner }}
+          version: ${{ github.ref_name }}
+          sign-image: true
+          sbom-name: capsule
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          main-path: ./
+        env:
+          REPOSITORY: ${{ github.repository }}
+  generate-capsule-provenance:
+    needs: publish-images
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/capsule
+      digest: "${{ needs.publish-images.outputs.capsule-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/docs-lint.yml b/.github/workflows/docs-lint.yml
@@ -1,4 +1,5 @@
 name: docs-lint
+permissions: {}
 
 on:
   push:
@@ -12,15 +13,19 @@ on:
       - '.github/workflows/docs-lint.yml'
       - 'docs/content/**'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   spelling:
     name: Spell Check
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: 18
       - run: make docs-lint
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -1,4 +1,5 @@
 name: e2e
+permissions: {}
 
 on:
   push:
@@ -26,6 +27,10 @@ on:
       - 'main.go'
       - 'Makefile'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   kind:
     name: Kubernetes
@@ -35,22 +40,22 @@ jobs:
         k8s-version: ['v1.20.7', 'v1.21.2', 'v1.22.4', 'v1.23.6', 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2']
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: '1.19'
       - run: make manifests
       - name: Checking if manifests are disaligned
         run: test -z "$(git diff 2> /dev/null)"
       - name: Checking if manifests generated untracked files
         run: test -z "$(git ls-files --others --exclude-standard 2> /dev/null)"
-      - uses: engineerd/[email protected]
+      - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           skipClusterCreation: true
           version: v0.14.0
-      - uses: azure/setup-helm@v1
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
         with:
           version: 3.3.4
       - name: e2e testing