add docker image and binary attestation and gen sboms (#14267)

* add docker image and binary attestation and gen sboms * temp remove all other gha workflows for testing * temp comment out docker-build job * temp comment out check job * fix typo * fix getting the right docker image digest * fix docker image digest parse issue and output * add attestation to regular docker image build * get back deleted workflows * refactor
smartcontractkit · Sep 4, 2024 · 74fa74f · 74fa74f
1 parent 8490c96
commit 74fa74f
Show file tree

Hide file tree

Showing 4 changed files with 301 additions and 8 deletions.
diff --git a/.github/actions/goreleaser-build-sign-publish/action.yml b/.github/actions/goreleaser-build-sign-publish/action.yml
@@ -101,6 +101,8 @@ runs:
       run: |
         echo "GOOS=linux" | tee -a $GITHUB_ENV
         echo "GOARCH=${{ inputs.goreleaser-split-arch }}" | tee -a $GITHUB_ENV
+    - name: Install syft
+      uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
     - name: Run goreleaser release
       shell: bash
       env:

diff --git a/.github/workflows/build-publish-develop-pr.yml b/.github/workflows/build-publish-develop-pr.yml
@@ -95,8 +95,7 @@ jobs:
             cat dist/linux_${{ matrix.goarch }}/artifacts.json
           fi
           echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY"
-          jq -r '.[] | select(.type == "Docker Image") | "`\(.goarch)-image`: \(.name)"' ${artifact_path} >> output.txt
-          jq -r '.[] | select(.type == "Archive") | "`\(.goarch)-digest`: \(.extra.Checksum)"' ${artifact_path} >> output.txt
+          jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt
           while read -r line; do
             echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
           done < output.txt

diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
@@ -33,7 +33,8 @@ jobs:
     environment: build-publish
     permissions:
       id-token: write
-      contents: read
+      contents: write
+      attestations: write
     outputs:
       docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
       docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
@@ -56,6 +57,13 @@ jobs:
           sign-images: true
           verify-signature: true
 
+      - name: Attest Docker image
+        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+        with:
+          subject-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
+          subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
+          push-to-registry: true
+
       - name: Collect Metrics
         if: always()
         id: collect-gha-metrics
@@ -75,7 +83,8 @@ jobs:
     environment: build-publish
     permissions:
       id-token: write
-      contents: read
+      contents: write
+      attestations: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
@@ -97,23 +106,85 @@ jobs:
           docker-image-name: ${{ env.ECR_IMAGE_NAME }}
           docker-image-tag: ${{ github.ref_name }}
           goreleaser-exec: ./tools/bin/goreleaser_wrapper
-          goreleaser-config: .goreleaser.develop.yaml
+          goreleaser-config: .goreleaser.production.yaml
           goreleaser-key: ${{ secrets.GORELEASER_KEY }}
           zig-version: 0.11.0
           enable-cosign: true
           cosign-version: "v2.4.0"
 
       - name: Output image name and digest
-        shell: sh
+        id: get-image-name-digest
+        shell: bash
         run: |
           artifact_path="dist/artifacts.json"
+          jq -r '.[] | select(.type == "Docker Image") | "\(.name)"' ${artifact_path} >> output.txt
+
           echo "### Docker Images" | tee -a "$GITHUB_STEP_SUMMARY"
-          jq -r '.[] | select(.type == "Docker Image") | "`\(.goarch)-image`: \(.name)"' ${artifact_path} >> output.txt
-          jq -r '.[] | select(.type == "Archive") | "`\(.goarch)-digest`: \(.extra.Checksum)"' ${artifact_path} >> output.txt
           while read -r line; do
             echo "$line" | tee -a "$GITHUB_STEP_SUMMARY"
           done < output.txt
 
+          core_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-amd64"
+          plugins_amd64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-amd64"
+          core_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-arm64"
+          plugins_arm64_name="${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}:${{ github.ref_name }}-plugins-arm64"
+
+          echo "core_amd64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
+          echo "plugins_amd64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
+          echo "core_arm64_digest=$(jq -r --arg name "$core_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
+          echo "plugins_arm64_digest=$(jq -r --arg name "$plugins_amd64_name" '.[]|select(.type=="Published Docker Image" and .name==$name)|.extra.Digest' ${artifact_path})" | tee -a "$GITHUB_OUTPUT" "$GITHUB_STEP_SUMMARY"
+
+      - name: Attest tarballs
+        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+        with:
+          subject-path: "dist/*.tar.gz"
+
+      - name: Attest Docker image (core-amd64)
+        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+        with:
+          subject-digest: ${{ steps.get-image-name-digest.outputs.core_amd64_digest }}
+          subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
+          push-to-registry: true
+
+      - name: Attest Docker image (plugins-amd64)
+        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+        with:
+          subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_amd64_digest }}
+          subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
+          push-to-registry: true
+
+      - name: Attest Docker image (core-arm64)
+        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+        with:
+          subject-digest: ${{ steps.get-image-name-digest.outputs.core_arm64_digest }}
+          subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
+          push-to-registry: true
+
+      - name: Attest Docker image (plugins-arm64)
+        uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2
+        with:
+          subject-digest: ${{ steps.get-image-name-digest.outputs.plugins_arm64_digest }}
+          subject-name: ${{ env.ECR_HOSTNAME }}/${{ env.ECR_IMAGE_NAME }}
+          push-to-registry: true
+
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: goreleaser-sboms
+          path: dist/*.sbom.json
+
+      - name: Print SBOM artifact to job summary
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          ARTIFACTS=$(gh api -X GET repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts)
+          ARTIFACT_ID=$(echo "$ARTIFACTS" | jq '.artifacts[] | select(.name=="goreleaser-sboms") | .id')
+          echo "Artifact ID: $ARTIFACT_ID"
+          echo "### SBOM Artifact" | tee -a "$GITHUB_STEP_SUMMARY"
+          artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts/$ARTIFACT_ID"
+          echo "[Artifact URL]($artifact_url)" | tee -a $GITHUB_STEP_SUMMARY
+
       - name: Collect Metrics
         if: always()
         id: collect-gha-metrics

diff --git a/.goreleaser.production.yaml b/.goreleaser.production.yaml
@@ -0,0 +1,221 @@
+project_name: chainlink
+
+version: 2
+
+env:
+  - ZIG_EXEC={{ if index .Env "ZIG_EXEC"  }}{{ .Env.ZIG_EXEC }}{{ else }}zig{{ end }}
+  - IMAGE_PREFIX={{ if index .Env "IMAGE_PREFIX"  }}{{ .Env.IMAGE_PREFIX }}{{ else }}localhost:5001{{ end }}
+  - IMAGE_NAME={{ if index .Env "IMAGE_NAME" }}{{ .Env.IMAGE_NAME }}{{ else }}chainlink{{ end }}
+  - IMAGE_TAG={{ if index .Env "IMAGE_TAG" }}{{ .Env.IMAGE_TAG }}{{ else }}develop{{ end }}
+  - IMAGE_LABEL_DESCRIPTION="node of the decentralized oracle network, bridging on and off-chain computation"
+  - IMAGE_LABEL_LICENSES="MIT"
+  - IMAGE_LABEL_SOURCE="https://github.com/smartcontractkit/{{ .ProjectName }}"
+
+before:
+  hooks:
+    - go mod tidy
+    - ./tools/bin/goreleaser_utils before_hook
+
+# See https://goreleaser.com/customization/build/
+builds:
+  - binary: chainlink
+    id: linux-arm64
+    goos:
+      - linux
+    goarch:
+      - arm64
+    hooks:
+      post: ./tools/bin/goreleaser_utils build_post_hook {{ dir .Path }} {{ .Os }} {{ .Arch }}
+    env:
+      - CGO_ENABLED=1
+      - CC=$ZIG_EXEC cc -target aarch64-linux-gnu
+      - CCX=$ZIG_EXEC c++ -target aarch64-linux-gnu
+    flags:
+      - -trimpath
+      - -buildmode=pie
+    ldflags:
+      - -s -w -r=$ORIGIN/libs
+      - -X github.com/smartcontractkit/chainlink/v2/core/static.Version={{ .Env.CHAINLINK_VERSION }}
+      - -X github.com/smartcontractkit/chainlink/v2/core/static.Sha={{ .FullCommit }}
+  - binary: chainlink
+    id: linux-amd64
+    goos:
+      - linux
+    goarch:
+      - amd64
+    hooks:
+      post: ./tools/bin/goreleaser_utils build_post_hook {{ dir .Path }} {{ .Os }} {{ .Arch }}
+    env:
+      - CGO_ENABLED=1
+      - CC=$ZIG_EXEC cc -target x86_64-linux-gnu
+      - CCX=$ZIG_EXEC c++ -target x86_64-linux-gnu
+    flags:
+      - -trimpath
+      - -buildmode=pie
+    ldflags:
+      - -s -w -r=$ORIGIN/libs
+      - -X github.com/smartcontractkit/chainlink/v2/core/static.Version={{ .Env.CHAINLINK_VERSION }}
+      - -X github.com/smartcontractkit/chainlink/v2/core/static.Sha={{ .FullCommit }}
+
+# See https://goreleaser.com/customization/docker/
+dockers:
+  - id: linux-amd64
+    dockerfile: core/chainlink.goreleaser.Dockerfile
+    use: buildx
+    goos: linux
+    goarch: amd64
+    extra_files:
+      - tmp/linux_amd64/libs
+      - tools/bin/ldd_fix
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--pull"
+      - "--build-arg=CHAINLINK_USER=chainlink"
+      - "--build-arg=COMMIT_SHA={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.description={{ .Env.IMAGE_LABEL_DESCRIPTION }}"
+      - "--label=org.opencontainers.image.licenses={{ .Env.IMAGE_LABEL_LICENSES }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.source={{ .Env.IMAGE_LABEL_SOURCE }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.version={{ .Env.CHAINLINK_VERSION }}"
+      - "--label=org.opencontainers.image.url={{ .Env.IMAGE_LABEL_SOURCE }}"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-amd64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-amd64"
+  - id: linux-arm64
+    dockerfile: core/chainlink.goreleaser.Dockerfile
+    use: buildx
+    goos: linux
+    goarch: arm64
+    extra_files:
+      - tmp/linux_arm64/libs
+      - tools/bin/ldd_fix
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--pull"
+      - "--build-arg=CHAINLINK_USER=chainlink"
+      - "--build-arg=COMMIT_SHA={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.description={{ .Env.IMAGE_LABEL_DESCRIPTION }}"
+      - "--label=org.opencontainers.image.licenses={{ .Env.IMAGE_LABEL_LICENSES }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.source={{ .Env.IMAGE_LABEL_SOURCE }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.version={{ .Env.CHAINLINK_VERSION }}"
+      - "--label=org.opencontainers.image.url={{ .Env.IMAGE_LABEL_SOURCE }}"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-arm64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-arm64"
+  - id: linux-amd64-plugins
+    dockerfile: core/chainlink.goreleaser.Dockerfile
+    use: buildx
+    goos: linux
+    goarch: amd64
+    extra_files:
+      - tmp/linux_amd64/libs
+      - tmp/linux_amd64/plugins
+      - tools/bin/ldd_fix
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--pull"
+      - "--build-arg=CHAINLINK_USER=chainlink"
+      - "--build-arg=COMMIT_SHA={{ .FullCommit }}"
+      - "--build-arg=CL_MEDIAN_CMD=chainlink-feeds"
+      - "--build-arg=CL_MERCURY_CMD=chainlink-mercury"
+      - "--build-arg=CL_SOLANA_CMD=chainlink-solana"
+      - "--build-arg=CL_STARKNET_CMD=chainlink-starknet"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.description={{ .Env.IMAGE_LABEL_DESCRIPTION }}"
+      - "--label=org.opencontainers.image.licenses={{ .Env.IMAGE_LABEL_LICENSES }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.source={{ .Env.IMAGE_LABEL_SOURCE }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.version={{ .Env.CHAINLINK_VERSION }}"
+      - "--label=org.opencontainers.image.url={{ .Env.IMAGE_LABEL_SOURCE }}"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-plugins-amd64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-plugins-amd64"
+  - id: linux-arm64-plugins
+    dockerfile: core/chainlink.goreleaser.Dockerfile
+    use: buildx
+    goos: linux
+    goarch: arm64
+    extra_files:
+      - tmp/linux_arm64/libs
+      - tmp/linux_arm64/plugins
+      - tools/bin/ldd_fix
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--pull"
+      - "--build-arg=CHAINLINK_USER=chainlink"
+      - "--build-arg=COMMIT_SHA={{ .FullCommit }}"
+      - "--build-arg=CL_MEDIAN_CMD=chainlink-feeds"
+      - "--build-arg=CL_MERCURY_CMD=chainlink-mercury"
+      - "--build-arg=CL_SOLANA_CMD=chainlink-solana"
+      - "--build-arg=CL_STARKNET_CMD=chainlink-starknet"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.description={{ .Env.IMAGE_LABEL_DESCRIPTION }}"
+      - "--label=org.opencontainers.image.licenses={{ .Env.IMAGE_LABEL_LICENSES }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.source={{ .Env.IMAGE_LABEL_SOURCE }}"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.version={{ .Env.CHAINLINK_VERSION }}"
+      - "--label=org.opencontainers.image.url={{ .Env.IMAGE_LABEL_SOURCE }}"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-plugins-arm64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-plugins-arm64"
+
+# See https://goreleaser.com/customization/docker_manifest/
+docker_manifests:
+  - name_template: "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-amd64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-arm64"
+  - name_template: "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-amd64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-arm64"
+  - name_template: "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-plugins"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-plugins-amd64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:{{ .Env.IMAGE_TAG }}-plugins-arm64"
+  - name_template: "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-plugins"
+    image_templates:
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-plugins-amd64"
+      - "{{ .Env.IMAGE_PREFIX }}/{{ .Env.IMAGE_NAME }}:sha-{{ .ShortCommit }}-plugins-arm64"
+
+# See https://goreleaser.com/customization/docker_sign/
+docker_signs:
+  - artifacts: all
+    args:
+      - "sign"
+      - "${artifact}"
+      - "--yes"
+
+checksum:
+  name_template: "checksums.txt"
+
+# See https://goreleaser.com/customization/sbom
+sboms:
+  - artifacts: archive
+
+snapshot:
+  version_template: "{{ .Env.CHAINLINK_VERSION }}-{{ .ShortCommit }}"
+
+partial:
+  by: target
+
+# See https://goreleaser.com/customization/release/
+release:
+  disable: true
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+# modelines, feel free to remove those if you don't want/use them:
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj