ci(.github): publish slsa artifacts to cloudsmith (#10215)

Signed-off-by: saisatishkarra <[email protected]>

.github/workflows/_build_publish.yaml

@@ -128,15 +128,23 @@ jobs:
           make test/container-structure/${{ matrix.image }}
       - name: scan amd64 image
         id: scan_image-amd64
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/scan-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           asset_prefix: image_${{ matrix.image }}-amd64
           image: ./build/docker/${{ matrix.image }}-amd64.tar
           upload-sbom-release-assets: true
       - name: scan arm64 image
         id: scan_image-arm64
         if: ${{ fromJSON(inputs.FULL_MATRIX) }}
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/scan-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           asset_prefix: image_${{ matrix.image }}-arm64
           image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -184,7 +192,11 @@ jobs:
       - name: sign image
         if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
         id: sign
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/sign-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           image_digest: ${{ steps.image_digest.outputs.digest }}
           tags: ${{ steps.image_meta.outputs.image }}

.github/workflows/build-test-distribute.yaml

@@ -37,6 +37,7 @@ jobs:
       REGISTRY: ${{ steps.metadata.outputs.registry }}
       VERSION_NAME: ${{ steps.metadata.outputs.version }}
       NOTARY_REPOSITORY: ${{ (contains(steps.metadata.outputs.version, 'preview') && 'notary-internal') || 'notary' }}
+      CLOUDSMITH_REPOSITORY: ${{ steps.metadata.outputs.distribution_repository }}
     steps:
       - name: "Fail when 'ci/force-publish' label is present on PRs from forks"
         if: ${{ fromJSON(env.FORCE_PUBLISH_FROM_FORK) }}
@@ -69,7 +70,11 @@ jobs:
       - run: |
           make check
       - id: sca-project
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/sca@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           dir: .
           config: .syft.yaml
@@ -79,6 +84,7 @@ jobs:
           echo "images=$(make images/info/release/json)" >> $GITHUB_OUTPUT
           echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
           echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
+          echo "distribution_repository=$(make build/info/cloudsmith_repository)" >> $GITHUB_OUTPUT
   test:
     permissions:
       contents: read
@@ -125,6 +131,12 @@ jobs:
     timeout-minutes: 10
     if: ${{ always() }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: read # For getting workflow run info
+    env:
+      SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
+      SECURITY_ASSETS_PACKAGE_NAME: "security-assets" # Cloudsmith package for hosting security assets
     steps:
       - name: "Halt due to previous failures"
         run: |-
@@ -133,3 +145,46 @@ jobs:
           # so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149
           [[ ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }} == "true" ]] && exit 1
           echo "All dependent jobs succeeded"
+      - name: "Download all SBOM assets"
+        id: collect_sbom
+        if: ${{ needs.build_publish.result == 'success' }}
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: "*sbom.{cyclonedx,spdx}.json"
+          merge-multiple: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Download binary artifact provenance"
+        if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
+        id: collect_provenance
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: ${{ github.event.repository.name }}.intoto.jsonl
+          merge-multiple: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Generate security assets TAR"
+        if: ${{ needs.build_publish.result == 'success' }}
+        id: security_assets_metadata
+        run: |
+          cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print | tar -cvzf ${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz -T -
+          ls -alR .
+        # Publish aggregated zip file of SBOMs and/or Binary Provenance to artifact regstry
+      - name: Push security assets to cloudsmith
+        id: push_security_assets
+        if: ${{ needs.provenance.result == 'success' || needs.build_publish.result == 'success' }}
+        uses: cloudsmith-io/action@f04b4de7550751e32961ac16543116f8f5f9bfc2 # v0.6.6
+        with:
+          api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
+          command: "push"
+          format: "raw"
+          owner: "kong"
+          repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
+          version: "${{ needs.check.outputs.VERSION_NAME }}"
+          file: "${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}/${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz"
+          name: "${{ env.SECURITY_ASSETS_PACKAGE_NAME }}"
+          summary: "SLSA security artifacts for ${{ github.repository }}"
+          description: "SBOM and Binary artifact Provenance for ${{ github.repository }}"

mk/distribution.mk

@@ -107,6 +107,10 @@ endif
 build/distributions/out: $(patsubst %,build/distributions/out/$(DISTRIBUTION_TARGET_NAME)-%.tar.gz,$(ENABLED_DIST_NAMES))
 	cd $@; sha256sum *.tar.gz > $(DISTRIBUTION_TARGET_NAME).sha256
 
+.PHONY: build/info/distribution/repo
+build/info/cloudsmith_repository:
+	@echo $(PULP_PACKAGE_TYPE)-binaries-$(PULP_DIST_VERSION)
+
 # Create a main target which will publish to pulp each to the tar.gz built
 .PHONY: publish/pulp ## Publish to pulp all enabled distributions
 publish/pulp: $(addprefix publish/pulp/$(DISTRIBUTION_TARGET_NAME)-,$(ENABLED_DIST_NAMES))

mk/docker.mk

@@ -19,7 +19,8 @@ KUMA_IMAGES = $(call build_image,$(IMAGES_RELEASE) $(IMAGES_TEST))
 export DOCKER_BUILDKIT := 1
 
 # add targets to build images for each arch
-# $(1) - GOOS to build for
+# $(1) - GOARCH to build for
+
 define IMAGE_TARGETS_BY_ARCH
 .PHONY: image/static/$(1)
 image/static/$(1): ## Dev: Rebuild `kuma-static` Docker image
@@ -65,8 +66,9 @@ $(foreach goarch,$(SUPPORTED_GOARCHES),$(eval $(call IMAGE_TARGETS_BY_ARCH,$(goa
 
 # add targets to generate docker/{save,load,tag,push} for each supported ARCH
 # add targets to build images for each arch
-# $(1) - GOOS to build for
+# $(1) - Image Name to build for
 # $(2) - GOARCH to build for
+# (TODO): Support image platform in output file names
 define DOCKER_TARGETS_BY_ARCH
 .PHONY: docker/save/$(1)/$(2)
 docker/save/$(1)/$(2):