diff --git a/.github/workflows/_build_publish.yaml b/.github/workflows/_build_publish.yaml
index 99f212ecd75a..1894e3543fce 100644
--- a/.github/workflows/_build_publish.yaml
+++ b/.github/workflows/_build_publish.yaml
@@ -128,7 +128,11 @@ jobs:
         make test/container-structure/${{ matrix.image }}
       - name: scan amd64 image
         id: scan_image-amd64
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/scan-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           asset_prefix: image_${{ matrix.image }}-amd64
           image: ./build/docker/${{ matrix.image }}-amd64.tar
@@ -136,7 +140,11 @@ jobs:
       - name: scan arm64 image
         id: scan_image-arm64
         if: ${{ fromJSON(inputs.FULL_MATRIX) }}
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/scan-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           asset_prefix: image_${{ matrix.image }}-arm64
           image: ./build/docker/${{ matrix.image }}-arm64.tar
@@ -184,7 +192,11 @@ jobs:
       - name: sign image
         if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
         id: sign
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/sign-docker-image@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/sign-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           image_digest: ${{ steps.image_digest.outputs.digest }}
           tags: ${{ steps.image_meta.outputs.image }}
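Review bot: The new side of this hunk commits unresolved merge-conflict markers: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> cf9b78d2b (...)` are added around the `uses:` line, so the file now carries both the v2.2.1 pin (kept as a context line) and the v2.3.0 pin and is no longer valid YAML, which means `_build_publish.yaml` will fail to parse rather than run. The same markers appear in the two hunks below (`scan arm64 image`, `sign image`) and in the `sca-project` step of `build-test-distribute.yaml`. Resolve each to the single intended line, e.g. `uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0`, dropping the three marker lines and the superseded v2.2.1 line. Because the pin is a full commit SHA with only a `# v2.3.0` comment as the human-readable cue, it is worth confirming that SHA actually resolves to the v2.3.0 tag of the shared actions before merging.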
diff --git a/.github/workflows/build-test-distribute.yaml b/.github/workflows/build-test-distribute.yaml
index d2e6d8cdf3c7..10638e5d0ac3 100644
--- a/.github/workflows/build-test-distribute.yaml
+++ b/.github/workflows/build-test-distribute.yaml
@@ -37,6 +37,7 @@ jobs:
       REGISTRY: ${{ steps.metadata.outputs.registry }}
       VERSION_NAME: ${{ steps.metadata.outputs.version }}
       NOTARY_REPOSITORY: ${{ (contains(steps.metadata.outputs.version, 'preview') && 'notary-internal') || 'notary' }}
+      CLOUDSMITH_REPOSITORY: ${{ steps.metadata.outputs.distribution_repository }}
     steps:
       - name: "Fail when 'ci/force-publish' label is present on PRs from forks"
         if: ${{ fromJSON(env.FORCE_PUBLISH_FROM_FORK) }}
@@ -69,7 +70,11 @@ jobs:
       - run: |
           make check
       - id: sca-project
+<<<<<<< HEAD
         uses: Kong/public-shared-actions/security-actions/sca@23929cfda574afc77b018c51794454b6dc99ca57 # v2.2.1
+=======
+        uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+>>>>>>> cf9b78d2b (ci(.github): publish slsa artifacts to cloudsmith (#10215))
         with:
           dir: .
           config: .syft.yaml
@@ -79,6 +84,7 @@ jobs:
           echo "images=$(make images/info/release/json)" >> $GITHUB_OUTPUT
           echo "registry=$(make docker/info/registry)" >> $GITHUB_OUTPUT
           echo "version=$(make build/info/version)" >> $GITHUB_OUTPUT
+          echo "distribution_repository=$(make build/info/cloudsmith_repository)" >> $GITHUB_OUTPUT
   test:
     permissions:
       contents: read
@@ -125,6 +131,12 @@ jobs:
     timeout-minutes: 10
     if: ${{ always() }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: read # For getting workflow run info
+    env:
+      SECURITY_ASSETS_DOWNLOAD_PATH: "${{ github.workspace }}/security-assets"
+      SECURITY_ASSETS_PACKAGE_NAME: "security-assets" # Cloudsmith package for hosting security assets
     steps:
       - name: "Halt due to previous failures"
         run: |-
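Review bot: The job-level `permissions:` block added in the last hunk grants `contents: write`, yet none of the steps this commit adds to that job write to the repository: both `actions/download-artifact` steps only read artifacts, and the Cloudsmith push authenticates with `CLOUDSMITH_API_KEY` rather than `GITHUB_TOKEN`. Unless a step outside the hunk needs it, reduce it to `contents: read`; the job runs under `if: ${{ always() }}` with third-party actions, so a write-capable token is more privilege than the visible work requires. A short comment on `contents:` stating which step needs the level chosen, mirroring the one already on `actions: read`, would keep the next reviewer from having to re-derive it. The quoted `SECURITY_ASSETS_*` values are the right choice for the `${{ github.workspace }}` expansion.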
@@ -133,3 +145,46 @@ jobs:
           # so we manually check it here. An example could be found here: https://github.com/kumahq/kuma/actions/runs/7044980149
           [[ ${{ contains(needs.*.result, 'failure')|| contains(needs.*.result, 'cancelled') }} == "true" ]] && exit 1
           echo "All dependent jobs succeeded"
+      - name: "Download all SBOM assets"
+        id: collect_sbom
+        if: ${{ needs.build_publish.result == 'success' }}
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: "*sbom.{cyclonedx,spdx}.json"
+          merge-multiple: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Download binary artifact provenance"
+        if: ${{ needs.provenance.result == 'success' && github.ref_type == 'tag' }}
+        id: collect_provenance
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          pattern: ${{ github.event.repository.name }}.intoto.jsonl
+          merge-multiple: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Generate security assets TAR"
+        if: ${{ needs.build_publish.result == 'success' }}
+        id: security_assets_metadata
+        run: |
+          cd ${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}
+          find . -maxdepth 1 -type f \( -name '*sbom.*.json' -o -name '*.intoto.jsonl' \) -print | tar -cvzf ${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz -T -
+          ls -alR .
+      # Publish aggregated zip file of SBOMs and/or Binary Provenance to artifact regstry
+      - name: Push security assets to cloudsmith
+        id: push_security_assets
+        if: ${{ needs.provenance.result == 'success' || needs.build_publish.result == 'success' }}
+        uses: cloudsmith-io/action@f04b4de7550751e32961ac16543116f8f5f9bfc2 # v0.6.6
+        with:
+          api-key: ${{ secrets.CLOUDSMITH_API_KEY }}
+          command: "push"
+          format: "raw"
+          owner: "kong"
+          repo: "${{ needs.check.outputs.CLOUDSMITH_REPOSITORY }}"
+          version: "${{ needs.check.outputs.VERSION_NAME }}"
+          file: "${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}/${{ env.SECURITY_ASSETS_PACKAGE_NAME }}.tar.gz"
+          name: "${{ env.SECURITY_ASSETS_PACKAGE_NAME }}"
+          summary: "SLSA security artifacts for ${{ github.repository }}"
+          description: "SBOM and Binary artifact Provenance for ${{ github.repository }}"
diff --git a/mk/distribution.mk b/mk/distribution.mk
index c5ef70cc0b6d..4a62e7341fc9 100644
--- a/mk/distribution.mk
+++ b/mk/distribution.mk
@@ -107,6 +107,10 @@ endif
 build/distributions/out: $(patsubst %,build/distributions/out/$(DISTRIBUTION_TARGET_NAME)-%.tar.gz,$(ENABLED_DIST_NAMES))
 	cd $@; sha256sum *.tar.gz > $(DISTRIBUTION_TARGET_NAME).sha256
 
+.PHONY: build/info/distribution/repo
+build/info/cloudsmith_repository:
+	@echo $(PULP_PACKAGE_TYPE)-binaries-$(PULP_DIST_VERSION)
+
 # Create a main target which will publish to pulp each to the tar.gz built
 .PHONY: publish/pulp ## Publish to pulp all enabled distributions
 publish/pulp: $(addprefix publish/pulp/$(DISTRIBUTION_TARGET_NAME)-,$(ENABLED_DIST_NAMES))
diff --git a/mk/docker.mk b/mk/docker.mk
index 1a07bf3b290d..3644ec53c213 100644
--- a/mk/docker.mk
+++ b/mk/docker.mk
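Review bot: The push step's condition `if: ${{ needs.provenance.result == 'success' || needs.build_publish.result == 'success' }}` does not match the step that produces the file it uploads: "Generate security assets TAR" runs only when `needs.build_publish.result == 'success'`, so a run where provenance succeeded but build_publish did not reaches the Cloudsmith push with no `security-assets.tar.gz` on disk and fails there instead of being skipped. Aligning the two — `if: ${{ needs.build_publish.result == 'success' }}` on the push step, or the same `||` form on the TAR step — closes that gap. The provenance download is also gated on `github.ref_type == 'tag'` while the push is not; if Cloudsmith uploads are meant only for releases (the `sign image` step in `_build_publish.yaml` gates on `ALLOW_PUSH`), that gate belongs on the push step too, otherwise every successful run that reaches this job uploads an SBOM bundle under `VERSION_NAME`, which I cannot confirm is intended from the hunk alone. As a point of style, the `run:` script interpolates `${{ env.SECURITY_ASSETS_DOWNLOAD_PATH }}` and `${{ env.SECURITY_ASSETS_PACKAGE_NAME }}` at template time; referencing the shell variables (`cd "$SECURITY_ASSETS_DOWNLOAD_PATH"`) keeps the script quotable and is the form GitHub's hardening guidance recommends for `run:` steps.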
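Review bot: The `.PHONY` declaration names `build/info/distribution/repo`, but the target defined on the next line is `build/info/cloudsmith_repository`, so the phony marking is attached to a name that does not exist and the real target is left as an ordinary file target: if a path `build/info/cloudsmith_repository` ever appears in the tree, make treats it as up to date, the recipe does not run, and the workflow's `distribution_repository` output captures make's status message instead of the repository name. Change it to `.PHONY: build/info/cloudsmith_repository`. A `## ...` help comment on the target, matching the neighbouring `publish/pulp` convention, would also document the `$(PULP_PACKAGE_TYPE)-binaries-$(PULP_DIST_VERSION)` naming this emits.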
@@ -19,7 +19,8 @@ KUMA_IMAGES = $(call build_image,$(IMAGES_RELEASE) $(IMAGES_TEST))
 export DOCKER_BUILDKIT := 1
 
 # add targets to build images for each arch
-# $(1) - GOOS to build for
+# $(1) - GOARCH to build for
+
 define IMAGE_TARGETS_BY_ARCH
 .PHONY: image/static/$(1)
 image/static/$(1): ## Dev: Rebuild `kuma-static` Docker image
@@ -65,8 +66,9 @@ $(foreach goarch,$(SUPPORTED_GOARCHES),$(eval $(call IMAGE_TARGETS_BY_ARCH,$(goa
 # add targets to generate docker/{save,load,tag,push} for each supported ARCH
 # add targets to build images for each arch
-# $(1) - GOOS to build for
+# $(1) - Image Name to build for
 # $(2) - GOARCH to build for
+# (TODO): Support image platform in output file names
 define DOCKER_TARGETS_BY_ARCH
 .PHONY: docker/save/$(1)/$(2)
 docker/save/$(1)/$(2):