From 9e71cf6778207b775850d255dac2a2801118daa3 Mon Sep 17 00:00:00 2001 From: Radoslav Dimitrov Date: Wed, 6 Mar 2024 17:55:30 +0200 Subject: [PATCH] Add workflows and make targets for building container images 
Signed-off-by: Radoslav Dimitrov --- .../build-binary-signed-ghat-malicious.yml | 36 +++++++++++ .../workflows/build-binary-signed-ghat.yml | 32 ++++++++++ .github/workflows/build-binary-unsigned.yml | 32 ++++++++++ .../build-image-signed-cosign-malicious.yml | 64 +++++++++++++++++++ ...uild-image-signed-cosign-static-copied.yml | 57 +++++++++++++++++ .../build-image-signed-cosign-static.yml | 57 +++++++++++++++++ .../workflows/build-image-signed-cosign.yml | 60 +++++++++++++++++ .../build-image-signed-ghat-malicious.yml | 41 ++++++++++++ .../build-image-signed-ghat-static-copied.yml | 38 +++++++++++ .../build-image-signed-ghat-static.yml | 38 +++++++++++ .github/workflows/build-image-signed-ghat.yml | 37 +++++++++++ .github/workflows/build-image-unsigned.yml | 59 +++++++++++++++++ .gitignore | 2 + Cargo.lock | 7 ++ Cargo.toml | 2 +- Dockerfile | 16 +++++ Dockerfile.static | 1 + Makefile | 57 +++++++++++++++++ README.md | 39 ++++++++--- 19 files changed, 664 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/build-binary-signed-ghat-malicious.yml create mode 100644 .github/workflows/build-binary-signed-ghat.yml create mode 100644 .github/workflows/build-binary-unsigned.yml create mode 100644 .github/workflows/build-image-signed-cosign-malicious.yml create mode 100644 .github/workflows/build-image-signed-cosign-static-copied.yml create mode 100644 .github/workflows/build-image-signed-cosign-static.yml create mode 100644 .github/workflows/build-image-signed-cosign.yml create mode 100644 .github/workflows/build-image-signed-ghat-malicious.yml create mode 100644 .github/workflows/build-image-signed-ghat-static-copied.yml create mode 100644 .github/workflows/build-image-signed-ghat-static.yml create mode 100644 .github/workflows/build-image-signed-ghat.yml create mode 100644 .github/workflows/build-image-unsigned.yml create mode 100644 Cargo.lock create mode 100644 Dockerfile create mode 100644 Dockerfile.static create mode 100644 Makefile 
diff --git a/.github/workflows/build-binary-signed-ghat-malicious.yml b/.github/workflows/build-binary-signed-ghat-malicious.yml new file mode 100644 index 0000000..37927a3 --- /dev/null +++ b/.github/workflows/build-binary-signed-ghat-malicious.yml @@ -0,0 +1,36 @@ +name: binary-signed-ghat-malicious + +on: + workflow_dispatch: + +jobs: + build: + permissions: + id-token: write + packages: write + contents: write + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: The malicious step + run: | + echo "// Maliciously altered on $$(date)" >> ./src/main.rs + +# TODO: add that when we support artifacts other than containers +# +# - name: Build the binary +# run: | +# ... +# +# - name: Sign artifact +# uses: github-early-access/generate-build-provenance@main +# with: +# subject-path: '${{ github.workspace }}/demo-repo-go-binary' +# +# - name: Upload artifact +# uses: actions/upload-artifact@v3 +# with: +# name: demo-repo-python-binary +# path: demo-repo-python-binary diff --git a/.github/workflows/build-binary-signed-ghat.yml b/.github/workflows/build-binary-signed-ghat.yml new file mode 100644 index 0000000..e815acb --- /dev/null +++ b/.github/workflows/build-binary-signed-ghat.yml @@ -0,0 +1,32 @@ +name: binary-signed-ghat + +on: + workflow_dispatch: + +jobs: + build: + permissions: + id-token: write + packages: write + contents: write + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + +# TODO: add that when we support artifacts other than containers +# +# - name: Build the binary +# run: | +# ... +# +# - name: Sign artifact +# uses: github-early-access/generate-build-provenance@main +# with: +# subject-path: '${{ github.workspace }}/demo-repo-go-binary' +# +# - name: Upload artifact +# uses: actions/upload-artifact@v3 +# with: +# name: demo-repo-python-binary +# path: demo-repo-python-binary 
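Review bot: The `$$(date)` in the malicious step's `run:` block is a Makefile escape, not shell: in the bash that GitHub Actions runs, `$$` expands to the shell's PID, so the appended comment reads like `// Maliciously altered on 1234(date)` instead of carrying a timestamp. Use `echo "// Maliciously altered on $(date)" >> ./src/main.rs` here; the `$$` form is correct only inside a Makefile recipe, where make unescapes it before the shell sees it. The intended effect, a modified `src/main.rs`, still happens, so the demo does not visibly fail and the typo is easy to miss. Separately, the job grants `id-token: write`, `packages: write` and `contents: write` while every step that could use them is commented out; `permissions:` / `contents: read` is enough until the build and sign steps land.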
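Review bot: The job's permissions are broader than anything it does: with the build, sign and upload steps commented out it only runs `actions/checkout`, yet it holds `contents: write` (which lets the job token push to the repository) plus `packages: write` and `id-token: write`. Reduce the block to `permissions:` / `contents: read` now and re-add the others in the same change that enables the signing step. When that step is enabled, pin `github-early-access/generate-build-provenance` to a commit SHA rather than `@main`, as the other actions in this commit are pinned — a floating branch on the action that receives the job's OIDC token is the weakest link in the provenance chain. The commented `subject-path` and artifact names (`demo-repo-go-binary`, `demo-repo-python-binary`) appear to be copied from sibling templates and will need renaming for the Rust binary.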
diff --git a/.github/workflows/build-binary-unsigned.yml b/.github/workflows/build-binary-unsigned.yml new file mode 100644 index 0000000..db5b8ec --- /dev/null +++ b/.github/workflows/build-binary-unsigned.yml @@ -0,0 +1,32 @@ +name: binary-unsigned + +on: + workflow_dispatch: + +jobs: + build: + permissions: + id-token: write + packages: write + contents: write + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + +# TODO: add that when we support artifacts other than containers +# +# - name: Build the binary +# run: | +# ... +# +# - name: Sign artifact +# uses: github-early-access/generate-build-provenance@main +# with: +# subject-path: '${{ github.workspace }}/demo-repo-go-binary' +# +# - name: Upload artifact +# uses: actions/upload-artifact@v3 +# with: +# name: demo-repo-python-binary +# path: demo-repo-python-binary diff --git a/.github/workflows/build-image-signed-cosign-malicious.yml b/.github/workflows/build-image-signed-cosign-malicious.yml new file mode 100644 index 0000000..0441c3b --- /dev/null +++ b/.github/workflows/build-image-signed-cosign-malicious.yml 
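Review bot: This "unsigned" workflow requests `id-token: write`, `packages: write` and `contents: write` although it never signs, pushes or writes anything — the only active step is `actions/checkout`. An OIDC token permission on a job that does not sign only gives a compromised step the ability to mint a Sigstore/GitHub identity for this workflow path; drop it and use `permissions:` / `contents: read`. If the intention is to keep the permission blocks of the three binary variants identical for side-by-side comparison, a one-line comment saying so would stop a later reviewer from "fixing" it.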
@@ -0,0 +1,64 @@ +name: image-signed-cosign(latest,daily)-malicious +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: The malicious step + run: | + echo "// Maliciously altered on $$(date)" >> ./src/main.rs + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST} + echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST} 
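Review bot: `$$(date)` in the malicious step's `run:` block is a make escape; in the Actions bash shell `$$` is the PID, so the injected comment becomes `// Maliciously altered on <pid>(date)` rather than a timestamp — use `echo "// Maliciously altered on $(date)" >> ./src/main.rs`. The tamper itself still lands in `src/main.rs` before the build, so the signed digest is of the altered image as intended. Worth a comment on the "Sign the published Docker image" step that the keyless certificate will carry this workflow's file path in its identity, so a verifier that pins `--certificate-identity` to the non-malicious workflow rejects this signature while a bare "is it signed" check passes — presumably the point the demo wants to make; confirm and document it in the step.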
diff --git a/.github/workflows/build-image-signed-cosign-static-copied.yml b/.github/workflows/build-image-signed-cosign-static-copied.yml new file mode 100644 index 0000000..962bac0 --- /dev/null +++ b/.github/workflows/build-image-signed-cosign-static-copied.yml @@ -0,0 +1,57 @@ +name: image-signed-cosign(static)-copied +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/build-image-signed-cosign-static.yml b/.github/workflows/build-image-signed-cosign-static.yml new file mode 100644 index 0000000..3d3eb82 --- /dev/null +++ b/.github/workflows/build-image-signed-cosign-static.yml 
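Review bot: The build step points `file : Dockerfile.static` at a file that, as added in this commit, is the single line `docker.io/library/rust:1.62@sha256:…` with no `FROM` (or any other) instruction, so `docker build` fails before anything is pushed or signed. Either make it a real Dockerfile starting with `FROM docker.io/library/rust:1.62@sha256:2cd5c8517d0640bd287b2cfb4c0e62f1a8ed86174764d88280bc2a106d6835db`, or, if the goal of the "copied" variant is to re-publish an existing image unchanged (which the name suggests), replace the build step with a registry-to-registry copy and sign the resulting digest. As written this workflow is byte-identical to `build-image-signed-cosign-static.yml` apart from its `name:`, and both push and sign the same `:static` tag.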
@@ -0,0 +1,57 @@ +name: image-signed-cosign(static) +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:static" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/build-image-signed-cosign.yml b/.github/workflows/build-image-signed-cosign.yml new file mode 100644 index 0000000..036b156 --- /dev/null +++ b/.github/workflows/build-image-signed-cosign.yml 
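Review bot: The SHA-pinned actions (`actions/checkout@f43a0e5…`, `docker/setup-buildx-action@…`, `docker/login-action@…`, `docker/metadata-action@…`, `docker/build-push-action@…`) carry no version comment, unlike `sigstore/cosign-installer@… #v3.1.1`; Dependabot and Renovate rely on that trailing `# vX.Y.Z` to bump pinned SHAs, so add it with the release each SHA corresponds to. The "Extract Docker metadata" step is dead weight here: its `tags`/`labels` outputs are never consumed (the build step hardcodes `tags: ghcr.io/${{ github.repository }}:static` and sets no `labels:`), so either wire `labels: ${{ steps.meta.outputs.labels }}` in or drop the step. `file : Dockerfile.static` refers to a file that, in this commit, has no `FROM` line, so the build will not succeed until that file is fixed.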
@@ -0,0 +1,60 @@ +name: image-signed-cosign(latest,daily) +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Install Cosign + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 + with: + cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + + - name: Sign the published Docker image + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST} + echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.github/workflows/build-image-signed-ghat-malicious.yml b/.github/workflows/build-image-signed-ghat-malicious.yml new file mode 100644 index 0000000..0921ea9 --- /dev/null +++ b/.github/workflows/build-image-signed-ghat-malicious.yml 
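Review bot: Image references are hardcoded as `ghcr.io/${{ github.repository }}:latest,…:daily` while the `REGISTRY`/`IMAGE_NAME` env vars and the `steps.meta.outputs.tags` output computed a few lines earlier go unused. `github.repository` preserves the owner/repo casing and OCI repository names must be lowercase, so on a fork of this template under a mixed-case owner the push step fails; `docker/metadata-action` lowercases its outputs, so configure its `tags:` (`type=raw,value=latest` and `type=raw,value=daily`) and use `tags: ${{ steps.meta.outputs.tags }}`. The `push: ${{ github.event_name != 'pull_request' }}` condition is always true under the only trigger (`workflow_dispatch`); if it is kept for future triggers, note that the signing step would then run `cosign sign` against a digest that was never pushed.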
@@ -0,0 +1,41 @@ +name: image-signed-ghat(latest)-malicious +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: The malicious step + run: | + make build-malicious-image + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:latest + context: . + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true \ No newline at end of file diff --git a/.github/workflows/build-image-signed-ghat-static-copied.yml b/.github/workflows/build-image-signed-ghat-static-copied.yml new file mode 100644 index 0000000..d03734e --- /dev/null +++ b/.github/workflows/build-image-signed-ghat-static-copied.yml 
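Review bot: The malicious step calls `make build-malicious-image`, which runs a full `docker build -t ghcr.io/stacklok/demo-repo-rust:latest .` on the runner whose result is discarded — the following `docker/build-push-action` builds the image again — only to get the side effect of appending a line to `src/main.rs`. Replace it with the one-liner `run: echo "// Maliciously altered on $(date)" >> ./src/main.rs` (single `$` here; the `$$` form belongs only in the Makefile), or add a Makefile target that performs just the source edit. This also removes the dependency on the Makefile's `IMAGE_NAME` default, which hardcodes the `stacklok` owner and will not match forks of this template.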
@@ -0,0 +1,38 @@ +name: image-signed-ghat(static)-copied +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/build-image-signed-ghat-static.yml b/.github/workflows/build-image-signed-ghat-static.yml new file mode 100644 index 0000000..bfc3eac --- /dev/null +++ b/.github/workflows/build-image-signed-ghat-static.yml 
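Review bot: `uses: github-early-access/generate-build-provenance@main` pins the one action that receives the job's OIDC token (`id-token: write`) and writes to the registry (`packages: write`) to a moving branch, while every other action in the workflow is pinned to a commit SHA. Pin it to a SHA too (`github-early-access/generate-build-provenance@<sha> # <ref>`); if the early-access repository publishes no tags yet, say so in a comment so the pin is revisited when it does. As in the other static workflows, `file : Dockerfile.static` refers to a file that in this commit has no `FROM` instruction, so the build step fails until that is fixed.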
@@ -0,0 +1,38 @@ +name: image-signed-ghat(static) +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:static + context: . + file : Dockerfile.static + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/build-image-signed-ghat.yml b/.github/workflows/build-image-signed-ghat.yml new file mode 100644 index 0000000..0edc6b6 --- /dev/null +++ b/.github/workflows/build-image-signed-ghat.yml 
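Review bot: This file is byte-identical, apart from its `name:`, to `build-image-signed-ghat-static-copied.yml` in the same commit, and both push and attest the same `ghcr.io/${{ github.repository }}:static` tag — two copies of the same job will drift and overwrite each other's attestation subject. If both are needed for the demo, factor the body into a reusable `workflow_call` workflow taking the tag and Dockerfile as inputs, or at least add a header comment stating what the "copied" variant is meant to show. The job also holds `contents: write` although nothing in it writes to the repository; `contents: read` is sufficient unless the provenance action documents otherwise.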
@@ -0,0 +1,37 @@ +name: image-signed-ghat(latest) +on: + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + + - name: Log into ghcr.io + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push image + id: push-step + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + push: true + tags: ghcr.io/${{ github.repository }}:latest + context: . + + - name: Attest image + uses: github-early-access/generate-build-provenance@main + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push-step.outputs.digest }} + push-to-registry: true \ No newline at end of file diff --git a/.github/workflows/build-image-unsigned.yml b/.github/workflows/build-image-unsigned.yml new file mode 100644 index 0000000..255ccb2 --- /dev/null +++ b/.github/workflows/build-image-unsigned.yml 
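Review bot: `contents: write` is granted although no step writes to the repository — checkout, registry login, build/push and the attestation all go to ghcr.io. Unless `github-early-access/generate-build-provenance` documents a need for it, use `contents: read`; if it does need it, a comment on the `permissions:` block should say why, since `contents: write` lets any step in the job push commits with the job token. The action itself is referenced as `@main`, a floating branch, where the other actions in the workflow are SHA-pinned; pin it the same way.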
@@ -0,0 +1,59 @@ +name: image-unsigned(latest,daily) +on: + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + +# - name: Install Cosign +# uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1 +# with: +# cosign-release: 'v2.1.1' + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + + - name: Log into registry ${{ env.REGISTRY }} + uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ghcr.io/${{ github.repository }}:latest,ghcr.io/${{ github.repository }}:daily + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + +# - name: Sign the published Docker image +# env: +# DIGEST: ${{ steps.build-and-push.outputs.digest }} +# run: | +# echo "ghcr.io/${{ github.repository }}:daily" | xargs -I {} cosign sign --yes {}@${DIGEST} +# echo "ghcr.io/${{ github.repository }}:latest" | xargs -I {} cosign sign --yes {}@${DIGEST} diff --git a/.gitignore b/.gitignore index ea8c4bf..871590d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ /target + +.idea/ \ No newline at end of file diff --git a/Cargo.lock b/Cargo.lock new file mode 100644 index 0000000..5fa3d73 --- /dev/null 
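Review bot: `id-token: write` stays in the permissions block although the only step that would use it — the cosign signing step — is commented out, so this unsigned workflow can mint OIDC identity tokens it never needs. Remove `id-token: write` and, ideally, the commented-out cosign steps too, since the signed variant already exists as a separate workflow. The `push: ${{ github.event_name != 'pull_request' }}` expression is always true under the `workflow_dispatch` trigger; `push: true` states what actually happens.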
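Review bot: The Makefile added in this commit has a `keygen` target that runs `cosign generate-key-pair`, which writes `cosign.key` (the private key) and `cosign.pub` into the repository root, but the `.gitignore` change only adds `.idea/`. Add `cosign.key` alongside it so the private key cannot be swept up by a `git add .`; the public key can stay tracked.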
+++ b/Cargo.lock @@ -0,0 +1,7 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "demo-repo-rust" +version = "0.1.0" diff --git a/Cargo.toml b/Cargo.toml index 9575015..7a75474 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "dummyrepo-rust" +name = "demo-repo-rust" version = "0.1.0" edition = "2021" diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..8d78d83 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,16 @@ +# Use the official Rust image as a builder stage +# to compile our application +FROM rust:1.62 + +WORKDIR /my-rust-app + +# Copy our manifests +COPY ./Cargo.lock ./Cargo.lock +COPY ./Cargo.toml ./Cargo.toml +COPY ./src ./src + +# Build +RUN cargo build --release + +# Set the CMD to your binary +CMD ["./my-rust-app/target/release/demo-repo-rust"] diff --git a/Dockerfile.static b/Dockerfile.static new file mode 100644 index 0000000..f48912d --- /dev/null +++ b/Dockerfile.static @@ -0,0 +1 @@ +docker.io/library/rust:1.62@sha256:2cd5c8517d0640bd287b2cfb4c0e62f1a8ed86174764d88280bc2a106d6835db \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..7588a61 --- /dev/null +++ b/Makefile 
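Review bot: The `CMD` path is wrong relative to `WORKDIR /my-rust-app`: `CMD ["./my-rust-app/target/release/demo-repo-rust"]` resolves to `/my-rust-app/my-rust-app/target/release/demo-repo-rust`, which does not exist, so the container exits immediately. Use `CMD ["./target/release/demo-repo-rust"]` (or the absolute `/my-rust-app/target/release/demo-repo-rust`). Two further points for the image the workflows sign and attest: `FROM rust:1.62` is a mutable tag where `Dockerfile.static` pins by digest, and this single-stage build ships the whole Rust toolchain and runs the binary as root — if the demo wants a realistic artifact, a second stage that copies only the release binary onto a minimal base with a non-root `USER` would shrink what the signature vouches for.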
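Review bot: This is not a Dockerfile: the single line `docker.io/library/rust:1.62@sha256:…` has no `FROM` instruction, so the `docker build … -f Dockerfile.static` steps in this commit's `*-static*` workflows fail. If the intent is a digest-pinned base, it should read `FROM docker.io/library/rust:1.62@sha256:2cd5c8517d0640bd287b2cfb4c0e62f1a8ed86174764d88280bc2a106d6835db` followed by the same `WORKDIR`/`COPY`/`RUN`/`CMD` steps as `Dockerfile`. A pinned base alone does not make the README's "always the same digest" claim true — `cargo build` output and layer timestamps vary between runs — so either take the extra reproducibility steps (e.g. a fixed `SOURCE_DATE_EPOCH` and BuildKit's timestamp-rewriting output option) or state the actual guarantee in a comment.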
@@ -0,0 +1,57 @@ +# Replace this with your image name, i.e. ghcr.io//demo-repo-rust:latest +IMAGE_NAME?=ghcr.io/stacklok/demo-repo-rust:latest + +# Replace this with your GitHub username and PAT. +# This is used to authenticate with GitHub Container Registry (GHCR) +# and push the image to your repository. +# The PAT should have read/write access for packages. +CR_USERNAME?=stacklok +CR_PAT?=ghp_1234567890abcdefghij1234567890abcdefghij + +.PHONY: login +login: + @echo "Logging in to GitHub Container Registry" + @echo "${CR_PAT}" | docker login ghcr.io -u $(CR_USERNAME) --password-stdin + +.PHONY: build-image +build-image: + @echo "Building a safe image..." + docker build -t $(IMAGE_NAME) . + +.PHONY: build-malicious-image +build-malicious-image: + @echo "Building a malicious image..." + @echo "// Maliciously altered on $$(date)" >> ./src/main.rs + docker build -t $(IMAGE_NAME) . + + +.PHONY: push-image +push-image: + @echo "Pushing image..." + docker push $(IMAGE_NAME) + +.PHONY: keygen +keygen: + @cosign generate-key-pair + + +.PHONY: sign-keypair +sign-keypair: + @cosign sign $(IMAGE_NAME) --key cosign.key + +.PHONY: sign-oidc +sign-oidc: + @cosign sign $(IMAGE_NAME) + +.PHONY: build-binary +build-binary: + @echo "Building a safe binary..." + @echo "Not implemented yet" + # TODO: Implement this when we need it for the rust example + +.PHONY: build-malicious-binary +build-malicious-binary: + @echo "Building a malicious binary..." + @echo "// Maliciously altered on $$(date)" >> ./src/main.rs + @echo "Not implemented yet" + # TODO: Implement this when we need it for the rust example \ No newline at end of file diff --git a/README.md b/README.md index fda5e31..4c29205 100644 --- a/README.md +++ b/README.md 
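Review bot: `CR_PAT?=ghp_1234567890abcdefghij1234567890abcdefghij` puts a GitHub-PAT-shaped string in a tracked file: it matches the `ghp_` pattern secret scanners alert on, and the `?=` default invites users to replace it in place and commit a real token. Leave it empty and fail fast in `login`: `CR_PAT?=` and, before the `docker login` line, `@test -n "$(CR_PAT)" || { echo "CR_PAT must be set (read/write:packages)" >&2; exit 1; }`. The `sign-keypair`/`sign-oidc` targets sign `$(IMAGE_NAME)` by tag rather than by digest; cosign resolves the tag at sign time and warns about it, and the tag can move between `push-image` and the sign step, so resolve the pushed digest and sign `$(IMAGE_NAME)@sha256:…`, as the workflows do via `build-push-action`'s digest output. The `$$(date)` in `build-malicious-image` is correct in a make recipe, unlike the copies of it in the workflow `run:` blocks.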
@@ -1,9 +1,34 @@ -# Demo-Repo-Rust 🦀 +# demo-repo-rust 🦦 ## Overview -`dummyrepo-rust`, is a template is primarily intended for testing and -demonstration purposes with stacklok projects. It is a simple Rust project. +The `demo-repo-rust` project is a repository template primarily intended for testing and +demonstration purposes with stacklok projects. It is a simple Python project that allows you to +quickly get started with testing and demonstrating how you can use Minder and Trusty with +your Python projects. It features continuous integration (CI) workflows that demonstrate how to +build, test, and sign artifacts using Sigstore and GitHub Attestations. + + +## Features + +- Pre-configured `Cargo.toml` +- Sample Rust code in `src/main.rs` +- Dockerfile for building a container image + +GitHub Actions workflows for: +- Producing signed and unsigned artifacts using Sigstore and GitHub attestations API +- Producing artifacts such as container images and binaries +- Producing container images that are reproducible (always the same digest) +- Producing "malicious" container images for testing purposes (e.g., code content was altered while building the image) + +Makefile targets for simulating out-of-band signing of artifacts (both intended and not): +- Generating signed container images and "malicious" images +- Pushing container images to container registry (GHCR) +- Generating a local key pair for signing container images +- Sign container images using Sigstore by using a local key pair or by going through the Sigstore OIDC sign-in flow + +Branches: +- Set of pre-created branches to use for opening PRs each demonstrating a different feature or use case with Minder and Trusty ## How to Use This Template 
@@ -15,10 +40,4 @@ demonstration purposes with stacklok projects. It is a simple Rust project. 2. **Create New Repository**: Provide your repository with a name, description, and set the privacy settings. Click "Create repository from template." -## Features - -- Pre-configured `Cargo.toml` -- Sample Rust code in `src/main.rs` -- `.gitignore` file suitable for Rust projects - -Happy testing! 🦀🎉 +Happy testing! 🦦🎉