SBOM file generation.

Adds new steps in the build and release workflow to generate, sign and
publish a SBOM file for Policy Server.

.github/workflows/binary-build.yml

@@ -0,0 +1,103 @@
+name: Build container image
+
+on:
+  workflow_call:
+
+jobs:
+  build-policy-server-binaries:
+    name: Build container image
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        targetarch: [ "aarch64", "x86_64" ]
+        include:
+          - targetarch: aarch64
+            arch: arm64
+            rustflags: ""
+          - targetarch: x86_64
+            arch: amd64
+            rustflags: "-C target-feature=+crt-static"
+    permissions:
+      packages: write
+      id-token: write
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
+      - name: Configure Ubuntu repositories
+        run: |
+          sudo dpkg --add-architecture arm64
+
+          sudo sed -i "s/deb h/deb [arch=amd64] h/g" /etc/apt/sources.list
+
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy universe" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates universe" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy multiverse" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates multiverse" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-backports main restricted universe multiverse" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security universe" /etc/apt/sources.list
+          sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security multiverse" /etc/apt/sources.list
+
+          sudo apt update -y
+      - name: Install Musl and configure gcc spec
+        run: |
+          sudo apt install -y musl-dev:${{ matrix.arch }}
+          # patching the .spec file, as by default it has a bug where it tries to
+          # set old_cpp_options but it already exists. using *+cpp_options achieves
+          # the same desired functionality of appending preexisting options
+          sudo sed -i 1d /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs
+          sudo sed -i "s/*cpp_options/+cpp_options/g" /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs
+          sudo sed -i "s/ %(old_cpp_options)//g" /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs
+
+      - name: Configure gcc spec for x86_64
+        if: ${{ matrix.targetarch == 'x86_64' }}
+        run: |
+          # The cargo configuration to build static binaries is not working. Thus,
+          # update the spec file to ensure that.
+          sudo sed -i "s/-dynamic-linker.*/-no-dynamic-linker  -nostdlib %{shared:-shared} %{static:-static} %{rdynamic:-no-export-dynamic}/g" /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs
+
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup rust toolchain
+        uses: actions-rs/toolchain@v1
+        with:
+          toolchain: stable
+
+      - name: Install rust target
+        run: rustup target add ${{ matrix.targetarch }}-unknown-linux-musl
+
+      - name: Build policy-server
+        env:
+          CC: ${{ matrix.targetarch }}-linux-musl-gcc
+          RUSTFLAGS: "-C link_arg=-lgcc -C link_arg=-specs -C link_arg=/usr/lib/${{ matrix.targetarch}}-linux-musl/musl-gcc.specs ${{ matrix.rustflags }}"
+        run: |
+          cargo build --release --target ${{ matrix.targetarch }}-unknown-linux-musl
+          mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server policy-server-${{ matrix.targetarch }}
+
+      - name: Generate SBOM
+        run: |
+          make TAG=${{github.ref_name}} sbom
+          cp _manifest/spdx_2.2/manifest.spdx.json policy-server-${{ matrix.targetarch }}.spdx.json
+
+      - name: Sign BOM file
+        run: |
+          cosign sign-blob --output-certificate policy-server-${{ matrix.targetarch }}.spdx.cert \
+            --output-signature policy-server-${{ matrix.targetarch }}.spdx.sig \
+            policy-server-${{ matrix.targetarch }}.spdx.json
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Upload policy-server
+        uses: actions/upload-artifact@v2
+        with:
+          name: policy-server-${{ matrix.targetarch }}
+          path: |
+            policy-server-${{ matrix.targetarch }}
+            policy-server-${{ matrix.targetarch }}.spdx.json
+            policy-server-${{ matrix.targetarch }}.spdx.cert
+            policy-server-${{ matrix.targetarch }}.spdx.sig
+

.github/workflows/ci.yml

@@ -0,0 +1,20 @@
+name: Build Policy Server with latest changes
+on:
+  push:
+    branches:
+    - main
+jobs:
+  ci:
+    # A branch is required, and cannot be dynamic - https://github.com/actions/runner/issues/1493
+    uses: jvanz/policy-server/.github/workflows/tests.yml@main
+
+  build-policy-server-binaries:
+    needs:
+      - ci
+    name: Build container image
+    uses: jvanz/policy-server/.github/workflows/binary-build.yml@main
+
+  build-container-image:
+    needs:
+      - build-policy-server-binaries
+    uses: jvanz/policy-server/.github/workflows/container-build.yml@main

.github/workflows/container-build.yml

@@ -0,0 +1,80 @@
+name: Build container image
+
+on:
+  workflow_call:
+
+jobs:
+  build-container-image:
+    name: Build policy server container image
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: policy-server-x86_64
+        uses: actions/download-artifact@v2
+        with:
+          name: policy-server-x86_64
+
+      - name: policy-server-aarch64
+        uses: actions/download-artifact@v2
+        with:
+          name: policy-server-aarch64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push development container image
+        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+        id: build-latest
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64, linux/arm64
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/policy-server:latest
+
+      - name: Retrieve tag name
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV
+
+      - name: Build and push tagged container image
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        id: build-tag
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64, linux/arm64
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/policy-server:${{ env.TAG_NAME }}
+
+      - uses: sigstore/cosign-installer@main
+
+      - name: Sign the images for releases
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        run: |
+          cosign sign \
+            ghcr.io/${{ github.repository_owner }}/policy-server@${{ steps.build-tag.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
+      - name: Sign latest image
+        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+        run: |
+          cosign sign \
+            ghcr.io/${{ github.repository_owner }}/policy-server@${{ steps.build-latest.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: 1

.github/workflows/container-image.yml

@@ -1,4 +1,4 @@
-name: Build container image
+name: Build and release policy server
 on:
   push:
     branches:
@@ -28,6 +28,9 @@ jobs:
     needs:
       - ci
     steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+
       - name: Configure Ubuntu repositories
         run: |
           sudo dpkg --add-architecture arm64
@@ -82,11 +85,28 @@ jobs:
           cargo build --release --target ${{ matrix.targetarch }}-unknown-linux-musl
           mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server policy-server-${{ matrix.targetarch }}
 
+      - name: Generate SBOM
+        run: |
+          make TAG=${{github.ref_name}} sbom
+          cp _manifest/spdx_2.2/manifest.spdx.json policy-server-${{ matrix.targetarch }}.spdx.json
+
+      - name: Sign BOM file
+        run: |
+          cosign sign-blob --output-certificate policy-server-${{ matrix.targetarch }}.spdx.cert \
+            --output-signature policy-server-${{ matrix.targetarch }}.spdx.sig \
+            policy-server-${{ matrix.targetarch }}.spdx.json
+        env:
+          COSIGN_EXPERIMENTAL: 1
+
       - name: Upload policy-server
         uses: actions/upload-artifact@v2
         with:
           name: policy-server-${{ matrix.targetarch }}
-          path: policy-server-${{ matrix.targetarch }}
+          path: |
+            policy-server-${{ matrix.targetarch }}
+            policy-server-${{ matrix.targetarch }}.spdx.json
+            policy-server-${{ matrix.targetarch }}.spdx.cert
+            policy-server-${{ matrix.targetarch }}.spdx.sig
 
   build-container-image:
     name: Build policy server container image
@@ -154,3 +174,33 @@ jobs:
             ghcr.io/${{ github.repository_owner }}/policy-server@${{ steps.build-latest.outputs.digest }}
         env:
           COSIGN_EXPERIMENTAL: 1
+
+  release:
+    name: Create release
+    runs-on: ubuntu-latest
+    if: github.ref_type == 'tag'
+    needs:
+      - build-container-image
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Download build artefacts
+        id: download
+        uses: actions/download-artifact@v2
+
+      - name: Create release
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          name: Release policy-server ${{ github.ref_name }}
+          draft: false
+          prerelease: ${{ contains(github.ref, '-alpha') || contains(github.ref, '-beta') || contains(github.ref, '-rc') }}
+          files: |
+            ${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.json
+            ${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.cert
+            ${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.sig
+
+

.github/workflows/release.yml

@@ -1,23 +1,49 @@
-name: policy-server release
+name: Build and release policy server
 on:
   push:
     tags:
     - 'v*'
 jobs:
   ci:
+    # A branch is required, and cannot be dynamic - https://github.com/actions/runner/issues/1493
     uses: kubewarden/policy-server/.github/workflows/tests.yml@main
+
+  build-policy-server-binaries:
+    name: Build container image
+    needs:
+      - ci
+    uses: kubewarden/policy-server/.github/workflows/binary-build.yml@main
+
+  build-container-image:
+    needs:
+      - build-policy-server-binaries
+    uses: kubewarden/policy-server/.github/workflows/container-build.yml@main
+
   release:
     name: Create release
     runs-on: ubuntu-latest
     needs:
-      - ci
+      - build-container-image
     steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Download build artefacts
+        id: download
+        uses: actions/download-artifact@v2
+
       - name: Create release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ github.ref }}
-          release_name: Release policy-server ${{ github.ref }}
+          name: Release policy-server ${{ github.ref_name }}
           draft: false
           prerelease: ${{ contains(github.ref, '-alpha') || contains(github.ref, '-beta') || contains(github.ref, '-rc') }}
+          files: |
+            ${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.json
+            ${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.cert
+            ${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.sig
+
+

.gitignore

@@ -1 +1,2 @@
-/target
+/target
+sbom-tool

Makefile

@@ -31,3 +31,21 @@ tag:
 .PHONY: docker-build
 docker-build: test ## Build docker image with the manager.
 	docker build -t ${IMG} .
+
+sbom-tool:
+	curl -Lo sbom-tool https://github.com/microsoft/sbom-tool/releases/download/latest/sbom-tool-linux-x64
+	chmod +x sbom-tool
+
+.PHONY: sbom
+sbom: sbom-tool
+	./sbom-tool generate \
+		-D true \
+		-V Verbose \
+		-b ./target/release \
+		-bc . \
+		-m . \
+		-di ${IMG} \
+		-nsb https://kubewarden.io \
+		-nsu policy-server \
+		-pn policy-server \
+		-pv ${TAG}