Adds new steps to the build and release workflows to generate, sign and publish an SBOM file for Policy Server.
Showing
7 changed files
with
305 additions
and
7 deletions.
@@ -0,0 +1,103 @@ | ||
name: Build container image | ||
|
||
on: | ||
workflow_call: | ||
|
||
jobs: | ||
build-policy-server-binaries: | ||
name: Build container image | ||
runs-on: ubuntu-22.04 | ||
strategy: | ||
matrix: | ||
targetarch: [ "aarch64", "x86_64" ] | ||
include: | ||
- targetarch: aarch64 | ||
arch: arm64 | ||
rustflags: "" | ||
- targetarch: x86_64 | ||
arch: amd64 | ||
rustflags: "-C target-feature=+crt-static" | ||
permissions: | ||
packages: write | ||
id-token: write | ||
steps: | ||
- name: Install cosign | ||
uses: sigstore/cosign-installer@main | ||
|
||
- name: Configure Ubuntu repositories | ||
run: | | ||
sudo dpkg --add-architecture arm64 | ||
sudo sed -i "s/deb h/deb [arch=amd64] h/g" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy universe" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates universe" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy multiverse" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates multiverse" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-backports main restricted universe multiverse" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security universe" /etc/apt/sources.list | ||
sudo sed -i "$ a deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security multiverse" /etc/apt/sources.list | ||
sudo apt update -y | ||
- name: Install Musl and configure gcc spec | ||
run: | | ||
sudo apt install -y musl-dev:${{ matrix.arch }} | ||
# patching the .spec file, as by default it has a bug where it tries to | ||
# set old_cpp_options but it already exists. using *+cpp_options achieves | ||
# the same desired functionality of appending preexisting options | ||
sudo sed -i 1d /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs | ||
sudo sed -i "s/*cpp_options/+cpp_options/g" /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs | ||
sudo sed -i "s/ %(old_cpp_options)//g" /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs | ||
- name: Configure gcc spec for x86_64 | ||
if: ${{ matrix.targetarch == 'x86_64' }} | ||
run: | | ||
# The cargo configuration to build static binaries is not working. Thus, | ||
# update the spec file to ensure that. | ||
sudo sed -i "s/-dynamic-linker.*/-no-dynamic-linker -nostdlib %{shared:-shared} %{static:-static} %{rdynamic:-no-export-dynamic}/g" /usr/lib/${{ matrix.targetarch }}-linux-musl/musl-gcc.specs | ||
- name: Checkout code | ||
uses: actions/checkout@v2 | ||
|
||
- name: Setup rust toolchain | ||
uses: actions-rs/toolchain@v1 | ||
with: | ||
toolchain: stable | ||
|
||
- name: Install rust target | ||
run: rustup target add ${{ matrix.targetarch }}-unknown-linux-musl | ||
|
||
- name: Build policy-server | ||
env: | ||
CC: ${{ matrix.targetarch }}-linux-musl-gcc | ||
RUSTFLAGS: "-C link_arg=-lgcc -C link_arg=-specs -C link_arg=/usr/lib/${{ matrix.targetarch}}-linux-musl/musl-gcc.specs ${{ matrix.rustflags }}" | ||
run: | | ||
cargo build --release --target ${{ matrix.targetarch }}-unknown-linux-musl | ||
mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/policy-server policy-server-${{ matrix.targetarch }} | ||
- name: Generate SBOM | ||
run: | | ||
make TAG=${{github.ref_name}} sbom | ||
cp _manifest/spdx_2.2/manifest.spdx.json policy-server-${{ matrix.targetarch }}.spdx.json | ||
- name: Sign BOM file | ||
run: | | ||
cosign sign-blob --output-certificate policy-server-${{ matrix.targetarch }}.spdx.cert \ | ||
--output-signature policy-server-${{ matrix.targetarch }}.spdx.sig \ | ||
policy-server-${{ matrix.targetarch }}.spdx.json | ||
env: | ||
COSIGN_EXPERIMENTAL: 1 | ||
|
||
- name: Upload policy-server | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: policy-server-${{ matrix.targetarch }} | ||
path: | | ||
policy-server-${{ matrix.targetarch }} | ||
policy-server-${{ matrix.targetarch }}.spdx.json | ||
policy-server-${{ matrix.targetarch }}.spdx.cert | ||
policy-server-${{ matrix.targetarch }}.spdx.sig | ||
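Review bot: The signing tool is installed from a moving branch, `uses: sigstore/cosign-installer@main`, so whoever controls that branch controls the binary that produces the SBOM signatures and the OIDC-backed certificates this job publishes; pin it (and `actions/checkout@v2`, `actions-rs/toolchain@v1`) to a release tag or, better, a full commit SHA. The job also grants `packages: write` although nothing in it pushes to a registry — keyless `cosign sign-blob` only needs `id-token: write`, so the extra permission should be dropped. In the Generate SBOM step `${{github.ref_name}}` is expanded verbatim into the shell script; branch and tag names may contain shell metacharacters, so pass it through the environment instead: `env: TAG: ${{ github.ref_name }}` with `run: make TAG="$TAG" sbom`. Note that only the SBOM is signed here; the `policy-server-*` binaries in the uploaded artifact are unsigned, which may be intended if they are consumed only by the container build in the same run.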
@@ -0,0 +1,20 @@ | ||
name: Build Policy Server with latest changes | ||
on: | ||
push: | ||
branches: | ||
- main | ||
jobs: | ||
ci: | ||
# A branch is required, and cannot be dynamic - https://github.com/actions/runner/issues/1493 | ||
uses: jvanz/policy-server/.github/workflows/tests.yml@main | ||
|
||
build-policy-server-binaries: | ||
needs: | ||
- ci | ||
name: Build container image | ||
uses: jvanz/policy-server/.github/workflows/binary-build.yml@main | ||
|
||
build-container-image: | ||
needs: | ||
- build-policy-server-binaries | ||
uses: jvanz/policy-server/.github/workflows/container-build.yml@main |
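Review bot: All three reusable workflows here resolve to `jvanz/policy-server/...@main`, a personal fork, while the release workflow in this same commit references `kubewarden/policy-server/...@main`; as written, a push to main in the upstream repository executes whatever workflow definitions currently sit on the fork's main branch, with this repository's `GITHUB_TOKEN` and OIDC identity (`packages: write`, `id-token: write`). Point these at the repository the workflows live in, or at a local `./.github/workflows/binary-build.yml` reference if the runner in use supports it, so that the code being run is controlled by the same repository that grants the permissions. Referencing a branch also means the definitions can change underneath a run; a tag or commit SHA is safer once the workflows stabilise. The `name: Build container image` on the binaries job looks copied from the container job and could read `Build policy-server binaries`.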
@@ -0,0 +1,80 @@ | ||
name: Build container image | ||
|
||
on: | ||
workflow_call: | ||
|
||
jobs: | ||
build-container-image: | ||
name: Build policy server container image | ||
runs-on: ubuntu-latest | ||
permissions: | ||
packages: write | ||
id-token: write | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v2 | ||
|
||
- name: policy-server-x86_64 | ||
uses: actions/download-artifact@v2 | ||
with: | ||
name: policy-server-x86_64 | ||
|
||
- name: policy-server-aarch64 | ||
uses: actions/download-artifact@v2 | ||
with: | ||
name: policy-server-aarch64 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v1 | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v1 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Build and push development container image | ||
if: ${{ startsWith(github.ref, 'refs/heads/') }} | ||
id: build-latest | ||
uses: docker/build-push-action@v2 | ||
with: | ||
context: . | ||
platforms: linux/amd64, linux/arm64 | ||
push: true | ||
tags: | | ||
ghcr.io/${{ github.repository_owner }}/policy-server:latest | ||
- name: Retrieve tag name | ||
if: ${{ startsWith(github.ref, 'refs/tags/') }} | ||
run: | | ||
echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV | ||
- name: Build and push tagged container image | ||
if: ${{ startsWith(github.ref, 'refs/tags/') }} | ||
id: build-tag | ||
uses: docker/build-push-action@v2 | ||
with: | ||
context: . | ||
platforms: linux/amd64, linux/arm64 | ||
push: true | ||
tags: | | ||
ghcr.io/${{ github.repository_owner }}/policy-server:${{ env.TAG_NAME }} | ||
- uses: sigstore/cosign-installer@main | ||
|
||
- name: Sign the images for releases | ||
if: ${{ startsWith(github.ref, 'refs/tags/') }} | ||
run: | | ||
cosign sign \ | ||
ghcr.io/${{ github.repository_owner }}/policy-server@${{ steps.build-tag.outputs.digest }} | ||
env: | ||
COSIGN_EXPERIMENTAL: 1 | ||
|
||
- name: Sign latest image | ||
if: ${{ startsWith(github.ref, 'refs/heads/') }} | ||
run: | | ||
cosign sign \ | ||
ghcr.io/${{ github.repository_owner }}/policy-server@${{ steps.build-latest.outputs.digest }} | ||
env: | ||
COSIGN_EXPERIMENTAL: 1 |
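Review bot: The SBOM downloaded with the `policy-server-*` artifacts is never associated with the image that is pushed and signed here, so a consumer who verifies `ghcr.io/.../policy-server@<digest>` has no way to locate the matching SBOM from the registry; consider attaching it after the signing step, e.g. `cosign attest --predicate policy-server-x86_64.spdx.json --type spdx ghcr.io/${{ github.repository_owner }}/policy-server@${{ steps.build-tag.outputs.digest }}` (per architecture or for the index, with whichever SPDX predicate type the installed cosign supports). Signing by digest rather than by tag is the right choice and should be kept. `sigstore/cosign-installer@main`, `docker/login-action@v1`, `docker/build-push-action@v2` and `docker/setup-buildx-action@v1` are all floating references; the signing tool in particular runs with `id-token: write` and should be pinned to a tag or SHA. The `Retrieve tag name` step can be simplified to `echo "TAG_NAME=${{ github.ref_name }}" >> $GITHUB_ENV`, or the expression used directly in the `tags:` value.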
@@ -1,23 +1,49 @@ | ||
name: policy-server release | ||
name: Build and release policy server | ||
on: | ||
push: | ||
tags: | ||
- 'v*' | ||
jobs: | ||
ci: | ||
# A branch is required, and cannot be dynamic - https://github.com/actions/runner/issues/1493 | ||
uses: kubewarden/policy-server/.github/workflows/tests.yml@main | ||
|
||
build-policy-server-binaries: | ||
name: Build container image | ||
needs: | ||
- ci | ||
uses: kubewarden/policy-server/.github/workflows/binary-build.yml@main | ||
|
||
build-container-image: | ||
needs: | ||
- build-policy-server-binaries | ||
uses: kubewarden/policy-server/.github/workflows/container-build.yml@main | ||
|
||
release: | ||
name: Create release | ||
runs-on: ubuntu-latest | ||
needs: | ||
- ci | ||
- build-container-image | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Download build artefacts | ||
id: download | ||
uses: actions/download-artifact@v2 | ||
|
||
- name: Create release | ||
uses: actions/create-release@v1 | ||
uses: softprops/action-gh-release@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
tag_name: ${{ github.ref }} | ||
release_name: Release policy-server ${{ github.ref }} | ||
name: Release policy-server ${{ github.ref_name }} | ||
draft: false | ||
prerelease: ${{ contains(github.ref, '-alpha') || contains(github.ref, '-beta') || contains(github.ref, '-rc') }} | ||
files: | | ||
${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.json | ||
${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.cert | ||
${{ steps.download.outputs.download-path}}/policy-server*/policy-server-*.spdx.sig | ||
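Review bot: The release attaches the SBOM, its certificate and its signature but gives consumers no way to know how to check them; since these are keyless Fulcio certificates, add a sentence to the release notes (or the README) with the verification command, e.g. `COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert policy-server-x86_64.spdx.cert --signature policy-server-x86_64.spdx.sig policy-server-x86_64.spdx.json`, and state the expected certificate identity (this workflow's OIDC subject) so that, where the installed cosign supports identity flags, a signature from any other keyless signer is rejected. The reusable workflows are referenced at `kubewarden/policy-server/...@main`, so a release built from tag `vX.Y.Z` runs whatever build and signing steps are on main at that moment rather than those committed at the tag; a local `./.github/workflows/...` reference (if supported by the runner) or a pinned SHA would tie the build definition to the release. Only the `*.spdx.*` files are uploaded while the `policy-server-*` binaries the SBOM describes are not, which is fine if the container image is the only supported artefact, but then the SBOM or release notes should name the image digest it belongs to.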
@@ -1 +1,2 @@ | ||
/target | ||
/target | ||
sbom-tool |