From bc4d1a2c2d874951b9577c4dc53f0244ed690732 Mon Sep 17 00:00:00 2001 From: cpanato Date: Sun, 31 Mar 2024 17:56:35 +0200 Subject: [PATCH] add bom and attestation to release jobs Signed-off-by: cpanato --- .github/workflows/release.yml | 49 +++++++++++++++++++++++++++++++- .github/workflows/snapshot.yaml | 49 +++++++++++++++++++++++++++++--- .goreleaser.yml | 49 ++++++++++++++++++++++++++++++++ .krel-bom-config.yaml | 28 ++++++++++++++++++ .publish-release-bom-config.yaml | 28 ++++++++++++++++++ .release-notes-bom-config.yaml | 28 ++++++++++++++++++ 6 files changed, 226 insertions(+), 5 deletions(-) create mode 100644 .krel-bom-config.yaml create mode 100644 .publish-release-bom-config.yaml create mode 100644 .release-notes-bom-config.yaml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8333452ea981..95547989a324 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,8 +6,11 @@ on: tags: - 'v*' +permissions: + contents: read + jobs: - build: + release: runs-on: ubuntu-latest permissions: @@ -34,6 +37,9 @@ jobs: - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 + - name: Install bom + uses: kubernetes-sigs/release-actions/setup-bom@10fecc1c66829d291b2f2fb1a27329d152f212e6 # v0.1.3 + - name: Build and publish release uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 if: contains(github.ref, 'refs/tags') 
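Review bot: The workflow-level `permissions: contents: read` added at the top of release.yml is only a default for jobs that declare no `permissions:` block of their own; a job-level block (the `release` job's, visible as this hunk's last context line, and the new `attestation` job's) replaces it entirely rather than narrowing it, so every job block still has to be reviewed on its own. A one-line comment above the new key would spare the next reader that lookup: `# default for jobs that declare no permissions block; a job-level block replaces this entirely`. The snapshot.yaml hunk at `-4,13 +4,13` introduces the same key and would take the same comment.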
@@ -46,3 +52,44 @@ jobs: with: name: artifacts path: dist/* + + attestation: + runs-on: ubuntu-latest + + permissions: + id-token: write + contents: write + + needs: + - release + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: audit + + - name: Check out code onto GOPATH + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 1 + + - name: Set tag output + id: tag + run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + + - name: Install tejolote + uses: kubernetes-sigs/release-actions/setup-tejolote@10fecc1c66829d291b2f2fb1a27329d152f212e6 # v0.1.3 + + - run: | + tejolote attest --artifacts github://kubernetes/release/${{ steps.tag.outputs.tag_name }} github://kubernetes/release/"${GITHUB_RUN_ID}" --output release.intoto.json --sign + + - name: Release + uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4 + with: + files: release.intoto.json + tag_name: "${{ steps.tag.outputs.tag_name }}" + token: ${{ secrets.GITHUB_TOKEN }} + env: + GITHUB_REPOSITORY: kubernetes/release \ No newline at end of file diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml index 2ca800085715..b4ab1d570ce8 100644 --- a/.github/workflows/snapshot.yaml +++ b/.github/workflows/snapshot.yaml @@ -4,13 +4,13 @@ name: test-snapshot-release on: pull_request: +permissions: + contents: read + jobs: - build: + snapshot: runs-on: ubuntu-latest - permissions: - contents: read - steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 
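Review bot: The tejolote step in the new `attestation` job splices `${{ steps.tag.outputs.tag_name }}` directly into the `run:` script, while `${GITHUB_RUN_ID}` on the same command line is read from the environment and quoted; the expression is expanded before the shell parses the line, so the tag name should take the same route. Passing it through `env:` keeps the command line under the shell's control: `env:` / `  TAG_NAME: ${{ steps.tag.outputs.tag_name }}` / `run: tejolote attest --artifacts github://kubernetes/release/"${TAG_NAME}" github://kubernetes/release/"${GITHUB_RUN_ID}" --output release.intoto.json --sign`. The repository slug is also hard-coded twice (the tejolote URIs and `GITHUB_REPOSITORY: kubernetes/release` on the release step); `${{ github.repository }}` would keep both in step with wherever the workflow runs, assuming the action reads that variable — worth confirming. The pins here (checkout v4.1.1, setup-tejolote v0.1.3) are older than the ones the same commit uses in snapshot.yaml's attestation job (checkout v4.1.2, setup-tejolote v0.1.4); aligning release.yml to the newer pins keeps the release path on the action versions the PR path exercises.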
@@ -29,6 +29,9 @@ jobs: go-version: '1.22' check-latest: true + - name: Install bom + uses: kubernetes-sigs/release-actions/setup-bom@10fecc1c66829d291b2f2fb1a27329d152f212e6 # v0.1.3 + - name: Test release build uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: @@ -36,7 +39,45 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: check binary + run: | + ./dist/krel-amd64-linux version + ./dist/publish-release-amd64-linux help + ./dist/release-notes-amd64-linux version + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: artifacts path: dist/* + + attestation: + runs-on: ubuntu-latest + + permissions: + contents: read + + needs: + - snapshot + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: audit + + - name: Check out code onto GOPATH + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + with: + fetch-depth: 1 + + - name: Install tejolote + uses: kubernetes-sigs/release-actions/setup-tejolote@841d76a188a7c121231a863572e27012805715a2 # v0.1.4 + + - run: | + tejolote attest github://kubernetes/release/"${GITHUB_RUN_ID}" --output release.intoto.json + + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: release.intoto.json + path: ./release.intoto.json \ No newline at end of file diff --git a/.goreleaser.yml b/.goreleaser.yml index d0d61ef71082..621cc34ff9b8 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
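Review bot: The new `check binary` step runs `version` for krel and release-notes but `help` for publish-release; if that binary also has a `version` subcommand the three lines should match, and if it does not, a comment on the step saying so (`# publish-release has no version subcommand; help is the cheapest smoke test`, adjusted to the real reason) would stop the next reader from "fixing" it. Both workflow files now end without a trailing newline (`\ No newline at end of file` here and in release.yml's attestation hunk), which yamllint's `new-line-at-end-of-file` rule reports. The job-level `permissions: contents: read` on the snapshot `attestation` job restates the workflow default this file's first hunk introduces; that is harmless, but if it is meant as a deliberate pin it deserves a one-line comment, otherwise it can be dropped.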
@@ -60,6 +60,55 @@ signs:
 args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
 artifacts: all
+sboms:
+ - id: krel
+ cmd: bom
+ args:
+ - generate
+ - "--output"
+ - "krel-bom.json.spdx"
+ - "-d"
+ - "../"
+ - "-c"
+ - "../.krel-bom-config.yaml"
+ - "--format"
+ - "json"
+ artifacts: any
+ documents:
+ - "krel-bom.json.spdx"
+
+ - id: release-notes
+ cmd: bom
+ args:
+ - generate
+ - "--output"
+ - "release-notes-bom.json.spdx"
+ - "-d"
+ - "../"
+ - "-c"
+ - "../.release-notes-bom-config.yaml"
+ - "--format"
+ - "json"
+ artifacts: any
+ documents:
+ - "release-notes-bom.json.spdx"
+
+ - id: publish-release
+ cmd: bom
+ args:
+ - generate
+ - "--output"
+ - "publish-release-bom.json.spdx"
+ - "-d"
+ - "../"
+ - "-c"
+ - "../.publish-release-bom-config.yaml"
+ - "--format"
+ - "json"
+ artifacts: any
+ documents:
+ - "publish-release-bom.json.spdx"
+
 checksum:
 name_template: 'checksums.txt'
diff --git a/.krel-bom-config.yaml b/.krel-bom-config.yaml
new file mode 100644
index 000000000000..421c501acf08
--- /dev/null
+++ b/.krel-bom-config.yaml
@@ -0,0 +1,28 @@
+---
+namespace: https://k8s.io/release
+license: Apache-2.0
+name: krel
+creator:
+ person: The Kubernetes Authors
+ tool: krel
+
+artifacts:
+ - type: file
+ source: krel-amd64-darwin
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: krel-amd64-linux
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: krel-arm64-darwin
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: krel-arm64-linux
+ license: Apache-2.0
+ gomodules: true
diff --git a/.publish-release-bom-config.yaml b/.publish-release-bom-config.yaml
new file mode 100644
index 000000000000..6b96e9d29a9e
--- /dev/null
+++ b/.publish-release-bom-config.yaml
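Review bot: The three `sboms` entries name their documents `<tool>-bom.json.spdx`, whereas the SPDX file-naming convention for the JSON serialization is `.spdx.json`; tools that choose a parser from the extension may read a `.spdx` suffix as tag-value, so `krel-bom.spdx.json` (and the matching `documents:` entry, likewise for the other two) is the safer name unless a consumer already depends on the current one. Each entry also repeats the same nine `args` with only the tool name changing, and nothing in the file says why `-d` and `-c` point at `../`; a comment above `sboms:` such as `# bom runs with goreleaser's working directory (presumably dist/), so ../ is the repository root — confirm` would record that for the next reader.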
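Review bot: All three new bom configs set the same `namespace: https://k8s.io/release` (this file, .publish-release-bom-config.yaml and .release-notes-bom-config.yaml); SPDX requires the document namespace to be unique per document, so if bom uses the value verbatim the three SBOMs produced by one release share an identity and a consumer that keys on it cannot tell them apart. Giving each config its own value, e.g. `namespace: https://k8s.io/release/krel` here, avoids that, unless bom is known to append a unique suffix — worth confirming against its output. A short header comment (`# bom configuration for the krel SBOM generated by .goreleaser.yml`) would also tie the file to its consumer, which nothing in it currently does.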
@@ -0,0 +1,28 @@
+---
+namespace: https://k8s.io/release
+license: Apache-2.0
+name: publish-release
+creator:
+ person: The Kubernetes Authors
+ tool: publish-release
+
+artifacts:
+ - type: file
+ source: publish-release-amd64-darwin
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: publish-release-amd64-linux
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: publish-release-arm64-darwin
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: publish-release-arm64-linux
+ license: Apache-2.0
+ gomodules: true
diff --git a/.release-notes-bom-config.yaml b/.release-notes-bom-config.yaml
new file mode 100644
index 000000000000..f89292bf0ca5
--- /dev/null
+++ b/.release-notes-bom-config.yaml
@@ -0,0 +1,28 @@
+---
+namespace: https://k8s.io/release
+license: Apache-2.0
+name: release-notes
+creator:
+ person: The Kubernetes Authors
+ tool: release-notes
+
+artifacts:
+ - type: file
+ source: release-notes-amd64-darwin
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: release-notes-amd64-linux
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: release-notes-arm64-darwin
+ license: Apache-2.0
+ gomodules: true
+
+ - type: file
+ source: release-notes-arm64-linux
+ license: Apache-2.0
+ gomodules: true