ci: sign images and generate sbom (#3766) (#3771)

* ci: sign images and generate sbom Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> * chore: update changelog Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> Co-authored-by: Yue Yang <g1enyy0ung@gmail.com>

ci: sign images and generate sbom (#3766) (#3771)
* ci: sign images and generate sbom Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> * chore: update changelog Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> Signed-off-by: Yue Yang <g1enyy0ung@gmail.com> Co-authored-by: Yue Yang <g1enyy0ung@gmail.com>
c084155a · Ti Chi Robot · GitHub · 9685160c · c084155a · c084155a
Unverified Commit c084155a authored 2 years ago by Ti Chi Robot Committed by GitHub 2 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 82 additions and 52 deletions
+82 -52
--- a/.github/workflows/e2e_test.yml
+++ b/.github/workflows/e2e_test.yml
@@ -34,7 +34,6 @@ jobs:
            .github/workflows/codecov_unittest.yaml
            .github/workflows/integration_test.yml
            .github/workflows/license_checker.yml
-            .github/workflows/manually-sign-container-images.yaml
            .github/workflows/must_update_changelog.yml
            .github/workflows/release_helm_chart.yml
            .github/workflows/stale.yml

--- a/.github/workflows/e2e_test_upload_cache.yml
+++ b/.github/workflows/e2e_test_upload_cache.yml
@@ -17,7 +17,6 @@ on:
      - .github/workflows/codecov_unittest.yaml
      - .github/workflows/integration_test.yml
      - .github/workflows/license_checker.yml
-      - .github/workflows/manually-sign-container-images.yaml
      - .github/workflows/must_update_changelog.yml
      - .github/workflows/release_helm_chart.yml
      - .github/workflows/stale.yml

--- a/.github/workflows/integration_test.yml
+++ b/.github/workflows/integration_test.yml
@@ -15,7 +15,6 @@ on:
      - .github/workflows/e2e_test.yml
      - .github/workflows/e2e_test_upload_cache.yml
      - .github/workflows/license_checker.yml
-      - .github/workflows/manually-sign-container-images.yaml
      - .github/workflows/must_update_changelog.yml
      - .github/workflows/release_helm_chart.yml
      - .github/workflows/stale.yml

--- a/.github/workflows/manually-sign-container-images.yaml
+++ b/.github/workflows/manually-sign-container-images.yaml
-name: Manually Sign Container Images
-permissions: read-all
-on:
-  workflow_dispatch:
-    inputs:
-      imageTag:
-        description: The container image tag to be signed.
-        required: true
-        default: latest
-jobs:
-  sign:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: "v1.13.1"
-      - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Sign Chaos Mesh Container Images
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-mesh:${{ github.event.inputs.imageTag }}
-          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-daemon:${{ github.event.inputs.imageTag }}
-          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-dashboard:${{ github.event.inputs.imageTag }}
-          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-kernel:${{ github.event.inputs.imageTag }}
-          cosign public-key --key env://COSIGN_PRIVATE_KEY
--- a/.github/workflows/upload_image.yml
+++ b/.github/workflows/upload_image.yml
@@ -29,6 +29,7 @@ jobs:
          fetch-depth: 0

      - name: Extract Image Tag
+        id: image_tag
        shell: bash
        run: |
          IMAGE_TAG=${GITHUB_REF##*/}
@@ -37,9 +38,8 @@ jobs:
          fi

          echo "::set-output name=image_tag::$(echo $IMAGE_TAG)"
-        id: image_tag

-      - name: Log in to GitHub Docker Registry
+      - name: Login to GitHub Container registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
@@ -82,21 +82,22 @@ jobs:
          docker push ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG-$ARCH

  upload-manifest:
+    needs: build-specific-architecture
+    runs-on: ubuntu-latest
    permissions:
      # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-on-github
      packages: write
-    runs-on: ubuntu-latest
    strategy:
      matrix:
        image:
          [chaos-daemon, chaos-mesh, chaos-dashboard, chaos-kernel, chaos-dlv]
-    needs: build-specific-architecture
+    env:
+      IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }}
+      GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
    steps:
-      - name: Build Chaos Mesh manifest
+      - name: Create the manifest list
        env:
          IMAGE: ${{ matrix.image }}
-          IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }}
-          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: |
          # ${VAR,,} convert VAR to lower case
          docker manifest create ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG \
@@ -110,18 +111,86 @@ jobs:
            ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG-arm64 \
            --os linux --arch arm64

-      - name: Log in to GitHub Docker Registry
+      - name: Login to GitHub Container registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Upload Chaos Mesh
+      - name: Push the manifest list
        env:
          IMAGE: ${{ matrix.image }}
-          IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }}
-          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: |
          # ${VAR,,} convert VAR to lower case
          docker manifest push ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG
+
+  sign:
+    needs:
+      - build-specific-architecture
+      - upload-manifest
+    if: needs.build-specific-architecture.outputs.image_tag != 'latest'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Need to upload files to the related release.
+      # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-on-github
+      packages: write
+    env:
+      IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }}
+    steps:
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v1.13.1"
+      - name: Login to GitHub Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Sign Chaos Mesh Container images
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-mesh:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-mesh-$IMAGE_TAG.sig
+          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-daemon:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-daemon-$IMAGE_TAG.sig
+          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-dashboard:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-dashboard-$IMAGE_TAG.sig
+          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-kernel:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-kernel-$IMAGE_TAG.sig
+          cosign public-key --key env://COSIGN_PRIVATE_KEY > cosign.pub
+      - name: Upload cosign.pub and sigs
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            cosign.pub
+            ghcr.io-chaos-mesh-chaos-mesh-$IMAGE_TAG.sig
+            ghcr.io-chaos-mesh-chaos-daemon-$IMAGE_TAG.sig
+            ghcr.io-chaos-mesh-chaos-dashboard-$IMAGE_TAG.sig
+            ghcr.io-chaos-mesh-chaos-kernel-$IMAGE_TAG.sig
+
+  sbom:
+    needs: build-specific-architecture
+    if: needs.build-specific-architecture.outputs.image_tag != 'latest'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Need to upload files to the related release.
+    env:
+      IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.18"
+
+      - name: Install bom
+        run: go install sigs.k8s.io/bom/cmd/bom
+
+      - name: Generate SBOM
+        run: bom generate -n https://chaos-mesh.org/chaos-mesh.spdx -o chaos-mesh-$IMAGE_TAG-sbom.spdx .
+
+      - name: Upload SBOM
+        uses: softprops/action-gh-release@v1
+        with:
+          files: chaos-mesh-$IMAGE_TAG-sbom.spdx
--- a/.gitignore
+++ b/.gitignore
@@ -22,7 +22,7 @@ core.sqlite
 # But it is just tools that can be installed with make setup
 /_tools/

-/node_modules
+node_modules
 # FIXME: comment this line temporarily to get e2e_test.yml working.
 # /yarn.lock


--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,7 +38,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/

 ### Security

- Nothing
+- Sign images and generate sbom when uploading images in CI [#3766](https://github.com/chaos-mesh/chaos-mesh/pull/3766)

 ## [2.4.0] - 2022-09-23