diff --git a/.github/workflows/e2e_test.yml b/.github/workflows/e2e_test.yml index bc471c973e6d1ff301b4f23551500b67dc730c79..2e7f4d22578ad6dd02ce3cf1a936b57aa25b2d3f 100644 --- a/.github/workflows/e2e_test.yml +++ b/.github/workflows/e2e_test.yml @@ -34,7 +34,6 @@ jobs: .github/workflows/codecov_unittest.yaml .github/workflows/integration_test.yml .github/workflows/license_checker.yml - .github/workflows/manually-sign-container-images.yaml .github/workflows/must_update_changelog.yml .github/workflows/release_helm_chart.yml .github/workflows/stale.yml diff --git a/.github/workflows/e2e_test_upload_cache.yml b/.github/workflows/e2e_test_upload_cache.yml index 04d1978dd71ecaf0d709cbf8001f9d148eb8f6a6..aa882a6e9f870973f14f631bda5aee0a502e7553 100644 --- a/.github/workflows/e2e_test_upload_cache.yml +++ b/.github/workflows/e2e_test_upload_cache.yml @@ -17,7 +17,6 @@ on: - .github/workflows/codecov_unittest.yaml - .github/workflows/integration_test.yml - .github/workflows/license_checker.yml - - .github/workflows/manually-sign-container-images.yaml - .github/workflows/must_update_changelog.yml - .github/workflows/release_helm_chart.yml - .github/workflows/stale.yml diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml index 33bf561a137cad188d59c02a2a363b86c6b1e650..a1b8e5d18dd120d4df5d470965938b548fe37cd9 100644 --- a/.github/workflows/integration_test.yml +++ b/.github/workflows/integration_test.yml @@ -15,7 +15,6 @@ on: - .github/workflows/e2e_test.yml - .github/workflows/e2e_test_upload_cache.yml - .github/workflows/license_checker.yml - - .github/workflows/manually-sign-container-images.yaml - .github/workflows/must_update_changelog.yml - .github/workflows/release_helm_chart.yml - .github/workflows/stale.yml diff --git a/.github/workflows/manually-sign-container-images.yaml b/.github/workflows/manually-sign-container-images.yaml deleted file mode 100644 index b9d638fb6a62210b5d33711c477c9cb4f42b9c75..0000000000000000000000000000000000000000 --- a/.github/workflows/manually-sign-container-images.yaml +++ /dev/null @@ -1,36 +0,0 @@ -name: Manually Sign Container Images -permissions: read-all -on: - workflow_dispatch: - inputs: - imageTag: - description: The container image tag to be signed. - required: true - default: latest -jobs: - sign: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - name: Install cosign - uses: sigstore/cosign-installer@main - with: - cosign-release: "v1.13.1" - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Sign Chaos Mesh Container Images - env: - COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} - COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - run: | - cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-mesh:${{ github.event.inputs.imageTag }} - cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-daemon:${{ github.event.inputs.imageTag }} - cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-dashboard:${{ github.event.inputs.imageTag }} - cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-kernel:${{ github.event.inputs.imageTag }} - cosign public-key --key env://COSIGN_PRIVATE_KEY diff --git a/.github/workflows/upload_image.yml b/.github/workflows/upload_image.yml index 87195b8a1db6c4683d298d25d865bc6631854a6c..8be94ac13a7bd213fd7c0a8e7e040f04b35ddca1 100644 --- a/.github/workflows/upload_image.yml +++ b/.github/workflows/upload_image.yml @@ -29,6 +29,7 @@ jobs: fetch-depth: 0 - name: Extract Image Tag + id: image_tag shell: bash run: | IMAGE_TAG=${GITHUB_REF##*/} @@ -37,9 +38,8 @@ jobs: fi echo "::set-output name=image_tag::$(echo $IMAGE_TAG)" - id: image_tag - - name: Log in to GitHub Docker Registry + - name: Login to GitHub Container registry uses: docker/login-action@v1 with: registry: ghcr.io @@ -82,21 +82,22 @@ jobs: docker push ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG-$ARCH upload-manifest: + needs: build-specific-architecture + runs-on: ubuntu-latest permissions: # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-on-github packages: write - runs-on: ubuntu-latest strategy: matrix: image: [chaos-daemon, chaos-mesh, chaos-dashboard, chaos-kernel, chaos-dlv] - needs: build-specific-architecture + env: + IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }} + GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} steps: - - name: Build Chaos Mesh manifest + - name: Create the manifest list env: IMAGE: ${{ matrix.image }} - IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }} - GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} run: | # ${VAR,,} convert VAR to lower case docker manifest create ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG \ @@ -110,18 +111,86 @@ jobs: ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG-arm64 \ --os linux --arch arm64 - - name: Log in to GitHub Docker Registry + - name: Login to GitHub Container registry uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Upload Chaos Mesh + - name: Push the manifest list env: IMAGE: ${{ matrix.image }} - IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }} - GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} run: | # ${VAR,,} convert VAR to lower case docker manifest push ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/$IMAGE:$IMAGE_TAG + + sign: + needs: + - build-specific-architecture + - upload-manifest + if: needs.build-specific-architecture.outputs.image_tag != 'latest' + runs-on: ubuntu-latest + permissions: + contents: write # Need to upload files to the related release. + # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-on-github + packages: write + env: + IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }} + steps: + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: "v1.13.1" + - name: Login to GitHub Container registry + uses: docker/login-action@v1 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Sign Chaos Mesh Container images + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + run: | + cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-mesh:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-mesh-$IMAGE_TAG.sig + cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-daemon:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-daemon-$IMAGE_TAG.sig + cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-dashboard:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-dashboard-$IMAGE_TAG.sig + cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/chaos-mesh/chaos-kernel:$IMAGE_TAG --output-signature ghcr.io-chaos-mesh-chaos-kernel-$IMAGE_TAG.sig + cosign public-key --key env://COSIGN_PRIVATE_KEY > cosign.pub + - name: Upload cosign.pub and sigs + uses: softprops/action-gh-release@v1 + with: + files: | + cosign.pub + ghcr.io-chaos-mesh-chaos-mesh-$IMAGE_TAG.sig + ghcr.io-chaos-mesh-chaos-daemon-$IMAGE_TAG.sig + ghcr.io-chaos-mesh-chaos-dashboard-$IMAGE_TAG.sig + ghcr.io-chaos-mesh-chaos-kernel-$IMAGE_TAG.sig + + sbom: + needs: build-specific-architecture + if: needs.build-specific-architecture.outputs.image_tag != 'latest' + runs-on: ubuntu-latest + permissions: + contents: write # Need to upload files to the related release. + env: + IMAGE_TAG: ${{ needs.build-specific-architecture.outputs.image_tag }} + steps: + - uses: actions/checkout@v3 + + - name: Set up Go + uses: actions/setup-go@v3 + with: + go-version: "1.18" + + - name: Install bom + run: go install sigs.k8s.io/bom/cmd/bom + + - name: Generate SBOM + run: bom generate -n https://chaos-mesh.org/chaos-mesh.spdx -o chaos-mesh-$IMAGE_TAG-sbom.spdx . + + - name: Upload SBOM + uses: softprops/action-gh-release@v1 + with: + files: chaos-mesh-$IMAGE_TAG-sbom.spdx diff --git a/.gitignore b/.gitignore index 6571250b78c5166ba7707c12044bf72d18eb3eff..9bbc4793562d873b54843a3a05158b70d7e8979d 100644 --- a/.gitignore +++ b/.gitignore @@ -22,7 +22,7 @@ core.sqlite # But it is just tools that can be installed with make setup /_tools/ -/node_modules +node_modules # FIXME: comment this line temporarily to get e2e_test.yml working. # /yarn.lock diff --git a/CHANGELOG.md b/CHANGELOG.md index aa0f01b64617b3dd947576b70087545a53b5b0ec..7d6c8c78bd2c4083a69de344b51f8fec5025ae29 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,7 +38,7 @@ For more information and how-to, see [RFC: Keep A Changelog](https://github.com/ ### Security -- Nothing +- Sign images and generate sbom when uploading images in CI [#3766](https://github.com/chaos-mesh/chaos-mesh/pull/3766) ## [2.4.0] - 2022-09-23