miracum · chgl · Sep 8, 2023 · Sep 8, 2023 · Sep 8, 2023 · Sep 8, 2023
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -59,8 +59,8 @@ jobs:
         id: build
         uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
         with:
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:buildcache
+          cache-to: type=inline
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.container_meta.outputs.tags }}
           labels: ${{ steps.container_meta.outputs.labels }}

diff --git a/.github/workflows/chaos-test.yaml b/.github/workflows/chaos-test.yaml
@@ -19,8 +19,6 @@ jobs:
       - name: Build image
         uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
         with:
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
           push: false
           load: true
           context: tests/chaos/tester

diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
@@ -4,9 +4,6 @@ on:
   pull_request:
     branches:
       - master
-  push:
-    branches:
-      - master
 
 permissions: read-all
 

diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -4,9 +4,9 @@
 name: MegaLinter
 
 on:
-  # Trigger mega-linter at every push. Action will also be visible from Pull Requests to master
   pull_request:
-    branches: [master, main]
+    branches:
+      - master
 
 env: # Comment env block if you do not want to apply fixes
   # Apply linter fixes configuration
@@ -31,7 +31,7 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
         with:
-          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           fetch-depth: 0
 
       # MegaLinter
@@ -43,7 +43,7 @@ jobs:
         env:
           # All available variables are described in documentation
           # https://oxsecurity.github.io/megalinter/configuration/
-          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+          VALIDATE_ALL_CODEBASE: "true"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
 

diff --git a/.github/workflows/reset-chart-changelog-annotations.yaml b/.github/workflows/reset-chart-changelog-annotations.yaml
@@ -6,6 +6,9 @@ on:
       # If you want a workflow to run when stable and pre-releases publish, subscribe to published instead of released and prereleased.
       # <https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#release>
       - published
+  pull_request:
+    branches:
+      - master
 
 permissions: read-all
 
@@ -17,8 +20,14 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Add workspace as safe directory
+        run: |
+          git config --global --add safe.directory /__w/recruit/recruit
+
       - name: Checkout
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          fetch-depth: 0
 
       # currently defaults to just the one chart, "recruit", needs to be updated if
       # more charts are added in the future. See <https://github.com/chgl/kube-powertools/blob/master/scripts/generate-chart-changelog.sh>
@@ -37,6 +46,8 @@ jobs:
           yq -i '.annotations["artifacthub.io/changes"] |= strenv(FIRST_CHANGELOG_ENTRY)' charts/recruit/Chart.yaml
 
       - uses: EndBug/add-and-commit@1bad3abcf0d6ec49a5857d124b0bfb52dc7bb081 # v9.1.3
+        # run everything above in PRs to make sure it works, but only actually commit it on releases
+        if: ${{ github.event_name != 'pull_request' }}
         with:
           add: "charts/"
           message: "chore(helm): reset Chart.yaml changelog annotations"
diff --git a/.github/workflows/test-k8s-installation.yaml b/.github/workflows/test-k8s-installation.yaml
@@ -22,8 +22,6 @@ jobs:
       - name: Build tester image
         uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
         with:
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
           push: false
           load: true
           context: tests/chaos/tester

diff --git a/.mega-linter.yml b/.mega-linter.yml
@@ -19,6 +19,8 @@ DISABLE_LINTERS:
   - PYTHON_PYRIGHT
   # error - python package "--hash" is available for public registration. /github/workspace/src/query/tests/e2e/requirements.txt
   - REPOSITORY_DUSTILOCK
+  # too many false-positives and takes forever
+  - YAML_V8R
   # seems to ignore yamllint config file entirely
   - YAML_YAMLLINT
 

diff --git a/docs/configuration/security.md b/docs/configuration/security.md
@@ -54,7 +54,7 @@ Any user with the `admin` role inside the screening list client in Keycloak is a
 You can disable authorization by not mounting the `notify-rules.yaml` inside the container; if no config is found,
 then no permissions are checked.
 
-## Configuring the Query Module to access a secured WebAPI Instance
+## Configuring the Query Module to access a secured WebAPI instance
 
 If the [OHDSI WebAPI requires authentication](https://github.com/OHDSI/WebAPI/wiki/Security-Configuration),
 you need to configure the query module accordingly. The relevant environment variables to set start with
@@ -66,17 +66,38 @@ and generate cohorts.
 You can also combine multiple authentication methods, for example use OpenID to allow users to login via the
 Atlas UI but create a dedicated service account for the query module which uses WebAPI basic security.
 
-## Verify container image integrity
+## Verify container image signatures and SLSA provenance
 
-All released images are signed via [cosign](https://github.com/sigstore/cosign). To verify the integrity of the images, run:
+Prerequisites:
+
+- [cosign](https://github.com/sigstore/cosign/releases)
+- [slsa-verifier](https://github.com/slsa-framework/slsa-verifier/releases)
+- [crane](https://github.com/google/go-containerregistry/releases)
+
+All released container images are signed using [cosign](https://github.com/sigstore/cosign) and SLSA Level 3 provenance
+is available for verification.
 
 <!-- x-release-please-start-version -->
+
 ```sh
-cosign verify -key recruit-image-signing.pub ghcr.io/miracum/recruit/list:v10.1.4
+# for example, verify the `list` module's container image. Same workflow applies to `query` and `notify`.
+IMAGE=ghcr.io/miracum/recruit/list:v10.1.4
+DIGEST=$(crane digest "${IMAGE}")
+IMAGE_DIGEST_PINNED="ghcr.io/miracum/recruit/list@${DIGEST}"
+IMAGE_TAG="${IMAGE#*:}"
+
+cosign verify \
+   --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+   --certificate-identity="https://github.com/miracum/recruit/.github/workflows/build.yaml@refs/tags/${IMAGE_TAG}" \
+   "${IMAGE_DIGEST_PINNED}"
+
+slsa-verifier verify-image \
+    --source-uri github.com/miracum/recruit \
+    --source-tag ${IMAGE_TAG} \
+    "${IMAGE_DIGEST_PINNED}"
 ```
-<!-- x-release-please-end -->
 
-where `recruit-image-signing.pub` is located in the root of the main repository.
+<!-- x-release-please-end -->
 
-Tools such as [connaisseur](https://github.com/sse-secure-systems/connaisseur) allow you to automatically verify these
-signatures when deploying to Kubernetes.
+See also <https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#verification>
+for details on verifying the image integrity using automated policy controllers.