From 95bd31beab6bf32c11d394e817a23ee9469ff389 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:40:36 +0100 Subject: [PATCH 01/10] Create reusable workflow for security scans --- .github/actions/generate-sbom/action.yml | 5 ++- .github/workflows/_security-scan.yml | 44 ++++++++++++++++++++++++ .github/workflows/security-scan.yml | 16 +++++++++ 3 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/_security-scan.yml create mode 100644 .github/workflows/security-scan.yml diff --git a/.github/actions/generate-sbom/action.yml b/.github/actions/generate-sbom/action.yml index c036bd8c..04f025e2 100644 --- a/.github/actions/generate-sbom/action.yml +++ b/.github/actions/generate-sbom/action.yml @@ -22,7 +22,10 @@ outputs: value: ${{ inputs.output-file }} artifact-url: description: 'The URL to the uploaded artifact' - value: ${{ steps.upload.outputs.artifact_url }} + value: ${{ steps.upload.outputs.artifact-url }} + artifact-id: + description: 'The ID of the uploaded artifact' + value: ${{ steps.upload.outputs.artifact-id }} runs: using: composite diff --git a/.github/workflows/_security-scan.yml b/.github/workflows/_security-scan.yml new file mode 100644 index 00000000..700258a3 --- /dev/null +++ b/.github/workflows/_security-scan.yml 
@@ -0,0 +1,44 @@ +name: Security Scan + +on: + workflow_call: + inputs: + image-ref: + description: 'The image reference to scan' + required: true + type: string + +jobs: + generate-sbom: + runs-on: ubuntu-latest + outputs: + sbom-file: ${{ steps.generate-sbom.outputs.output-file }} + steps: + - name: Pull Image + shell: bash + run: | + docker pull ${{ github.event.inputs.image-ref }} + + - name: Generate SBOM + id: generate-sbom + uses: ./.github/actions/generate-sbom + with: + image-ref: ${{ github.event.inputs.image-ref }} + output-file: sbom.json + artifact-name: sbom + + scan-sbom: + runs-on: ubuntu-latest + needs: generate-sbom + steps: + - name: Download SBOM + uses: actions/download-artifact@v2 + with: + name: sbom + path: . + + - name: Scan SBOM + uses: ./.github/actions/scan-sbom + with: + sbom-file: ${{ needs.generate-sbom.outputs.sbom-file }} + artifact-name: scan-results diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 00000000..6f5a5ae8 --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,16 @@ +name: Security Scan + +on: + registry_package: + types: [published] + pull_request: + branches: + - main + +jobs: + security-scan: + name: Security Scan + if: ${{ github.event.registry_package.package_version.container_metadata.tag.name != '' }} + uses: ./.github/workflows/_security-scan.yml + with: + image-ref: ghcr.io/${{ github.repository }}/eternal-linux/main/silverblue:latest From cc6bf5dfa5ea19633e455a822c9a977a5e9ddff7 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:41:25 +0100 Subject: [PATCH 02/10] Remove if condition --- .github/workflows/security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 6f5a5ae8..d7620d26 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml 
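Review bot: The Pull Image step's `docker pull ${{ github.event.inputs.image-ref }}` splices a caller-controlled input directly into the shell script, so shell metacharacters in the value are executed instead of treated as data; patch 03 switches it to `${{ inputs.image-ref }}` but keeps the interpolation. Pass it through the environment: add `env:` / `IMAGE_REF: ${{ inputs.image-ref }}` to the step and use `docker pull "$IMAGE_REF"` in `run:`. The scan-sbom job's `actions/download-artifact@v2` is deprecated, and since the generate-sbom action exposes an `artifact-id` output (patch 01's action.yml hunk) the upload presumably uses upload-artifact v4, whose artifacts v2 cannot retrieve — use `actions/download-artifact@v4`. None of the actions added in this series (this hunk, the `actions/checkout@v4` lines in patch 09, the v4 upload/download in patch 10) are pinned to a commit SHA, unlike build.yml's `actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4` visible in patch 10's check-job hunk; pin them the same way.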
@@ -10,7 +10,7 @@ on: jobs: security-scan: name: Security Scan - if: ${{ github.event.registry_package.package_version.container_metadata.tag.name != '' }} + # if: ${{ github.event.registry_package.package_version.container_metadata.tag.name != '' }} uses: ./.github/workflows/_security-scan.yml with: image-ref: ghcr.io/${{ github.repository }}/eternal-linux/main/silverblue:latest From 8084bf1d4b59383fd5b7300c53f68282493a9078 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:43:45 +0100 Subject: [PATCH 03/10] Don't use github.event when referencing workflow variable --- .github/workflows/_security-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/_security-scan.yml b/.github/workflows/_security-scan.yml index 700258a3..cfb596a6 100644 --- a/.github/workflows/_security-scan.yml +++ b/.github/workflows/_security-scan.yml @@ -17,13 +17,13 @@ jobs: - name: Pull Image shell: bash run: | - docker pull ${{ github.event.inputs.image-ref }} + docker pull ${{ inputs.image-ref }} - name: Generate SBOM id: generate-sbom uses: ./.github/actions/generate-sbom with: - image-ref: ${{ github.event.inputs.image-ref }} + image-ref: ${{ inputs.image-ref }} output-file: sbom.json artifact-name: sbom From 0140f73d3b521fd75b409ff59afa648e1c225fa5 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:44:56 +0100 Subject: [PATCH 04/10] Provide packages:read permissions --- .github/workflows/_security-scan.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/_security-scan.yml b/.github/workflows/_security-scan.yml index cfb596a6..7227353b 100644 --- a/.github/workflows/_security-scan.yml +++ b/.github/workflows/_security-scan.yml @@ -8,6 +8,10 @@ on: required: true type: string +permissions: + contents: read + packages: read + jobs: generate-sbom: runs-on: ubuntu-latest From c3e90cd02d9c2b26f43ff72d51ae45c5c60bba54 Mon Sep 17 00:00:00 2001 
From: Robert Sturla Date: Tue, 2 Apr 2024 21:45:46 +0100 Subject: [PATCH 05/10] Fix image ref --- .github/workflows/security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index d7620d26..7dbab8da 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -13,4 +13,4 @@ jobs: # if: ${{ github.event.registry_package.package_version.container_metadata.tag.name != '' }} uses: ./.github/workflows/_security-scan.yml with: - image-ref: ghcr.io/${{ github.repository }}/eternal-linux/main/silverblue:latest + image-ref: ghcr.io/${{ github.repository_owner }}/eternal-linux/main/silverblue:latest From 7027ec2a633b5a96a3e18e6e4a3659843d2bb61a Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:46:22 +0100 Subject: [PATCH 06/10] Add concurrency on build workflow! --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4d0e4f94..d3b1fd3a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,9 @@ on: env: IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + jobs: build-base: runs-on: ubuntu-latest From 8278d4fff90a22e059ccd04de0d908943eb20858 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:47:06 +0100 Subject: [PATCH 07/10] latest tag does not exist --- .github/workflows/security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 7dbab8da..1d00dfa5 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml 
@@ -13,4 +13,4 @@ jobs: # if: ${{ github.event.registry_package.package_version.container_metadata.tag.name != '' }} uses: ./.github/workflows/_security-scan.yml with: - image-ref: ghcr.io/${{ github.repository_owner }}/eternal-linux/main/silverblue:latest + image-ref: ghcr.io/${{ github.repository_owner }}/eternal-linux/main/silverblue:39 From b0bedcfdc5631ae5ff42ccd7030f6c9553b86660 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:47:50 +0100 Subject: [PATCH 08/10] Cancel builds in progress --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d3b1fd3a..49e05b57 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,6 +16,7 @@ env: concurrency: group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: build-base: From 322274e68279cf97dd880eae9f632fe11eff5fb7 Mon Sep 17 00:00:00 2001 From: Robert Sturla Date: Tue, 2 Apr 2024 21:49:55 +0100 Subject: [PATCH 09/10] Add checkout step --- .github/workflows/_security-scan.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/_security-scan.yml b/.github/workflows/_security-scan.yml index 7227353b..80e84358 100644 --- a/.github/workflows/_security-scan.yml +++ b/.github/workflows/_security-scan.yml @@ -18,6 +18,9 @@ jobs: outputs: sbom-file: ${{ steps.generate-sbom.outputs.output-file }} steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Pull Image shell: bash run: | @@ -35,6 +38,9 @@ jobs: runs-on: ubuntu-latest needs: generate-sbom steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Download SBOM uses: actions/download-artifact@v2 with: From 5443b21ed43eecd63b3070ccbe24ebb1842c789d Mon Sep 17 00:00:00 2001 
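Review bot: `cancel-in-progress: true` applies to every ref the build workflow runs on, including pushes to `main`, so a new push cancels a run that may be part-way through pushing and signing images (patch 10's hunk at line 229 shows the signing-key step). Limit cancellation to pull requests, `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, so in-flight release builds complete and only superseded PR runs are cancelled. The `on:` triggers of build.yml are outside the hunk, so which events reach this job is inferred.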
From: Robert Sturla Date: Sat, 4 May 2024 16:51:08 +0100 Subject: [PATCH 10/10] Some refactoring --- .github/workflows/_security-scan.yml | 16 +++++++- .github/workflows/build.yml | 56 ++++++++++++++++++++++------ .github/workflows/security-scan.yml | 16 -------- 3 files changed, 58 insertions(+), 30 deletions(-) delete mode 100644 .github/workflows/security-scan.yml diff --git a/.github/workflows/_security-scan.yml b/.github/workflows/_security-scan.yml index 80e84358..d9c437be 100644 --- a/.github/workflows/_security-scan.yml +++ b/.github/workflows/_security-scan.yml @@ -3,8 +3,8 @@ name: Security Scan on: workflow_call: inputs: - image-ref: - description: 'The image reference to scan' + images: + description: "A comma-separated list of images to scan. E.G. '[\"docker.io/library/alpine:3.14.0\", \"docker.io/library/alpine:3.13.6\"]'" required: true type: string @@ -13,6 +13,18 @@ permissions: packages: read jobs: + generate-matrix: + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - name: Set matrix + id: set-matrix + env: + IMAGES: ${{ inputs.images }} + run: | + echo "matrix=$IMAGES" >> $GITHUB_OUTPUT + generate-sbom: runs-on: ubuntu-latest outputs: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f0d03366..3607d463 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -137,6 +137,8 @@ jobs: contents: read packages: write id-token: write + outputs: + images: ${{ steps.generate-outputs.outputs.images }} env: IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }} FEDORA_VERSION: ${{ matrix.fedora-version }} 
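Review bot: Renaming the input from `image-ref` to `images` leaves the generate-sbom job's `docker pull ${{ inputs.image-ref }}` and `image-ref: ${{ inputs.image-ref }}` (added in patch 01, last touched in patch 03) referencing an input that no longer exists, so they resolve to an empty string; the 16-line diffstat for this file is fully accounted for by this hunk and the generate-matrix hunk, so those lines appear unchanged. The job needs to fan out over the matrix instead, referencing `matrix.image` in both places, and its `artifact-name: sbom` would then collide across matrix entries and should be derived from the image. The description also says "comma-separated list" while the example is a JSON array; reword it to `description: "JSON array of image references to scan, e.g. '[\"docker.io/library/alpine:3.14.0\"]'"` so callers produce what `fromJson` expects.
```yaml
  generate-sbom:
    runs-on: ubuntu-latest
    needs: generate-matrix
    strategy:
      matrix:
        image: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
    # … unchanged: outputs, Checkout step …
      - name: Pull Image
        shell: bash
        env:
          IMAGE_REF: ${{ matrix.image }}
        run: |
          docker pull "$IMAGE_REF"
    # … unchanged: Generate SBOM step, with image-ref: ${{ matrix.image }} …
```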
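Review bot: The generate-matrix job occupies a runner only to copy `inputs.images` into an output; the consuming job can use `fromJson(inputs.images)` in its `strategy.matrix` directly, and no visible hunk reads `needs.generate-matrix.outputs.matrix`. If the job is kept, quote the redirect target, `echo "matrix=$IMAGES" >> "$GITHUB_OUTPUT"`, and note that a value containing a newline would need the heredoc form of `GITHUB_OUTPUT` rather than a single `key=value` line.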
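Review bot: The added `outputs: images: ${{ steps.generate-outputs.outputs.images }}` sits on a matrix build job (the surrounding `env: IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }}` marks it as such; the job's name is outside the hunk), but the step with `id: generate-outputs` is added to the `check` job in the hunk at line 258, so this output always resolves to an empty string. Move the `outputs:` block to `check`, where `steps.generate-outputs` exists. Even then no visible hunk passes the value to `_security-scan.yml`, and the diffstat accounts for all of build.yml's changed lines, so once security-scan.yml is deleted the reusable workflow appears to have no caller and the SBOM/scan steps removed at line 229 are not replaced.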
@@ -229,20 +231,24 @@ jobs: private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }} private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }} - - name: Generate SBOM - id: generate-sbom - uses: ./.github/actions/generate-sbom - if: github.event_name != 'pull_request' - with: - image-ref: ${{ steps.push.outputs.registry-path }} - artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-sbom + - name: Generate file containing outputs + env: + DIGEST: ${{ steps.push.outputs.digest }} + IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} + IMAGE_NAME: ${{ env.IMAGE_NAME }} + FEDORA_VERSION: ${{ matrix.fedora-version }} + FEDORA_EDITION: ${{ matrix.fedora-edition }} + run: + echo "${IMAGE_REGISTRY}@${DIGEST}" > "${IMAGE_NAME}-${FEDORA_EDITION}-${FEDORA_VERSION}-nvidia" - - name: Scan SBOM - uses: ./.github/actions/scan-sbom - if: github.event_name != 'pull_request' + - name: Upload outputs + uses: actions/upload-artifact@v4 with: - sbom-file: ${{ steps.generate-sbom.outputs.output-file }} - artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia${{ matrix.nvidia-version }}-scan + name: output-build-nvidia-${{ env.IMAGE_NAME }}-${{ matrix.fedora-edition }}-${{ matrix.fedora-version }} + retention-days: 1 + if-no-files-found: error + path: | + ${{ env.IMAGE_NAME }}-${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia.txt check: needs: [build-base, build-nvidia] 
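Review bot: The "Generate file containing outputs" step writes to `"${IMAGE_NAME}-${FEDORA_EDITION}-${FEDORA_VERSION}-nvidia"` while the upload step's `path:` expects `...-nvidia.txt`; with `if-no-files-found: error` the upload fails on every run. `IMAGE_NAME` is `eternal-linux/main/<edition>` (the env line in the hunk at 137), so the filename also contains directory separators the redirect will not create, and the artifact `name:` carries the same slashes, which as far as I recall upload-artifact v4 rejects in artifact names. Write to a flat name, `> "build-nvidia-${FEDORA_EDITION}-${FEDORA_VERSION}.txt"`, and use the same slash-free value in `name: output-build-nvidia-${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}` and `path:`. The step-level `IMAGE_REGISTRY` env also redefines the workflow-level variable as registry plus image name; a name such as `IMAGE_REPOSITORY` would read truer.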
@@ -252,6 +258,32 @@ jobs: - name: Checkout uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 + - name: Download artifacts + id: download-artifacts + uses: actions/download-artifact@v4 + with: + pattern: output-build-* + merge-multiple: true + + - name: Create output + id: generate-outputs + env: + JOBS: ${{ toJson(needs) }} + ARTIFACT_PATH: ${{ steps.download-artifacts.outputs.download-path }} + run: | + # Initialize the array + images=() + + # Populate the array with each line from each file in the artifacts directory + for file in $ARTIFACT_PATH/*; do + while IFS= read -r line; do + images+=("$line") + done < "$file" + done + + # Create the GITHUB_OUTPUT in the format '["image1", "image2", ...]' + echo "images=$(printf '%s\n' "${images[@]}" | jq -R -s -c 'split("\n") | .[:-1]')" >> $GITHUB_OUTPUT + - name: Check Job Status uses: ./.github/actions/check-jobs-success with: diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml deleted file mode 100644 index 1d00dfa5..00000000 --- a/.github/workflows/security-scan.yml +++ /dev/null @@ -1,16 +0,0 @@ -name: Security Scan - -on: - registry_package: - types: [published] - pull_request: - branches: - - main - -jobs: - security-scan: - name: Security Scan - # if: ${{ github.event.registry_package.package_version.container_metadata.tag.name != '' }} - uses: ./.github/workflows/_security-scan.yml - with: - image-ref: ghcr.io/${{ github.repository_owner }}/eternal-linux/main/silverblue:39
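Review bot: The "Create output" step leaves `$ARTIFACT_PATH/*` and `$GITHUB_OUTPUT` unquoted and has no guard for an empty download, so when no `output-build-*` artifact exists (presumably a pull-request run where nothing is pushed — the push step's condition is outside the hunk) the glob stays literal and `read` fails on a non-existent file. Quote the expansions and skip missing files: `for file in "$ARTIFACT_PATH"/*; do [ -e "$file" ] || continue` and `>> "$GITHUB_OUTPUT"`. The `JOBS: ${{ toJson(needs) }}` env entry is not read by the script and can be dropped. `actions/download-artifact@v4` here is tag-pinned while the checkout two lines above is SHA-pinned; pin it the same way.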