e53a282fbe
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
- Introduced `NativeTestBase` class for ELF, PE, and Mach-O binary parsing helpers and assertions. - Created `TestCryptoFactory` for SM2 cryptographic provider setup and key generation. - Implemented `Sm2SigningTests` to validate signing functionality with environment gate checks. - Developed console export service and store with comprehensive unit tests for export status management.
129 lines
3.7 KiB
YAML
129 lines
3.7 KiB
YAML
name: Artifact Signing
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
workflow_dispatch:
|
|
inputs:
|
|
artifact_path:
|
|
description: 'Path to artifact to sign'
|
|
required: false
|
|
default: ''
|
|
|
|
env:
|
|
COSIGN_VERSION: 'v2.2.0'
|
|
|
|
jobs:
|
|
sign-containers:
|
|
name: Sign Container Images
|
|
runs-on: ubuntu-latest
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
packages: write
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
with:
|
|
cosign-release: ${{ env.COSIGN_VERSION }}
|
|
|
|
- name: Log in to registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Sign images (keyless)
|
|
if: ${{ !env.COSIGN_PRIVATE_KEY_B64 }}
|
|
env:
|
|
COSIGN_EXPERIMENTAL: "1"
|
|
run: |
|
|
IMAGES=(
|
|
"ghcr.io/${{ github.repository }}/concelier"
|
|
"ghcr.io/${{ github.repository }}/scanner"
|
|
"ghcr.io/${{ github.repository }}/authority"
|
|
)
|
|
for img in "${IMAGES[@]}"; do
|
|
if docker manifest inspect "${img}:${{ github.ref_name }}" > /dev/null 2>&1; then
|
|
echo "Signing ${img}:${{ github.ref_name }}..."
|
|
cosign sign --yes "${img}:${{ github.ref_name }}"
|
|
fi
|
|
done
|
|
|
|
- name: Sign images (with key)
|
|
if: ${{ env.COSIGN_PRIVATE_KEY_B64 }}
|
|
env:
|
|
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
run: |
|
|
echo "$COSIGN_PRIVATE_KEY" | base64 -d > /tmp/cosign.key
|
|
IMAGES=(
|
|
"ghcr.io/${{ github.repository }}/concelier"
|
|
"ghcr.io/${{ github.repository }}/scanner"
|
|
"ghcr.io/${{ github.repository }}/authority"
|
|
)
|
|
for img in "${IMAGES[@]}"; do
|
|
if docker manifest inspect "${img}:${{ github.ref_name }}" > /dev/null 2>&1; then
|
|
echo "Signing ${img}:${{ github.ref_name }}..."
|
|
cosign sign --key /tmp/cosign.key "${img}:${{ github.ref_name }}"
|
|
fi
|
|
done
|
|
rm -f /tmp/cosign.key
|
|
|
|
sign-sbom:
|
|
name: Sign SBOM Artifacts
|
|
runs-on: ubuntu-latest
|
|
if: startsWith(github.ref, 'refs/tags/v')
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
with:
|
|
cosign-release: ${{ env.COSIGN_VERSION }}
|
|
|
|
- name: Generate and sign SBOM
|
|
run: |
|
|
# Generate SBOM using syft
|
|
if command -v syft &> /dev/null; then
|
|
syft . -o cyclonedx-json > sbom.cdx.json
|
|
cosign sign-blob --yes sbom.cdx.json --output-signature sbom.cdx.json.sig
|
|
else
|
|
echo "syft not installed, skipping SBOM generation"
|
|
fi
|
|
|
|
- name: Upload signed artifacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: signed-sbom
|
|
path: |
|
|
sbom.cdx.json
|
|
sbom.cdx.json.sig
|
|
if-no-files-found: ignore
|
|
|
|
verify-signatures:
|
|
name: Verify Existing Signatures
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
with:
|
|
cosign-release: ${{ env.COSIGN_VERSION }}
|
|
|
|
- name: Verify DSSE envelopes
|
|
run: |
|
|
find . -name "*.dsse" -o -name "*.dsse.json" | while read f; do
|
|
echo "Checking $f..."
|
|
# Basic JSON validation
|
|
if ! jq empty "$f" 2>/dev/null; then
|
|
echo "Warning: Invalid JSON in $f"
|
|
fi
|
|
done
|