Skip to content

v0.0.12

v0.0.12 #14

Workflow file for this run

name: Release falco_plugin (OCI)
on:
release:
types: [published]
workflow_dispatch:
push:
branches: ["asher/sbom"] # remove after testing
permissions:
contents: read # Default token to read
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
with:
persist-credentials: false
- name: Set up QEMU
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v3.6
- name: docker setup buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
- name: docker login ghcr.io
if: github.event_name != 'pull_request'
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: "${{ github.actor }}"
password: '${{ github.token }}'
- name: extract metadata
id: meta
working-directory: ${{ env.CONTAINERFILE_DIR }}
run: |
REPO_NAME=${{ github.event.repository.name }}
FULL_IMAGE_NAME=ghcr.io/${{ github.repository_owner }}/edera_falco_plugin
echo "full-image-name=${FULL_IMAGE_NAME,,}" >> $GITHUB_OUTPUT
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
TAGS="${FULL_IMAGE_NAME,,}:pr-${{ github.event.number }}"
else
TAGS="${FULL_IMAGE_NAME,,}:${{ github.sha }},${FULL_IMAGE_NAME,,}:latest"
fi
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
- name: build and push Docker image
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
id: push
with:
context: .
file: ./Containerfile
platforms: "linux/amd64,linux/arm64"
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
cache-from: type=gha
cache-to: type=gha,mode=max
labels: |
org.opencontainers.image.title=${{ steps.meta.outputs.target-name }}
org.opencontainers.image.source=${{ github.event.repository.html_url }}
org.opencontainers.image.revision=${{ github.sha }}
- name: cosign all images
if: github.event_name != 'pull_request'
shell: bash
run: |
IFS=',' read -ra TAGS <<< '${{ steps.meta.outputs.tags }}'
for tag in "${TAGS[@]}"; do
pullstring="${tag}@${{ steps.push.outputs.digest }}"
echo "Signing ${pullstring}"
cosign sign --yes "${pullstring}"
done
env:
DIGEST: '${{ steps.push.outputs.digest }}'
COSIGN_EXPERIMENTAL: 'true'
- name: install syft
if: github.event_name != 'pull_request'
uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610
id: syft
- name: generate and attest CycloneDX SBOM
if: github.event_name != 'pull_request'
shell: bash
env:
DIGEST: '${{ steps.push.outputs.digest }}'
IMAGE: '${{ steps.meta.outputs.full-image-name }}'
SYFT_CMD: '${{ steps.syft.outputs.cmd }}'
COMPONENT: edera_falco_plugin
run: |
set -euo pipefail
ref="${IMAGE}@${DIGEST}"
version="${GITHUB_SHA::7}"
pairs=()
for plat in linux/amd64 linux/arm64; do
out="${COMPONENT}.${plat##*/}.cdx.json"
echo "scanning ${plat}"
"${SYFT_CMD}" "registry:${ref}" \
--platform "${plat}" \
--select-catalogers "-file" \
-o "cyclonedx-json=${out}"
n="$(jq '(.components // []) | length' "${out}")"
echo " ${plat}: ${n} components"
[ "${n}" -gt 0 ] || { echo "::error::no SBOM components for ${plat}"; exit 1; }
pairs+=("${plat}=${out}")
done
python3 merge-cdx.py "${COMPONENT}.cdx.json" "${COMPONENT}" "${version}" "${pairs[@]}"
jq -e '.bomFormat == "CycloneDX" and ((.components // []) | length > 0)' \
"${COMPONENT}.cdx.json" >/dev/null \
|| { echo "::error::SBOM for ${COMPONENT} is empty or invalid"; exit 1; }
jq '{component: env.COMPONENT, components: (.components | length)}' \
"${COMPONENT}.cdx.json"
cosign attest --yes --type cyclonedx \
--predicate "${COMPONENT}.cdx.json" \
"${ref}"