
Introduce OCI artifacts signatures #296

Merged
merged 11 commits into from
Jul 10, 2023
Merged
42 changes: 41 additions & 1 deletion .github/workflows/upload-oci-artifacts.yaml
Expand Up @@ -6,6 +6,9 @@ jobs:
publish-oci-artifacts:
runs-on: ubuntu-latest

outputs:
matrix: ${{ steps.oci_build.outputs.REGISTRY_UPDATE_STATUS }}

steps:
- name: Checkout Plugins
uses: actions/checkout@v3
Expand All @@ -22,10 +25,47 @@ jobs:
run: make

- name: Upload OCI artifacts to GitHub packages
id: oci_build
env:
REGISTRY: ghcr.io
REGISTRY_USER: ${{ github.repository_owner }}
REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO_GITHUB: https://github.com/${{ github.repository_owner }}/plugins.git
working-directory: build/registry
run: ./bin/registry update-oci-registry ../../registry.yaml
run: >-
echo "REGISTRY_UPDATE_STATUS=$(
./bin/registry update-oci-registry ../../registry.yaml
)" >> $GITHUB_OUTPUT

# Create signatures of the plugin artifacts as OCI artifacts
sign-oci-artifacts:
needs: [ publish-oci-artifacts ]
runs-on: ubuntu-latest

if: ${{ needs.publish-oci-artifacts.outputs.matrix != '[]' }}
strategy:
matrix:
value: ${{ fromJson(needs.publish-oci-artifacts.outputs.matrix) }}

This is awesome 🤩


permissions:
contents: read
id-token: write
packages: write

steps:
- name: Install Cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.1.0'
- run: cosign version

- name: Log into ghcr.io
uses: docker/login-action@master
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Sign the artifacts with GitHub OIDC Token
run: cosign sign --yes ${{ matrix.value.repository.ref }}@${{ matrix.value.artifact.digest }}
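Review bot: The login step `uses: docker/login-action@master` tracks a mutable branch of a third-party action inside a job that holds `id-token: write` and `packages: write`, so whatever is on that branch at run time executes with the same credentials that produce the signatures. The other actions in this hunk are pinned to a version; pin this one the same way, preferably to a full commit SHA with the tag in a trailing comment, e.g. `uses: docker/login-action@<commit-sha>  # vX.Y.Z`. Separately, the `REGISTRY_UPDATE_STATUS` output captures the entire stdout of `update-oci-registry`, so any non-JSON line the tool prints breaks the `fromJson` calls in the `if` and `matrix` expressions of `sign-oci-artifacts`, and the redirect should be quoted as `>> "$GITHUB_OUTPUT"`. The final `run: cosign sign --yes ${{ matrix.value.repository.ref }}@${{ matrix.value.artifact.digest }}` interpolates matrix values straight into the shell script; passing them through `env:` and referencing `"$REF@$DIGEST"` keeps them out of shell parsing should the registry output ever carry unexpected content.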

26 changes: 23 additions & 3 deletions build/registry/cmd/registry/registry.go
Expand Up @@ -17,21 +17,36 @@ limitations under the License.
package main

import (
"bufio"
"context"
"fmt"
"os"

"github.com/spf13/cobra"

"github.com/falcosecurity/plugins/build/registry/internal/options"
"github.com/falcosecurity/plugins/build/registry/pkg/check"
"github.com/falcosecurity/plugins/build/registry/pkg/distribution"
"github.com/falcosecurity/plugins/build/registry/pkg/oci"
"github.com/falcosecurity/plugins/build/registry/pkg/table"
"github.com/spf13/cobra"
"os"
)

const (
defaultTableSubTag = "<!-- REGISTRY -->"
)

var (
out = bufio.NewWriter(os.Stdout)
)

func main() {
defer out.Flush()

opts := options.NewCommonOptions(
options.WithContext(context.Background()),
options.WithOutput(out),
)

checkCmd := &cobra.Command{
Use: "check <filename>",
Short: "Verify the correctness of a plugin registry YAML file",
Expand Down Expand Up @@ -72,7 +87,12 @@ func main() {
Args: cobra.ExactArgs(1),
DisableFlagsInUseLine: true,
RunE: func(c *cobra.Command, args []string) error {
return oci.DoUpdateOCIRegistry(context.Background(), args[0])
status, err := oci.DoUpdateOCIRegistry(opts.Context, args[0])
if err != nil {
return err
}

return oci.PrintUpdateStatus(status, opts.Output)
},
}

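Review bot: `defer out.Flush()` at the top of `main` discards the error returned by `Flush`, and a deferred call only runs when `main` returns normally; if the command execution later in `main` (outside this hunk) ends in `os.Exit`, the buffered status JSON is never written and the workflow's `fromJson` receives an empty output. Flush explicitly on the normal exit path and report failure, e.g. `if err := out.Flush(); err != nil { fmt.Fprintln(os.Stderr, err); os.Exit(1) }`, keeping the `defer` only as a fallback. In the second hunk, `oci.PrintUpdateStatus(status, opts.Output)` writes to that same buffered writer while the workflow parses stdout as JSON, so any other write to `os.Stdout` by the command (unbuffered, and therefore emitted out of order) would corrupt the payload; worth a comment on `out` stating that stdout is reserved for machine-readable output. The remainder of `main` is outside the hunks.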
7 changes: 4 additions & 3 deletions build/registry/go.mod
Expand Up @@ -9,6 +9,9 @@ require (
github.com/blang/semver v3.5.1+incompatible
github.com/falcosecurity/falcoctl v0.3.0-rc6
github.com/falcosecurity/plugin-sdk-go v0.7.1
github.com/onsi/ginkgo/v2 v2.1.6
github.com/onsi/gomega v1.20.1
github.com/pkg/errors v0.9.1
github.com/spf13/cobra v1.5.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
Expand Down Expand Up @@ -50,6 +53,7 @@ require (
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/gnostic v0.5.7-v3refs // indirect
github.com/google/go-cmp v0.5.8 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/uuid v1.2.0 // indirect
Expand All @@ -72,14 +76,11 @@ require (
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/onsi/ginkgo/v2 v2.1.6 // indirect
github.com/onsi/gomega v1.20.1 // indirect
github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220923150930-b76b3447c510 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
github.com/oras-project/artifacts-spec v1.0.0-rc.2 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/pterm/pterm v0.12.45 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
51 changes: 51 additions & 0 deletions build/registry/internal/options/options.go
@@ -0,0 +1,51 @@
/*
Copyright (C) 2022 The Falco Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package options

import (
"context"
"io"
)

type CommonOptions struct {
Output io.Writer
Context context.Context
}

type CommonOption func(opts *CommonOptions)

func NewCommonOptions(opts ...CommonOption) *CommonOptions {
o := &CommonOptions{}

for _, f := range opts {
f(o)
}

return o
}

func WithOutput(out io.Writer) CommonOption {
return func(opts *CommonOptions) {
opts.Output = out
}
}

func WithContext(ctx context.Context) CommonOption {
return func(opts *CommonOptions) {
opts.Context = ctx
}
}
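Review bot: `NewCommonOptions` returns a zero-valued `CommonOptions` when called with no options, so `Context` and `Output` are nil and the first `opts.Context` or `opts.Output` use in a caller panics; initialize safe defaults before applying the options, `o := &CommonOptions{Context: context.Background(), Output: io.Discard}`. The exported identifiers `CommonOptions`, `CommonOption`, `NewCommonOptions`, `WithOutput` and `WithContext` have no doc comments; each should get one starting with its name, e.g. `// CommonOptions holds the output writer and context shared by the registry subcommands.`. Storing a `context.Context` in a struct field is the pattern Go's own guidance discourages in favor of passing `ctx` as the first parameter; if the field is kept, a comment on it explaining that it is the process-wide root context rather than a per-call one would stop callers from treating it as cancellable per request.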