From b684c16201aa490ee09417e003c0809fd773f494 Mon Sep 17 00:00:00 2001
From: remcosnijders
Date: Tue, 26 Nov 2024 15:42:43 +0100
Subject: [PATCH] Software supply chain security feature cosign added and splitting of workflows
---
.github/workflows/cicd.yaml | 81 ------------------
.github/workflows/pull_request.yaml | 128 ++++++++++++++++++++++++++++
.github/workflows/push.yaml | 117 +++++++++++++++++++++++++
3 files changed, 245 insertions(+), 81 deletions(-)
delete mode 100644 .github/workflows/cicd.yaml
create mode 100644 .github/workflows/pull_request.yaml
create mode 100644 .github/workflows/push.yaml
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
deleted file mode 100644
index 67ac475..0000000
--- a/.github/workflows/cicd.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
-name: NPM Build and Push Docker Image
-
-on:
- push:
- branches:
- - 'feature/**'
- - 'bugfix/**'
- pull_request:
- branches:
- - development
- - 'rc/**'
- - 'hotfix/**'
- workflow_dispatch:
-
-env:
- GITHUB_REGISTRY: ghcr.io
- DOCKER_IMAGE_NAME:
- GITHUB_NAMESPACE: valtimo-cloud
-
-jobs:
- build:
- runs-on: ubuntu-latest
- outputs:
- tagToDeploy: ${{ steps.prep.outputs.image_tag }}
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Set up Node.js version
- uses: actions/setup-node@v2
- with:
- node-version: "16.x"
-
- - name: 'Generate unique docker tag to deploy'
- id: prep
- run: |
- branch=${GITHUB_REF##*/}
- sha=${GITHUB_SHA::8}
- ts=$(date +'%Y%m%d%H%M')
- echo "image_tag=${branch}-${ts}-${sha}" >> "$GITHUB_OUTPUT"
-
- - name: NPM install and build
- run: |
- npm install
- npm run build
-
- - name: Build artifacts
- run: ./gradlew build
-
- - name: Archive dist folder
- uses: actions/upload-artifact@v2
- with:
- name: valtimo-frontend-dist
- path: deployment/
-
- deploy:
- runs-on: ubuntu-latest
- needs: [build]
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Download dist artifact
- uses: actions/download-artifact@v2
- with:
- name: valtimo-frontend-dist
-
- - name: 'Login to github packages'
- uses: docker/login-action@v1
- with:
- registry: ${{ env.GITHUB_REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Build and push Docker image
- uses: docker/build-push-action@v2
- with:
- file: Dockerfile
- context: .
- push: true
- tags: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }}
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
new file mode 100644
index 0000000..3a78cff
--- /dev/null
+++ b/.github/workflows/pull_request.yaml
@@ -0,0 +1,128 @@
+name: NPM Build and Push Docker Image On PR
+
+on:
+ pull_request_target:
+ types:
+ - closed
+ branches:
+ - 'development'
+ - 'rc/**'
+ - 'hotfix/**'
+ workflow_dispatch:
+
+env:
+ GITHUB_REGISTRY: ghcr.io
+ DOCKER_IMAGE_NAME:
+ GITHUB_NAMESPACE: valtimo-cloud
+
+jobs:
+ if_merged:
+ if: github.event.pull_request.merged == true
+ runs-on: ubuntu-latest
+ steps:
+ - run: |
+ echo "The PR was merged"
+
+ build:
+ runs-on: ubuntu-latest
+ needs: [ if_merged ]
+ outputs:
+ tagToDeploy: ${{ steps.prep.outputs.image_tag }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Node.js version
+ uses: actions/setup-node@v2
+ with:
+ node-version: "16.x"
+
+ - name: 'Generate unique docker tag to deploy'
+ id: prep
+ run: |
+ branch=${GITHUB_REF##*/}
+ sha=${GITHUB_SHA::8}
+ ts=$(date +'%Y%m%d%H%M')
+ echo "image_tag=${branch}-${ts}-${sha}" >> "$GITHUB_OUTPUT"
+
+ - name: NPM install and build
+ run: |
+ npm install
+ npm run build
+
+ - name: Build artifacts
+ run: ./gradlew build
+
+ - name: Archive dist folder
+ uses: actions/upload-artifact@v4
+ with:
+ name: valtimo-frontend-dist
+ path: deployment/
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: [build]
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3.5.2
+ with:
+ fetch-depth: 1
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.5.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2.1.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2.5.0
+
+ - name: Download dist artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: valtimo-frontend-dist
+
+ - name: 'Login to github packages'
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ env.GITHUB_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - id: docker_meta
+ uses: docker/metadata-action@v4.4.0
+ with:
+ images: ${{ env.GITHUB_REGISTRY }}/${{ 
env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}
+ tags: type=raw,value=${{ needs.build.outputs.tagToDeploy }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v4.0.0
+ id: build-and-push
+ with:
+ file: Dockerfile
+ context: .
+ push: true
+ tags: ${{ steps.docker_meta.outputs.tags }}
+
+ - name: Sign the images with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ TAGS: ${{ steps.docker_meta.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
+
+ - name: Verify the images
+ run: |
+ branch=${GITHUB_REF##*/}
+ cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} \
+ --certificate-identity https://github.com/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}/.github/workflows/cicd.yaml@refs/heads/${branch} \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
+
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
new file mode 100644
index 0000000..c60bc5e
--- /dev/null
+++ b/.github/workflows/push.yaml
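Review bot: The `--certificate-identity` in the verify step still names `.github/workflows/cicd.yaml`, the file this patch deletes; the keyless signature is now issued from pull_request.yaml (and from push.yaml in the next hunk), so the certificate's workflow identity will carry that file name and `cosign verify` will reject the images this very job just signed. The identity's ref is also built with `branch=${GITHUB_REF##*/}`, which keeps only the text after the last slash, so for the `rc/**` and `hotfix/**` branches this workflow triggers on it can never equal `refs/heads/rc/<x>` (the same expansion in the `prep` step is harmless for the image tag, where a slash would be invalid anyway). Derive the identity from the run's own context instead, `--certificate-identity "https://github.com/${{ github.workflow_ref }}"`, which already carries repository, workflow file and full ref for a workflow that is not called as a reusable one; the current path additionally assumes the repository is named after `DOCKER_IMAGE_NAME`, which is left empty under `env`. Since this workflow runs on `pull_request_target`, which exposes secrets and a write-capable token, a top-level `permissions: { contents: read }` so that only `deploy` opts into `packages: write` and `id-token: write` would also keep the `build` job at least privilege.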
@@ -0,0 +1,117 @@
+name: NPM Build and Push Docker Image On Push
+
+on:
+ push:
+ branches:
+ - 'feature/**'
+ - 'bugfix/**'
+ workflow_dispatch:
+
+env:
+ GITHUB_REGISTRY: ghcr.io
+ DOCKER_IMAGE_NAME:
+ GITHUB_NAMESPACE: valtimo-cloud
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ tagToDeploy: ${{ steps.prep.outputs.image_tag }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Node.js version
+ uses: actions/setup-node@v2
+ with:
+ node-version: "16.x"
+
+ - name: 'Generate unique docker tag to deploy'
+ id: prep
+ run: |
+ branch=${GITHUB_REF##*/}
+ sha=${GITHUB_SHA::8}
+ ts=$(date +'%Y%m%d%H%M')
+ echo "image_tag=${branch}-${ts}-${sha}" >> "$GITHUB_OUTPUT"
+
+ - name: NPM install and build
+ run: |
+ npm install
+ npm run build
+
+ - name: Build artifacts
+ run: ./gradlew build
+
+ - name: Archive dist folder
+ uses: actions/upload-artifact@v4
+ with:
+ name: valtimo-frontend-dist
+ path: deployment/
+
+ deploy:
+ runs-on: ubuntu-latest
+ needs: [build]
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3.5.2
+ with:
+ fetch-depth: 1
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.5.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2.1.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2.5.0
+
+ - name: Download dist artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: valtimo-frontend-dist
+
+ - name: 'Login to github packages'
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ env.GITHUB_REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - id: docker_meta
+ uses: docker/metadata-action@v4.4.0
+ with:
+ images: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}
+ tags: type=raw,value=${{ needs.build.outputs.tagToDeploy }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v4.0.0
+ id: build-and-push
+ with:
+ file: Dockerfile
+ context: .
+ push: true
+ tags: ${{ steps.docker_meta.outputs.tags }}
+
+ - name: Sign the images with GitHub OIDC Token
+ env:
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ TAGS: ${{ steps.docker_meta.outputs.tags }}
+ run: |
+ images=""
+ for tag in ${TAGS}; do
+ images+="${tag}@${DIGEST} "
+ done
+ cosign sign --yes ${images}
+
+ - name: Verify the images
+ run: |
+ branch=${GITHUB_REF##*/}
+ cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ needs.build.outputs.tagToDeploy }} \
+ --certificate-identity https://github.com/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}/.github/workflows/cicd.yaml@refs/heads/${branch} \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
+
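Review bot: The verify step's `run` block has no `shell:` key, so it executes under GitHub's default `bash -e` without `pipefail`, and the exit status of `cosign verify ... | jq` is jq's rather than cosign's; a verification failure is therefore masked and the job stays green, which defeats the purpose of the step. Add `shell: bash` to the step (GitHub then runs it with `-eo pipefail`) or make `set -o pipefail` its first line, and do the same in pull_request.yaml above. The step also verifies the mutable tag rather than what the sign step actually signed; `cosign verify ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_NAMESPACE }}/${{ env.DOCKER_IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}` pins the check to the pushed digest. For a commit titled as a supply-chain hardening change, every `uses:` in both new files still references a mutable tag (`actions/checkout@v3`, `actions/setup-node@v2`, `docker/login-action@v1`, `sigstore/cosign-installer@v3.5.0`, ...); pinning each to a full commit SHA with the tag in a trailing comment is the control that keeps the signing toolchain itself trustworthy, and `npm install` in the build job should become `npm ci` if the repository carries a lockfile so the image being signed is built from the locked dependency set.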