ci: Ensure SLSA Lvl 3 #904
base: main
Conversation
Codecov Report: all modified and coverable lines are covered by tests.
Coverage diff between main and #904 (no change):
              main     #904
Coverage    70.53%   70.53%
Files           30       30
Lines         2559     2559
Hits          1805     1805
Misses         584      584
Partials       170      170
Flags with carried forward coverage won't be shown.
Force-pushed from 7a8109e to 30fba55.
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
.github/workflows/sign-image.yml
Outdated
|
||
cosign verify \ | ||
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller*" \ |
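Review bot: the `--certificate-identity-regexp` line is both unanchored and loosely written: cosign matches this flag with Go's regexp matching, which is unanchored, so the pattern accepts any subject identity that merely contains the prefix; `kubewarden-controller*` makes only the final `r` repeatable rather than acting as a glob; and the `.` characters are unescaped. The workflow knows the exact identity it expects, so use the exact form instead, e.g. `--certificate-identity=https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/sign-image.yml@${{ github.ref }}` (assumption: the signature was produced in this same workflow; if signing runs in a reusable workflow, the certificate's subject names the calling workflow). If a regexp must stay, anchor it with `^` and `$` and escape the dots.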
Please fully qualify the identity as per this comment.
Applied.
README.md
Outdated
[release assets](https://github.com/kubewarden/kubewarden-controller/releases) | ||
```shell | ||
cosign verify-blob --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity-regexp="https://github.com/kubewarden/kubewarden-controller*" \ |
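Review bot: the README example on the `--certificate-identity-regexp` line should show users the exact identity a release signature carries rather than a prefix regexp: as written it is unanchored, treats `.` as any character and accepts a signature from any workflow in the repository, including branch and pull-request runs, so a user copying it verifies less than they think. Document `--certificate-identity=https://github.com/kubewarden/kubewarden-controller/.github/workflows/<release-workflow>.yml@refs/tags/<tag>` with the tag being verified, where `<release-workflow>` is a placeholder for the workflow that signed the release assets (not visible in this hunk).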
This example needs to be fully qualified, otherwise users may be checking against the wrong identity.
Applied.
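The point of the thread above (a prefix regexp verifies less than a fully qualified identity) can be shown concretely. The following is an added example and not code from the kubewarden-controller PR: it models cosign's `--certificate-identity-regexp` check with Python's `re.search` (assumption: cosign's Go regexp matching is unanchored, and `re.search` behaves the same for these plain patterns), compares it with the exact `--certificate-identity` check, and runs both over constructed sample subject identities. The `attestation.yml` path comes from the PR; the tag `v1.18.0` and the sibling repository names are constructed for illustration.

```python
import re

# Added example (not code from the kubewarden-controller PR). It models how cosign
# matches --certificate-identity-regexp against the certificate's subject identity:
# cosign uses Go's regexp matching, which is unanchored, and Python's re.search
# behaves the same way for the plain patterns used here (assumption: no syntax that
# differs between RE2 and Python's re).

# The prefix pattern from the PR's original README example.
LOOSE_PATTERN = r"https://github.com/kubewarden/kubewarden-controller*"

# A fully qualified identity: repository, workflow file and the ref the run was
# triggered on. The tag value is constructed for this example.
EXACT_IDENTITY = (
    "https://github.com/kubewarden/kubewarden-controller"
    "/.github/workflows/attestation.yml@refs/tags/v1.18.0"
)

# If a regexp is really needed (e.g. to accept any release tag), anchor it and
# escape the dots so it cannot match more than intended.
ANCHORED_PATTERN = (
    r"^https://github\.com/kubewarden/kubewarden-controller"
    r"/\.github/workflows/attestation\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$"
)

# Constructed sample subject identities, shaped like the ones Fulcio puts in the
# certificate SAN for GitHub Actions runs. Only the first is the release run.
CANDIDATES = [
    "https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@refs/tags/v1.18.0",
    "https://github.com/kubewarden/kubewarden-controller/.github/workflows/attestation.yml@refs/heads/main",
    "https://github.com/kubewarden/kubewarden-controller/.github/workflows/ci.yml@refs/pull/123/merge",
    "https://github.com/kubewarden/kubewarden-controller-sandbox/.github/workflows/release.yml@refs/tags/v0.1.0",
    "https://github.com/kubewarden/kubewarden-controlle/.github/workflows/release.yml@refs/tags/v0.1.0",
]


def matches_regexp(pattern: str, identity: str) -> bool:
    """Unanchored match, like cosign's --certificate-identity-regexp."""
    return re.search(pattern, identity) is not None


def matches_exact(expected: str, identity: str) -> bool:
    """Exact string comparison, like cosign's --certificate-identity."""
    return identity == expected


def evaluate(identity: str) -> dict:
    """Report which of the three checks would accept this identity."""
    return {
        "loose_regexp": matches_regexp(LOOSE_PATTERN, identity),
        "anchored_regexp": matches_regexp(ANCHORED_PATTERN, identity),
        "exact": matches_exact(EXACT_IDENTITY, identity),
    }


if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(candidate)
        for check, accepted in evaluate(candidate).items():
            print(f"  {check:16} {'ACCEPT' if accepted else 'reject'}")
```

Running it shows the loose pattern accepting all five identities, including the branch build, the pull-request build, a sibling repository whose name shares the prefix, and even a repository named `kubewarden-controlle` (the trailing `*` makes the last `r` optional), while the exact identity and the anchored pattern accept only the release run.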
README.md
Outdated
|
||
```shell | ||
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity-regexp="https://github.com/kubewarden/kubewarden-controller*" \ |
ditto
Applied.
README.md
Outdated
} | ||
|
||
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity-regexp="https://github.com/kubewarden/kubewarden-controller*" \ |
Ditto
Applied.
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Force-pushed from efac9fe to fe1f8c1.
Some minor suggestions for consideration.
Applied suggestions and rebased, as it was easier to keep the Co-authored-by. Sorry for the inconvenience.
.github/workflows/attestation.yml
Outdated
- name: Sign attestation manifest | ||
run: | | ||
cosign sign --yes \ | ||
ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} | ||
|
||
cosign verify \ | ||
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \ | ||
ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} |
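Review bot: the value on the `--certificate-identity-regexp` line of the verify step is already an exact identity, so pass it through `--certificate-identity` instead; under regexp matching the unescaped `.` in `.github` and `attestation.yml` match any character and the pattern is unanchored, which makes the check looser than intended for no gain. The same applies wherever this verify pattern is repeated in the workflow.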
I've removed this signing from the audit-scanner and policy-server PR as suggested by @pjbgf
Done!
.github/workflows/attestation.yml
Outdated
- name: Sign SBOM layer | ||
run: | | ||
cosign sign --yes \ | ||
ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.SBOM_DIGEST}} | ||
|
||
- name: Verify SBOM layer | ||
run: | | ||
cosign verify \ | ||
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | ||
--certificate-identity-regexp="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/attestation.yml@${{ github.ref }}" \ | ||
ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.SBOM_DIGEST}} |
I've removed this signing from the audit-scanner and policy-server PR as suggested by @pjbgf
Done!
- name: Sign container image | ||
run: | |
I think you need to run this step only if the container image is pushed to the repository. See the previous step building the container image. It has this `if` as well.
- name: Sign container image | |
run: | | |
- name: Sign container image | |
if: ${{ inputs.push-image }} | |
run: | |
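Review bot: the suggested `if: ${{ inputs.push-image }}` guard is the right fix: signing only makes sense once the image digest exists in the registry, and without the guard a build-only run would try to sign (and record in the transparency log) a digest that was never pushed. Make sure the job carrying this step also grants `id-token: write` (required for keyless `cosign sign`) and `packages: write` (the signature is pushed to the same ghcr.io repository); those permissions are not visible in this hunk.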
Done!
Force-pushed from fe709c7 to c79fc29.
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Co-authored-by: José Guilherme Vanz <[email protected]>

Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Co-authored-by: José Guilherme Vanz <[email protected]>

Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Co-authored-by: José Guilherme Vanz <[email protected]>

Signed-off-by: Víctor Cuadrado Juan <[email protected]>

Co-authored-by: John Krug <[email protected]>
Signed-off-by: Víctor Cuadrado Juan <[email protected]>

Signed-off-by: Víctor Cuadrado Juan <[email protected]>

Signed-off-by: Víctor Cuadrado Juan <[email protected]>

We are not making use of a regexp anymore and provide fully qualified identities.
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Description
Fix #898.
Adapted the work already done by @jvanz from kubewarden/audit-scanner#387 (hence, set @jvanz as Co-authored-by).
Test
Tested by tagging on my fork as v1.18.0-viccuad. See:
https://github.com/viccuad/kubewarden-controller/actions/runs/11294623076 (release only fails in the last bot PR step)
https://github.com/viccuad/kubewarden-controller/releases/tag/v1.18.0-viccuad7
Additional Information
Tradeoff
Potential improvement