From c3c12f195022fed5b024d1c014e36f3370119723 Mon Sep 17 00:00:00 2001 From: Abir Majumdar Date: Wed, 27 Oct 2021 15:35:18 -0400 Subject: [PATCH 01/13] Adding pmd --- code-scanning/pmd.yml | 58 ++++++++++++++++++++ code-scanning/properties/pmd.properties.json | 19 +++++++ 2 files changed, 77 insertions(+) create mode 100644 code-scanning/pmd.yml create mode 100644 code-scanning/properties/pmd.properties.json diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml new file mode 100644 index 0000000..69596a4 --- /dev/null +++ b/code-scanning/pmd.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: pmd + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + mobile-security: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Setup python + uses: actions/setup-python@v2 + with: + python-version: 3.8 + + - name: Run Full PMD Analysis on Apex Code + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + id: pmd-full-analysis + uses: abirismyname/pmd@master + with: + analyse-all-code: 'true' + pmd-version: 'latest' + file-path: './src' + rules-path: 'rulesets/apex/quickstart.xml' + + # - name: Run Full PMD Analysis on Java Code + # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' + # id: pmd-full-analysis + # uses: abirismyname/pmd@master + # with: + # analyse-all-code: 'true' + # pmd-version: 'latest' + # file-path: './src' + # rules-path: 'rulesets/java/quickstart.xml' + + - name: Upload pmdscan report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-output.sarif + + - name: No PMD Errors? + run: | + if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} + then + exit 3 + fi diff --git a/code-scanning/properties/pmd.properties.json b/code-scanning/properties/pmd.properties.json new file mode 100644 index 0000000..8608022 --- /dev/null +++ b/code-scanning/properties/pmd.properties.json @@ -0,0 +1,19 @@ +{ + "name": "pmd", + "creator": "pmd", + "description": "PMD is a static source code analyzer. It finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It supports Java, JavaScript, Salesforce.com Apex and Visualforce, Modelica, PLSQL, Apache Velocity, XML, XSL, Scala.", + "iconName": "pmd", + "categories": [ + "Code Scanning", + "Java", + "JavaScript", + "Apex", + "Modelica", + "PLSQL", + "Apache Velocity", + "XML", + "XSl", + "Scala", + "Apex" + ] +} \ No newline at end of file From 499e38bc3ee1fea3ced5760aa8d1668e781b768e Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 20:35:15 +0530 Subject: [PATCH 02/13] Added starter workflow to help you get started with APIsec-Scan Actions. --- code-scanning/apisec-scan.yml | 63 +++++++++++++++++++ .../properties/apisec-scan.properties.json | 24 +++++++ icons/apisec.svg | 17 +++++ 3 files changed, 104 insertions(+) create mode 100644 code-scanning/apisec-scan.yml create mode 100644 code-scanning/properties/apisec-scan.properties.json create mode 100644 icons/apisec.svg diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml new file mode 100644 index 0000000..55356ad --- /dev/null +++ b/code-scanning/apisec-scan.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. + +# How to Get Started with APIsec.ai +# 1. Schedule a demo at https://www.apisec.ai/request-a-demo . +# +# 2. Register your account at https://cloud.fxlabs.io/#/signup . +# +# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +# +# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +# +# apisec-run-scan +# +# This action triggers the on-demand scans for projects registered in APIsec. +# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings. +# Else you can view the scan results from the project home page in APIsec Platform. +# The link to view the scan results is also displayed on the console on successful completion of action. + +# This is a starter workflow to help you get started with APIsec-Scan Actions + +name: APIsec + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the $default-branch branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ $default-branch ] + pull_request: + branches: [ $default-branch ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +jobs: + Trigger-APIsec-Scan: + runs-on: ubuntu-latest + + steps: + - name: APIsec Scan + uses: apisec-inc/apisec-run-scan@master + with: + # The APIsec username with which the scans will be executed + apisec-username: ${{ secrets.apisec_username }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: ${{ secrets.apisec_password}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./apisec-results.sarif \ No newline at end of file diff --git a/code-scanning/properties/apisec-scan.properties.json b/code-scanning/properties/apisec-scan.properties.json new file mode 100644 index 0000000..9e7db58 --- /dev/null +++ b/code-scanning/properties/apisec-scan.properties.json @@ -0,0 +1,24 @@ +{ + "name": "APIsec Scan", + "creator": "APIsec", + "description": "APIsec addresses the critical need to secure APIs before they reach production. APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.", + "iconName": "apisec", + "categories": [ + "Code Scanning", + "C", + "C#", + "C++", + "Go", + "Java", + "JavaScript", + "Kotlin", + "Objective C", + "PHP", + "Python", + "Ruby", + "Rust", + "Scala", + "Swift", + "TypeScript" + ] +} diff --git a/icons/apisec.svg b/icons/apisec.svg new file mode 100644 index 0000000..664dfa9 --- /dev/null +++ b/icons/apisec.svg @@ -0,0 +1,17 @@ + + + Group + + + + \ No newline at end of file From 6439d558f42430c1a7e94c9ca7aa587dcbe8d1ed Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Mon, 22 Nov 2021 21:14:54 +0530 Subject: [PATCH 03/13] Updated the names as per the pull request checklist. --- code-scanning/apisec-scan.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 55356ad..67937ac 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -32,21 +32,23 @@ on: # Triggers the workflow on push or pull request events but only for the $default-branch branch # Customize trigger events based on your DevSecOps processes. push: - branches: [ $default-branch ] + branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] + schedule: + - cron: $cron-weekly # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: - Trigger-APIsec-Scan: + Trigger APIsec scan: runs-on: ubuntu-latest steps: - - name: APIsec Scan - uses: apisec-inc/apisec-run-scan@master + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993 with: # The APIsec username with which the scans will be executed apisec-username: ${{ secrets.apisec_username }} @@ -57,7 +59,7 @@ jobs: # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import Results + - name: Import results uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ./apisec-results.sarif \ No newline at end of file From 3f39a5a76b03f05e551caec5165369544e4bf35f Mon Sep 17 00:00:00 2001 From: abdul-hai-apisec Date: Wed, 1 Dec 2021 13:27:02 +0530 Subject: [PATCH 04/13] Removed the unwanted space in actions file. Updated the logo to have only the shield portion. --- code-scanning/apisec-scan.yml | 1 - icons/apisec.svg | 16 ++++------------ 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/code-scanning/apisec-scan.yml b/code-scanning/apisec-scan.yml index 67937ac..3aa06ca 100644 --- a/code-scanning/apisec-scan.yml +++ b/code-scanning/apisec-scan.yml @@ -58,7 +58,6 @@ jobs: apisec-project: "VAmPI" # The name of the sarif format result file The file is written only if this property is provided. sarif-result-file: "apisec-results.sarif" - - name: Import results uses: github/codeql-action/upload-sarif@v1 with: diff --git a/icons/apisec.svg b/icons/apisec.svg index 664dfa9..8b2760b 100644 --- a/icons/apisec.svg +++ b/icons/apisec.svg @@ -1,17 +1,9 @@ - - Group + + Fill 11 - \ No newline at end of file From 4238ac653e5124c1e1f118cc0b0bd428b8973953 Mon Sep 17 00:00:00 2001 From: Myles Borins Date: Wed, 1 Dec 2021 14:38:35 -0500 Subject: [PATCH 05/13] chore: split npm publish into 2 workflows (#1281) Currently we suggest that folks dual publish to both npm + gpr. There are a large number of edge cases related to doing this and IMHO it is not the best practice. Let's make two separate workflows. --- ci/npm-publish-github-packages.yml | 36 +++++++++++++++++++ ci/npm-publish.yml | 21 ++--------- ...pm-publish-github-packages.properties.json | 6 ++++ ci/properties/npm-publish.properties.json | 2 +- 4 files changed, 45 insertions(+), 20 deletions(-) create mode 100644 ci/npm-publish-github-packages.yml create mode 100644 ci/properties/npm-publish-github-packages.properties.json diff --git a/ci/npm-publish-github-packages.yml b/ci/npm-publish-github-packages.yml new file mode 100644 index 0000000..09ff0b3 --- /dev/null +++ b/ci/npm-publish-github-packages.yml @@ -0,0 +1,36 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-node@v2 + with: + node-version: 16 + registry-url: $registry-url(npm) + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/npm-publish.yml b/ci/npm-publish.yml index 025976d..ef8c690 100644 --- a/ci/npm-publish.yml +++ b/ci/npm-publish.yml @@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 - run: npm ci - run: npm test @@ -25,26 +25,9 @@ jobs: - uses: actions/checkout@v2 - uses: actions/setup-node@v2 with: - node-version: 14 + node-version: 16 registry-url: https://registry.npmjs.org/ - run: npm ci - run: npm publish env: NODE_AUTH_TOKEN: ${{secrets.npm_token}} - - publish-gpr: - needs: build - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 - with: - node-version: 14 - registry-url: $registry-url(npm) - - run: npm ci - - run: npm publish - env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/ci/properties/npm-publish-github-packages.properties.json b/ci/properties/npm-publish-github-packages.properties.json new file mode 100644 index 0000000..180b73a --- /dev/null +++ b/ci/properties/npm-publish-github-packages.properties.json @@ -0,0 +1,6 @@ +{ + "name": "Publish Node.js Package to GitHub Packages", + "description": "Publishes a Node.js package to GitHub Packages.", + "iconName": "node-package-transparent", + "categories": ["Continuous integration", "JavaScript", "npm"] +} diff --git a/ci/properties/npm-publish.properties.json b/ci/properties/npm-publish.properties.json index 9371d7b..cc2c707 100644 --- a/ci/properties/npm-publish.properties.json +++ b/ci/properties/npm-publish.properties.json @@ -1,6 +1,6 @@ { "name": "Publish Node.js Package", - "description": "Publishes a Node.js package to npm and GitHub Packages.", + "description": "Publishes a Node.js package to npm.", "iconName": "node-package-transparent", "categories": ["Continuous integration", "JavaScript", "npm"] } From ce771c75d8e1fe4b0075873cdcfb9b55117af9d9 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 15:50:22 -0500 Subject: [PATCH 06/13] Referencing new official PMD github action --- code-scanning/pmd.yml | 52 ++++++++++++++----------------------------- 1 file changed, 17 insertions(+), 35 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 69596a4..8689961 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -14,45 +14,27 @@ on: - cron: $cron-weekly jobs: - mobile-security: + pmd-code-scan: runs-on: ubuntu-latest - steps: - uses: actions/checkout@v2 - - - name: Setup python - uses: actions/setup-python@v2 + - name: Set up JDK 11 + uses: actions/setup-java@v2 with: - python-version: 3.8 - - - name: Run Full PMD Analysis on Apex Code - if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - id: pmd-full-analysis - uses: abirismyname/pmd@master + java-version: '11' + distribution: 'adopt' + cache: maven + - name: Run PMD + id: pmd + uses: pmd/pmd-github-action@v1 with: - analyse-all-code: 'true' - pmd-version: 'latest' - file-path: './src' - rules-path: 'rulesets/apex/quickstart.xml' - - # - name: Run Full PMD Analysis on Java Code - # if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - # id: pmd-full-analysis - # uses: abirismyname/pmd@master - # with: - # analyse-all-code: 'true' - # pmd-version: 'latest' - # file-path: './src' - # rules-path: 'rulesets/java/quickstart.xml' - - - name: Upload pmdscan report + rulesets: 'rulesets/java/quickstart.xml' + sourcePath: 'src/main/java' + - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: pmd-output.sarif - - - name: No PMD Errors? - run: | - if ${{ steps.pmd-full-analysis.outputs.error-found }} ${{ steps.pmd-partial-analysis.outputs.error-found }} - then - exit 3 - fi + sarif_file: pmd-report.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: pmd-report.sarif \ No newline at end of file From d2bba6f2d932e0692a43de925bef2c57274303c8 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 16:03:49 -0500 Subject: [PATCH 07/13] Adding icon --- icons/pmd.svg | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 icons/pmd.svg diff --git a/icons/pmd.svg b/icons/pmd.svg new file mode 100644 index 0000000..c0b3415 --- /dev/null +++ b/icons/pmd.svg @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file From 435b265ae0e53ff80428fe76b33752eb76074cac Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Wed, 1 Dec 2021 17:02:40 -0500 Subject: [PATCH 08/13] Removing dupe --- code-scanning/pmd.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index 8689961..c876da5 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -34,7 +34,3 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: pmd-report.sarif - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: pmd-report.sarif \ No newline at end of file From 9920cac8e993e7080faf048ed69586c2e5aa8103 Mon Sep 17 00:00:00 2001 From: Marcel Wagner Date: Thu, 2 Dec 2021 04:51:29 +0100 Subject: [PATCH 09/13] Update text flow for cmake comment (#1054) --- ci/cmake.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ci/cmake.yml b/ci/cmake.yml index 1634140..6c858b9 100644 --- a/ci/cmake.yml +++ b/ci/cmake.yml @@ -12,9 +12,8 @@ env: jobs: build: - # The CMake configure and build commands are platform agnostic and should work equally - # well on Windows or Mac. You can convert this to a matrix build if you need - # cross-platform coverage. + # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac. + # You can convert this to a matrix build if you need cross-platform coverage. # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix runs-on: ubuntu-latest From f7b1f1515d467adea6cbb6ea0b0b419c69a3ef7b Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 2 Dec 2021 15:22:55 -0700 Subject: [PATCH 10/13] Use `gradle-build-action` in starter workflows (#1237) The `gradle-build-action` provides enhanced execution and caching functionality for Gradle. This change updates starter workflows to use `v2.0.0` of `gradle-build-action`. Improvements over invoking Gradle directly include: - Easier to run the workflow with a particular Gradle version - More sophisticated and more efficient caching of Gradle User Home between invocations - Detailed reporting of cache usage and cache configuration options - Automatic capture of Build Scan links Co-authored-by: Josh Gross --- ci/gradle-publish.yml | 12 ++++++++++-- ci/gradle.yml | 11 +++++++---- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index a74a1ce..f24c004 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a package using Gradle and then publish it to GitHub packages when a release is created # For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-gradle @@ -26,12 +30,16 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Build with Gradle - run: gradle build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build # The USERNAME and TOKEN need to correspond to the credentials environment variables used in # the publishing section of your build.gradle - name: Publish to GitHub Packages - run: gradle publish + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: publish env: USERNAME: ${{ github.actor }} TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/ci/gradle.yml b/ci/gradle.yml index 5ecabba..b83458c 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -1,3 +1,7 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. # This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-gradle @@ -21,8 +25,7 @@ jobs: with: java-version: '11' distribution: 'adopt' - cache: gradle - - name: Grant execute permission for gradlew - run: chmod +x gradlew - name: Build with Gradle - run: ./gradlew build + uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + with: + arguments: build From 649bca8dab3f93f2fa14671d79d813ef6d5e2c73 Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 10:33:18 -0500 Subject: [PATCH 11/13] Updating logo and adding sha to workflow --- code-scanning/pmd.yml | 2 +- icons/pmd.svg | 79 +++++++++++++++++++++++++++++++++++++++---- 2 files changed, 73 insertions(+), 8 deletions(-) diff --git a/code-scanning/pmd.yml b/code-scanning/pmd.yml index c876da5..7920c88 100644 --- a/code-scanning/pmd.yml +++ b/code-scanning/pmd.yml @@ -26,7 +26,7 @@ jobs: cache: maven - name: Run PMD id: pmd - uses: pmd/pmd-github-action@v1 + uses: pmd/pmd-github-action@7ed79622882840855e297f090460face22328ece with: rulesets: 'rulesets/java/quickstart.xml' sourcePath: 'src/main/java' diff --git a/icons/pmd.svg b/icons/pmd.svg index c0b3415..bc1cb58 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,8 +1,73 @@ - - - - - - + +image/svg+xml + + + + + - \ No newline at end of file + From 4e6641ed7425cb2c2e9beb20339a03b9955d286d Mon Sep 17 00:00:00 2001 From: Abir Majumdar <83433840+abirismyname@users.noreply.github.com> Date: Fri, 3 Dec 2021 13:19:43 -0500 Subject: [PATCH 12/13] Updating pmd logo --- icons/pmd.svg | 72 +++++++++++++++++---------------------------------- 1 file changed, 24 insertions(+), 48 deletions(-) diff --git a/icons/pmd.svg b/icons/pmd.svg index bc1cb58..61f1842 100644 --- a/icons/pmd.svg +++ b/icons/pmd.svg @@ -1,72 +1,48 @@ image/svg+xml + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> From 60d206d0900a9e3b4de3779cb2f5277c6304c887 Mon Sep 17 00:00:00 2001 From: Matt Moore Date: Mon, 6 Dec 2021 09:05:19 -0800 Subject: [PATCH 13/13] Have the starter `docker-publish` action sign digests. (#1255) * Have the starter `docker-publish` action sign digests. This change installs `sigstore/cosign` using the `cosign-installer` action, and uses sigstore's "keyless" signing process to sign the resulting image digest using the action's identity token (see: `id-token: write`). Signed-off-by: Matt Moore * Fully qualify the digest, add setup-buildx-action as workaround * Drop --force, add public repo check * Use built-in 'private' bit --- ci/docker-publish.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml index ab266ef..3b55fce 100644 --- a/ci/docker-publish.yml +++ b/ci/docker-publish.yml @@ -29,11 +29,24 @@ jobs: permissions: contents: read packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write steps: - name: Checkout repository uses: actions/checkout@v2 + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@1e95c1de343b5b0c23352d6417ee3e48d5bcd422 + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} @@ -55,9 +68,26 @@ jobs: # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image + id: build-and-push uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + # Sign the resulting Docker image digest except on PRs and private repos + # The keyless signing process records signatures on the Rekor public + # transparency log, so signing is disabled for private repos by default + # to avoid leaking private data. If you wish to sign things anyways, + # then this check can be removed and --force can be added to the cosign + # command below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' && !github.event.repository.private }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance, and records it to the + # sigstore community Rekor transparency log. + run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}