Extend the release action to sign the docker image and binary files with cosign (#781)
* Extend the release action to sign the docker image and binary files with cosign * Fix lint warnings * Fix the lint warnings * Fix the lint warnings
parent
7d539ed494
commit
26f10e0a7a
6 changed files with 68 additions and 17 deletions
50
.github/workflows/release.yml
vendored
@ -18,14 +18,39 @@ jobs:
uses: actions/setup-go@v2
uses: actions/setup-go@v2
with:
with:
go-version: 1.17
go-version: 1.17
- name : Get release version
- name: Install Cosign
id: get_version
uses: sigstore/cosign-installer@main
run: echo ::set-env name=RELEASE_VERSION::$(echo ${GITHUB_REF:10})
with:
cosign-release: 'v1.5.2'
- name: Store Cosign private key in a file
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{secrets.DOCKER_USERNAME}}
password: ${{secrets.DOCKER_PASSWORD}}
- name: Generate SBOM
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@v1
uses: CycloneDX/gh-gomod-generate-sbom@v1
with:
with:
version: v1
version: v1
args: mod -licenses -json -output bom.json
args: mod -licenses -json -output bom.json
- name: Docker meta
uses: docker/metadata-action@v3
id: meta
with:
images: securego/gosec
flavor: |
latest=true
tags: |
type=sha,format=long
type=semver,pattern={{version}}
- name: Release Binaries
- name: Release Binaries
uses: goreleaser/goreleaser-action@v2
uses: goreleaser/goreleaser-action@v2
with:
with:
@ -33,12 +58,17 @@ jobs:
args: release --rm-dist
args: release --rm-dist
env:
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Release Docker Image
- name: Release Docker Image
uses: elgohr/Publish-Docker-Github-Action@master
uses: docker/build-push-action@v2
with:
with:
name: securego/gosec
platforms: linux/amd64,linux/arm/v7,linux/arm64
username: ${{ secrets.DOCKER_USERNAME }}
tags: ${{steps.meta.outputs.tags}}
password: ${{ secrets.DOCKER_PASSWORD }}
labels: ${{steps.meta.outputs.labels}}
buildargs: GO_VERSION=1.17
push: true
tags: "latest,${{ env.RELEASE_VERSION }}"
build-args: GO_VERSION=1.17
tag_names: true
- name: Sign Docker Image
run: cosign sign -key /tmp/cosign.key ${TAGS}
env:
TAGS: ${{steps.meta.outputs.tags}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
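Review bot: The `uses: sigstore/cosign-installer@main` line in the Install Cosign step fetches the tool that signs the release from a mutable branch, while the other actions in this hunk are pinned to tags; pin it to a release tag or a full commit SHA so a change on that branch cannot alter what performs the signing. The Sign Docker Image step signs `${TAGS}` taken from `steps.meta.outputs.tags`, which are mutable references; signing the immutable digest reported by the build step is more robust, e.g. give the build step `id: build` and run `cosign sign -key /tmp/cosign.key securego/gosec@${{ steps.build.outputs.digest }}`. The private key written to `/tmp/cosign.key` stays on the runner for the rest of the job (the goreleaser `signs` hunk in this commit also reads it); a final step with `if: always()` that removes the file would bound its lifetime to the signing steps.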
@ -21,3 +21,10 @@ builds:
ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}}
ldflags: -X main.Version={{.Version}} -X main.GitTag={{.Tag}} -X main.BuildDate={{.Date}}
env:
env:
- CGO_ENABLED=0
- CGO_ENABLED=0
signs:
- cmd: cosign
stdin: '{{ .Env.COSIGN_PASSWORD}}'
args: ["sign-blob", "--key=/tmp/cosign.key", "--output=${signature}", "${artifact}"]
artifacts: all
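Review bot: The `--key=/tmp/cosign.key` argument in the new `signs` block depends on a file that a step in `.github/workflows/release.yml` writes before goreleaser runs, a coupling that is invisible from this config; a comment above `signs:` such as `# private key is written to /tmp/cosign.key by the release workflow before goreleaser runs` would record it. `artifacts: all` also produces a signature for the checksum file, not only for the archives the README verification example covers; worth stating in the README so users know what else can be verified.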
13
README.md
@ -407,6 +407,19 @@ git push origin v1.0.0
The GitHub [release workflow](.github/workflows/release.yml) triggers immediately after the tag is pushed upstream. This flow will
The GitHub [release workflow](.github/workflows/release.yml) triggers immediately after the tag is pushed upstream. This flow will
release the binaries using the [goreleaser](https://goreleaser.com/actions/) action and then it will build and publish the docker image into Docker Hub.
release the binaries using the [goreleaser](https://goreleaser.com/actions/) action and then it will build and publish the docker image into Docker Hub.
The released artifacts are signed using [cosign](https://docs.sigstore.dev/). You can use the public key from [cosign.pub](cosign.pub)
file to verify the signature of docker image and binaries files.
The docker image signature can be verified with the following command:
```
cosign verify --key cosign.pub securego/gosec:<TAG>
```
The binary files signature can be verified with the following command:
```
cosign verify-blob --key cosign.pub --signature gosec_<VERSION>_darwin_amd64.tar.gz.sig gosec_<VERSION>_darwin_amd64.tar.gz
```
### Docker image
### Docker image
You can also build locally the docker image by using the command:
You can also build locally the docker image by using the command:
4
cosign.pub
Normal file
@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFphl7f2VuFRfsi4wqiLUCQ9xHQgV
O2VMDNcvh+kxiymLXa+GkPzSKExFYIlVwfg13URvCiB+kFvITmLzuLiGQg==
-----END PUBLIC KEY-----
@ -1,7 +1,6 @@
package html
package html
import (
import (
// use go embed to import template
// use go embed to import template
_ "embed"
_ "embed"
"html/template"
"html/template"
@ -3,9 +3,7 @@ package text
import (
import (
"bufio"
"bufio"
"bytes"
"bytes"
_ "embed" // use go embed to import template
// use go embed to import template
_ "embed"
"fmt"
"fmt"
"io"
"io"
"strconv"
"strconv"