add tf, img build

Author: mchmarny

.github/workflows/build.yaml

@@ -0,0 +1,92 @@
+name: build-image
+
+on:
+  workflow_call:
+    inputs:
+      image_repo:
+        description: 'Fully-qualified image repo (registry/project/repo)'
+        required: true
+        type: string
+      image_name:
+        description: 'Image name (e.g. my-image)'
+        required: true
+        type: string
+      auth_provider:
+        description: 'OIDC provider ID'
+        required: true
+        type: string
+      auth_user:
+        description: 'OIDC user ID'
+        required: true
+        type: string
+    outputs:
+      digest:
+        value: ${{ jobs.build.outputs.digest }}
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    outputs:
+      digest: ${{ steps.image.outputs.digest }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+
+    - name: Checkout Code
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
+
+    - name: Get Version
+      run: |-
+        set -euo pipefail
+        echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+        echo "CURRENT_DATE=$(date '+%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
+        echo "RELEASE_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV
+
+    - id: auth
+      name: Auth GCP
+      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d  # v1.0.0
+      with:
+        token_format: "access_token"
+        workload_identity_provider: ${{ inputs.auth_provider }}
+        service_account: ${{ inputs.auth_user }}
+
+    - name: Define Metadata
+      id: meta
+      uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96  # v4.3.0
+      with:
+        images: |
+          ${{ inputs.image_repo }}/${{ inputs.image_name }}
+        tags: |
+          type=raw,enable=true,value=${{ env.RELEASE_VERSION }}
+          type=raw,enable=true,value=${{ env.RELEASE_COMMIT }}
+          type=raw,enable=true,value=latest
+
+    - name: Registry Auth
+      uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2.1.0
+      with:
+        registry: ${{ inputs.image_repo }}
+        username: oauth2accesstoken
+        password: ${{ steps.auth.outputs.access_token }}
+
+    - name: Image Push
+      id: push
+      uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671  # v4.0.0
+      with:
+        context: .
+        file: internal/cmd/Dockerfile
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        build-args: |
+          VERSION=${{ env.RELEASE_VERSION }}
+          COMMIT=${{ env.RELEASE_COMMIT }}
+          DATE=${{ env.CURRENT_DATE }}
+
+    - name: Export Digest
+      id: image
+      run: |
+        echo "digest=${{ inputs.image_repo }}/${{ inputs.image_name }}@${{ steps.push.outputs.digest }}" >> $GITHUB_OUTPUT

.github/workflows/on-tag.yaml renamed to .github/workflows/on-tag-cli.yaml

@@ -1,4 +1,4 @@
-name: release
+name: release-cli
 on:
   push:
     tags:

.github/workflows/on-tag-img.yaml

@@ -0,0 +1,111 @@
+name: release-img
+on:
+  push:
+    tags:
+    - 'v[0-9]+.[0-9]+.[0-9]+'  # Only build tag with semantic versioning format
+
+permissions:
+  contents: read
+
+jobs:
+
+  conf:
+    env:
+      IMG_NAME: vulctl
+      PROVIDER_ID: projects/689738033528/locations/global/workloadIdentityPools/vulctl-github-pool/providers/github-provider
+      REG_URI: us-west1-docker.pkg.dev/cloudy-build/vulctl
+      SA_EMAIL: [email protected]
+      PROJECT_ID: cloudy-build
+
+      # Defaults
+      BUILDER_VERSION: v1.4.0
+      COSIGN_VERSION: v1.13.1
+      ERR_VULNERABILITY_SEV: "CRITICAL,HIGH,MEDIUM"
+      GO_VERSION: "^1.20.2"
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      builder_version: ${{ steps.conf.outputs.builder_version }}
+      cosign_version: ${{ steps.conf.outputs.cosign_version }}
+      err_on_vulnerability_sev: ${{ steps.conf.outputs.err_on_vulnerability_sev }}
+      go_version: ${{ steps.conf.outputs.go_version }}
+      image_name: ${{ steps.conf.outputs.image_name }}
+      provider_id: ${{ steps.conf.outputs.provider_id }}
+      registry_uri: ${{ steps.conf.outputs.registry_uri }}
+      service_account: ${{ steps.conf.outputs.service_account }}
+      project_id: ${{ steps.conf.outputs.project_id }}
+    steps:
+
+    - name: Export Config
+      id: conf
+      run: |
+        echo "builder_version=${{ env.BUILDER_VERSION }}" >> $GITHUB_OUTPUT
+        echo "cosign_version=${{ env.COSIGN_VERSION }}" >> $GITHUB_OUTPUT
+        echo "err_on_vulnerability_sev=${{ env.ERR_VULNERABILITY_SEV }}" >> $GITHUB_OUTPUT
+        echo "go_version=${{ env.GO_VERSION }}" >> $GITHUB_OUTPUT
+        echo "image_name=${{ env.IMG_NAME }}" >> $GITHUB_OUTPUT
+        echo "provider_id=${{ env.PROVIDER_ID }}" >> $GITHUB_OUTPUT
+        echo "registry_uri=${{ env.REG_URI }}" >> $GITHUB_OUTPUT
+        echo "service_account=${{ env.SA_EMAIL }}" >> $GITHUB_OUTPUT
+        echo "project_id=${{ env.PROJECT_ID }}" >> $GITHUB_OUTPUT
+
+  test:
+    needs:
+    - conf
+    uses: ./.github/workflows/test.yaml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      go-version: ${{ needs.conf.outputs.go_version }}
+      scan-severity: ${{ needs.conf.outputs.err_on_vulnerability_sev }}
+
+  image:
+    needs:
+    - conf
+    - test
+    permissions:
+      contents: read
+      actions: read
+      id-token: write
+      packages: write
+    uses: ./.github/workflows/build.yaml
+    with:
+      auth_provider: ${{ needs.conf.outputs.provider_id }}
+      auth_user: ${{ needs.conf.outputs.service_account }}
+      image_name: ${{ needs.conf.outputs.image_name }}
+      image_repo: ${{ needs.conf.outputs.registry_uri }}
+
+  sign:
+    needs:
+    - conf
+    - image
+    permissions:
+      contents: read
+      actions: read
+      id-token: write
+    uses: ./.github/workflows/sign.yaml
+    with:
+      auth_provider: ${{ needs.conf.outputs.provider_id }}
+      auth_user: ${{ needs.conf.outputs.service_account }}
+      cosign_version: ${{ needs.conf.outputs.cosign_version }}
+      image_digest: ${{ needs.image.outputs.digest }}
+      scan_severity: ${{ needs.conf.outputs.err_on_vulnerability_sev }}
+
+  provenance:
+    needs:
+    - conf
+    - sign
+    - image
+    permissions:
+      contents: read
+      actions: read
+      id-token: write
+      packages: write
+    uses: ./.github/workflows/slsa.yaml
+    with:
+      auth_provider: ${{ needs.conf.outputs.provider_id }}
+      auth_user: ${{ needs.conf.outputs.service_account }}
+      image_digest: ${{ needs.image.outputs.digest }}

.github/workflows/sign.yaml

@@ -0,0 +1,87 @@
+name: sign-image
+
+on:
+  workflow_call:
+    inputs:
+      image_digest:
+        description: 'Fully-qualified image digest to verify (registry/image@sha256:digest)'
+        required: true
+        type: string
+      auth_provider:
+        description: 'OIDC provider ID'
+        required: true
+        type: string
+      auth_user:
+        description: 'OIDC user ID'
+        required: true
+        type: string
+      cosign_version:
+        description: 'The version of cosign to use'
+        required: false
+        type: string
+        default: 'v1.13.1'
+      scan_severity:
+        description: 'Error on vulnerability scan severity'
+        required: false
+        type: string
+        default: 'CRITICAL,HIGH,MEDIUM'
+
+permissions:
+  contents: read
+
+jobs:
+
+  sign:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+
+    - id: auth
+      name: Auth GCP
+      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d  # v1.0.0
+      with:
+        token_format: "access_token"
+        workload_identity_provider: ${{ inputs.auth_provider }}
+        service_account: ${{ inputs.auth_user }}
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65  # v3.0.1
+      with:
+        cosign-release: ${{ inputs.cosign_version }}
+
+    - name: Auth Cosign
+      run: |
+        set -euo pipefail
+        cosign version
+        reg=$(echo ${{ inputs.image_digest }} | cut -d/ -f1)
+        cosign login ${reg} --username=oauth2accesstoken --password=${{ steps.auth.outputs.access_token }}
+
+    - name: Generate Keys
+      run: |
+        set -euo pipefail
+        COSIGN_PASSWORD=$(openssl rand -base64 12)
+        cosign generate-key-pair
+
+    - name: Attest Image
+      env:
+        COSIGN_EXPERIMENTAL: "true"
+      run: |
+        set -euo pipefail
+        cosign sign ${{ inputs.image_digest }} \
+            --force \
+            --key cosign.key \
+            -a sha=${{ github.sha }} \
+            -a run_id=${{ github.run_id }} \
+            -a run_attempt=${{ github.run_attempt }} \
+            -a tag=${{ env.GITHUB_REF_NAME }}
+
+    - name: Attest Image
+      env:
+        COSIGN_EXPERIMENTAL: "true"
+      run: |
+        set -euo pipefail
+          cosign verify \
+          --key cosign.pub \
+          ${{ inputs.image_digest }}

.github/workflows/slsa.yaml

@@ -0,0 +1,87 @@
+name: slsa-provenance-create
+
+on:
+  workflow_call:
+    inputs:
+      image_digest:
+        description: 'Fully-qualified image digest to verify (registry/image@sha256:digest)'
+        required: true
+        type: string
+      auth_provider:
+        description: 'OIDC provider ID'
+        required: true
+        type: string
+      auth_user:
+        description: 'OIDC user ID'
+        required: true
+        type: string
+      cosign_version:
+        description: 'The version of cosign to use'
+        required: false
+        type: string
+        default: 'v1.13.1'
+
+permissions:
+  contents: read
+
+jobs:
+
+  conf:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      image: ${{ steps.conf.outputs.image }}
+      digest: ${{ steps.conf.outputs.digest }}
+    steps:
+    - name: Export Config
+      id: conf
+      run: |
+        echo "image=$(echo ${{ inputs.image_digest }} | cut -d@ -f1)" >> $GITHUB_OUTPUT
+        echo "digest=$(echo ${{ inputs.image_digest }} | cut -d@ -f2)" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs:
+    - conf
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.conf.outputs.image }}
+      digest: ${{ needs.conf.outputs.digest }}
+      registry-username: ${{ github.actor }}
+      gcp-workload-identity-provider: ${{ inputs.auth_provider }}
+      gcp-service-account: ${{ inputs.auth_user }}
+
+  verify:
+    needs:
+    - provenance
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      id-token: write
+    steps:
+
+    - name: Checkout Code
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
+
+    - id: auth
+      name: Auth GCP
+      uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d  # v1.0.0
+      with:
+        token_format: "access_token"
+        workload_identity_provider: ${{ inputs.auth_provider }}
+        service_account: ${{ inputs.auth_user }}
+
+    - uses: slsa-framework/slsa-verifier/actions/installer@a43888265e1f6aae98c924538298944f2721dcf0  # v2.0.1
+
+    # SLSA provenance verification using slsa-verifier.
+    - name: Verify SLSA Provenance
+      run: |-
+        set -euo pipefail
+        slsa-verifier version
+        slsa-verifier verify-image ${{ inputs.image_digest }} \
+          --source-uri "github.com/$GITHUB_REPOSITORY" \
+          --source-tag "$GITHUB_REF_NAME"