2 changes: 2 additions & 0 deletions .github/workflows/author_verification.yml
Expand Up @@ -24,6 +24,8 @@ jobs:

- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: Initialize Attestation
run: |
3 changes: 3 additions & 0 deletions .github/workflows/build_external_container_images.yaml
Expand Up @@ -80,6 +80,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false

- name: Checkout Bitnami containers repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
Expand All @@ -89,6 +91,7 @@ jobs:
ref: ${{ matrix.image.ref }}
sparse-checkout: ${{ matrix.image.sparse_checkout }}
sparse-checkout-cone-mode: false
persist-credentials: false

- name: Extract version from Bitnami Dockerfile
id: extract_version
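Review bot: The Bitnami checkout now drops persisted credentials, but it still checks out a third-party repository at `ref: ${{ matrix.image.ref }}` with a matrix-driven sparse checkout; if those refs are branch names rather than commit SHAs (the matrix is defined outside the hunk, so this is unverified here), the sources that get built into container images are a mutable input and two runs of the same workflow can build different code. Pinning each `ref` to a full commit SHA, and recording that SHA next to the version extracted from the Dockerfile, would keep this consistent with the SHA-pinning applied to the actions themselves. The job continues past the visible hunk.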
2 changes: 2 additions & 0 deletions .github/workflows/codeql.yml
Expand Up @@ -38,6 +38,8 @@ jobs:

- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: Initialize Attestation
if: ${{ github.event_name != 'pull_request' }}
12 changes: 9 additions & 3 deletions .github/workflows/lint.yml
Expand Up @@ -25,21 +25,23 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: 'go.mod'

- name: Lint main module
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
if: ${{ matrix.app == 'main-module' }}
with:
version: v2.9.0
only-new-issues: 'true'

- name: Lint ${{ matrix.app }}
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
if: ${{ matrix.app != 'main-module' }}
with:
working-directory: app/${{ matrix.app }}
Expand All @@ -50,6 +52,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- uses: bufbuild/buf-action@5150a1eef5c10b6a5cf8a69fc872f24a09473195 # v1.1.1
with:
version: 1.49.0
Expand All @@ -67,6 +71,8 @@ jobs:
curl -L https://dl.dagger.io/dagger/install.sh | DAGGER_VERSION=0.19.11 sh

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
Expand All @@ -78,7 +84,7 @@ jobs:
make -C extras/dagger module-init

- name: Lint
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # 9.2.0
uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
with:
working-directory: extras/dagger
version: v2.9.0
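Review bot: The `persist-credentials: false` hardening and SHA-pinned actions in the dagger lint job sit next to an install step that still pipes an unverified script, `curl -L https://dl.dagger.io/dagger/install.sh | DAGGER_VERSION=0.19.11 sh` (unchanged context in the same hunk). `DAGGER_VERSION` selects a version but nothing checks what the script actually fetches, so this step remains a mutable supply-chain input in a workflow that otherwise pins everything; consider downloading the release archive for that version and verifying its published checksum before extracting, or at minimum `curl -fsSL` under `shell: bash` (which enables pipefail) so a failed download errors out instead of running a truncated script. The job's remaining steps continue past the hunk.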
2 changes: 2 additions & 0 deletions .github/workflows/package_chart.yaml
Expand Up @@ -41,6 +41,8 @@ jobs:
cosign-release: "v2.4.1"

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: Package Chart
run: helm package deployment/chainloop/
26 changes: 19 additions & 7 deletions .github/workflows/release.yaml
Expand Up @@ -17,6 +17,8 @@ jobs:
id-token: write # required for SLSA provenance
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: Install Chainloop
run: |
Expand Down Expand Up @@ -59,7 +61,7 @@ jobs:

steps:
- name: Install Cosign
uses: sigstore/cosign-installer@ef6a6b364bbad08abd36a5f8af60b595d12702f8 # main
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
with:
cosign-release: "v2.2.3"

Expand All @@ -69,6 +71,8 @@ jobs:

- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: Initialize Attestation
id: init_attestation
Expand All @@ -92,6 +96,7 @@ jobs:
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version-file: 'go.mod'
cache: false

# install qemu binaries for multiarch builds (needed by goreleaser/buildx)
- name: Setup qemu
Expand Down Expand Up @@ -125,6 +130,7 @@ jobs:
env:
SYFT_GOLANG_SEARCH_REMOTE_LICENSES: "true"
ATTESTATION_ID: ${{ steps.init_attestation.outputs.attestation_id }}
RELEASE_TAG: ${{ github.ref_name }}
run: |
# goreleaser output resides in dist/artifacts.json
# Attest all built containers and manifests
Expand Down Expand Up @@ -162,7 +168,7 @@ jobs:
chainloop attestation add --name $sbom_name --value /tmp/sbom-$material_name.cyclonedx.json --kind SBOM_CYCLONEDX_JSON --attestation-id ${{ env.ATTESTATION_ID }}

# Upload the SBOM to the release
gh release upload ${{ github.ref_name }} /tmp/sbom-$material_name.cyclonedx.json --clobber
gh release upload $RELEASE_TAG /tmp/sbom-$material_name.cyclonedx.json --clobber

# Run Grype vulnerability scan and attest result
grype --only-fixed -o sarif --file ./vuln-${container_name}.json $entry
Expand All @@ -188,10 +194,11 @@ jobs:
- name: Include source code on attestation
env:
ATTESTATION_ID: ${{ steps.init_attestation.outputs.attestation_id }}
RELEASE_TAG: ${{ github.ref_name }}
run: |
# This needs to run AFTER goreleaser to make sure the source code is available

gh release download ${{ github.ref_name }} -A tar.gz -O /tmp/source-code.tar.gz
gh release download $RELEASE_TAG -A tar.gz -O /tmp/source-code.tar.gz
chainloop attestation add --name source-code --value /tmp/source-code.tar.gz --kind ARTIFACT --attestation-id ${{ env.ATTESTATION_ID }}

- name: Read current project version
Expand All @@ -201,9 +208,13 @@ jobs:
echo "current_version=$current_version" >> $GITHUB_OUTPUT

- name: Bump Chart and Dagger Version
run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger ${{ github.ref_name }}
env:
RELEASE_TAG: ${{ github.ref_name }}
run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger $RELEASE_TAG
- name: Bump Project Version
run: .github/workflows/utils/bump-project-version.sh ${{ github.ref_name }}
env:
RELEASE_TAG: ${{ github.ref_name }}
run: .github/workflows/utils/bump-project-version.sh $RELEASE_TAG

- name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
Expand Down Expand Up @@ -248,9 +259,10 @@ jobs:
if: ${{ success() }}
env:
ATTESTATION_SHA: ${{ steps.attestation_push.outputs.attestation_sha }}
RELEASE_TAG: ${{ github.ref_name }}
run: |
chainloop_release_url="## Chainloop Attestation"$'\n'"[View the attestation of this release](https://app.chainloop.dev/attestation/${{ env.ATTESTATION_SHA }})"
current_notes=$(gh release view ${{github.ref_name}} --json body -q '.body')
current_notes=$(gh release view $RELEASE_TAG --json body -q '.body')

if echo "$current_notes" | grep -q "## Chainloop Attestation"; then
# Replace the existing Chainloop Attestation section with the new URL
Expand All @@ -261,7 +273,7 @@ jobs:
fi

# Update the release notes and ignore if it fails since we might be lacking permissions to update the release notes
gh release edit ${{github.ref_name}} -n "$modified_notes" || echo -n "Not enough permissions to edit the release notes. Skipping..."
gh release edit $RELEASE_TAG -n "$modified_notes" || echo -n "Not enough permissions to edit the release notes. Skipping..."

- name: Mark attestation as failed
if: ${{ failure() }}
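Review bot: The move of `github.ref_name` into a `RELEASE_TAG` env var is not carried through to the other interpolations in the same scripts — `--attestation-id ${{ env.ATTESTATION_ID }}` on both `chainloop attestation add` lines and `attestation/${{ env.ATTESTATION_SHA }}` in the release-notes step still splice an expression into the shell text before it is parsed, even though both values are already exported as env vars on those steps. Use the shell variables instead, `--attestation-id "$ATTESTATION_ID"` and `.../attestation/$ATTESTATION_SHA`, and quote the new references too (`gh release upload "$RELEASE_TAG" ...`, `gh release view "$RELEASE_TAG" ...`) so a tag name cannot be word-split or globbed. Separately, the cosign-installer pin is now a release SHA but `cosign-release: "v2.2.3"` here differs from `"v2.4.1"` in package_chart.yaml; presumably one of the two is stale. The enclosing job runs past the visible hunks.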
6 changes: 5 additions & 1 deletion .github/workflows/scm_configuration_check.yaml
Expand Up @@ -22,6 +22,8 @@ jobs:

steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false

- name: Install Chainloop
run: |
Expand All @@ -33,10 +35,12 @@ jobs:

- name: Generate a token
id: generate-token
uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.CHAINLOOP_GATHERER_APP_ID }}
private-key: ${{ secrets.GATHERER_APP_PRIVATE_KEY }}
permission-contents: read
permission-metadata: read

- name: Gather runner context data
run: |
4 changes: 2 additions & 2 deletions .github/workflows/scorecards.yml
Expand Up @@ -47,7 +47,7 @@ jobs:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.3.1
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -69,7 +69,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v3.1.3
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
# When downloading if not name is set the artifact name will be "artifact"
# We need to specify the name to download it later
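Review bot: Both steps keep their pinned SHAs (`62b2cac7…`, `65462800…`) and only the trailing version comment changes (`v2.3.1` to `v2.4.0`, `v3.1.3` to `v4.3.3`), so this is a relabel rather than an upgrade. That is fine if the old comments were wrong, but it should be confirmed against the upstream tags (e.g. `git ls-remote --tags`), because the comment is what Dependabot/Renovate read to decide future bumps, and a label that does not match the SHA silently hides the version actually in use. If the intent was to upgrade, the SHA itself must change.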
2 changes: 2 additions & 0 deletions .github/workflows/secrets-scan-daily.yml
Expand Up @@ -21,6 +21,8 @@ jobs:

steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false

- name: Install Chainloop
run: |
2 changes: 2 additions & 0 deletions .github/workflows/sync_contracts.yml
Expand Up @@ -19,6 +19,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false
- name: Install Chainloop
run: |
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s
4 changes: 3 additions & 1 deletion .github/workflows/test.yml
Expand Up @@ -25,6 +25,8 @@ jobs:
- artifact-cas
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
Expand All @@ -51,7 +53,7 @@ jobs:

# Check that the generated ent code is up to date
# see https://entgo.io/docs/ci/
- uses: ent/contrib/ci@e38dfb6484dfbe64b8bd060fe6a219a1aa5da770 # master
- uses: ent/contrib/ci@4ec197664a206890a44245f5c0cbcb8110d68cb5 # v0.5.0
name: "Check all ent generated code is checked in"
if: ${{ matrix.app != 'main-module' }}
with: