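---
# Reusable workflow (workflow_call): for every binary listed in `inputs.artifacts`,
# compute its fingerprint, attest provenance and SBOMs to GitHub's Sigstore-backed
# attestation store, and report the artifact plus its SBOM attestations to Kosli.
# One matrix job runs per artifact entry.
name: Binary Provenance

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # JSON array; each element must carry `path` (file to fingerprint) and
      # `template_name` (the attestation subject / Kosli artifact name).
      artifacts:
        required: true
        type: string
      # Name of the uploaded workflow artifact that holds the binaries; it is
      # also used as the download directory under the workspace.
      dir:
        required: true
        type: string
      kosli_org:
        required: true
        type: string
      flow_name:
        required: true
        type: string
      trail_name:
        required: true
        type: string
    secrets:
      kosli_api_token:
        required: true

jobs:
  binary-provenance:
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # OIDC token used by actions/attest for Sigstore signing
      contents: write       # NOTE(review): only publish-sbom below looks like it may write to the repo/release; confirm `read` is not sufficient
      pull-requests: read   # NOTE(review): no step below reads pull-request data; confirm this grant is needed
      attestations: write   # lets actions/attest store the signed bundles
    strategy:
      matrix:
        artifact: ${{ fromJson(inputs.artifacts) }}
    # Caller-controlled values are exposed to the shell steps as environment
    # variables instead of being interpolated into `run:` scripts, so a crafted
    # path or name cannot change the command that gets executed.
    env:
      ARTIFACT_PATH: ${{ matrix.artifact.path }}
      ARTIFACT_NAME: ${{ matrix.artifact.template_name }}
      FLOW_NAME: ${{ inputs.flow_name }}
      TRAIL_NAME: ${{ inputs.trail_name }}
      ORG_NAME: ${{ inputs.kosli_org }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
        with:
          # `audit` only records egress; move to `block` with an allowed-endpoints
          # list once the set of hosts this job talks to is known.
          egress-policy: audit

      # TODO(review): harden-runner above is pinned to a commit SHA, but the
      # actions below are pinned to mutable tags (`v0` in particular); pin them
      # to SHAs as well so a moved tag cannot change what runs here.
      - uses: actions/checkout@v6

      - uses: actions/download-artifact@v8
        with:
          name: ${{ inputs.dir }}
          path: ${{ github.workspace }}/${{ inputs.dir }}

      - name: setup-kosli-cli
        uses: kosli-dev/setup-cli-action@v3
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      # FINGERPRINT is the sha256 digest of the binary as computed by the Kosli
      # CLI; every attestation below uses it as the subject digest.
      - name: Make the artifact fingerprint available for following steps
        run: |
          ARTIFACT_SHA=$(kosli fingerprint "$ARTIFACT_PATH" --artifact-type file)
          echo "FINGERPRINT=$ARTIFACT_SHA" >> "$GITHUB_ENV"

      # NOTE(review): actions/attest normally expects a predicate (predicate-type
      # plus predicate/predicate-path) or sbom-path; for SLSA build provenance the
      # dedicated actions/attest-build-provenance action is the usual choice.
      # Confirm this step produces the predicate you intend.
      - name: Attest Build Provenance
        id: artifact-gh-attest
        uses: actions/attest@v4
        with:
          subject-name: ${{ matrix.artifact.template_name }}
          subject-digest: sha256:${{ env.FINGERPRINT }}

      # ARTIFACT_TLOG_INDEX is exported but no later step in this job reads it;
      # the artifact's Kosli external-url below is keyed by hash, not logIndex.
      - name: Make artifact GH sigstore attestation index available to next steps
        env:
          BUNDLE_PATH: ${{ steps.artifact-gh-attest.outputs.bundle-path }}
        run: |
          TRANSPARENCY_LOG_INDEX=$(jq '.verificationMaterial.tlogEntries[0].logIndex' "$BUNDLE_PATH")
          echo "ARTIFACT_TLOG_INDEX=$TRANSPARENCY_LOG_INDEX" >> "$GITHUB_ENV"

      - name: Generate SBOM for the binary
        uses: anchore/sbom-action@v0
        with:
          file: ${{ matrix.artifact.path }}
          format: 'spdx-json'
          output-file: '${{ matrix.artifact.template_name }}-sbom.spdx.json'
          upload-artifact: false
          upload-release-assets: false

      - name: Generate Cyclone-dx SBOM for the binary
        uses: anchore/sbom-action@v0
        with:
          file: ${{ matrix.artifact.path }}
          format: 'cyclonedx-json'
          output-file: '${{ matrix.artifact.template_name }}-sbom.cyclonedx.json'
          upload-artifact: false
          upload-release-assets: false

      # NOTE(review): both SBOM steps set upload-artifact: false; confirm that
      # publish-sbom can still locate an artifact matching this pattern.
      - name: Publish SBOM
        uses: anchore/sbom-action/publish-sbom@v0
        with:
          sbom-artifact-match: ".*\\.spdx.json$"

      - name: Attest SBOM to Github
        id: sbom-gh-attest
        uses: actions/attest@v4
        with:
          sbom-path: '${{ matrix.artifact.template_name }}-sbom.spdx.json'
          subject-name: ${{ matrix.artifact.template_name }}
          subject-digest: sha256:${{ env.FINGERPRINT }}

      # SBOM_TLOG_INDEX links the Kosli SBOM attestation to its Rekor entry.
      - name: Make sbom GH sigstore attestation index available to next steps
        env:
          BUNDLE_PATH: ${{ steps.sbom-gh-attest.outputs.bundle-path }}
        run: |
          TRANSPARENCY_LOG_INDEX=$(jq '.verificationMaterial.tlogEntries[0].logIndex' "$BUNDLE_PATH")
          echo "SBOM_TLOG_INDEX=$TRANSPARENCY_LOG_INDEX" >> "$GITHUB_ENV"

      # The API token stays step-scoped so only the Kosli steps can read it.
      - name: Report artifact to Kosli
        env:
          KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
        run: >-
          kosli attest artifact "$ARTIFACT_PATH"
          --flow "$FLOW_NAME"
          --trail "$TRAIL_NAME"
          --name "$ARTIFACT_NAME"
          --fingerprint "$FINGERPRINT"
          --external-url "sigstore=https://search.sigstore.dev/?hash=$FINGERPRINT"
          --org "$ORG_NAME"

      - name: Report spdx SBOM attestation from sigstore to Kosli
        env:
          KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
        run: >-
          kosli attest generic
          --flow "$FLOW_NAME"
          --trail "$TRAIL_NAME"
          --name sbom
          --fingerprint "$FINGERPRINT"
          --attachments "${ARTIFACT_NAME}-sbom.spdx.json"
          --external-url "sigstore=https://search.sigstore.dev/?logIndex=$SBOM_TLOG_INDEX"
          --org "$ORG_NAME"

      # The CycloneDX SBOM is not attested to GitHub above, so this one carries
      # no sigstore external-url.
      - name: Report cyclonedx SBOM attestation from sigstore to Kosli
        env:
          KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
        run: >-
          kosli attest custom
          --flow "$FLOW_NAME"
          --trail "$TRAIL_NAME"
          --name cyclone-dx-sbom
          --type cyclone-dx-1-6
          --fingerprint "$FINGERPRINT"
          --attestation-data "${ARTIFACT_NAME}-sbom.cyclonedx.json"
          --org "$ORG_NAME"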