add attestation

Signed-off-by: cpanato <ctadeu@gmail.com>
2025-08-31 22:28:22 +00:00 · 2024-05-27 12:16:48 +02:00
parent 35d8618373
commit 257ae9a8c0
3 changed files with 46 additions and 29 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,13 +6,13 @@ on:
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
  group: ci-release
-  cancel-in-progress: true  
+  cancel-in-progress: true
-  
+
 jobs:
  release-settings:
    runs-on: ubuntu-latest
    outputs:
-      is_latest: ${{ steps.get_settings.outputs.is_latest }} 
+      is_latest: ${{ steps.get_settings.outputs.is_latest }}
      bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
    steps:
      - name: Get latest release
@@ -80,14 +80,14 @@ jobs:
      arch: x86_64
      # static: ${{ matrix.static != '' && true || false }}
      version: ${{ github.event.release.tag_name }}
-  
+
  test-packages-arm64:
    needs: [release-settings, build-packages-arm64]
    uses: ./.github/workflows/reusable_test_packages.yaml
    with:
      arch: aarch64
      version: ${{ github.event.release.tag_name }}
-    
+
  publish-packages:
    needs: [release-settings, test-packages, test-packages-arm64]
    uses: ./.github/workflows/reusable_publish_packages.yaml
@@ -95,7 +95,7 @@ jobs:
      bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
      version: ${{ github.event.release.tag_name }}
    secrets: inherit
-  
+
  # Both build-docker and its arm64 counterpart require build-packages because they use its output
  build-docker:
    needs: [release-settings, build-packages, publish-packages]
@@ -106,7 +106,7 @@ jobs:
      version: ${{ github.event.release.tag_name }}
      tag: ${{ github.event.release.tag_name }}
    secrets: inherit
-    
+
  build-docker-arm64:
    needs: [release-settings, build-packages, publish-packages]
    uses: ./.github/workflows/reusable_build_docker.yaml
@@ -125,7 +125,7 @@ jobs:
      is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
      tag: ${{ github.event.release.tag_name }}
      sign: true
-      
+
  release-body:
    needs: [release-settings, publish-docker]
    if: ${{ needs.release-settings.outputs.is_latest == 'true' }} # only for latest releases
@@ -135,7 +135,7 @@ jobs:
    steps:
      - name: Clone repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-          
+
      - name: Extract LIBS and DRIVER versions
        run: |
          cp .github/release_template.md release-body.md
@@ -143,26 +143,26 @@ jobs:
          DRIVER_VERS=$(cat cmake/modules/driver.cmake | grep 'set(DRIVER_VERSION' | tail -n1 | grep -o '[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*+driver')
          sed -i s/LIBSVER/$LIBS_VERS/g release-body.md
          sed -i s/DRIVERVER/$DRIVER_VERS/g release-body.md
-          
+
      - name: Append release matrixes
        run: |
          sed -i s/FALCOBUCKET/${{ needs.release-settings.outputs.bucket_suffix }}/g release-body.md
          sed -i s/FALCOVER/${{ github.event.release.tag_name }}/g release-body.md
-          
+
      - name: Generate release notes
        uses: leodido/rn2md@9c351d81278644c0e17b1ca68edbdba305276c73
        with:
          milestone: ${{ github.event.release.tag_name }}
          output: ./notes.md
-        
+
      - name: Merge release notes to pre existent body
        run: cat notes.md >> release-body.md
-        
+
      - name: Attach release creator to release body
        run: |
          echo "" >> release-body.md
          echo "#### Release Manager @${{ github.event.release.author.login }}" >> release-body.md
-        
+
      - name: Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
--- a/.github/workflows/reusable_build_docker.yaml
+++ b/.github/workflows/reusable_build_docker.yaml
@@ -20,12 +20,12 @@ on:
        required: true
        type: string
-# Here we just build all docker images as tarballs, 
+# Here we just build all docker images as tarballs,
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
-# In this way, we don't need to publish any arch specific image, 
+# In this way, we don't need to publish any arch specific image,
 # and this "build" workflow is actually only building images.
-permissions:  
+permissions:
  contents: read
 jobs:
@@ -37,10 +37,10 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-        
+
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-          
+
      - name: Build falco image
        run: |
          cd ${{ github.workspace }}/docker/falco/
--- a/.github/workflows/reusable_publish_docker.yaml
+++ b/.github/workflows/reusable_publish_docker.yaml
@@ -18,44 +18,49 @@ on:
        default: false
 permissions:
  id-token: write
  contents: read
-  
+
 jobs:
  publish-docker:
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      id-token: write
      contents: read
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-    
+
      - name: Download images tarballs
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: falco-images
          path: /tmp/falco-images
-      
+
      - name: Load all images
        run: |
          for img in /tmp/falco-images/falco-*.tar; do docker load --input $img; done
-    
+
      - name: Login to Docker Hub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_SECRET }}
-      
+
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::292999226676:role/github_actions-falco-ecr"
          aws-region: us-east-1 # The region must be set to us-east-1 in order to access ECR Public.
-          
+
      - name: Login to Amazon ECR
        id: login-ecr-public
        uses: aws-actions/amazon-ecr-login@2f9f10ea3fa2eed41ac443fee8bfbd059af2d0a4 # v1.6.0
        with:
-          registry-type: public    
+          registry-type: public
-      
+
      - name: Setup Crane
        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
        with:
@@ -86,7 +91,7 @@ jobs:
          inputs: docker.io/falcosecurity/falco:${{ inputs.tag }}-debian
          images: docker.io/falcosecurity/falco:aarch64-${{ inputs.tag }}-debian,docker.io/falcosecurity/falco:x86_64-${{ inputs.tag }}-debian
          push: true
-          
+
      - name: Create falco-driver-loader manifest on Docker Hub
        uses: Noelware/docker-manifest-action@8e337e3cb9656abfcf20146b99706fd88716e942 # v0.4.0
        with:
@@ -149,3 +154,15 @@ jobs:
          cosign sign public.ecr.aws/falcosecurity/falco:latest-debian@${{ steps.digests.outputs.falco-debian }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest@${{ steps.digests.outputs.falco-driver-loader }}
          cosign sign public.ecr.aws/falcosecurity/falco-driver-loader:latest-buster@${{ steps.digests.outputs.falco-driver-loader-buster }}
      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
        with:
          subject-name: docker.io/falcosecurity/falco
          subject-digest: ${{ steps.digests.outputs.falco }}
          push-to-registry: true
      - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
        with:
          subject-name: docker.io/falcosecurity/falco-driver-loader
          subject-digest: ${{ steps.digests.outputs.falco-driver-loader }}
          push-to-registry: true