Skip to content

Commit

Permalink
Initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
demo-john authored Jul 30, 2024
0 parents commit f8e77cc
Show file tree
Hide file tree
Showing 12 changed files with 274 additions and 0 deletions.
56 changes: 56 additions & 0 deletions .github/workflows/pipeline.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

name: pipeline

on:
push:
branches:
- 'main'

jobs:
build-image:
runs-on: ubuntu-latest

permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

steps:
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}/swf

- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Buildx
uses: docker/setup-buildx-action@v3

- name: Checkout Code
uses: actions/checkout@v4.1.1

- name: Build Image
shell: bash
run: |
docker buildx build -t ${{ steps.meta.outputs.tags }} --push .
- name: Generate SBOM
shell: bash
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json
- name: Upload SBOM
uses: actions/upload-artifact@v4.3.3
with:
name: sbom
path: sbom.cdx.json
37 changes: 37 additions & 0 deletions .github/workflows/vex.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

name: vex

on:
workflow_dispatch

jobs:
generate-vex:
runs-on: ubuntu-latest

steps:
- name: Setup Go
uses: actions/setup-go@v5.0.0
with:
go-version: 1.22.x
- run: go install github.com/openvex/vexctl@latest

- name: Checkout Code
uses: actions/checkout@v4.1.1

- name: Generate VEX
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
with:
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
step: gen-vex
attestations: "environment git github vex"
command: |
/bin/sh -c 'vexctl create --product="pkg:oci/${{ github.repository }}@main" --vuln="CVE-2023-45285" --status="not_affected" --justification="inline_mitigations_already_exist" --file="./openvex.json"'
- name: Upload VEX
uses: actions/upload-artifact@v4.3.3
with:
name: vex
path: openvex.json
25 changes: 25 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder

ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT=""
ARG LDFLAGS

ENV GO111MODULE=on \
CGO_ENABLED=0 \
GOOS=${TARGETOS} \
GOARCH=${TARGETARCH} \
GOARM=${TARGETVARIANT}

WORKDIR /build

COPY . .

RUN go build -o bin/software

FROM golang:alpine3.18

COPY --from=builder /build/bin/software /software

ENTRYPOINT ["/software"]
12 changes: 12 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# demo-repo

## Welcome to a JUDGE On-boarding Demo

This is a template repository that is best used to create your own repo to customize.

## "Typical" workflow experience (WIP)

1. Take a look at the pipeline.yaml to see what the current build process looks like. It's a simple Docker build of a container image with a subsequent SBOM generation step.
2. Next look at PR1
3. Next look at PR2
4. Finally kick off the manual VEX workflow.
5 changes: 5 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
module github.com/demo-john/demo-repo/swf

go 1.21.1

require github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
14 changes: 14 additions & 0 deletions main.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
package main

import (
"github.com/common-nighthawk/go-figure"
)

func Hello() string {
return "Hello Demo!"
}

func main() {
myFigure := figure.NewFigure(Hello(), "starwars", true)
myFigure.Print()
}
14 changes: 14 additions & 0 deletions main_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
package main

import (
"testing"
)

func TestHello(t *testing.T) {
got := Hello()
want := "Hello KubeCon!"

if got != want {
t.Errorf("got %q want %q", got, want)
}
}
63 changes: 63 additions & 0 deletions pr-1/pipeline.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

name: pipeline

on:
push:
branches:
- 'main'

jobs:
build-image:
runs-on: ubuntu-latest

permissions:
packages: write
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

steps:
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}/swf

- name: Docker Login
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Buildx
uses: docker/setup-buildx-action@v3

- name: Checkout Code
uses: actions/checkout@v4.1.1

- name: Build Image
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
with:
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
step: build-image
attestations: "environment git github slsa"
command: /bin/sh -c "docker buildx build -t ${{ steps.meta.outputs.tags }} --push ."

- name: Generate SBOM
uses: testifysec/witness-run-action@reusable-workflow # v0.2.0
with:
archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
step: gen-sbom
attestations: "environment git github sbom"
command: |
/bin/sh -c "curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.7.0 && \
syft ${{ steps.meta.outputs.tags }} --source-name=pkg:oci/${{ github.repository }} -o cyclonedx-json --file sbom.cdx.json"
- name: Upload SBOM
uses: actions/upload-artifact@v4.3.3
with:
name: sbom
path: sbom.cdx.json
25 changes: 25 additions & 0 deletions pr-2/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
FROM cgr.dev/chainguard/go@sha256:605d81422aba573c17bfd6029a217e94a9575179a98355a99acbb6e028ca883b AS builder

ARG TARGETPLATFORM
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT=""
ARG LDFLAGS

ENV GO111MODULE=on \
CGO_ENABLED=0 \
GOOS=${TARGETOS} \
GOARCH=${TARGETARCH} \
GOARM=${TARGETVARIANT}

WORKDIR /build

COPY . .

RUN go build -o bin/software

FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472

COPY --from=builder /build/bin/software /software

ENTRYPOINT ["/software"]
18 changes: 18 additions & 0 deletions scripts/prepare.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
#!/bin/sh

# Create the first PR
git checkout -b enable-witness main
cp ./pr-1/pipeline.yml ./.github/workflows/pipeline.yml
git add ./.github/workflows/pipeline.yml
git commit -m "Enable witness"
git push origin enable-witness
gh pr create --base main --head enable-witness --fill

# Create the second PR
git checkout -b reduce-cves main
cp ./pr-2/Dockerfile ./Dockerfile
git add ./Dockerfile
git commit -m "Reduce CVEs"
git push origin reduce-cves
gh pr create --base main --head reduce-cves --fill

3 changes: 3 additions & 0 deletions scripts/tear-down.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
#!/bin/bash

gh repo delete --confirm

0 comments on commit f8e77cc

Please sign in to comment.