feature: SLSA Level 3 provenance generation for Kyverno images: kyver…

…no init, kyverno and kyvernopre (kyverno#4268) Signed-off-by: zurrehma <zahid.chashma@gmail.com> Signed-off-by: zurrehma <zahid.chashma@gmail.com> Co-authored-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
infracloudio · Oct 28, 2022 · 1fef873 · 1fef873
1 parent 2c4a2da
commit 1fef873
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 1 deletion.
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
@@ -20,7 +20,7 @@ jobs:
     secrets:
       registry_username: ${{ github.actor }}
       registry_password: ${{ secrets.CR_PAT }}
-
+      
   push-kyverno:
     uses: ./.github/workflows/reuse.yaml
     with:
@@ -40,3 +40,51 @@ jobs:
     secrets:
       registry_username: ${{ github.actor }}
       registry_password: ${{ secrets.CR_PAT }}
+
+  generate-init-kyverno-provenance:
+    needs: push-init-kyverno
+    permissions:
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read #To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyvernopre
+      digest: "${{ needs.push-init-kyverno.outputs.init_sha256_digest }}"
+      registry-username: ${{ github.actor }}
+    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+      compile-generator: true
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
+
+  generate-kyverno-provenance:
+    needs: push-kyverno
+    permissions:
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read #To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyverno
+      digest: "${{ needs.push-kyverno.outputs.kyverno_sha256_digest }}"
+      registry-username: ${{ github.actor }}
+    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+      compile-generator: true
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
+
+  generate-kyverno-cli-provenance:
+    needs: push-kyverno-cli
+    permissions:
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read #To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
+      digest: "${{ needs.push-kyverno-cli.outputs.cli_sha256_digest }}"
+      registry-username: ${{ github.actor }}
+    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+      compile-generator: true
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
@@ -19,13 +19,28 @@ on:
         required: true
       registry_password:
         required: true
+    outputs:
+      init_sha256_digest:
+        description: "sha256 digest of kyverno init docker image"
+        value: ${{ jobs.build.outputs.init-container-digest }}
+      kyverno_sha256_digest:
+        description: "sha256 digest of kyverno docker image"
+        value: ${{ jobs.build.outputs.kyverno-digest }}
+      cli_sha256_digest:
+        description: "sha256 digest of kyverno docker image"
+        value: ${{ jobs.build.outputs.cli-digest }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
       id-token: write
+    outputs:
+      init-container-digest: ${{ steps.set-sha256-digest.outputs.init-container-digest }}
+      kyverno-digest: ${{ steps.set-sha256-digest.outputs.kyverno-digest }}
+      cli-digest: ${{ steps.set-sha256-digest.outputs.cli-digest }}
     steps:
       - name: Checkout release
         if: ${{ inputs.tag == 'release'}}
@@ -154,3 +169,18 @@ jobs:
         env:
           COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
         run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
+
+      - name: get sha256sum image digest
+        if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
+        id: set-sha256sum-digest
+        run: |
+          echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
+          DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
+          echo "Digest from image is: $DIGEST"
+          if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then
+            echo "::set-output name=init-container-digest::$DIGEST"
+          elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
+            echo "::set-output name=kyverno-digest::$DIGEST"
+          else
+            echo "::set-output name=cli-digest::$DIGEST"
+          fi