From 1fef873762985597901465439a15334e6540e0f2 Mon Sep 17 00:00:00 2001
From: Zahid Khan
Date: Fri, 28 Oct 2022 19:19:15 +0500
Subject: [PATCH] feature: SLSA Level 3 provenance generation for Kyverno images: kyverno init, kyverno and kyvernopre (#4268)

Signed-off-by: zurrehma
Signed-off-by: zurrehma
Co-authored-by: Chip Zoller
Co-authored-by: Jim Bugwadia
---
 .github/workflows/image.yaml | 50 +++++++++++++++++++++++++++++++++++-
 .github/workflows/reuse.yaml | 30 ++++++++++++++++++++++
 2 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 84f168a8a568..ef8b468e5019 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -20,7 +20,7 @@ jobs:
     secrets:
       registry_username: ${{ github.actor }}
       registry_password: ${{ secrets.CR_PAT }}
-
+
   push-kyverno:
     uses: ./.github/workflows/reuse.yaml
     with:
@@ -40,3 +40,51 @@ jobs:
     secrets:
       registry_username: ${{ github.actor }}
       registry_password: ${{ secrets.CR_PAT }}
+
+  generate-init-kyverno-provenance:
+    needs: push-init-kyverno
+    permissions:
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read #To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyvernopre
+      digest: "${{ needs.push-init-kyverno.outputs.init_sha256_digest }}"
+      registry-username: ${{ github.actor }}
+      # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+      compile-generator: true
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
+
+  generate-kyverno-provenance:
+    needs: push-kyverno
+    permissions:
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read #To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyverno
+      digest: "${{ needs.push-kyverno.outputs.kyverno_sha256_digest }}"
+      registry-username: ${{ github.actor }}
+      # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+      compile-generator: true
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
+
+  generate-kyverno-cli-provenance:
+    needs: push-kyverno-cli
+    permissions:
+      id-token: write # To sign the provenance.
+      packages: write # To upload assets to release.
+      actions: read #To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
+      digest: "${{ needs.push-kyverno-cli.outputs.cli_sha256_digest }}"
+      registry-username: ${{ github.actor }}
+      # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
+      compile-generator: true
+    secrets:
+      registry-password: ${{ secrets.CR_PAT }}
\ No newline at end of file
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
index c8e8a956eaad..ee1cee2851b0 100644
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@@ -19,6 +19,17 @@ on:
         required: true
       registry_password:
         required: true
+    outputs:
+      init_sha256_digest:
+        description: "sha256 digest of kyverno init docker image"
+        value: ${{ jobs.build.outputs.init-container-digest }}
+      kyverno_sha256_digest:
+        description: "sha256 digest of kyverno docker image"
+        value: ${{ jobs.build.outputs.kyverno-digest }}
+      cli_sha256_digest:
+        description: "sha256 digest of kyverno docker image"
+        value: ${{ jobs.build.outputs.cli-digest }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -26,6 +37,10 @@ jobs:
       contents: read
       packages: write
       id-token: write
+    outputs:
+      init-container-digest: ${{ steps.set-sha256-digest.outputs.init-container-digest }}
+      kyverno-digest: ${{ steps.set-sha256-digest.outputs.kyverno-digest }}
+      cli-digest: ${{ steps.set-sha256-digest.outputs.cli-digest }}
     steps:
       - name: Checkout release
         if: ${{ inputs.tag == 'release'}}
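Review bot: The three new `generate-*-provenance` jobs carry no `if:` guard, while the step in reuse.yaml that fills the digest outputs runs only for release builds or for a matching branch, so on any other run the generator is invoked with an empty `digest` input and will presumably fail rather than skip. Mirroring the condition on the consumer side, e.g. `if: needs.push-kyverno.outputs.kyverno_sha256_digest != ''` on each job, keeps the provenance jobs from running when there is nothing to attest. The `packages: write # To upload assets to release.` comment is carried over from the generic generator; for the container workflow this permission is used to push the attestation to the registry, so `# To push the provenance attestation to the registry.` describes it, and `#To read the workflow path.` wants a space after the hash. The file also now ends without a trailing newline.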
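Review bot: The `cli_sha256_digest` output description is a copy of the one above it; `description: "sha256 digest of kyverno-cli docker image"` names the image it actually carries. Because the digest step in the -154 hunk writes only one of the three step outputs per invocation, a caller sees one populated digest and two empty strings, and saying so in the descriptions (or in a comment above `outputs:`) would save callers from consuming a blank value. The `workflow_call` block these outputs belong to begins outside the hunk.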
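Review bot: The three new job outputs read `steps.set-sha256-digest`, but the step that produces these values in the -154 hunk is declared with `id: set-sha256sum-digest`, so the expressions resolve to empty strings and every `digest` handed to the SLSA generator jobs in image.yaml is blank. Either change the three lines to `init-container-digest: ${{ steps.set-sha256sum-digest.outputs.init-container-digest }}` (and likewise for `kyverno-digest` and `cli-digest`) or rename the step id so that one identifier is used in both places. The `build` job these outputs belong to starts outside the hunk.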
@@ -154,3 +169,18 @@ jobs:
         env:
           COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom"
         run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }}
+
+      - name: get sha256sum image digest
+        if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}}
+        id: set-sha256sum-digest
+        run: |
+          echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
+          DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
+          echo "Digest from image is: $DIGEST"
+          if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then
+            echo "::set-output name=init-container-digest::$DIGEST"
+          elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then
+            echo "::set-output name=kyverno-digest::$DIGEST"
+          else
+            echo "::set-output name=cli-digest::$DIGEST"
+          fi
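Review bot: The new step writes its results with `::set-output`, which GitHub has deprecated in favour of appending `name=value` lines to the `$GITHUB_OUTPUT` file, and it splices `${{ steps.ko-publish.outputs.digest }}` and `${{inputs.publish_command}}` straight into the shell script instead of passing them through `env:`; values that reach a `run:` block via `env:` are ordinary shell variables that can be quoted and cannot alter the script's structure. The rewrite below keeps the same branching and output names. The `cut -d '@' -f2` extraction presumes the ko-publish digest output has the form `image@sha256:…` — worth confirming against the ko-publish step, which is defined outside the hunk. The trailing `else` branch records any unrecognised `publish_command` as the CLI digest; matching the CLI command explicitly and exiting non-zero otherwise would make a mislabelled attestation impossible.
```yaml
      - name: get sha256sum image digest
        # … unchanged: if:, id: …
        env:
          IMAGE_DIGEST: ${{ steps.ko-publish.outputs.digest }}
          PUBLISH_COMMAND: ${{ inputs.publish_command }}
        run: |
          echo "The image generated is: $IMAGE_DIGEST"
          DIGEST=$(echo "$IMAGE_DIGEST" | cut -d '@' -f2)
          echo "Digest from image is: $DIGEST"
          case "$PUBLISH_COMMAND" in
            ko-publish-kyvernopre) echo "init-container-digest=$DIGEST" >> "$GITHUB_OUTPUT" ;;
            ko-publish-kyverno) echo "kyverno-digest=$DIGEST" >> "$GITHUB_OUTPUT" ;;
            *) echo "cli-digest=$DIGEST" >> "$GITHUB_OUTPUT" ;;
          esac
```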