From e5ab797a1f939e229b8514da2802d4c1718395ed Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 26 Feb 2025 02:06:01 -0500 Subject: [PATCH 1/3] attest container image provenance --- .github/workflows/publish-docker-images.yml | 61 +++++++++++++++++---- 1 file changed, 49 insertions(+), 12 deletions(-) diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml index 78cb9bf0b..6bed62772 100644 --- a/.github/workflows/publish-docker-images.yml +++ b/.github/workflows/publish-docker-images.yml @@ -11,7 +11,11 @@ on: jobs: publish-docker-images: runs-on: ubuntu-24.04 + permissions: + id-token: write # need write to get OIDC token for generating attestations + attestations: write # need write to create attestations env: + REGISTRY: docker.io ZITI_CLI_TAG: ${{ inputs.ziti-tag || github.event.inputs.ziti-tag }} ZITI_CLI_IMAGE: ${{ vars.ZITI_CLI_IMAGE || 'docker.io/openziti/ziti-cli' }} ZITI_CONTROLLER_IMAGE: ${{ vars.ZITI_CONTROLLER_IMAGE || 'docker.io/openziti/ziti-controller' }} @@ -39,8 +43,7 @@ jobs: - name: Login to Docker Hub uses: docker/login-action@v3 with: - # it is preferable to obtain the username from a var so that - # recurrences of the same string are not masked in CI output + registry: ${{ env.REGISTRY}} username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }} password: ${{ secrets.DOCKER_HUB_API_TOKEN }} @@ -54,11 +57,9 @@ jobs: DOCKER_TAGS="${IMAGE_REPO}:${IMAGE_TAG}" echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT - # this is the base image into which is stuffed the Linux binary for each - # arch that was downloaded in ./release/, hence the need to specify the - # Dockerfile and DOCKER_BUILD_DIR - - name: Build & Push Multi-Platform CLI Container Image to Hub + - name: Push CLI Image to Hub uses: docker/build-push-action@v6 + id: push_cli with: builder: ${{ steps.buildx.outputs.name }} context: ${{ github.workspace }}/ 
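Review bot: Declaring `permissions:` at job level sets every scope not listed to `none`, so this job now runs with `contents: none` while it still checks out the repository with `actions/checkout@v4` (visible as context in the second patch of this series); on a private repository, or wherever that fetch relies on `GITHUB_TOKEN`, the checkout step would fail. Add `contents: read # checkout` next to the two new scopes; it is also the usual companion scope in attestation workflows. The `inputs.ziti-tag || github.event.inputs.ziti-tag` fallback suggests the workflow is reachable via `workflow_call` as well as `workflow_dispatch`; if so, the comment should say that the calling workflow must grant `id-token: write` too, because a called workflow cannot exceed the caller's token permissions. The `on:` block that defines the triggers lies outside this hunk.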
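Review bot: The two removed comment lines were the only explanation of why `username` prefers `vars.DOCKER_HUB_API_USER` over the secret, and the `vars || secrets` fallback they explained is still present on the new side; keep the rationale as a one-liner, e.g. `# prefer a var for the username so repeated occurrences are not masked in CI output`. A style nit on the added line: `${{ env.REGISTRY}}` lacks the space before `}}` that every other expression in the file has; the expression parser accepts it, but `${{ env.REGISTRY }}` keeps the file consistent.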
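Review bot: The three comment lines dropped from above the CLI build step were the only record that this image is assembled from Linux binaries downloaded beforehand (`./release/`, packaged via `DOCKER_BUILD_DIR=./dist/docker-images/ziti-cli`), and that fact matters more now that the job attests provenance for the result. Keep a short replacement above `- name: Push CLI Image to Hub`, e.g. `# Packages the pre-built ziti binaries from ./dist/docker-images/ziti-cli; the attestation below covers this packaging step only, not the binary build.` The step definition continues on the next physical line of this page.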
@@ -67,8 +68,17 @@ jobs: tags: ${{ steps.tagprep_cli.outputs.DOCKER_TAGS }} build-args: | DOCKER_BUILD_DIR=./dist/docker-images/ziti-cli + provenance: mode=max + sbom: true push: true + - name: Publish Attestations to GitHub + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.ZITI_CLI_IMAGE }} + subject-digest: ${{ steps.push_cli.outputs.digest }} + push-to-registry: true + - name: Set Up Container Image Tags for Controller Container env: IMAGE_REPO: ${{ env. ZITI_CONTROLLER_IMAGE }} @@ -79,11 +89,9 @@ jobs: DOCKER_TAGS="${IMAGE_REPO}:${IMAGE_TAG}" echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT - # This is a use-case image based on the minimal CLI image. It needs the - # ZITI_CLI_TAG env var so it can build from the versioned image that - # we pushed in the prior step. - - name: Build & Push Multi-Platform Controller Container Image to Hub + - name: Push Controller Image to Hub uses: docker/build-push-action@v6 + id: push_ctrl with: builder: ${{ steps.buildx.outputs.name }} context: ${{ github.workspace }}/ @@ -94,8 +102,17 @@ jobs: ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }} ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }} DOCKER_BUILD_DIR=./dist/docker-images/ziti-controller + provenance: mode=max + sbom: true push: true + - name: Publish Attestations to GitHub + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.ZITI_CONTROLLER_IMAGE }} + subject-digest: ${{ steps.push_ctrl.outputs.digest }} + push-to-registry: true + - name: Set Up Container Image Tags for Router Container env: IMAGE_REPO: ${{ env.ZITI_ROUTER_IMAGE }} @@ -106,8 +123,9 @@ jobs: DOCKER_TAGS="${IMAGE_REPO}:${IMAGE_TAG}" echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT - - name: Build & Push Multi-Platform Router Container Image to Hub + - name: Push Router Image to Hub uses: docker/build-push-action@v6 + id: push_router with: builder: ${{ steps.buildx.outputs.name }} context: ${{ github.workspace }}/ 
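Review bot: `actions/attest-build-provenance@v1` is introduced by a floating major tag, a mutable reference; for a step whose whole purpose is supply-chain integrity it should be pinned to a full commit SHA with the version in a trailing comment (`uses: actions/attest-build-provenance@<sha> # v1.x.y`), and the same applies to the three copies added further down. Two caveats deserve a comment on the build step: `provenance: mode=max` records the Dockerfile and every `build-args` value verbatim in a publicly readable attestation, so nothing sensitive may ever travel through `build-args` (BuildKit `secrets:` exist for that), and the GitHub attestation only proves that this workflow at this commit pushed the digest, not how the binaries inside the image were produced. `subject-digest` takes the multi-platform index digest from `steps.push_cli.outputs.digest`, so consumers verify the index rather than individual per-arch manifests; that is fine, but worth stating next to the step.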
@@ -118,8 +136,17 @@ jobs: ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }} ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }} DOCKER_BUILD_DIR=./dist/docker-images/ziti-router + provenance: mode=max + sbom: true push: true + - name: Publish Attestations to GitHub + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.ZITI_ROUTER_IMAGE }} + subject-digest: ${{ steps.push_router.outputs.digest }} + push-to-registry: true + - name: Set Up Container Image Tags for Go Tunneler Container env: IMAGE_REPO: ${{ env.ZITI_TUNNEL_IMAGE }} @@ -130,8 +157,9 @@ jobs: DOCKER_TAGS="${IMAGE_REPO}:${IMAGE_TAG}" echo DOCKER_TAGS="${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT - - name: Build & Push Multi-Platform Go Tunneler Container Image to Hub + - name: Push Tunneler Image to Hub uses: docker/build-push-action@v6 + id: push_tunnel with: builder: ${{ steps.buildx.outputs.name }} context: ${{ github.workspace }}/ @@ -141,4 +169,13 @@ jobs: build-args: | ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }} ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }} + provenance: mode=max + sbom: true push: true + + - name: Publish Attestations to GitHub + uses: actions/attest-build-provenance@v1 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.ZITI_TUNNEL_IMAGE }} + subject-digest: ${{ steps.push_tunnel.outputs.digest }} + push-to-registry: true From 79f2f7137f79ddc6beb275222bfb83c26cfdcd54 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 26 Feb 2025 02:29:17 -0500 Subject: [PATCH 2/3] set registry separately --- .github/workflows/publish-docker-images.yml | 22 ++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml index 6bed62772..5e0299c4a 100644 --- a/.github/workflows/publish-docker-images.yml +++ b/.github/workflows/publish-docker-images.yml 
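Review bot: All four attestation steps are named `Publish Attestations to GitHub`, so the four entries are indistinguishable in the run log and in `gh run view`; name each after its subject, e.g. `- name: Publish Attestations for Tunneler Image`. This last step is also a good place for a comment telling consumers how to check the result, e.g. `# verify with: gh attestation verify oci://docker.io/openziti/ziti-tunnel:<tag> --owner openziti` (assuming the repository lives under the openziti organisation, as `openziti/ziti-ci` in the third patch suggests). `push-to-registry: true` depends on the Docker Hub login from the earlier step still being in effect and on the registry accepting the referrer push; if that push fails after the image tag has already gone live, the job ends red with the tag published but unattested, which is acceptable but worth knowing when triaging.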
@@ -17,10 +17,10 @@ jobs: env: REGISTRY: docker.io ZITI_CLI_TAG: ${{ inputs.ziti-tag || github.event.inputs.ziti-tag }} - ZITI_CLI_IMAGE: ${{ vars.ZITI_CLI_IMAGE || 'docker.io/openziti/ziti-cli' }} - ZITI_CONTROLLER_IMAGE: ${{ vars.ZITI_CONTROLLER_IMAGE || 'docker.io/openziti/ziti-controller' }} - ZITI_ROUTER_IMAGE: ${{ vars.ZITI_ROUTER_IMAGE || 'docker.io/openziti/ziti-router' }} - ZITI_TUNNEL_IMAGE: ${{ vars.ZITI_TUNNEL_IMAGE || 'docker.io/openziti/ziti-tunnel' }} + ZITI_CLI_IMAGE: ${{ vars.ZITI_CLI_IMAGE || 'openziti/ziti-cli' }} + ZITI_CONTROLLER_IMAGE: ${{ vars.ZITI_CONTROLLER_IMAGE || 'openziti/ziti-controller' }} + ZITI_ROUTER_IMAGE: ${{ vars.ZITI_ROUTER_IMAGE || 'openziti/ziti-router' }} + ZITI_TUNNEL_IMAGE: ${{ vars.ZITI_TUNNEL_IMAGE || 'openziti/ziti-tunnel' }} steps: - name: Checkout Workspace uses: actions/checkout@v4 @@ -49,7 +49,7 @@ jobs: - name: Set Up Container Image Tags for Base CLI Container env: - IMAGE_REPO: ${{ env.ZITI_CLI_IMAGE }} + IMAGE_REPO: ${{ env.REGISTRY }}/${{ env.ZITI_CLI_IMAGE }} IMAGE_TAG: ${{ env.ZITI_CLI_TAG }} id: tagprep_cli shell: bash @@ -81,7 +81,7 @@ jobs: - name: Set Up Container Image Tags for Controller Container env: - IMAGE_REPO: ${{ env. ZITI_CONTROLLER_IMAGE }} + IMAGE_REPO: ${{ env.REGISTRY }}/${{ env.ZITI_CONTROLLER_IMAGE }} IMAGE_TAG: ${{ env.ZITI_CLI_TAG }} id: tagprep_ctrl shell: bash @@ -100,7 +100,7 @@ jobs: tags: ${{ steps.tagprep_ctrl.outputs.DOCKER_TAGS }} build-args: | ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }} - ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }} + ZITI_CLI_IMAGE=${{ env.REGISTRY }}/${{ env.ZITI_CLI_IMAGE }} DOCKER_BUILD_DIR=./dist/docker-images/ziti-controller provenance: mode=max sbom: true @@ -115,7 +115,7 @@ jobs: - name: Set Up Container Image Tags for Router Container env: - IMAGE_REPO: ${{ env.ZITI_ROUTER_IMAGE }} + IMAGE_REPO: ${{ env.REGISTRY }}/${{ env.ZITI_ROUTER_IMAGE }} IMAGE_TAG: ${{ env.ZITI_CLI_TAG }} id: tagprep_router shell: bash 
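Review bot: The defaults now omit the registry host and `${{ env.REGISTRY }}/` is prepended at every use, but a repository variable such as `vars.ZITI_CLI_IMAGE` that still carries the old `docker.io/...` form (the previous default) would silently become `docker.io/docker.io/openziti/ziti-cli` for the pushed tag, for the `ZITI_CLI_IMAGE` build-arg and for the attestation `subject-name`. Document the expected shape next to the defaults, e.g. `# repository path only (no registry host, no tag); REGISTRY is prepended where the name is used`, and consider a small guard step that fails fast when any of the four values contains a host prefix or a `:`, since the attestation action expects `subject-name` to be the fully qualified image name without a tag for it to match what was pushed.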
@@ -134,7 +134,7 @@ jobs: tags: ${{ steps.tagprep_router.outputs.DOCKER_TAGS }} build-args: | ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }} - ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }} + ZITI_CLI_IMAGE=${{ env.REGISTRY }}/${{ env.ZITI_CLI_IMAGE }} DOCKER_BUILD_DIR=./dist/docker-images/ziti-router provenance: mode=max sbom: true @@ -149,7 +149,7 @@ jobs: - name: Set Up Container Image Tags for Go Tunneler Container env: - IMAGE_REPO: ${{ env.ZITI_TUNNEL_IMAGE }} + IMAGE_REPO: ${{ env.REGISTRY }}/${{ env.ZITI_TUNNEL_IMAGE }} IMAGE_TAG: ${{ env.ZITI_CLI_TAG }} id: tagprep_tun shell: bash @@ -168,7 +168,7 @@ jobs: tags: ${{ steps.tagprep_tun.outputs.DOCKER_TAGS }} build-args: | ZITI_CLI_TAG=${{ env.ZITI_CLI_TAG }} - ZITI_CLI_IMAGE=${{ env.ZITI_CLI_IMAGE }} + ZITI_CLI_IMAGE=${{ env.REGISTRY }}/${{ env.ZITI_CLI_IMAGE }} provenance: mode=max sbom: true push: true From 1f8f0c6a9170163e640fa5fae83701ad55d4037b Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 26 Feb 2025 08:33:43 -0500 Subject: [PATCH 3/3] revert ziti-ci version override --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 13b632494..1538bfd4d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -107,7 +107,7 @@ jobs: - name: Install Ziti CI uses: openziti/ziti-ci@v1 with: - ziti-ci-version: 5060ad52f1e83837a15bd234bbe65b4f7595831e + ziti-ci-version: latest - name: Build and Test env: @@ -208,7 +208,7 @@ jobs: - name: Install Ziti CI uses: openziti/ziti-ci@v1 with: - ziti-ci-version: 5060ad52f1e83837a15bd234bbe65b4f7595831e + ziti-ci-version: latest - name: Download linux release artifact uses: actions/download-artifact@v4
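Review bot: The derived images still resolve their base by tag: `ZITI_CLI_IMAGE=${{ env.REGISTRY }}/${{ env.ZITI_CLI_IMAGE }}` together with `ZITI_CLI_TAG` is presumably what the Dockerfile's `FROM` consumes (the Dockerfile is not visible here), even though the exact digest of the CLI image this same run pushed is available as `steps.push_cli.outputs.digest`. A tag re-pointed between the CLI push and this build would go unnoticed, and the `mode=max` provenance of the tunneler image would record a tag rather than an immutable base. Passing the digest, e.g. an extra build-arg `ZITI_CLI_DIGEST=${{ steps.push_cli.outputs.digest }}` consumed as `FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}@${ZITI_CLI_DIGEST}`, pins the base for this and the controller and router builds; the Dockerfile side of that change is outside this diff. The hunk shows only the build-args block of the tunneler step, whose definition starts earlier in the file.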
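Review bot: `ziti-ci-version: latest` replaces a commit-pinned version with a mutable reference in both `Install Ziti CI` steps of the release workflow, so the tool that runs before `Build and Test` (context in the first hunk) can change between two runs of the same commit without any change in this repository. The subject says this reverts a temporary override, so `latest` is evidently the long-standing default, but it sits uneasily with the first patch of this series: the new attestations cover only the container packaging step and say nothing about which `ziti-ci` shaped the binaries that `Download linux release artifact` later feeds into the images. Prefer a release tag or SHA over `latest`, e.g. `ziti-ci-version: "<tag or sha>" # pinned; bump deliberately`, and leave a one-line comment saying why the previous SHA was dropped.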