buildsafedev · dipankardas011 · Oct 2, 2024 · Oct 2, 2024 · Oct 3, 2024 · Oct 4, 2024
diff --git a/.github/workflows/go-base-amd64.yaml b/.github/workflows/go-base-amd64.yaml
@@ -0,0 +1,215 @@
+name: go-base
+env:
+  image_tag: v1
+  REGISTRY: ghcr.io
+  owner: buildsafedev
+  runtime_image: go-base-runtime
+  dev_image: go-base-dev
+  final_image: go-final
+  final_arm64_image: go-final-arm64
+  final_amd64_image: go-final-amd64
+
+on:
+  push:
+
+jobs:
+  prepare-go-dev:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run Prepare Action
+        uses: buildsafedev/multiarch-build--action/prepare-action@main
+        with:
+          oci_registry_username: ${{ env.owner}}
+          oci_registry_password: ${{ secrets.GITHUB_TOKEN }}
+          image_name: ${{ env.owner }}/${{ env.dev_image }}
+          ociBlock: go-dev
+          tag: ${{ env.image_tag }}
+
+  prepare-go-runtime:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run Prepare Action
+        uses: buildsafedev/multiarch-build--action/prepare-action@main
+        with:
+          oci_registry_username: ${{ env.owner }}
+          oci_registry_password: ${{ secrets.GITHUB_TOKEN }}
+          image_name: ${{ env.owner }}/${{ env.runtime_image }}
+          ociBlock: go-runtime
+          tag: ${{ env.image_tag }}
+
+  build:
+    needs: [prepare-go-dev, prepare-go-runtime]
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: [ubuntu-latest]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Build Action
+        uses: buildsafedev/multiarch-build--action/build-action@main
+        with:
+          oci_registry_username: ${{ env.owner }}
+          oci_registry_password: ${{ secrets.GITHUB_TOKEN }}
+          ociBlocks: go-dev go-runtime
+          directory: "go-server-example"
+          registry: ghcr.io
+
+  hermetic_builds:
+    runs-on: ubuntu-latest
+    needs: build
+    outputs:
+      amd64_digest: ${{ steps.build_amd64.outputs.digest }}
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{env.owner}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Download meta bake definition
+        uses: actions/download-artifact@v4
+        with:
+          name: bake-meta-${{ format('go-dev', 'go-runtime') }}
+          path: /tmp
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Verify digest files after download
+        shell: bash
+        run: |
+          echo "Downloaded digest files:"
+      - name: Build hermetic image amd64
+        id: build_amd64
+        working-directory: go-server-example
+        run: |
+          base_img_digest=$(printf "sha256:%s" "$(basename /tmp/digests/go-dev/*)")
+          runtime_img_digest=$(printf "sha256:%s" "$(basename /tmp/digests/go-runtime/*)")
+          docker buildx create --name mybuilder --use --driver docker-container
+          docker buildx build \
+            --build-arg BASE_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.dev_image }}@${base_img_digest} \
+            --build-arg RUNTIME_IMAGE=${{ env.REGISTRY }}/${{ env.owner }}/${{ env.runtime_image }}@${runtime_img_digest} \
+            --no-cache \
+            --tag ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} \
+            --network=none \
+            --attest type=provenance,mode=min \
+            --platform=linux/amd64 \
+            --push \
+            --output type=image \
+            https://github.com/buildsafedev/examples.git\#multiarch-builds:go-server-example
+          # Get the digest of the built image
+          amd64_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{ env.owner }}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
+          echo "digest=$amd64_digest" >> $GITHUB_OUTPUT
+  artifact:
+    runs-on: ubuntu-latest
+    needs: hermetic_builds
+    permissions:
+      id-token: write
+      packages: write
+      contents: read
+      attestations: write
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{env.owner}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Attest-amd64
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}
+          subject-digest: ${{ needs.hermetic_builds.outputs.amd64_digest }}
+          push-to-registry: true
+
+  scan_image:
+    needs: artifact
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write 
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Setup Nix development environment
+        uses: nicknovitski/nix-develop@v1
+        with:
+          arguments: ./go-server-example/bsf/.#devShell
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{env.owner}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Is hermetic build
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --format "{{ json .Provenance.SLSA }}" > slsa.json
+          cat slsa.json
+          if grep -q "https://mobyproject.org/buildkit@v1#hermetic\": true" slsa.json; then
+            echo "Hermetic build"
+          else
+            echo "Not a hermetic build"
+            exit 1
+          fi
+
+      - name: Check for vulnerabilities
+        run: grype ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} --only-fixed --fail-on low
+
+
+  sign_image:
+    needs: scan_image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{env.owner}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+         cosign-release: 'v2.4.1'
+
+      - name: Sign and push image
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+        run: |
+           final_img_digest=$(docker manifest inspect ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}:${{ env.image_tag }} | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')
+           cosign sign --yes ${{ env.REGISTRY }}/${{env.owner}}/${{ env.final_amd64_image }}@${final_img_digest}    
+
+