diff --git a/.github/workflows/github_release.yaml b/.github/workflows/github_release.yaml
new file mode 100644
index 0000000..ff40e11
--- /dev/null
+++ b/.github/workflows/github_release.yaml
@@ -0,0 +1,21 @@
+name: Release
+
+on:
+ release:
+ types: [published]
+
+permissions:
+ contents: write
+
+jobs:
+ release:
+ name: Attest GitHub Release
+ uses: chainloop-dev/labs/.github/workflows/chainloop_github_release.yml@417bad33ca08beaa785ae6a6b933406cd7b935cb
+ with:
+ project: "chainloop"
+ workflow_name: "chainloop-vault-release"
+ additional_materials: "ghcr.io/chainloop-dev/chainloop/control-plane:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/artifact-cas:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/cli:${{ github.ref_name }}"
+ secrets:
+ api_token: ${{ secrets.CHAINLOOP_API_TOKEN }}
+ cosign_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ cosign_password: ${{ secrets.COSIGN_PASSWORD }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
deleted file mode 100644
index 92834da..0000000
--- a/.github/workflows/release.yaml
+++ /dev/null
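Review bot: `permissions: contents: write` is declared at the workflow level, so every job in this file inherits write access to the repository; since the only job delegates to the reusable workflow, moving it under `jobs.release.permissions` keeps any job added later on the default token. A one-line comment on what the write scope is for would also help, because from this file alone it is not clear that attesting a published release needs more than `contents: read` (it may, if the called workflow uploads release assets — confirm against chainloop_github_release.yml). The commit-SHA pin on `uses:` is the right call; a trailing `# <tag that this SHA resolves to>` comment (placeholder) makes future bumps reviewable.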
@@ -1,97 +0,0 @@ -name: Release - -on: - push: - tags: - - "v*.*.*" - -jobs: - release: - name: Release - runs-on: ubuntu-latest - if: github.ref_type == 'tag' - permissions: - packages: write - contents: write # required for goreleaser - steps: - - name: Install Cosign - uses: sigstore/cosign-installer@v2.5.0 - - - name: Install Chainloop - run: | - curl -sfL https://docs.chainloop.dev/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }} - - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Initialize Attestation - run: chainloop attestation init # --contract-revision 2 - - - name: Set up Go - uses: actions/setup-go@v3 - with: - go-version: 1.19 - - - name: Docker login to Github Packages - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Run Go Releaser - id: release - uses: goreleaser/goreleaser-action@v3 - with: - distribution: goreleaser - version: latest - args: release --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - - - uses: anchore/sbom-action@v0 - with: - image: ${{ env.IMAGE }} - format: cyclonedx-json - artifact-name: sbom.cyclonedx.json - output-file: /tmp/sbom.cyclonedx.json - env: - IMAGE: ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }} - - - name: Add Container Image Artifact - run: chainloop attestation add --name image --value ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }} - - - name: Add SBOM Artifact - run: chainloop attestation add --name sbom --value /tmp/sbom.cyclonedx.json - - - name: Add Binary Artifact - run: | - BINARY_PATH="$(echo -n '${{ steps.release.outputs.metadata }}' | jq -r '"dist/" + .project_name + "_" + .version + "_" + .runtime.goos + "_" + .runtime.goarch + ".tar.gz"')" - - chainloop attestation add --name binary --value ${BINARY_PATH} - - - 
name: Finish and Record Attestation - if: ${{ success() }} - run: | - chainloop attestation status --full - chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY - env: - CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} - CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - - - name: Mark attestation as failed - if: ${{ failure() }} - run: | - chainloop attestation reset - - - name: Mark attestation as cancelled - if: ${{ cancelled() }} - run: | - chainloop attestation reset --trigger cancellation - env: - CHAINLOOP_VERSION: 0.8.95 - CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }}
diff --git a/.github/workflows/release_dagger.yaml b/.github/workflows/release_dagger.yaml
new file mode 100644
index 0000000..6dfdc02
--- /dev/null
+++ b/.github/workflows/release_dagger.yaml
@@ -0,0 +1,37 @@
+name: Release using Dagger
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Install Dagger CLI
+ run: |
+ curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
+
+ - name: Build and Publish
+ run: |
+ dagger call -m github.com/chainloop-dev/integration-demo/chainloop-demo/dagger build-and-publish \
+ --proj . \
+ --chainloop-workflow-name $CHAINLOOP_WORKFLOW_NAME \
+ --chainloop-token env:CHAINLOOP_TOKEN \
+ --chainloop-signing-key env:CHAINLOOP_SIGNING_KEY \
+ --chainloop-passphrase env:CHAINLOOP_SIGNING_PASSWORD
+ env:
+ CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+ DAGGER_CLOUD_TOKEN: ${{ secrets.DAGGER_CLOUD_TOKEN }}
+ CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ CHAINLOOP_WORKFLOW_NAME: "build-and-release"
diff --git a/.goreleaser.yml b/.goreleaser.yml
index bba9d0e..6127515 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
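Review bot: The `Install Dagger CLI` step pipes an unversioned, unverified `install.sh` into `sh` on every push to `main`, so the CLI that produces the signed attestation is whatever the download endpoint serves that day; the release.yaml this commit deletes at least pinned the Chainloop CLI with `--version`. Pin it to the engine version this commit declares in dagger.json and fail on HTTP errors instead of executing an error body: `curl -fsSL https://dl.dagger.io/dagger/install.sh | DAGGER_VERSION=0.11.6 BIN_DIR=$HOME/.local/bin sh` (the installer honours DAGGER_VERSION; verify the exact variable against the pinned release). Two smaller points in the same hunk: `dagger call -m github.com/chainloop-dev/integration-demo/chainloop-demo/dagger` resolves the module from the remote repository rather than from the checked-out commit, so `-m ./chainloop-demo/dagger` would keep the run hermetic and consistent with `--proj .`; and `permissions: packages: write` looks unused, since the module in this commit publishes to ttl.sh rather than ghcr.io.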
@@ -16,13 +16,14 @@ signs: "sign-blob", "--key=env://COSIGN_PRIVATE_KEY", "--output-signature=${signature}", + "--yes", "${artifact}", ] artifacts: all docker_signs: - cmd: cosign - args: ["sign", "--key=env://COSIGN_PRIVATE_KEY", "${artifact}"] + args: ["sign", "--yes", "--key=env://COSIGN_PRIVATE_KEY", "${artifact}"] artifacts: all dockers: diff --git a/chainloop-demo/dagger/README.md b/chainloop-demo/dagger/README.md new file mode 100644 index 0000000..dc9a39c --- /dev/null +++ b/chainloop-demo/dagger/README.md @@ -0,0 +1,12 @@ + +Dagger Module that builds a Go application, packages it in a container image, generates its Software Bill Of Materials (SBOM) and attests the result using the Chainloop platform. + +More info about attestation crafting [here](https://docs.chainloop.dev/getting-started/attestation-crafting) + +```sh +$ dagger call -m github.com/chainloop-dev/integration-demo/chainloop-demo/dagger build-and-publish \ + --proj path/to/go-project \ + --chainloop-token env:CHAINLOOP_TOKEN \ + --chainloop-signing-key file:path/to/cosign.key \ + --chainloop-passphrase env:CHAINLOOP_SIGNING_PASSWORD +``` \ No newline at end of file diff --git a/chainloop-demo/dagger/dagger.json b/chainloop-demo/dagger/dagger.json new file mode 100644 index 0000000..0b15597 --- /dev/null +++ b/chainloop-demo/dagger/dagger.json @@ -0,0 +1,24 @@ +{ + "name": "build-and-release", + "sdk": "go", + "dependencies": [ + { + "name": "chainloop", + "source": "github.com/chainloop-dev/chainloop@122e8a4e8643ea2f9632ba246544d274e2de4344" + }, + { + "name": "golang", + "source": "github.com/kpenfound/dagger-modules/golang@5cb802660efb1242e5d7beb382f772f0a3f34616" + }, + { + "name": "syft", + "source": "github.com/fluent-ci-templates/syft-pipeline@5cfd62b6070ff68731875fe7aacdbfd7910e5a95" + }, + { + "name": "wolfi", + "source": "github.com/shykes/daggerverse/wolfi@f678bfe29024559abec0ac77fbbd558bc8402cdf" + } + ], + "source": "src", + "engineVersion": "v0.11.6" +} 
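Review bot: `--yes` on both `sign-blob` and `sign` silently consents to uploading the signature entries to the public transparency log (cosign 2.x otherwise asks interactively), which is fine for a public release but deserves a line saying so, e.g. `# --yes: non-interactive; consents to Rekor transparency-log upload`. Separately, `docker_signs` still signs `${artifact}`, an image:tag reference that cosign resolves at signing time, so the signature is bound to whatever the tag points at in that instant rather than to the manifest; cosign recommends signing the digest, so check whether the goreleaser version in use exposes the image digest to `docker_signs` args and use it. The `signs:` entry this hunk edits starts before the hunk.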
diff --git a/chainloop-demo/dagger/src/.gitattributes b/chainloop-demo/dagger/src/.gitattributes
new file mode 100644
index 0000000..738cf71
--- /dev/null
+++ b/chainloop-demo/dagger/src/.gitattributes
@@ -0,0 +1,5 @@
+/dagger.gen.go linguist-generated
+/querybuilder/** linguist-generated
+/internal/dagger/** linguist-generated
+/internal/querybuilder/** linguist-generated
+/internal/telemetry/** linguist-generated
diff --git a/chainloop-demo/dagger/src/.gitignore b/chainloop-demo/dagger/src/.gitignore
new file mode 100644
index 0000000..6440b09
--- /dev/null
+++ b/chainloop-demo/dagger/src/.gitignore
@@ -0,0 +1,6 @@
+/querybuilder/
+/dagger.gen.go
+/internal
+/internal/dagger
+/internal/querybuilder
+/internal/telemetry
diff --git a/chainloop-demo/dagger/src/go.mod b/chainloop-demo/dagger/src/go.mod
new file mode 100644
index 0000000..a07f780
--- /dev/null
+++ b/chainloop-demo/dagger/src/go.mod
@@ -0,0 +1,35 @@
+module demo
+
+go 1.21.1
+
+require (
+ github.com/99designs/gqlgen v0.17.44
+ github.com/Khan/genqlient v0.7.0
+ github.com/vektah/gqlparser/v2 v2.5.11
+ golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
+ golang.org/x/sync v0.7.0
+)
+
+require (
+ github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+ github.com/go-logr/logr v1.4.1 // indirect
+ github.com/go-logr/stdr v1.2.2 // indirect
+ github.com/google/uuid v1.6.0 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
+ github.com/sosodev/duration v1.2.0 // indirect
+ go.opentelemetry.io/otel v1.26.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0
+ go.opentelemetry.io/otel/metric v1.26.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.26.0
+ go.opentelemetry.io/otel/trace v1.26.0
+ go.opentelemetry.io/proto/otlp v1.2.0 // indirect
+ golang.org/x/net v0.23.0 // indirect
+ golang.org/x/sys v0.19.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
+ google.golang.org/grpc v1.63.2
+ google.golang.org/protobuf v1.33.0 // indirect
+)
diff --git a/chainloop-demo/dagger/src/go.sum b/chainloop-demo/dagger/src/go.sum
new file mode 100644
index 0000000..ac31010
--- /dev/null
+++ b/chainloop-demo/dagger/src/go.sum
@@ -0,0 +1,71 @@ +github.com/99designs/gqlgen v0.17.44 h1:OS2wLk/67Y+vXM75XHbwRnNYJcbuJd4OBL76RX3NQQA= +github.com/99designs/gqlgen v0.17.44/go.mod h1:UTCu3xpK2mLI5qcMNw+HKDiEL77it/1XtAjisC4sLwM= +github.com/Khan/genqlient v0.7.0 h1:GZ1meyRnzcDTK48EjqB8t3bcfYvHArCUUvgOwpz1D4w= +github.com/Khan/genqlient v0.7.0/go.mod h1:HNyy3wZvuYwmW3Y7mkoQLZsa/R5n5yIRajS1kPBvSFM= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= +github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= +github.com/sosodev/duration v1.2.0 h1:pqK/FLSjsAADWY74SyWDCjOcd5l7H8GSnnOGEB9A1Us= +github.com/sosodev/duration v1.2.0/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/vektah/gqlparser/v2 v2.5.11 h1:JJxLtXIoN7+3x6MBdtIP59TP1RANnY7pXOaDnADQSf8= +github.com/vektah/gqlparser/v2 v2.5.11/go.mod h1:1rCcfwB2ekJofmluGWXMSEnPMZgbxzwj6FaZ/4OT8Cc= +go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs= +go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0 h1:Waw9Wfpo/IXzOI8bCB7DIk+0JZcqqsyn1JFnAc+iam8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0/go.mod h1:wnJIG4fOqyynOnnQF/eQb4/16VlX2EJAHhHgqIqWfAo= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 h1:1wp/gyxsuYtuE/JFxsQRtcCDtMrO2qMvlfXALU5wkzI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0/go.mod h1:gbTHmghkGgqxMomVQQMur1Nba4M0MQ8AYThXDUjsJ38= +go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30= +go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4= +go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8= +go.opentelemetry.io/otel/sdk 
v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs= +go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA= +go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0= +go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94= +go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= +google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de h1:jFNzHPIeuzhdRwVhbZdiym9q0ory/xY3sA+v2wPg8I0= +google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda 
h1:LI5DOvAxUPMv/50agcLLoo+AdWc1irS9Rzz4vPuD1V4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= +google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM= +google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/chainloop-demo/dagger/src/main.go b/chainloop-demo/dagger/src/main.go new file mode 100644 index 0000000..0df7a21 --- /dev/null +++ b/chainloop-demo/dagger/src/main.go 
@@ -0,0 +1,87 @@
+package main
+
+import (
+ "context"
+ "demo/internal/dagger"
+ "fmt"
+ "math"
+ "math/rand"
+)
+
+type BuildAndRelease struct{}
+
+// - Build, package and publish a Go application as a container image
+// - Generate a CycloneDX Software Bill Of Materials using Syft
+// - Attest the pieces of evidence (binary, container image, and SBOM) using Chainloop
+// https://docs.chainloop.dev/getting-started/attestation-crafting
+func (m *BuildAndRelease) BuildAndPublish(ctx context.Context, proj *Directory, chainloopWorkflowName string, chainloopToken, chainloopSigningKey, chainloopPassphrase *Secret) (status string, err error) {
+ // Initialize the attestation
+ attestation := dag.Chainloop().Init(chainloopToken, chainloopWorkflowName, dagger.ChainloopInitOpts{Repository: proj})
+ // Force the execution of the init method
+ // If Sync is not executed, init will happen at the end of the function
+ _, err = attestation.Sync(ctx)
+ if err != nil {
+ return "", fmt.Errorf("failed to initialize attestation: %w", err)
+ }
+
+ // Finish/Mark as failed the attestation once we are done
+ defer func() {
+ // If there was an error in the process, mark the attestation as failed in Chainloop
+ if err != nil {
+ _, _ = attestation.MarkFailed(ctx, dagger.ChainloopAttestationMarkFailedOpts{Reason: err.Error()})
+ } else {
+ // Push the attestation to Chainloop
+ _, err = attestation.Push(ctx, dagger.ChainloopAttestationPushOpts{
+ Key: chainloopSigningKey,
+ Passphrase: chainloopPassphrase,
+ })
+ }
+ }()
+
+ // Build software artifacts
+ res, err := m.doBuildAndPublish(ctx, proj)
+ if err != nil {
+ return "", fmt.Errorf("failed to build and publish artifacts: %w", err)
+ }
+
+ // Attest the pieces of evidence
+ attestation = attestation.
+ // Container image
+ AddRawEvidence(res.imageRepo, dagger.ChainloopAttestationAddRawEvidenceOpts{Name: "image"}).
+ // Binary + AddFileEvidence(res.binary, dagger.ChainloopAttestationAddFileEvidenceOpts{Name: "binary"}) + if _, err := attestation.Sync(ctx); err != nil { + return "", fmt.Errorf("failed to add evidence to attestation: %w", err) + } + + // Return information about the attestation + return attestation.Status(ctx) +} + +type buildResult struct { + // Go binary + binary *File + // Path to the container image repository + imageRepo string + // SBOM file + sbom *File +} + +func (m *BuildAndRelease) doBuildAndPublish(ctx context.Context, proj *Directory) (*buildResult, error) { + // Build the go binary + binary := dag.Golang().WithProject(proj).Build([]string{"-o", "server"}).File("server") + + // Generate a CycloneDX SBOM from the source code + sbom := dag.Syft().Sbom(proj, "sbom.json", SyftSbomOpts{Output: "cyclonedx-json"}) + + // Build and publish a container image + imageRepo, err := dag.Wolfi().Container(). + WithFile("/server", binary). + WithEntrypoint([]string{"/server"}). + Publish(ctx, fmt.Sprintf("ttl.sh/chainloop-demo-%.0f", math.Floor(rand.Float64()*10000000))) //#nosec + if err != nil { + return nil, fmt.Errorf("failed to build and publish container image: %w", err) + } + + return &buildResult{imageRepo: imageRepo, sbom: sbom, binary: binary}, nil +} diff --git a/chainloop-demo/github-workflow/release.v1.yaml b/chainloop-demo/github-workflow/release.v1.yaml index 36fac53..b813927 100644 --- a/chainloop-demo/github-workflow/release.v1.yaml +++ b/chainloop-demo/github-workflow/release.v1.yaml @@ -81,5 +81,5 @@ jobs: run: | chainloop attestation reset --trigger cancellation env: - CHAINLOOP_VERSION: 0.8.92 + CHAINLOOP_VERSION: 0.12.0 CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }} diff --git a/chainloop-demo/github-workflow/release.v2.yaml b/chainloop-demo/github-workflow/release.v2.yaml index a0923b3..8e154ff 100644 --- a/chainloop-demo/github-workflow/release.v2.yaml +++ b/chainloop-demo/github-workflow/release.v2.yaml 
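Review bot: `doBuildAndPublish` generates the Syft SBOM and returns it in `buildResult.sbom`, but `BuildAndPublish` only adds `res.imageRepo` and `res.binary` as evidence, so the SBOM the header comment promises never reaches the attestation (and, since the pipeline is lazy, is probably never even produced). Add it to the chain between the image and binary calls: `AddFileEvidence(res.sbom, dagger.ChainloopAttestationAddFileEvidenceOpts{Name: "sbom"}).`, matching the `--name sbom` material the deleted release.yaml attested. The `//#nosec` on the ttl.sh image name is defensible because the name is not a secret, but say so rather than leave a bare suppression: `// math/rand is fine here: the name only needs to avoid collisions on a public, anonymous registry`. Note also that the ref recorded as raw evidence is only tamper-evident if Publish returns a digest-qualified reference — confirm that rather than assume it.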
@@ -93,5 +93,5 @@ jobs: run: | chainloop attestation reset --trigger cancellation env: - CHAINLOOP_VERSION: 0.8.92 + CHAINLOOP_VERSION: 0.12.0 CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }} diff --git a/go.mod b/go.mod index 365172f..6705826 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/chainloop-dev/integration-demo -go 1.19 +go 1.21 require ( github.com/bmizerany/pat v0.0.0-20210406213842-e4b6760bdd6f