attest 4.63.0 images

fleetdm · Feb 4, 2025 · de1e675 · de1e675
1 parent f4c9c04
commit de1e675
Show file tree

Hide file tree

Showing 2 changed files with 791 additions and 0 deletions.
diff --git a/.github/workflows/attest-images.yaml b/.github/workflows/attest-images.yaml
@@ -0,0 +1,89 @@
+# This workflow file is a modified version of the goreleaser workflow file which runs during releases. 
+# Its purpose is to attest the Docker images produced in https://github.com/fleetdm/fleet/actions/runs/13139072879,
+# which successfully built the images but failed to upload an attestation due to an error in the attest-build-provenance action.
+# Under normal circumstances, the attest-build-provenance action would be run in the goreleaser workflow file.
+name: attest 4.63.0 docker images
+
+on:
+  push:
+    branches:
+      - attest-4.63.0-images
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+    shell: bash
+
+permissions:
+  contents: read
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-20.04-4-cores
+    environment: Docker Hub
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+      packages: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          fetch-depth: 0 # Needed for goreleaser
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
+
+      - name: Copy artifacts file # this is the artifacts file from the goreleaser run
+        run: |
+          mkdir ./dist
+          cp ./.github/workflows/config/artifacts.json ./dist/artifacts.json
+
+      - name: Get tag
+        run: |
+          echo "TAG=v4.63.0" >> $GITHUB_OUTPUT
+        id: docker
+
+      # Get the image digests from the goreleaser artifacts
+      - name: Get image digests
+        continue-on-error: true
+        id: image_digests
+        run: |
+          digest_fleet=$(cat ./dist/artifacts.json | jq -r 'first(.[]|select(.type == "Published Docker Image" and (.name == "fleetdm/fleet:${{ steps.docker.outputs.tag }}")) | select(. != null)|.extra.Digest)')
+          echo "digest_fleet=$digest_fleet" >> "$GITHUB_OUTPUT"
+          digest_fleetctl=$(cat ./dist/artifacts.json | jq -r 'first(.[]|select(.type == "Published Docker Image" and (.name  == "fleetdm/fleetctl:${{ steps.docker.outputs.tag }}")) | select(. != null)|.extra.Digest)')
+          echo "digest_fleetctl=$digest_fleetctl" >> "$GITHUB_OUTPUT"
+
+      - name: Pull Docker images
+        run: |
+          docker pull fleetdm/fleet:${{ steps.docker.outputs.tag }} 
+          docker pull fleetdm/fleetctl:${{ steps.docker.outputs.tag }} 
+
+      - name: Attest Fleet image
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        continue-on-error: true
+        with:
+          subject-digest: ${{steps.image_digests.outputs.digest_fleet}}
+          subject-name: "fleetdm/fleet"
+          push-to-registry: true
+
+      - name: Attest FleetCtl image
+        uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
+        continue-on-error: true
+        with:
+          subject-digest: ${{steps.image_digests.outputs.digest_fleetctl}}
+          subject-name: "fleetdm/fleetctl"
+          push-to-registry: true