security: pin Docker base images by SHA, cosign signing in release, branch protection
- Pin alpine:3.20 by SHA digest in all Dockerfiles (Pinned-Dependencies)
- Add cosign keyless signing for Docker images and binary (Signed-Releases)
- Enable branch protection: strict status checks, linear history, no force push
- Add .sig and .pem to GitHub Release assets
23
.github/workflows/release.yml
vendored
23
.github/workflows/release.yml
vendored
@@ -18,6 +18,7 @@ jobs:
|
|||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
packages: write
|
||||||
|
id-token: write # Sigstore cosign keyless signing
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||||
@@ -130,6 +131,17 @@ jobs:
|
|||||||
cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max
|
cache-to: type=registry,ref=${{ env.NORA }}/${{ env.IMAGE_NAME }}-cache:astra,mode=max
|
||||||
|
|
||||||
# ── Smoke test ──────────────────────────────────────────────────────────
|
# ── Smoke test ──────────────────────────────────────────────────────────
|
||||||
|
- name: Install cosign
|
||||||
|
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd1d5ad67616c25 # v3
|
||||||
|
|
||||||
|
- name: Sign Docker images (keyless Sigstore)
|
||||||
|
run: |
|
||||||
|
TAGS=($(echo "${{ steps.meta-alpine.outputs.tags }}" | tr "\n" " "))
|
||||||
|
for tag in "${TAGS[@]}"; do
|
||||||
|
[[ "$tag" == *"localhost"* ]] && continue
|
||||||
|
cosign sign --yes "$tag"
|
||||||
|
done
|
||||||
|
|
||||||
- name: Smoke test — verify alpine image starts and responds
|
- name: Smoke test — verify alpine image starts and responds
|
||||||
run: |
|
run: |
|
||||||
docker rm -f nora-smoke 2>/dev/null || true
|
docker rm -f nora-smoke 2>/dev/null || true
|
||||||
@@ -189,7 +201,8 @@ jobs:
|
|||||||
needs: [build, scan]
|
needs: [build, scan]
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: write
|
||||||
packages: read
|
id-token: write # Sigstore cosign keyless signing
|
||||||
|
packages: write # cosign needs push for signatures
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||||
@@ -226,6 +239,12 @@ jobs:
|
|||||||
format: cyclonedx-json
|
format: cyclonedx-json
|
||||||
output-file: nora-${{ github.ref_name }}.sbom.cdx.json
|
output-file: nora-${{ github.ref_name }}.sbom.cdx.json
|
||||||
|
|
||||||
|
- name: Install cosign
|
||||||
|
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd1d5ad67616c25 # v3
|
||||||
|
|
||||||
|
- name: Sign binary with cosign (keyless Sigstore)
|
||||||
|
run: cosign sign-blob --yes --output-signature nora-linux-amd64.sig --output-certificate nora-linux-amd64.pem ./nora-linux-amd64
|
||||||
|
|
||||||
- name: Create Release
|
- name: Create Release
|
||||||
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
|
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
|
||||||
with:
|
with:
|
||||||
@@ -233,6 +252,8 @@ jobs:
|
|||||||
files: |
|
files: |
|
||||||
nora-linux-amd64
|
nora-linux-amd64
|
||||||
nora-linux-amd64.sha256
|
nora-linux-amd64.sha256
|
||||||
|
nora-linux-amd64.sig
|
||||||
|
nora-linux-amd64.pem
|
||||||
nora-${{ github.ref_name }}.sbom.spdx.json
|
nora-${{ github.ref_name }}.sbom.spdx.json
|
||||||
nora-${{ github.ref_name }}.sbom.cdx.json
|
nora-${{ github.ref_name }}.sbom.cdx.json
|
||||||
body: |
|
body: |
|
||||||
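Review bot: In the "Sign Docker images" step (hunk @@ -130) `cosign sign --yes "$tag"` signs by tag, so the signature binds to whatever digest the tag resolves to at that instant rather than to the image this job just built; sign by digest instead, e.g. `cosign sign --yes "${tag}@${DIGEST}"` with `DIGEST: ${{ steps.<build-step-id>.outputs.digest }}` (placeholder — the build-push-action step id is outside the hunk) taken from the build step, which is also what cosign's own tag-reference warning asks for. The signing step is placed before the smoke test, so an image that fails the smoke test has already been signed and its signature pushed to the registry; moving the two cosign steps below the smoke test keeps a signature meaning "built and checked". In the release job (hunk @@ -189) `packages: read` is widened to `packages: write`, but the only cosign step visible in that job is `sign-blob`, which talks to Fulcio/Rekor and never pushes to GHCR, so the original `packages: read` looks sufficient unless a step outside the hunk signs an image from that job.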
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
# syntax=docker/dockerfile:1.4
|
# syntax=docker/dockerfile:1.4
|
||||||
# Binary is pre-built by CI (cargo build --release) and passed via context
|
# Binary is pre-built by CI (cargo build --release) and passed via context
|
||||||
FROM alpine:3.20
|
FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805
|
||||||
|
|
||||||
RUN apk add --no-cache ca-certificates && mkdir -p /data
|
RUN apk add --no-cache ca-certificates && mkdir -p /data
|
||||||
|
|
||||||
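Review bot: With `FROM alpine:3.20@sha256:…` now pinned, `RUN apk add --no-cache ca-certificates` on the next line is the remaining unpinned input to this image: apk resolves `ca-certificates` against the live index at build time, so two builds of the same commit can still differ (hadolint DL3018). Pinning it as `apk add --no-cache ca-certificates=<version>` (placeholder — take the version from `apk info ca-certificates` on this base) closes that gap, and the same `apk add` line appears in the `certs` stage of the other two Dockerfiles in this commit. The `# syntax=docker/dockerfile:1.4` frontend on the first line is likewise a tag reference and accepts the same `@sha256:` form if complete pinning is the goal. If the digest is a single-platform manifest rather than the tag's manifest list, only that architecture will build — worth confirming against the platforms the build-push-action step targets. A short comment beside the digest, `# alpine:3.20 digest; refreshed by Renovate/Dependabot docker updates`, would tell the next maintainer how it stays current, since a stale digest silently stops picking up base-image fixes.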
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
# FROM registry.astralinux.ru/library/alse:latest
|
# FROM registry.astralinux.ru/library/alse:latest
|
||||||
# RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
|
# RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
FROM alpine:3.20 AS certs
|
FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
|
||||||
RUN apk add --no-cache ca-certificates
|
RUN apk add --no-cache ca-certificates
|
||||||
|
|
||||||
FROM scratch
|
FROM scratch
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
# FROM registry.red-soft.ru/redos/redos:8
|
# FROM registry.red-soft.ru/redos/redos:8
|
||||||
# RUN dnf install -y ca-certificates && dnf clean all
|
# RUN dnf install -y ca-certificates && dnf clean all
|
||||||
|
|
||||||
FROM alpine:3.20 AS certs
|
FROM alpine:3.20@sha256:a4f4213abb84c497377b8544c81b3564f313746700372ec4fe84653e4fb03805 AS certs
|
||||||
RUN apk add --no-cache ca-certificates
|
RUN apk add --no-cache ca-certificates
|
||||||
|
|
||||||
FROM scratch
|
FROM scratch
|
||||||
|
|||||||