Merge branch 'main' of github.com:IBM/mcp-context-forge

crivetimihai · crivetimihai · commit fbd1308656f4 · 2025-05-31T16:51:45.000+01:00
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -0,0 +1,209 @@
+# ===============================================================
+# 📦 Secure Docker Build & Scan Workflow
+# ===============================================================
+#
+# This workflow:
+#   • Builds and tags the container image (`latest` + timestamp)
+#   • Re-uses a BuildKit layer cache for faster rebuilds
+#   • Lints the Dockerfile with **Hadolint** (CLI) → SARIF
+#   • Lints the finished image with **Dockle** (CLI) → SARIF
+#   • Generates an SPDX SBOM with **Syft**
+#   • Scans the image for CRITICAL/HIGH CVEs with **Trivy**
+#   • Uploads Hadolint, Dockle and Trivy results as SARIF files
+#   • Pushes the image to **GitHub Container Registry (GHCR)**
+#   • Signs & attests the image with **Cosign (key-less OIDC)**
+#
+# Triggers:
+#   • Every push / PR to `main`
+#   • Weekly scheduled run (Tue 18:17 UTC) to catch new CVEs
+# ---------------------------------------------------------------
+
+name: Secure Docker Build
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '17 18 * * 2'   # Tuesday @ 18:17 UTC
+
+# -----------------------------------------------------------------
+# Minimal permissions – keep the principle of least privilege
+# -----------------------------------------------------------------
+permissions:
+  contents:        read
+  packages:        write   # push to ghcr.io via GITHUB_TOKEN
+  security-events: write   # upload SARIF to “Code scanning”
+  actions:         read    # needed by upload-sarif in private repos
+  id-token: write  # required for OIDC token generation
+
+jobs:
+  build-scan-sign:
+    runs-on: ubuntu-latest
+
+    env:
+      CACHE_DIR: /tmp/.buildx-cache   # BuildKit layer cache dir
+
+    steps:
+    # -------------------------------------------------------------
+    # 0️⃣  Checkout source
+    # -------------------------------------------------------------
+    - name: ⬇️  Checkout code
+      uses: actions/checkout@v4
+
+    # -------------------------------------------------------------
+    # 0️⃣.5️⃣  Derive lower-case IMAGE_NAME for Docker tag
+    # -------------------------------------------------------------
+    - name: 🏷️  Set IMAGE_NAME (lower-case repo path)
+      run: |
+        IMAGE="ghcr.io/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
+        echo "IMAGE_NAME=$IMAGE" >> "$GITHUB_ENV"
+        echo "Will build & push: $IMAGE_NAME"
+
+    # -------------------------------------------------------------
+    # 1️⃣  Dockerfile lint (Hadolint CLI → SARIF)
+    # -------------------------------------------------------------
+    - name: 🔍  Dockerfile lint (Hadolint)
+      id: hadolint
+      continue-on-error: true
+      run: |
+        curl -sSL https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint
+        chmod +x /usr/local/bin/hadolint
+        hadolint -f sarif Containerfile.lite > hadolint-results.sarif
+        echo "HADOLINT_EXIT=$?" >> "$GITHUB_ENV"
+        exit 0
+    - name: ☁️  Upload Hadolint SARIF
+      if: always()
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: hadolint-results.sarif
+
+    # -------------------------------------------------------------
+    # 2️⃣  Set up Buildx & restore cache
+    # -------------------------------------------------------------
+    - name: 🛠️  Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: 🔄  Restore BuildKit layer cache
+      uses: actions/cache@v4
+      with:
+        path: ${{ env.CACHE_DIR }}
+        key:  ${{ runner.os }}-buildx-${{ github.sha }}
+        restore-keys: ${{ runner.os }}-buildx-
+
+    # -------------------------------------------------------------
+    # 3️⃣  Build & tag image (timestamp + latest)
+    # -------------------------------------------------------------
+    - name: 🏗️  Build Docker image
+      run: |
+        TAG=$(date +%s)
+        echo "TAG=$TAG" >> "$GITHUB_ENV"
+        docker buildx build \
+          --file Containerfile.lite \
+          --tag $IMAGE_NAME:$TAG \
+          --tag $IMAGE_NAME:latest \
+          --cache-from type=local,src=${{ env.CACHE_DIR }} \
+          --cache-to   type=local,dest=${{ env.CACHE_DIR }},mode=max \
+          --load \
+          .   # build context is mandatory
+
+    # -------------------------------------------------------------
+    # 4️⃣  Image lint (Dockle CLI → SARIF)
+    # -------------------------------------------------------------
+    - name: 🔍  Image lint (Dockle)
+      id: dockle
+      continue-on-error: true
+      env:
+        DOCKLE_VERSION: 0.4.15
+      run: |
+        curl -sSL "https://github.com/goodwithtech/dockle/releases/download/v${DOCKLE_VERSION}/dockle_${DOCKLE_VERSION}_Linux-64bit.tar.gz" \
+          | tar -xz -C /usr/local/bin dockle
+        dockle --exit-code 1 --format sarif \
+               --output dockle-results.sarif \
+               $IMAGE_NAME:latest
+        echo "DOCKLE_EXIT=$?" >> "$GITHUB_ENV"
+        exit 0
+    - name: ☁️  Upload Dockle SARIF
+      if: always()
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: dockle-results.sarif
+
+    # -------------------------------------------------------------
+    # 5️⃣  Generate SPDX SBOM with Syft
+    # -------------------------------------------------------------
+    - name: 📄  Generate SBOM (Syft)
+      uses: anchore/sbom-action@v0
+      with:
+        image: ${{ env.IMAGE_NAME }}:latest
+        output-file: sbom.spdx.json
+
+    # -------------------------------------------------------------
+    # 6️⃣  Trivy CVE scan → SARIF
+    # -------------------------------------------------------------
+    - name: 🛡️  Trivy vulnerability scan
+      id: trivy
+      continue-on-error: true
+      uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+      with:
+        image-ref: ${{ env.IMAGE_NAME }}:latest
+        format: sarif
+        output: trivy-results.sarif
+        severity: CRITICAL,HIGH
+        exit-code: 1
+    - name: ☁️  Upload Trivy SARIF
+      if: always()
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: trivy-results.sarif
+
+    # -------------------------------------------------------------
+    # 7️⃣  Push both tags to GHCR
+    # -------------------------------------------------------------
+    - name: 🔑  Log in to GHCR
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: 🚀  Push image to GHCR
+      run: |
+        docker push $IMAGE_NAME:${{ env.TAG }}
+        docker push $IMAGE_NAME:latest
+
+    # -------------------------------------------------------------
+    # 8️⃣  Key-less Cosign sign + attest  (latest **and** timestamp)
+    # -------------------------------------------------------------
+    - name: 📥 Install Cosign
+      uses: sigstore/cosign-installer@v3   # provides the matching CLI
+
+    - name: 🔏 Sign & attest images (latest + timestamp)
+      env:
+        COSIGN_EXPERIMENTAL: "1"
+      run: |
+        for REF in $IMAGE_NAME:latest $IMAGE_NAME:${{ env.TAG }}; do
+          echo "🔑 Signing $REF"
+          cosign sign --yes "$REF"
+          
+          echo "📝 Attesting SBOM for $REF"
+          cosign attest --yes \
+                       --predicate sbom.spdx.json \
+                       --type spdxjson \
+                       "$REF"
+        done
+
+    # -------------------------------------------------------------
+    # 9️⃣  Single gate – fail job on any scanner error
+    # -------------------------------------------------------------
+    - name: ⛔  Enforce lint & vuln gates
+      if: |
+        env.HADOLINT_EXIT != '0' ||
+        env.DOCKLE_EXIT   != '0' ||
+        steps.trivy.outcome == 'failure'
+      run: |
+        echo "Hadolint exit: $HADOLINT_EXIT"
+        echo "Dockle  exit: $DOCKLE_EXIT"
+        echo "Trivy   status: ${{ steps.trivy.outcome }}"
+        exit 1
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -0,0 +1,47 @@
+# Build-only workflow — runs `make dist` to create sdist & wheel, no lint/tests
+# Docs: https://docs.github.com/en/actions  |  PyPA build: https://pypi.org/project/build
+
+name: Build Python Package
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build-package:
+    runs-on: ubuntu-latest
+
+    # Build the package under multiple Python versions to catch ABI issues early
+    strategy:
+      matrix:
+        python-version: [ "3.10", "3.11", "3.12" ]  # Extend as needed
+
+    steps:
+      # 1️⃣  Check out repository so Makefile & sources are available
+      - name: Checkout code
+        uses: actions/checkout@v4     # Standard checkout step
+
+      # 2️⃣  Set up the requested Python version from the runner tool-cache
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5  # Recommended approach for consistent PATH
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      # 3️⃣  Install build front-end; Keep pip current
+      - name: Install build tool
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install build   # PyPA-endorsed PEP 517 builder
+
+      # 4️⃣  Invoke the Makefile ‘dist’ target (creates ./dist/*.whl & *.tar.gz)
+      - name: Build distributions
+        run: make dist                 # Uses the Makefile’s `dist` rule
+
+      # 5️⃣  Upload built artifacts so they can be downloaded from the run page
+      - name: Upload distributions
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-package-${{ matrix.python-version }}
+          path: dist/*
