feat(workflows): attest all release artifacts at build time (#1743)

Signed-off-by: Javier Rodriguez <[email protected]>
Signed-off-by: Jose I. Paris <[email protected]>
Co-authored-by: Javier Rodriguez <[email protected]>

Author: jiparis

.github/workflows/build_and_package.yaml

@@ -13,9 +13,31 @@ jobs:
   test:
     uses: chainloop-dev/chainloop/.github/workflows/test.yml@main
 
+  init_attestation:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.ref_type == 'tag' # Guard to make sure we are releasing once
+    outputs:
+      attestation_id: ${{ steps.init_attestation.outputs.attestation_id }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://docs.chainloop.dev/install.sh | bash -s
+
+      - name: Initialize Attestation
+        id: init_attestation
+        run: |
+          attestation_id=$(chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME} --release --remote-state -o json | jq -r .attestationID)
+          echo "attestation_id=$attestation_id" >> $GITHUB_OUTPUT
+        env:
+          CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+          CHAINLOOP_WORKFLOW_NAME: "chainloop-vault-build-and-package"
+          CHAINLOOP_PROJECT_NAME: "chainloop"
+
   release:
     name: Release CLI and control-plane/artifact-cas container images
-    needs: test
+    needs: init_attestation
     runs-on: ubuntu-latest
     if: github.ref_type == 'tag' # Guard to make sure we are releasing once
     permissions:
@@ -24,12 +46,10 @@ jobs:
       pull-requests: write
     env:
       CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
-      CONTAINER_IMAGE_CP: ghcr.io/chainloop-dev/chainloop/control-plane:${{ github.ref_name }}
-      CONTAINER_IMAGE_CAS: ghcr.io/chainloop-dev/chainloop/artifact-cas:${{ github.ref_name }}
-      CONTAINER_IMAGE_CLI: ghcr.io/chainloop-dev/chainloop/cli:${{ github.ref_name }}
-      GH_TOKEN: ${{ github.token }}
-      CHAINLOOP_WORKFLOW_NAME: "chainloop-vault-build-and-package"
-      CHAINLOOP_PROJECT: "chainloop"
+      ATTESTATION_ID: ${{ needs.init_attestation.outputs.attestation_id }}
+    outputs:
+      matrix: ${{ steps.attest_goreleaser.outputs.matrix }}
+
     steps:
       - name: Install Cosign
         uses: sigstore/cosign-installer@ef6a6b364bbad08abd36a5f8af60b595d12702f8 # main
@@ -38,21 +58,11 @@ jobs:
 
       - name: Install Chainloop
         run: |
-          curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s
-
-      - name: Download jq
-        run: |
-          sudo wget -q https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O /usr/local/bin/jq
-          sudo chmod u+x /usr/local/bin/jq
+          curl -sfL https://docs.chainloop.dev/install.sh | bash -s
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      # mark this attestation as a release
-      - name: Initialize Attestation
-        run: |
-          chainloop attestation init --workflow $CHAINLOOP_WORKFLOW_NAME --project $CHAINLOOP_PROJECT --release
-
       - name: Docker login to Github Packages
         uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
         with:
@@ -84,40 +94,19 @@ jobs:
           POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
           POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
 
-      - uses: anchore/sbom-action@c6aed38a4323b393d05372c58a74c39ae8386d02 # v0.15.6
-        with:
-          image: ${{ env.CONTAINER_IMAGE_CP }}
-          format: cyclonedx-json
-          artifact-name: controlplane.cyclonedx.json
-          output-file: /tmp/sbom.cp.cyclonedx.json
-
-      - uses: anchore/sbom-action@c6aed38a4323b393d05372c58a74c39ae8386d02 # v0.15.6
-        with:
-          image: ${{ env.CONTAINER_IMAGE_CAS }}
-          format: cyclonedx-json
-          artifact-name: cas.cyclonedx.json
-          output-file: /tmp/sbom.cas.cyclonedx.json
-
-      - uses: anchore/sbom-action@c6aed38a4323b393d05372c58a74c39ae8386d02 # v0.15.6
-        with:
-          image: ${{ env.CONTAINER_IMAGE_CLI }}
-          format: cyclonedx-json
-          artifact-name: cli.cyclonedx.json
-          output-file: /tmp/sbom.cli.cyclonedx.json
-
-      - name: Add Attestation from Goreleaser Output
-        run: |
-          jq -r . <<< '${{ steps.release.outputs.artifacts }}' > /tmp/artifacts.json
-          chainloop attestation add --name goreleaser-output --value /tmp/artifacts.json
-
-      - name: Finish and Record Attestation
-        if: ${{ success() }}
+      - name: Attest GoReleaser outputs
+        id: attest_goreleaser
         run: |
-          chainloop attestation status --full
-          chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
-        env:
-          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}
+          # goreleaser output resides in dist/artifacts.json
+          # Attest all built containers and manifests
+          images=$(cat dist/artifacts.json | jq -r '[.[] | select(.type=="Docker Image" or .type=="Docker Manifest") | {"type": "image", "path": .path}]')
+          
+          # Attest CLI archives
+          archives=$(cat dist/artifacts.json | jq -r '[.[] | select(.type=="Archive") | {"type": "archive", "path": .path}]')
+          
+          # convert them to json and join arrays
+          artifacts_json=$(jq -c -s 'add' <(echo "$images") <(echo "$archives"))
+          echo "matrix=$artifacts_json" >> $GITHUB_OUTPUT
 
       - name: Bump Chart and Dagger Version
         run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger ${{ github.ref_name }}
@@ -137,14 +126,76 @@ jobs:
             automated
             helm
 
+  generate_sboms_and_attest:
+    name: ${{ matrix.artifact.path }}
+    permissions:
+      packages: read
+      contents: read
+    needs: release
+    runs-on: ubuntu-latest
+    env:
+      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+      ATTESTATION_ID: ${{ needs.init_attestation.outputs.attestation_id }}
+    strategy:
+      matrix:
+        artifact: ${{ fromJson(needs.release.outputs.matrix) }}
+
+    steps:
+      - name: Docker login to Github Packages
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://docs.chainloop.dev/install.sh | bash -s
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
+        if: ${{ matrix.artifact.type == 'image' }}
+        with:
+          image: ${{ matrix.artifact.path }}
+          format: cyclonedx-json
+          output-file: /tmp/sbom.cyclonedx.json
+
+      - uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
+        if: ${{ matrix.artifact.type == 'archive' }}
+        with:
+          file: ${{ matrix.artifact.path }}
+          format: cyclonedx-json
+          output-file: /tmp/sbom.cyclonedx.json
+
+      - name: Add Artifact and SBOM to attestation
+        run: |
+          chainloop attestation add --value ${{ matrix.artifact.path }} --attestation-id ${{ env.ATTESTATION_ID }}
+          chainloop attestation add --value /tmp/sbom.cyclonedx.json --attestation-id ${{ env.ATTESTATION_ID }}
+
+  finish_attestation:
+    name: Finish Attestation
+    runs-on: ubuntu-latest
+    needs: generate_sboms_and_attest
+    steps:
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://docs.chainloop.dev/install.sh | bash -s
+
+      - name: Finish and Record Attestation
+        if: ${{ success() }}
+        run: |
+          chainloop attestation push --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
+
       - name: Mark attestation as failed
         if: ${{ failure() }}
         run: |
-          chainloop attestation reset
+          chainloop attestation reset --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
+
       - name: Mark attestation as cancelled
         if: ${{ cancelled() }}
         run: |
-          chainloop attestation reset --trigger cancellation
+          chainloop attestation reset --trigger cancellation --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
 
   github-release:
     needs: release

.github/workflows/contracts/chainloop-chainloop-github-release.yaml

@@ -3,19 +3,6 @@ schemaVersion: v1
 policies:
   attestation:
     - ref: source-commit
-policyGroups:
-  - ref: sbom-quality
-    with:
-      sbom_name: cas-cyclonedx
-      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
-      bannedComponents: [email protected]
-  - ref: sbom-quality
-    with:
-      sbom_name: cli-cyclonedx
-      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
-      bannedComponents: [email protected]
-  - ref: sbom-quality
-    with:
-      sbom_name: controlplane-cyclonedx
-      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
-      bannedComponents: [email protected]
+      with:
+        check_signature: yes
+

.github/workflows/contracts/chainloop-vault-release.yml

@@ -1,11 +1,22 @@
 # Contract for the chainloop-vault-build-and-package workflow
 schemaVersion: v1
-runner:
-  type: GITHUB_ACTION
-materials:
-  - type: ARTIFACT
-    name: goreleaser-output
-    output: true
 policies:
   attestation:
     - ref: source-commit
+      with:
+        check_signature: yes
+    - ref: containers-with-sbom
+  materials:
+    - ref: artifact-signed
+    - ref: sbom-banned-licenses
+      with:
+        licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
+    - ref: sbom-banned-components
+      with:
+        components: [email protected]
+    - ref: sbom-ntia
+    - ref: sbom-with-licenses
+    - ref: sbom-freshness
+
+runner:
+  type: GITHUB_ACTION

.github/workflows/release.yaml

@@ -60,15 +60,6 @@ jobs:
           gh release download $tag -A tar.gz -D /tmp
           chainloop attestation add --value "/tmp/chainloop-$version.tar.gz"
 
-          # Include control-plane image
-          chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/control-plane:$tag"
-
-          # Include cas image
-          chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/artifact-cas:$tag"
-
-          # Include cli image
-          chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/cli:$tag"
-
       - name: Finish and Record Attestation
         id: attestation-push
         if: ${{ success() }}