github · kommendorkapten · Apr 8, 2025 · Apr 4, 2025 · Apr 4, 2025 · Apr 4, 2025
@@ -23,3 +23,17 @@ jobs:
       - name: Build
         run: |
           make build
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install Go
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        with:
+          go-version-file: go.mod
+      - name: Tetst
+        run: |
+          make test
@@ -0,0 +1,41 @@
+name: Build and push Docker image
+
+on:
+  push:
+    branches:
+      - main
+  pull_request: {}
+
+permissions: {}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set tag
+        run: |
+          BRANCH=`git branch --show-current`
+          if [ "${BRANCH}" = "main" ]; then
+              TAG=latest
+          else
+              TAG=${BRANCH}
+          fi
+          export TAG
+      - name: Build and push image
+        id: push
+        uses: docker/build-push-action@v5.0.0
+        with:
+          context: .
+          push: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
@@ -1,3 +1,4 @@
+# v3.21.3
 FROM alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c as builder
 
 RUN apk add go make
@@ -11,6 +12,7 @@ RUN go env -w GOMODCACHE=/gomod-cache
 COPY . .
 RUN --mount=type=cache,target=/gomod-cache --mount=type=cache,target=/go-cache make build
 
+ # v3.21.3
 FROM alpine@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
 
 WORKDIR /

@@ -1,6 +1,6 @@
 REPOSITORY ?= github/artifact-attestations-opa-provider
-IMG := $(REPOSITORY):dev
-CLUSTER = kind # or gatekeeper
+TAG := $(or $(TAG), dev)
+IMG := $(REPOSITORY):$(TAG)
 
 all: aaop
 
@@ -11,36 +11,22 @@ build: aaop
 aaop:
 	go build -o $@ cmd/aaop/$@.go
 
+.PHONY: tidy
 tidy:
 	go mod tidy
 
+.PHONY: lint
 lint:
 	golangci-lint run
 
+.PHONY: test
 test:
 	go test ./... -race
 
-snapshot:
-	goreleaser release --clean --snapshot --skip-sign --skip-publish
-
-release:
-	goreleaser release --clean
-
+.PHONY: fmt
 fmt:
 	go fmt ./...
 
-.PHONY: cver
-cver:
-	go build -o $@ cmd/cver/$@.go
-
 .PHONY: docker
 docker:
-	docker build --platform linux/arm64 -t ${IMG} .
-
-.PHONY: docker-arm
-docker-arm:
-	docker build --platform linux/arm64 -t ${IMG_ARM} -f Dockerfile.arm .
-
-.PHONY: kind-load-image-arm
-kind-load-image:
-	kind load docker-image ${IMG} --name ${CLUSTER}
+	docker build -t ${IMG} .
@@ -5,6 +5,7 @@
 	"flag"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -38,6 +39,10 @@
 	p *provider.Provider
 }
 
+func init() {
+	log.SetFlags(log.LstdFlags | log.Lshortfile | log.LUTC)
+}
+
 func main() {
 	var kc *authn.KeyChainProvider
 	var v provider.Verifier
@@ -48,7 +53,7 @@
 	if *tufRepo != "" && *tufRoot != "" {
 		v = loadCustomVerifier(*tufRepo, *tufRoot, *trustDomain)
 	} else {
-		v = loadVerifier(!*noPGI, *trustDomain)
+		v = loadVerifiers(!*noPGI, *trustDomain)
 	}
 
 	kc = authn.NewKeyChainProvider(*ns, []string{*ips})
@@ -68,9 +73,9 @@
 	var cf = filepath.Join(*certsDir, certName)
 	var kf = filepath.Join(*certsDir, keyName)
 
-	fmt.Println("starting server...")
+	log.Println("starting server...")
 	if err = srv.ListenAndServeTLS(cf, kf); err != nil {
-		panic(err)
+		log.Fatalf("failed to start HTTP server: %v", err)
 	}
 }
 
@@ -86,21 +91,21 @@
 	var err error
 
 	if rb, err = os.ReadFile(root); err != nil {
-		panic(err)
+		log.Fatalf("failed to load verifier: %v", err)
 	}
 
 	if v, err = verifier.New(rb, repo, td, vo); err != nil {
-		panic(err)
+		log.Fatalf("failed to create verifier: %v", err)
 	}
 
 	return v
 }
 
-// loadVerfier returns the default verifiers. If pgi is true and tr is
+// loadVerfiers returns the default verifiers. If pgi is true and tr is
 // the empty string, pgi and gh verifiers are returned.
 // if the provided trust domain is set, only gh verifier is returend,
 // with the set trust domain.
-func loadVerifier(pgi bool, td string) provider.Verifier {
+func loadVerifiers(pgi bool, td string) provider.Verifier {
 	var mv = verifier.Multi{
 		V: map[string]*verifier.Verifier{},
 	}
@@ -110,17 +115,20 @@
 	// only load PGI if no tenant's trust domain is selected
 	if pgi && td == "" {
 		if v, err = verifier.PGIVerifier(); err != nil {
-			panic(err)
+			log.Fatalf("failed to load PGI verifier: %v", err)
 		}
 		mv.V[verifier.PublicGoodIssuer] = v
-		fmt.Println("loaded verfier for public good Sigstore")
+		log.Println("loaded verfier for public good Sigstore")
 	}
 
 	if v, err = verifier.GHVerifier(td); err != nil {
-		panic(err)
+		log.Fatalf("failed to load GitHub verifier: %v", err)
 	}
 	mv.V[verifier.GitHubIssuer] = v
-	fmt.Println("loaded verfier for GitHub Sigstore")
+	if td == "" {
+		td = "dotcom"
+	}
+	log.Printf("loaded verfier for GitHub Sigstore: %s", td)
 
 	return &mv
 }
@@ -163,10 +171,10 @@
 			msg,
 			r.Response.SystemError)
 	}
-	fmt.Printf("%s\n", msg)
+	log.Print(msg)
 
 	w.WriteHeader(http.StatusOK)
 	if err := json.NewEncoder(w).Encode(r); err != nil {
-		panic(err)
+		log.Printf("ERROR: failed to write response: %v", err)
 	}
 }
@@ -0,0 +1,63 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sigstore/sigstore-go/pkg/bundle"
+	"github.com/sigstore/sigstore-go/pkg/verify"
+
+	"github.com/github/artifact-attestations-opa-provider/pkg/fetcher"
+	"github.com/github/artifact-attestations-opa-provider/pkg/verifier"
+)
+
+var (
+	img = flag.String("i", "", "image to verify")
+)
+
+func main() {
+	var mv = &verifier.Multi{
+		V: map[string]*verifier.Verifier{},
+	}
+	var v *verifier.Verifier
+	var res []*verify.VerificationResult
+	var ref name.Reference
+	var remoteOpts = []remote.Option{}
+	var b []*bundle.Bundle
+	var h *v1.Hash
+	var err error
+
+	flag.Parse()
+
+	if *img == "" {
+		fmt.Println("no image provided")
+	}
+
+	if v, err = verifier.PGIVerifier(); err != nil {
+		log.Print(err)
+	}
+
+	mv.V[verifier.PublicGoodIssuer] = v
+
+	if v, err = verifier.GHVerifier(""); err != nil {
+		log.Print(err)
+	}
+	mv.V[verifier.GitHubIssuer] = v
+
+	if ref, err = name.ParseReference(*img); err != nil {
+		log.Print(err)
+	}
+	if b, h, err = fetcher.BundleFromName(ref, remoteOpts); err != nil {
+		log.Print(err)
+	}
+	if res, err = mv.Verify(b, h); err != nil {
+		log.Print(err)
+	}
+	for _, r := range res {
+		log.Printf("%+v\n", r)
+	}
+}
@@ -186,8 +186,6 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=

@@ -2,7 +2,7 @@ package authn
 
 import (
 	"context"
-	"fmt"
+	"log"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/authn/k8schain"
@@ -22,7 +22,7 @@ type KeyChainProvider struct {
 // references are provided, the default keychain is will be used for further
 // requests to get a key chain.
 func NewKeyChainProvider(ns string, ips []string) *KeyChainProvider {
-	fmt.Printf("configure authn with image pull secrets %+v for namespace %s\n",
+	log.Printf("configure authn with image pull secrets %+v for namespace %s",
 		ips, ns)
 
 	return &KeyChainProvider{
@@ -45,7 +45,7 @@ func (k *KeyChainProvider) KeyChain(ctx context.Context) (authn.Keychain, error)
 		ImagePullSecrets: k.imagePullSecrets,
 	})
 	if err != nil {
-		fmt.Printf("can't add kubernetes key chain: %s\n", err)
+		log.Printf("WARN: can't add kubernetes key chain: %s", err)
 	} else {
 		kcs = append(kcs, kc)
 	}
@@ -55,7 +55,7 @@ func (k *KeyChainProvider) KeyChain(ctx context.Context) (authn.Keychain, error)
 		Namespace: k.namespace,
 	})
 	if err != nil {
-		fmt.Printf("can't add k8schain key chain: %s\n", err)
+		log.Printf("WARN: can't add k8schain key chain: %s", err)
 	} else {
 		kcs = append(kcs, kc)
 	}

@@ -3,6 +3,7 @@ package provider
 import (
 	"context"
 	"fmt"
+	"log"
 
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -65,7 +66,7 @@ func (p *Provider) Validate(ctx context.Context, r *externaldata.ProviderRequest
 	// If the keychain configured is empty, the default keychain is used
 	// which works for public registries.
 	if kc, err = p.kc.KeyChain(ctx); err != nil {
-		fmt.Printf("provider::validate error retrieving key chain: %s\n", err)
+		log.Printf("validate: error retrieving key chain: %s", err)
 		return ErrorResponse(fmt.Sprintf("ERROR: KeyChain: %s", err))
 	}
 	var ro = fetcher.GetRemoteOptions(ctx, kc)
@@ -75,34 +76,34 @@ func (p *Provider) Validate(ctx context.Context, r *externaldata.ProviderRequest
 		var res []*verify.VerificationResult
 		var ref name.Reference
 
-		fmt.Println("provider::validate verify signature for:", key)
+		log.Printf("validate: verify signature for: %v", key)
 		if ref, err = name.ParseReference(key); err != nil {
-			fmt.Printf("provider::validate error parsing reference: %s\n", err)
+			log.Printf("validate: error parsing reference: %s", err)
 			return ErrorResponse(fmt.Sprintf("ERROR: ParseReference(%q): %v", key, err))
 		}
 
 		b, h, err := fetcher.BundleFromName(ref, ro)
 		if err != nil {
-			fmt.Printf("provider::validate error fetching bundles: %s\n", err)
+			log.Printf("validate: error fetching bundles: %s", err)
 			return ErrorResponse(fmt.Sprintf("ERROR: FromBundle(%q): %v", key, err))
 		}
 
 		if res, err = p.v.Verify(b, h); err != nil {
-			fmt.Printf("provider::validate error calling verify: %s\n", err)
+			log.Printf("validate: error calling verify: %s", err)
 			return ErrorResponse(fmt.Sprintf("ERROR: VerifyImageSignatures(%q): %v", key, err))
 		}
 
 		var bundleVerified = len(res) > 0
 		if bundleVerified {
-			fmt.Printf("provider::validate %d valid signatures found for %s\n",
+			log.Printf("validate: %d valid signatures found for %s",
 				len(res),
 				key)
 			results = append(results, externaldata.Item{
 				Key:   key,
 				Value: res,
 			})
 		} else {
-			fmt.Printf("provider::validate no valid signatures found for: %s\n", key)
+			log.Printf("validate no valid signatures found for: %s", key)
 			results = append(results, externaldata.Item{
 				Key:   key,
 				Error: key + "_unsigned",