@@ -13,6 +13,7 @@ permissions:
1313 packages : write
1414
1515jobs :
16+ # Step 1: Build Docker images
1617 build-docker :
1718 name : Build Docker Images
1819 runs-on : ubuntu-latest
8485 name : image-digests
8586 path : image-digests.txt
8687
88+ # Step 2: Generate SBOMs and scan for vulnerabilities
8789 generate-sboms-and-scan :
8890 name : Generate SBOMs and Scan
89- needs : build-docker
91+ needs : build-docker # This job depends on build-docker
9092 runs-on : ubuntu-latest
9193
9294 steps :
@@ -135,9 +137,11 @@ jobs:
135137 name : trivy-scans
136138 path : trivy-*.json
137139
140+ # Step 3: Create validation policies
138141 create-policies :
139142 name : Create Validation Policies
140143 runs-on : ubuntu-latest
144+ # No dependency specified - runs in parallel with build-docker and generate-sboms-and-scan
141145
142146 steps :
143147 - name : Checkout code
@@ -420,22 +424,23 @@ jobs:
420424 signed-policies.tar.gz
421425 cosign.*
422426
427+ # Step 4: Generate attestations after policies are created and SBOMs are generated
423428 generate-attestations :
424429 name : Generate Attestations
425- needs : [build-docker, generate-sboms-and-scan, create-policies]
430+ needs : [build-docker, generate-sboms-and-scan, create-policies] # Depends on all previous jobs
426431 runs-on : ubuntu-latest
427432
428433 steps :
429434 - name : Checkout code
430435 uses : actions/checkout@v3
431436
432- - name : Download Artifacts
437+ - name : Download All Artifacts
433438 uses : actions/download-artifact@v3
434-
435- - name : List Downloaded Artifacts
439+
440+ - name : Debug Downloaded Artifacts
436441 run : |
437442 echo "Downloaded artifacts:"
438- find . -type f -name "*.*" | sort
443+ find . -type f | sort
439444
440445 - name : Install OPA and Cosign
441446 run : |
@@ -465,11 +470,15 @@ jobs:
465470
466471 - name : Create Image Data Files
467472 run : |
473+ cat image-digests/image-digests.txt
474+
468475 # Read image digests
469476 EXTERNAL_DIGEST=$(cat image-digests/image-digests.txt | grep EXTERNAL_DIGEST | cut -d= -f2)
470477 BUILDER_DIGEST=$(cat image-digests/image-digests.txt | grep BUILDER_DIGEST | cut -d= -f2)
471478 WEBGEN_DIGEST=$(cat image-digests/image-digests.txt | grep WEBGEN_DIGEST | cut -d= -f2)
472479
480+ echo "Found digests: $EXTERNAL_DIGEST, $BUILDER_DIGEST, $WEBGEN_DIGEST"
481+
473482 # Create image metadata files for in-toto attestations
474483 cat > external-image-data.json << EOF
475484 {
@@ -492,12 +501,16 @@ jobs:
492501 }
493502 EOF
494503
504+ - name : Prepare Policies
505+ run : |
506+ # Extract the signed-policies
507+ mkdir -p temp-policies
508+ tar -xf signed-policies/signed-policies.tar.gz -C temp-policies
509+ cp -r temp-policies/policies/rego policies/ || mkdir -p policies/rego
510+ ls -la policies/rego/
511+
495512 - name : Generate Attestations
496513 run : |
497- # Create the signed-policies directory structure
498- mkdir -p policies/rego
499- cp -r signed-policies/policies/rego/* policies/rego/ || echo "Could not copy policies"
500-
501514 # Generate Regular Attestations
502515 opa eval -i build-metadata.json -d policies/rego/build_attestation_policy.rego "data.build_attestation.attestation" -f json > build-attestation-raw.json
503516
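Review bot: The new `cp -r temp-policies/policies/rego policies/ || mkdir -p policies/rego` fallback in Prepare Policies masks a missing or malformed signed-policies archive: the job goes on with an empty `policies/rego/` and only fails later, less clearly, when `opa eval` cannot find the `.rego` files, so it should fail fast instead, e.g. `cp -r temp-policies/policies/rego policies/ || { echo "signed-policies archive is missing policies/rego"; exit 1; }`. The same "log and continue" pattern recurs in the later hunks of this job and of publish-artifacts: `cosign attest ... || echo "Signing failed for $file "` lets an unsigned attestation proceed (and the subsequent `sign-blob` still runs on it), and the `|| echo "No signatures found"` / `|| echo "No policies found"` / `|| echo "No archives created"` guards in Prepare Artifacts let the publish step continue with nothing to publish; for the cosign line I would write `... > "$file.signed" || { echo "Signing failed for $file"; exit 1; }` and treat the copy failures the same way. Nothing in this hunk verifies the signed-policies archive before its contents feed `opa eval`; if that verification happens in create-policies or elsewhere, a one-line comment naming where would make the trust chain readable. The Generate Attestations step's `run:` block continues past the end of this hunk.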
@@ -532,7 +545,7 @@ jobs:
532545
533546 # Sign the in-toto attestations
534547 for file in *-intoto-*.json; do
535- cosign attest --key cosign.key --type custom < "$file" > "$file.signed" || echo "Signing failed"
548+ cosign attest --key cosign.key --type custom < "$file" > "$file.signed" || echo "Signing failed for $file "
536549 cosign sign-blob --key cosign.key "$file" > "$file.sig"
537550 done
538551
@@ -560,9 +573,10 @@ jobs:
560573 name : all-signatures
561574 path : ' all-signatures.tar.gz'
562575
576+ # Step 5: Publish artifacts to registry
563577 publish-artifacts :
564578 name : Publish Artifacts to Registry
565- needs : [build-docker, generate-sboms-and-scan, create-policies, generate-attestations]
579+ needs : [generate-attestations] # Only depends on generate-attestations, which already depends on all others
566580 runs-on : ubuntu-latest
567581
568582 steps :
@@ -584,13 +598,13 @@ jobs:
584598 echo "VERSION=$VERSION" >> $GITHUB_ENV
585599 echo "Using version: $VERSION"
586600
587- - name : Download Artifacts
601+ - name : Download All Artifacts
588602 uses : actions/download-artifact@v3
589-
590- - name : List Downloaded Artifacts
603+
604+ - name : Debug Downloaded Artifacts
591605 run : |
592606 echo "Downloaded artifacts for publishing:"
593- find . -type f -name "*.*" | sort
607+ find . -type f | sort
594608
595609 - name : Install Required Tools
596610 run : |
@@ -631,17 +645,17 @@ jobs:
631645 # Extract signatures
632646 mkdir -p temp-signatures
633647 tar -xf all-signatures/all-signatures.tar.gz -C temp-signatures
634- cp -r temp-signatures/all-signatures/* artifacts/signatures/
648+ cp -r temp-signatures/all-signatures/* artifacts/signatures/ || echo "No signatures found"
635649
636650 # Extract policies
637651 mkdir -p temp-policies
638652 tar -xf signed-policies/signed-policies.tar.gz -C temp-policies
639- cp -r temp-policies/policies/* artifacts/policies/
653+ cp -r temp-policies/policies/* artifacts/policies/ || echo "No policies found"
640654
641655 # Create archives for pushing
642656 tar -czf artifacts/archives/signatures.tar.gz -C artifacts/signatures . || echo "No signatures to archive"
643657 tar -czf artifacts/archives/policies.tar.gz -C artifacts/policies . || echo "No policies to archive"
644- ls -la artifacts/archives/
658+ ls -la artifacts/archives/ || echo "No archives created"
645659
646660 - name : Calculate Artifact Sizes
647661 run : |
@@ -763,7 +777,7 @@ jobs:
763777 REPOSITORY="ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}-test"
764778
765779 # Read image digests
766- EXTERNAL_DIGEST=$(cat image-digests/image-digests.txt | grep EXTERNAL_DIGEST | cut -d= -f2)
780+ EXTERNAL_DIGEST=$(cat image-digests/image-digests.txt | grep EXTERNAL_DIGEST | cut -d= -f2 || echo "sha256:unknown" )
767781
768782 # Create reference manifest pointing to all published artifacts
769783 cat > reference-manifest.json << EOF
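Review bot: The added `|| echo "sha256:unknown"` in the EXTERNAL_DIGEST assignment binds only to the last command of the pipeline (`cut`), so a missing EXTERNAL_DIGEST line makes `grep` exit non-zero but `cut` still exits 0 on empty input and the fallback never fires for that case; when it does fire, a placeholder digest is written into reference-manifest.json and published as if it were real. A missing digest should stop the job rather than be substituted: `EXTERNAL_DIGEST=$(grep EXTERNAL_DIGEST image-digests/image-digests.txt | cut -d= -f2)` followed by `[ -n "$EXTERNAL_DIGEST" ] || { echo "EXTERNAL_DIGEST not found in image-digests.txt"; exit 1; }`. The same unchecked-empty-variable concern applies to the three digest reads in the Create Image Data Files hunk of generate-attestations, where an empty value is embedded into the in-toto image metadata JSON. The heredoc opened on the last line of this hunk, and the enclosing `run:` block, continue outside the hunk.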