Merge pull request #31 from manzil-infinity180/ci/cd-helm-release

manzil-infinity180 · web-flow · commit 7789cfd8980b · 2025-08-10T01:25:38.000+05:30
wip: build, push
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directories:
+      - /
+    schedule:
+      interval: weekly
+    rebase-strategy: disabled
+    groups:
+      kubernetes:
+        patterns:
+          - k8s.io/*
+#      sigstore:
+#        patterns:
+#          - github.com/sigstore/sigstore/*
+  - package-ecosystem: github-actions
+    directories:
+      - /
+      - /.github/actions/*/
+    schedule:
+      interval: weekly
+    rebase-strategy: disabled
+#  - package-ecosystem: docker
+#    directory: /.devcontainer
+#    schedule:
+#      interval: daily
+#    rebase-strategy: disabled
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
@@ -0,0 +1,54 @@
+name: helm-release
+
+#on:
+#   pull_request:
+
+on:
+  push:
+    tags:
+      - 'defender-v*'
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+  pages: write
+
+jobs:
+  helm-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set Release Version
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+      - name: Lint chart
+        run: helm lint ./chart
+      - name: Package chart
+        run: |
+          mkdir -p .dist
+          helm package ./chart --destination .dist
+
+      - name: Login to GHCR (OCI)
+        run: |
+          helm registry login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
+      - name: Push to GHCR (OCI)
+        run: |
+           helm push .dist/deploydefender-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
+
+      - name: Upload to GitHub Pages (static Helm repo)
+        uses: stefanprodan/helm-gh-pages@v1.7.0
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          linting: off
+          charts_dir: .dist
+
+    #   - name: Publish to ArtifactHub
+    #     run: |
+    #       curl -sSfL https://github.com/artifacthub/hub/releases/download/v1.12.0/ah_Linux_x86_64.tar.gz | tar -xz -C /usr/local/bin ah
+    #       ah lint && ah publish
diff --git a/.github/workflows/release-security.yml b/.github/workflows/release-security.yml
@@ -0,0 +1,134 @@
+name: Secure Supply Chain Pipeline
+
+on:
+  workflow_dispatch:
+
+#on:
+#  push:
+#    branches: [main]
+#    tags: ['v*']
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  security-scan-and-build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write  # For cosign keyless signing
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21
+
+      # Static analysis and security scanning
+      - name: Run Gosec Security Scanner
+        uses: securecodewarrior/github-action-gosec@master
+        with:
+          args: './...'
+
+      - name: Run Nancy (dependency vulnerability scanner)
+        run: |
+          go list -json -deps ./... | nancy sleuth
+
+      # Ko setup for Go builds
+      - name: Setup Ko
+        uses: ko-build/setup-ko@v0.6
+        with:
+          version: v0.15.1
+
+      # Cosign setup
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.1.1
+        with:
+          cosign-release: 'v2.2.0'
+
+      # Syft for SBOM generation
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@v0.14.3
+
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build with Ko
+      - name: Build and Push with Ko
+        run: |
+          export KO_DOCKER_REPO=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          IMAGE=$(ko build ./cmd/myapp --bare)
+          echo "IMAGE=$IMAGE" >> $GITHUB_ENV
+
+      # Generate SBOM
+      - name: Generate SBOM
+        run: |
+          syft ${{ env.IMAGE }} -o spdx-json > sbom.spdx.json
+
+      # Sign image and attach SBOM attestation
+      - name: Sign Image and Create SBOM Attestation
+        run: |
+          # Keyless signing
+          cosign sign --yes ${{ env.IMAGE }}
+          
+          # Create SBOM attestation
+          cosign attest --yes --predicate sbom.spdx.json --type spdx ${{ env.IMAGE }}
+
+      # Vulnerability scan of final image
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  # Deployment job with verification
+  deploy:
+    needs: security-scan-and-build
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+
+    steps:
+      - name: Checkout K8s manifests
+        uses: actions/checkout@v4
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v3
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.1.1
+
+      # Verify signatures before deployment
+      - name: Verify Image Signatures
+        run: |
+          cosign verify \
+            --certificate-identity-regexp="${{ github.server_url }}/${{ github.repository }}" \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          
+          # Verify SBOM attestation
+          cosign verify-attestation \
+            --certificate-identity-regexp="${{ github.server_url }}/${{ github.repository }}" \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --type=spdx \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+
+      - name: Deploy to Kubernetes
+        run: |
+          # Update image in manifests and deploy
+          sed -i 's|IMAGE_PLACEHOLDER|${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest|g' k8s/*.yaml
+          kubectl apply -f k8s/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,52 @@
+name: DeployDefender
+
+#on:
+#   pull_request:
+
+on:
+  push:
+    tags:
+      - v*
+
+permissions:
+  contents: read
+  packages: write
+
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: deploydefender
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          push: true
+          # ${{ github.event_name != 'pull_request' }}
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          provenance: false
+
diff --git a/.nojekyll b/.nojekyll
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: chart
+name: deploydefender
 description: A Helm chart for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
