wip: build, push

Signed-off-by: Rahul Vishwakarma <[email protected]>

Author: manzil-infinity180

.github/dependabot.yml

@@ -0,0 +1,27 @@
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directories:
+      - /
+    schedule:
+      interval: weekly
+    rebase-strategy: disabled
+    groups:
+      kubernetes:
+        patterns:
+          - k8s.io/*
+#      sigstore:
+#        patterns:
+#          - github.com/sigstore/sigstore/*
+  - package-ecosystem: github-actions
+    directories:
+      - /
+      - /.github/actions/*/
+    schedule:
+      interval: weekly
+    rebase-strategy: disabled
+#  - package-ecosystem: docker
+#    directory: /.devcontainer
+#    schedule:
+#      interval: daily
+#    rebase-strategy: disabled

.github/workflows/helm-release.yml

@@ -0,0 +1,54 @@
+name: helm-release
+
+on:
+   pull_request:
+
+#on:
+#  push:
+#    tags:
+#      - 'defender-v*'
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+  pages: write
+
+jobs:
+  helm-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set Release Version
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.0
+      - name: Lint chart
+        run: helm lint ./chart
+      - name: Package chart
+        run: |
+          mkdir -p .dist
+          helm package ./chart --destination .dist
+
+      - name: Login to GHCR (OCI)
+        run: |
+          helm registry login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}
+      - name: Push to GHCR (OCI)
+        run: |
+          helm push .dist/defender-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
+
+      - name: Upload to GitHub Pages (static Helm repo)
+        uses: stefanprodan/[email protected]
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          linting: off
+          charts_dir: helm
+
+    #   - name: Publish to ArtifactHub
+    #     run: |
+    #       curl -sSfL https://github.com/artifacthub/hub/releases/download/v1.12.0/ah_Linux_x86_64.tar.gz | tar -xz -C /usr/local/bin ah
+    #       ah lint && ah publish

.github/workflows/release-security.yml

@@ -0,0 +1,134 @@
+name: Secure Supply Chain Pipeline
+
+on:
+  pull_request:
+
+#on:
+#  push:
+#    branches: [main]
+#    tags: ['v*']
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  security-scan-and-build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write  # For cosign keyless signing
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.21
+
+      # Static analysis and security scanning
+      - name: Run Gosec Security Scanner
+        uses: securecodewarrior/github-action-gosec@master
+        with:
+          args: './...'
+
+      - name: Run Nancy (dependency vulnerability scanner)
+        run: |
+          go list -json -deps ./... | nancy sleuth
+
+      # Ko setup for Go builds
+      - name: Setup Ko
+        uses: ko-build/[email protected]
+        with:
+          version: v0.15.1
+
+      # Cosign setup
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.0'
+
+      # Syft for SBOM generation
+      - name: Install Syft
+        uses: anchore/sbom-action/[email protected]
+
+      - name: Login to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build with Ko
+      - name: Build and Push with Ko
+        run: |
+          export KO_DOCKER_REPO=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          IMAGE=$(ko build ./cmd/myapp --bare)
+          echo "IMAGE=$IMAGE" >> $GITHUB_ENV
+
+      # Generate SBOM
+      - name: Generate SBOM
+        run: |
+          syft ${{ env.IMAGE }} -o spdx-json > sbom.spdx.json
+
+      # Sign image and attach SBOM attestation
+      - name: Sign Image and Create SBOM Attestation
+        run: |
+          # Keyless signing
+          cosign sign --yes ${{ env.IMAGE }}
+          
+          # Create SBOM attestation
+          cosign attest --yes --predicate sbom.spdx.json --type spdx ${{ env.IMAGE }}
+
+      # Vulnerability scan of final image
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  # Deployment job with verification
+  deploy:
+    needs: security-scan-and-build
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+
+    steps:
+      - name: Checkout K8s manifests
+        uses: actions/checkout@v4
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v3
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      # Verify signatures before deployment
+      - name: Verify Image Signatures
+        run: |
+          cosign verify \
+            --certificate-identity-regexp="${{ github.server_url }}/${{ github.repository }}" \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          
+          # Verify SBOM attestation
+          cosign verify-attestation \
+            --certificate-identity-regexp="${{ github.server_url }}/${{ github.repository }}" \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --type=spdx \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+
+      - name: Deploy to Kubernetes
+        run: |
+          # Update image in manifests and deploy
+          sed -i 's|IMAGE_PLACEHOLDER|${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest|g' k8s/*.yaml
+          kubectl apply -f k8s/

.github/workflows/release.yml

@@ -0,0 +1,50 @@
+name: DeployDefender
+
+on:
+   pull_request:
+
+#on:
+#  push:
+#    tags:
+#      - v*
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: deployDefender
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and Push image
+        uses: docker/build-push-action@v6
+        with:
+          context: /
+          file: Dockerfile
+          push: true
+          # ${{ github.event_name != 'pull_request' }}
+          platforms: linux/amd64,linux/arm64
+          tags: |
+            ghcr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          provenance: false
+