diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index c9510d7c..5f9f7f84 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -18,6 +18,7 @@ jobs:
 uses: ./.github/workflows/wc-build-push-test.yml
 secrets: inherit
 permissions:
+ actions: read
 attestations: write
 checks: write
 contents: write
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index f1d642f1..75d15d2e 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -19,6 +19,7 @@ jobs:
 uses: ./.github/workflows/wc-build-push-test.yml
 secrets: inherit
 permissions:
+ actions: read
 attestations: write
 checks: write
 contents: write
@@ -49,6 +50,9 @@ jobs:
 env:
 REGISTRY: ghcr.io
 steps:
+ - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
 - name: Inspect manifest and extract digest
 id: inspect-manifest
 run: |
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index 4a51230b..77a513ef 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -21,6 +21,9 @@ jobs:
 contents: write
 pull-requests: write
 steps:
+ - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index 2cc9f971..dc35ff7d 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
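Review bot: The new `actions: read` line is the only entry in this permissions block that says nothing about why it is granted, whereas the matching block in wc-build-push.yml (hunk at its line 81, in this same diff) explains its `contents: write` with `# dependency-submission needs contents write permission.`. Callers of a reusable workflow have to grant at least what the called jobs request, which is presumably why the identical line is added in release-build.yml, wc-build-push-test.yml and wc-build-push.yml; a comment at the origin in wc-build-push.yml, `# <name of the step that needs it> needs actions read permission.`, and `# passed through to the called workflow` on the three callers would keep each grant auditable. The `jobs:` mapping these blocks belong to starts outside every one of these hunks.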
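Review bot: `egress-policy: audit` on the new harden-runner step in release-build.yml only records the job's outbound connections; it blocks nothing, so the step adds visibility but no containment yet. Once a few audit runs have produced a baseline, switch to `egress-policy: block` with an `allowed-endpoints:` list taken from that report (`ghcr.io` is the one destination this job visibly needs, via `REGISTRY: ghcr.io`; the rest comes from the audit). The same applies to the harden-runner steps added in update-dependencies.yml and in the new dependency-review job in wc-build-push-test.yml. The job this step opens begins outside the hunk.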
@@ -30,7 +30,15 @@ jobs: - name: Start Codespace run: | set -Eeuo pipefail - gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}" + + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}" + elif [[ "${{ github.event_name }}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then + gh secret set -a codespaces IMAGE_VERSION --body "${GITHUB_REF#refs/tags/}" + else + gh secret set -a codespaces IMAGE_VERSION --body "edge" + fi + echo CODESPACE_NAME="$(gh codespace create -R "${{ github.repository }}" -b "$HEAD_REF" -m basicLinux32gb --devcontainer-path ".devcontainer/${{ inputs.flavor }}-test/devcontainer.json" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV" env: GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml index 249a9628..b13e56ad 100644 --- a/.github/workflows/wc-build-push-test.yml +++ b/.github/workflows/wc-build-push-test.yml @@ -15,6 +15,7 @@ jobs: uses: ./.github/workflows/wc-build-push.yml secrets: inherit permissions: + actions: read attestations: write contents: write id-token: write @@ -23,6 +24,25 @@ jobs: with: flavor: ${{ matrix.flavor }} + dependency-review: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + needs: build-push + if: github.event_name == 'pull_request' + steps: + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 + with: + comment-summary-in-pr: on-failure + fail-on-severity: critical + integration-test: strategy: matrix: 
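Review bot: The new branch conditions interpolate `${{ github.event_name }}` and `${{ startsWith(github.ref, 'refs/tags/') }}` straight into the shell script, although the same script already reads the ref from the `GITHUB_REF` default environment variable on the tag branch and passes `GH_TOKEN` through `env:`. Using the default variables throughout, `if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then` and `elif [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == refs/tags/* ]]; then`, keeps the script free of expression-to-code interpolation and consistent with the rest of the step. On a tag push the codespace receives the raw tag as IMAGE_VERSION; if the image tags come from the metadata-action semver patterns in wc-build-push.yml (which by default drop a leading `v`), the two values may not line up — worth confirming against a real tag build. The Start Codespace step's enclosing job begins outside the hunk.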
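Review bot: The new dependency-review job in wc-build-push-test.yml reviews the repository's dependency graph, and for the built image that graph is only populated by the `dependency-snapshot: true` submission in wc-build-push.yml (called via `needs: build-push`), whose processing on GitHub's side is asynchronous; a review that starts before the snapshot has been processed may run against an incomplete graph. `actions/dependency-review-action` has `retry-on-snapshot-warnings: true` (with `retry-on-snapshot-warnings-timeout`) for exactly this case, so add it under `with:` next to `fail-on-severity: critical`. The job is otherwise tightly scoped (`contents: read`, `pull-requests: write`, `persist-credentials: false`, every action pinned to a full SHA). The `jobs:` mapping the new job belongs to starts outside the hunk.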
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index dfa667a9..a1e37df4 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
@@ -81,6 +81,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: build-push
 permissions:
+ actions: read
 attestations: write
 # dependency-submission needs contents write permission.
 contents: write
@@ -123,12 +124,25 @@ jobs:
 type=semver,pattern={{major}}
 - name: Create manifest list and push
 working-directory: ${{ runner.temp }}/digests
+ shell: python
 run: |
- set -Eeuo pipefail
- # shellcheck disable=SC2046
- docker buildx imagetools create \
- $(echo '${{ steps.metadata.outputs.json }}' | jq -r '.tags | map("--tag " + .) | join(" ")') \
- $(printf '${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@sha256:%s ' *)
+ import os
+ import json
+ import subprocess
+
+ CONTAINER = '${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}'
+ METADATA = json.loads('${{ steps.metadata.outputs.json }}')
+
+ digests = [f for f in os.listdir('.') if f.startswith('sha256:') or len(f) == 64]
+
+ command = ['docker', 'buildx', 'imagetools', 'create',
+ *[annotation for annotation in METADATA.get('annotations', []) for annotation in ('--annotation', annotation)],
+ *[tag for tag in METADATA.get('tags', []) for tag in ('--tag', tag)],
+ *[f"{CONTAINER}@sha256:{digest}" for digest in digests]
+ ]
+
+ print(' '.join(command))
+ subprocess.run(command, check=True)
 - name: Inspect manifest and extract digest
 id: inspect-manifest
 run: |
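Review bot: `METADATA = json.loads('${{ steps.metadata.outputs.json }}')` and the `CONTAINER` assignment splice workflow expressions into Python source as single-quoted literals, so a `'` or backslash anywhere in the metadata JSON (image labels carry free text such as a description, for instance) either breaks the step or changes what the interpreter runs; the removed shell step had the same `echo '${{ … }}'` pattern, so the weakness is inherited, but the rewrite is the moment to route both values through `env:` and `os.environ`. The `digests` filter is also inconsistent with how it is used: a file matching `startswith('sha256:')` becomes `@sha256:sha256:…` in the f-string, while the removed `printf '…@sha256:%s ' *` shows the digest files are bare hex names, and an empty list would let `imagetools create` run with tags but no source manifest, so restrict the filter to 64 hex characters and fail early when nothing is found. The step itself is complete in the hunk; the job around it starts outside.
```yaml
      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        shell: python
        env:
          CONTAINER: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}
          METADATA_JSON: ${{ steps.metadata.outputs.json }}
        run: |
          import os
          import re
          import json
          import subprocess

          CONTAINER = os.environ['CONTAINER']
          METADATA = json.loads(os.environ['METADATA_JSON'])

          # digest files are bare 64-hex digests (the removed step formatted them as @sha256:%s)
          digests = [f for f in os.listdir('.') if re.fullmatch(r'[0-9a-f]{64}', f)]
          if not digests:
              raise SystemExit('no image digests found in the working directory')

          # … unchanged: command list, print, subprocess.run …
```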
@@ -149,11 +163,6 @@ jobs:
 with:
 image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
 dependency-snapshot: true
- - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
- if: github.event_name == 'pull_request'
- with:
- comment-summary-in-pr: on-failure
- fail-on-severity: critical
 - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
 with:
 subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ inputs.flavor }}
diff --git a/README.md b/README.md
index e64777d3..bbfa2435 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ The amp-devcontainer repository follows a [semantic versioning](https://semver.o
 Released containers will never be cleaned-up, pull request builds are cleaned up when the pull request is merged, and edge builds may be cleaned up after being stale for a while.
-The release notes always contain an overview of the corresponding image versions that included the full SHA next to the version number. This makes it possible for humans to easily see what version is used while still pinning to an exact version. This is the recommended way to refer to an image.
+The release notes always contain an overview of the corresponding image versions that include the full SHA next to the version number. This makes it possible for humans to easily see what version is used while still pinning to an exact version. This is the recommended way to refer to an image.
 All container images are included in a release. This might change in the future when the need arises to have separate releases per container.
@@ -217,5 +217,5 @@ See [security](.github/SECURITY.md) for more information.
 ## Licenses
-amp-devcontainer is licensed under the MIT license
+amp-devcontainer is licensed under the MIT license.
 See [license](./LICENSE) for more information.