From 43e35905f8d33c979559ae0a1386d7abcc6bf52d Mon Sep 17 00:00:00 2001
From: James Alseth
Date: Sat, 22 Nov 2025 12:05:20 -0800
Subject: [PATCH 1/4] ci: Add integrate workflow

This ensures that conftest builds successfull on all of the supported OSes, and that the provenance generation workflow is working. It also provides a mechanism for users to obtain pre-release versions of fixes and features they care about without having to build from source.

Signed-off-by: James Alseth
---
 .github/workflows/integrate.yaml | 59 ++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/integrate.yaml

diff --git a/.github/workflows/integrate.yaml b/.github/workflows/integrate.yaml
new file mode 100644
index 000000000..3ba01a9bc
--- /dev/null
+++ b/.github/workflows/integrate.yaml
@@ -0,0 +1,59 @@
+name: 'integrate'
+on:
+ # TODO: Remove pull_request below after testing is done.
+ pull_request:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'master'
+
+jobs:
+ goreleaser:
+ runs-on: 'ubuntu-latest'
+ permissions:
+ contents: 'write' # Needs write access for upload-artifact.
+ outputs:
+ hashes: '${{ steps.outputs.outputs.hashes }}'
+ steps:
+ - name: 'checkout'
+ uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+ with:
+ fetch-depth: 0 # So that goreleaser can determine the base version.
+ - name: 'build'
+ id: 'goreleaser'
+ uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6
+ with:
+ args: 'release --snapshot --clean --skip docker --skip publish'
+ version: '~> v1'
+ - name: 'get version'
+ id: 'version'
+ shell: 'bash'
+ run: |
+ echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT"
+ - name: 'upload'
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+ with:
+ name: 'conftest_${{ steps.version.outputs.version }}'
+ path: 'dist/*.*'
+ retention-days: 30
+ - name: 'generate outputs'
+ id: 'outputs'
+ env:
+ GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}'
+ shell: 'bash'
+ run: |
+ set -euo pipefail
+
+ checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n')
+ echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+ provenance:
+ needs: ['goreleaser']
+ permissions:
+ contents: 'write' # Needs write access for upload-artifact even when upload-assets is false.
+ actions: 'read' # To read the workflow path.
+ id-token: 'write' # To sign the provenance.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude
+ with:
+ base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'
+ upload-assets: false
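Review bot: In the `generate outputs` step, `cat ${checksum_file}` is unquoted and the jq pipeline is joined with `tr -d '\n'`, so if goreleaser ever reports more than one artifact of type Checksum the paths are concatenated into a single nonexistent filename (and a path containing whitespace would word-split), which silently yields empty provenance subjects under `set -e` only if `cat` fails. Prefer selecting one path and quoting the expansion: `checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r 'first(.[] | select(.type == "Checksum") | .path)')` and `echo "hashes=$(base64 -w0 "${checksum_file}")" >> "$GITHUB_OUTPUT"`. The `goreleaser` job runs on `pull_request` with `contents: 'write'` although the build is `--snapshot --skip publish` and writes nothing to the repository; the TODO covers the trigger, but please confirm whether `upload-artifact` really needs more than `contents: 'read'`, since that is the least-privilege grant for this job. The `# ratchet:exclude` on the SLSA reusable workflow deserves a why-comment, e.g. `# ratchet:exclude — the SLSA generator must be referenced by tag, as its docs require, so verifiers can match the builder.`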
From 5589f1d77a4e1ca59be35e699a796a104bebc79a Mon Sep 17 00:00:00 2001
From: James Alseth
Date: Sat, 22 Nov 2025 13:38:14 -0800
Subject: [PATCH 2/4] test docker

---
 .github/workflows/integrate.yaml | 114 +++++++++++++++++++------------
 1 file changed, 71 insertions(+), 43 deletions(-)

diff --git a/.github/workflows/integrate.yaml b/.github/workflows/integrate.yaml
index 3ba01a9bc..378600191 100644
--- a/.github/workflows/integrate.yaml
+++ b/.github/workflows/integrate.yaml
@@ -8,52 +8,80 @@ on: - 'master' jobs: - goreleaser: + # goreleaser: + # runs-on: 'ubuntu-latest' + # permissions: + # contents: 'write' # Needs write access for upload-artifact. + # outputs: + # hashes: '${{ steps.outputs.outputs.hashes }}' + # steps: + # - name: 'checkout' + # uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 + # with: + # fetch-depth: 0 # So that goreleaser can determine the base version. + # - name: 'build' + # id: 'goreleaser' + # uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 + # with: + # args: 'release --snapshot --clean --skip docker --skip publish' + # version: '~> v1' + # - name: 'get version' + # id: 'version' + # shell: 'bash' + # run: | + # echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" + # - name: 'upload' + # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 + # with: + # name: 'conftest_${{ steps.version.outputs.version }}' + # path: 'dist/*.*' + # retention-days: 30 + # - name: 'generate outputs' + # id: 'outputs' + # env: + # GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}' + # shell: 'bash' + # run: | + # set -euo pipefail + + # checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n') + # echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "$GITHUB_OUTPUT" + + # binary-provenance: + # needs: ['goreleaser'] + # permissions: + # contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. + # actions: 'read' # To read the workflow path. + # id-token: 'write' # To sign the provenance. 
+ # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude + # with: + # base64-subjects: '${{ needs.goreleaser.outputs.hashes }}' + # upload-assets: false + + docker: runs-on: 'ubuntu-latest' permissions: - contents: 'write' # Needs write access for upload-artifact. + contents: 'read' outputs: - hashes: '${{ steps.outputs.outputs.hashes }}' + digest: '${{ steps.build.outputs.digest }}' + env: + CONFTEST_IMAGE: 'openpolicyagent/conftest' + strategy: + matrix: + target: + - '' # Conftest + # - 'examples' # Examples + platform: + - 'linux/amd64' + # - 'linux/arm64' steps: - - name: 'checkout' - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 - with: - fetch-depth: 0 # So that goreleaser can determine the base version. + - name: 'setup docker buildx' + run: 'docker buildx create --name conftestbuild --use' - name: 'build' - id: 'goreleaser' - uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 + id: 'build' + uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 with: - args: 'release --snapshot --clean --skip docker --skip publish' - version: '~> v1' - - name: 'get version' - id: 'version' - shell: 'bash' - run: | - echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" - - name: 'upload' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 - with: - name: 'conftest_${{ steps.version.outputs.version }}' - path: 'dist/*.*' - retention-days: 30 - - name: 'generate outputs' - id: 'outputs' - env: - GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}' - shell: 'bash' - run: | - set -euo pipefail - - checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n') - echo "hashes=$(cat ${checksum_file} | base64 
-w0)" >> "$GITHUB_OUTPUT" - - provenance: - needs: ['goreleaser'] - permissions: - contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. - actions: 'read' # To read the workflow path. - id-token: 'write' # To sign the provenance. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude - with: - base64-subjects: '${{ needs.goreleaser.outputs.hashes }}' - upload-assets: false + push: false + # target: '${{ matrix.target }}' + tags: '${{ env.CONFTEST_IMAGE }}:latest' + # platforms: '${{ matrix.platform }}' From 76851467b938f17551fc924df42136a0787f73f8 Mon Sep 17 00:00:00 2001 From: James Alseth Date: Sun, 23 Nov 2025 11:34:12 -0800 Subject: [PATCH 3/4] test sbom --- .github/workflows/integrate.yaml | 154 +++++++++++++++++-------------- .goreleaser.yml | 9 +- 2 files changed, 92 insertions(+), 71 deletions(-) diff --git a/.github/workflows/integrate.yaml b/.github/workflows/integrate.yaml index 378600191..3648cd1ee 100644 --- a/.github/workflows/integrate.yaml +++ b/.github/workflows/integrate.yaml 
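Review bot: The new `docker` job has no `actions/checkout` step, so `docker/build-push-action` falls back to its default Git context and builds `github.ref` fetched from the remote rather than a checked-out workspace; that is documented behaviour, but it should be stated above the build step, e.g. `# No checkout on purpose: build-push-action builds from the Git context for github.ref.` The same applies to the job as re-enabled in patch 4 of this series. Commenting out the entire goreleaser/binary-provenance stanza (roughly fifty `# ` lines) instead of deleting it, or gating it with an `if:`, leaves dead configuration on the new side while the git history already preserves it. The `digest` output is declared but nothing in the workflow consumes it yet.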
@@ -8,80 +8,94 @@ on: - 'master' jobs: - # goreleaser: - # runs-on: 'ubuntu-latest' - # permissions: - # contents: 'write' # Needs write access for upload-artifact. - # outputs: - # hashes: '${{ steps.outputs.outputs.hashes }}' - # steps: - # - name: 'checkout' - # uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 - # with: - # fetch-depth: 0 # So that goreleaser can determine the base version. - # - name: 'build' - # id: 'goreleaser' - # uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 - # with: - # args: 'release --snapshot --clean --skip docker --skip publish' - # version: '~> v1' - # - name: 'get version' - # id: 'version' - # shell: 'bash' - # run: | - # echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" - # - name: 'upload' - # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 - # with: - # name: 'conftest_${{ steps.version.outputs.version }}' - # path: 'dist/*.*' - # retention-days: 30 - # - name: 'generate outputs' - # id: 'outputs' - # env: - # GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}' - # shell: 'bash' - # run: | - # set -euo pipefail - - # checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n') - # echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "$GITHUB_OUTPUT" - - # binary-provenance: - # needs: ['goreleaser'] - # permissions: - # contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. - # actions: 'read' # To read the workflow path. - # id-token: 'write' # To sign the provenance. 
- # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude - # with: - # base64-subjects: '${{ needs.goreleaser.outputs.hashes }}' - # upload-assets: false - - docker: + goreleaser: runs-on: 'ubuntu-latest' permissions: - contents: 'read' + contents: 'write' # Needs write access for upload-artifact. outputs: - digest: '${{ steps.build.outputs.digest }}' + checksums-handle: '${{ steps.checksum-handle.outputs.handle }}' env: - CONFTEST_IMAGE: 'openpolicyagent/conftest' - strategy: - matrix: - target: - - '' # Conftest - # - 'examples' # Examples - platform: - - 'linux/amd64' - # - 'linux/arm64' + CGO_ENABLED: '0' + CHECKSUMS_FILE_NAME: 'checksums.txt' steps: - - name: 'setup docker buildx' - run: 'docker buildx create --name conftestbuild --use' + - name: 'checkout' + uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 + with: + fetch-depth: 0 # So that goreleaser can determine the base version. 
+ - name: setup go + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # ratchet:actions/setup-go@v6 + with: + go-version: "1.25.x" + - name: 'setup cyclonedx-gomod' + uses: 'CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f' # ratchet:CycloneDX/gh-gomod-generate-sbom@v2 + with: + version: 'v1' - name: 'build' - id: 'build' - uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 + id: 'goreleaser' + uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 + with: + version: '~> v1' + args: >- + release + --snapshot + --clean + --skip docker + --skip publish + - name: 'get version' + id: 'version' + shell: 'bash' + run: | + echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" + - name: 'upload build' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 + with: + name: 'conftest_${{ steps.version.outputs.version }}' + path: 'dist/*.*' + retention-days: 30 + - name: 'base64 checksum for provenance input' + shell: 'bash' + run: 'base64 -w0 "dist/${CHECKSUMS_FILE_NAME}" > "${CHECKSUMS_FILE_NAME}"' + - name: 'get checksums handle' + id: 'checksum-handle' + uses: 'slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0' # ratchet:exclude with: - push: false - # target: '${{ matrix.target }}' - tags: '${{ env.CONFTEST_IMAGE }}:latest' - # platforms: '${{ matrix.platform }}' + path: '${{ env.CHECKSUMS_FILE_NAME }}' + + binary-provenance: + needs: ['goreleaser'] + permissions: + contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. + actions: 'read' # To read the workflow path. + id-token: 'write' # To sign the provenance. 
+ uses: 'slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0' # ratchet:exclude + with: + base64-subjects-as-file: '${{ needs.goreleaser.outputs.checksums-handle }}' + upload-assets: false + + # docker: + # runs-on: 'ubuntu-latest' + # permissions: + # contents: 'read' + # outputs: + # digest: '${{ steps.build.outputs.digest }}' + # env: + # CONFTEST_IMAGE: 'openpolicyagent/conftest' + # strategy: + # matrix: + # target: + # - '' # Conftest + # # - 'examples' # Examples + # platform: + # - 'linux/amd64' + # # - 'linux/arm64' + # steps: + # - name: 'setup docker buildx' + # run: 'docker buildx create --name conftestbuild --use' + # - name: 'build' + # id: 'build' + # uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 + # with: + # push: false + # # target: '${{ matrix.target }}' + # tags: '${{ env.CONFTEST_IMAGE }}:latest' + # # platforms: '${{ matrix.platform }}' diff --git a/.goreleaser.yml b/.goreleaser.yml index 4107f2210..e9bf299e0 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -2,7 +2,13 @@ version: 1 before: hooks: - - go mod download + - 'go mod download' + - >- + cyclonedx-gomod app + -main . + -licenses + -json + -output cyclonedx_bom.json builds: - main: ./main.go @@ -40,6 +46,7 @@ archives: files: - LICENSE - README.md + - cyclonedx_bom.json - plugin/*.sh checksum: From 550126b8bce78724abf8d15010994505e86181d6 Mon Sep 17 00:00:00 2001 From: James Alseth Date: Wed, 26 Nov 2025 19:19:17 -0800 Subject: [PATCH 4/4] test docker with load --- .github/workflows/integrate.yaml | 170 ++++++++++++++++--------------- 1 file changed, 86 insertions(+), 84 deletions(-) diff --git a/.github/workflows/integrate.yaml b/.github/workflows/integrate.yaml index 3648cd1ee..553412c6c 100644 --- a/.github/workflows/integrate.yaml +++ b/.github/workflows/integrate.yaml 
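Review bot: The `base64 checksum for provenance input` step base64-encodes `dist/checksums.txt` before handing the result to `create-base64-subjects-from-file`; as far as I recall that action takes the raw sha256sum-format file and performs the base64 encoding itself, in which case the subjects would be double-encoded and the resulting provenance would match no artifact. Please verify against the action's input documentation and, if it does encode internally, point `path` at `dist/${{ env.CHECKSUMS_FILE_NAME }}` and drop the encoding step. The `setup go` step is the only one written with bare and double-quoted scalars (`name: setup go`, `uses: actions/setup-go@…`, `go-version: "1.25.x"`) while the rest of the file single-quotes every value; align it with the file's convention. The goreleaser job's enclosing `jobs:` mapping starts before this hunk.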
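Review bot: The `cyclonedx-gomod app` hook runs once in `before.hooks`, so a single `cyclonedx_bom.json` generated on the runner's host platform is packed into every per-OS/arch archive; if the module graph differs by GOOS/GOARCH (build-tagged dependencies), the SBOM inside the non-host archives will not describe what was actually compiled into them. Either confirm the tool is resolving per target or record the limitation above the hook, e.g. `# One SBOM, resolved for the host platform, is shared by all archives.` The `archives.files` hunk that adds the file is fine as is.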
@@ -8,94 +8,96 @@ on: - 'master' jobs: - goreleaser: - runs-on: 'ubuntu-latest' - permissions: - contents: 'write' # Needs write access for upload-artifact. - outputs: - checksums-handle: '${{ steps.checksum-handle.outputs.handle }}' - env: - CGO_ENABLED: '0' - CHECKSUMS_FILE_NAME: 'checksums.txt' - steps: - - name: 'checkout' - uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 - with: - fetch-depth: 0 # So that goreleaser can determine the base version. - - name: setup go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # ratchet:actions/setup-go@v6 - with: - go-version: "1.25.x" - - name: 'setup cyclonedx-gomod' - uses: 'CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f' # ratchet:CycloneDX/gh-gomod-generate-sbom@v2 - with: - version: 'v1' - - name: 'build' - id: 'goreleaser' - uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 - with: - version: '~> v1' - args: >- - release - --snapshot - --clean - --skip docker - --skip publish - - name: 'get version' - id: 'version' - shell: 'bash' - run: | - echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" - - name: 'upload build' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 - with: - name: 'conftest_${{ steps.version.outputs.version }}' - path: 'dist/*.*' - retention-days: 30 - - name: 'base64 checksum for provenance input' - shell: 'bash' - run: 'base64 -w0 "dist/${CHECKSUMS_FILE_NAME}" > "${CHECKSUMS_FILE_NAME}"' - - name: 'get checksums handle' - id: 'checksum-handle' - uses: 'slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0' # ratchet:exclude - with: - path: '${{ env.CHECKSUMS_FILE_NAME }}' - - binary-provenance: - needs: ['goreleaser'] - permissions: - contents: 'write' # Needs write access for upload-artifact even when 
upload-assets is false. - actions: 'read' # To read the workflow path. - id-token: 'write' # To sign the provenance. - uses: 'slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0' # ratchet:exclude - with: - base64-subjects-as-file: '${{ needs.goreleaser.outputs.checksums-handle }}' - upload-assets: false - - # docker: + # goreleaser: # runs-on: 'ubuntu-latest' # permissions: - # contents: 'read' + # contents: 'write' # Needs write access for upload-artifact. # outputs: - # digest: '${{ steps.build.outputs.digest }}' + # checksums-handle: '${{ steps.checksum-handle.outputs.handle }}' # env: - # CONFTEST_IMAGE: 'openpolicyagent/conftest' - # strategy: - # matrix: - # target: - # - '' # Conftest - # # - 'examples' # Examples - # platform: - # - 'linux/amd64' - # # - 'linux/arm64' + # CGO_ENABLED: '0' + # CHECKSUMS_FILE_NAME: 'checksums.txt' # steps: - # - name: 'setup docker buildx' - # run: 'docker buildx create --name conftestbuild --use' + # - name: 'checkout' + # uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 + # with: + # fetch-depth: 0 # So that goreleaser can determine the base version. 
+ # - name: setup go + # uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # ratchet:actions/setup-go@v6 + # with: + # go-version: "1.25.x" + # - name: 'setup cyclonedx-gomod' + # uses: 'CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f' # ratchet:CycloneDX/gh-gomod-generate-sbom@v2 + # with: + # version: 'v1' # - name: 'build' - # id: 'build' - # uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 + # id: 'goreleaser' + # uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 + # with: + # version: '~> v1' + # args: >- + # release + # --snapshot + # --clean + # --skip docker + # --skip publish + # - name: 'get version' + # id: 'version' + # shell: 'bash' + # run: | + # echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" + # - name: 'upload build' + # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 # with: - # push: false - # # target: '${{ matrix.target }}' - # tags: '${{ env.CONFTEST_IMAGE }}:latest' - # # platforms: '${{ matrix.platform }}' + # name: 'conftest_${{ steps.version.outputs.version }}' + # path: 'dist/*.*' + # retention-days: 30 + # - name: 'base64 checksum for provenance input' + # shell: 'bash' + # run: 'base64 -w0 "dist/${CHECKSUMS_FILE_NAME}" > "${CHECKSUMS_FILE_NAME}"' + # - name: 'get checksums handle' + # id: 'checksum-handle' + # uses: 'slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0' # ratchet:exclude + # with: + # path: '${{ env.CHECKSUMS_FILE_NAME }}' + + # binary-provenance: + # needs: ['goreleaser'] + # permissions: + # contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. + # actions: 'read' # To read the workflow path. + # id-token: 'write' # To sign the provenance. 
+ # uses: 'slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0' # ratchet:exclude + # with: + # base64-subjects-as-file: '${{ needs.goreleaser.outputs.checksums-handle }}' + # upload-assets: false + + docker: + runs-on: 'ubuntu-latest' + permissions: + contents: 'read' + outputs: + digest: '${{ steps.build.outputs.digest }}' + env: + CONFTEST_IMAGE: 'openpolicyagent/conftest' + strategy: + matrix: + target: + - '' # Conftest + - 'examples' # Examples + platform: + - 'linux/amd64' + # - 'linux/arm64' + steps: + - name: 'setup docker buildx' + run: 'docker buildx create --name conftestbuild --use' + - name: 'build' + id: 'build' + uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 + with: + load: true # Required for the digest to be present. + sbom: true + push: false + target: '${{ matrix.target }}' + tags: '${{ env.CONFTEST_IMAGE }}:latest' + platforms: '${{ matrix.platform }}'
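Review bot: `sbom: true` is combined with `load: true`; loading goes through the docker exporter, which as far as I know does not retain SBOM or provenance attestations unless the daemon uses the containerd image store, so the SBOM may be silently dropped — check the build log for an attestation, or export to an OCI layout via `outputs:` when the attestation is the goal. Both matrix entries (`''` and `'examples'`) tag their image `${{ env.CONFTEST_IMAGE }}:latest`, so the examples image is indistinguishable from the conftest image in any downstream use; include the target in the tag. The `# Required for the digest to be present.` comment is helpful, but the `digest` output still has no consumer, and the goreleaser/binary-provenance stanza has now been commented out and back twice across the series — keeping both jobs and toggling them with `if:` would make the intended final shape of the workflow reviewable.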