generated from sigstore/sigstore-project-template
-
Notifications
You must be signed in to change notification settings - Fork 13
376 lines (339 loc) · 14.7 KB
/
reusable-prober.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
name: Reusable Sigstore Prober Workflow
on:
workflow_call:
secrets:
PAGERDUTY_INTEGRATION_KEY:
description: 'Integration key for PagerDuty'
required: true
inputs:
rekor_url:
required: false
type: string
default: 'https://rekor.sigstore.dev'
description: 'Rekor URL'
fulcio_url:
required: false
type: string
default: 'https://fulcio.sigstore.dev'
description: 'Fulcio URL'
oidc_url:
required: false
type: string
default: 'https://oauth2.sigstore.dev/auth'
description: 'OIDC URL'
enable_staging:
required: false
type: boolean
tuf_repo:
required: false
type: string
default: 'https://tuf-repo-cdn.sigstore.dev'
description: 'TUF Repo'
tuf_preprod_repo:
required: false
type: string
default: 'https://tuf-preprod-repo-cdn.sigstore.dev'
description: 'TUF Repo'
tuf_root_path:
required: false
type: string
default: "root.json"
description: "path to the tuf root"
tuf_root_url:
required: false
type: string
triggerPagerDutyTest:
description: 'Trigger PagerDuty test message'
required: false
type: string
severity:
description: 'The perceived severity of the status the event is describing with respect to the affected system. This can be "critical", "error", "warning" or "info".' "critical" and "error" default to High urgency, "warning" and "info" to Low.
default: 'error'
type: string
permissions:
contents: read
id-token: write
jobs:
sigstore-probe:
runs-on: ubuntu-latest
timeout-minutes: 10
outputs:
sigstore_probe: ${{ steps.msg.outputs.sigstore_probe }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Set up Go
id: setup-go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v3.3.0
with:
go-version-file: 'prober/hack/toolz/go.mod'
check-latest: true
cache: false
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ github.job }}-${{ hashFiles('prober/hack/toolz/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ github.job }}-
- name: Install 'prober' from sigstore/scaffolding
run: |
make -C prober/ prober
echo "PATH=$PATH:$PWD/prober/hack/toolz/bin" >> $GITHUB_ENV
# Make sure rekor is up and we can get root info
- name: Run prober
env:
DEBUG: 1
uses: nick-fields/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3
with:
timeout_minutes: 3
max_attempts: 3
retry_wait_seconds: 60
retry_on: error
command: prober --one-time --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }}
- name: Set messages
id: msg
if: success() || failure()
run: |
echo "sigstore_probe=good" >> $GITHUB_OUTPUT
if [ "${{ job.status }}" == 'failure' ]; then echo "sigstore_probe=failure" >> $GITHUB_OUTPUT; fi
root-probe:
timeout-minutes: 10
runs-on: ubuntu-latest
outputs:
root_state: ${{ steps.msg.outputs.root_state }}
steps:
- name: Checkout sigstore-probers code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Checkout root-signing to get roots
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
repository: sigstore/root-signing
ref: main
path: root-signing
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v3.3.0
id: setup-go
with:
go-version-file: 'prober/hack/toolz/go.mod'
check-latest: true
cache: false
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ github.job }}-${{ hashFiles('prober/hack/toolz/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ github.job }}-
- name: Install 'verify' tool from sigstore/root-signing
run: |
make -C prober/ verify
echo "PATH=$PATH:$PWD/prober/hack/toolz/bin" >> $GITHUB_ENV
- name: Check expiration
run: |
if [ "${{ inputs.tuf_root_url }}" != "" ]; then
curl -Lo root.json --user-agent "sigstore-prober" ${{ inputs.tuf_root_url }}
export ROOT_PATH=root.json
else
export ROOT_PATH=$GITHUB_WORKSPACE/root-signing/${{ inputs.tuf_root_path }}
fi
export EXPIRY=$(date -d '+2 days' '+%s')
verify repository --repository ${{ inputs.tuf_repo }} --root ${ROOT_PATH} --valid-until ${EXPIRY}
export EXPIRY=$(date -d '+15 days' '+%s')
echo "Verifying root valid within 15 days..."
verify repository --repository ${{ inputs.tuf_repo }} --root ${ROOT_PATH} --valid-until ${EXPIRY} --role root.json --role targets.json
# For preprod/staging TUF bucket
export EXPIRY=$(date -d '+2 days' '+%s')
verify repository --repository ${{ inputs.tuf_preprod_repo }} --root ${ROOT_PATH} --valid-until ${EXPIRY}
export EXPIRY=$(date -d '+15 days' '+%s')
echo "Verifying root valid within 15 days..."
verify repository --repository ${{ inputs.tuf_preprod_repo }} --root ${ROOT_PATH} --valid-until ${EXPIRY} --role root.json --role targets.json
- name: Set messages
id: msg
if: success() || failure()
run: |
echo "root_state=good" >> $GITHUB_OUTPUT
if [ "${{ job.status }}" == 'failure' ]; then echo "root_state=failure" >> $GITHUB_OUTPUT; fi
rekor-fulcio-e2e:
timeout-minutes: 10
permissions:
id-token: write
contents: read
env:
COSIGN_YES: "true"
GIT_HASH: ${{ github.sha }}
GIT_VERSION: unstable
GITHUB_RUN_ID: ${{ github.run_id }}
GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
IMAGE: localhost:1338/image:${{ github.sha }}-${{ github.run_id }}
REKOR_SERVER: ${{ inputs.rekor_url }}
runs-on: ubuntu-latest
outputs:
rekor_fulcio_e2e: ${{ steps.msg.outputs.rekor_fulcio_e2e }}
skip_pagerduty: ${{ steps.set-skip-pagerduty.outputs.skip_pagerduty }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# This server is often down, resulting in a lot of flaky probers
# If the server is down, and this step fails, we don't alert PagerDuty
- name: Confirm Github OIDC Server is Available
continue-on-error: true
run: |
curl -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" $ACTIONS_ID_TOKEN_REQUEST_URL&audience=sigstore
# Since the server is down, we want to ignore the failure in this workflow
# and skip paging PagerDuty
- name: Set skip_pagerduty outputs
id: set-skip-pagerduty
if: failure()
run: |
echo "skip_pagerduty=true" >> $GITHUB_OUTPUT
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v3.3.0
id: setup-go
with:
go-version-file: 'prober/hack/toolz/go.mod'
check-latest: true
cache: false
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ github.job }}-${{ hashFiles('prober/hack/toolz/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ steps.setup-go.outputs.go-version }}-${{ github.job }}-
# Install crane / rekor-cli / cosign tools
- name: Install (crane, rekor-cli, cosign) tools
run: |
make -C prober/ crane rekor-cli cosign
echo "PATH=$PATH:$PWD/prober/hack/toolz/bin" >> $GITHUB_ENV
# Setup the registry on port 1338
- uses: chainguard-dev/actions/setup-registry@main
- name: Build and copy a container image
continue-on-error: true
run: |
for i in {1..5}
do
if crane cp busybox@sha256:d2b53584f580310186df7a2055ce3ff83cc0df6caacf1e3489bff8cf5d0af5d8 ${IMAGE}; then
echo "Successfully copied image" && exit 0
else
echo "Failed to copy image ${IMAGE}" && sleep 10
fi
done
exit 1
# START: PREPRODUCTION VERIFICATION
# TODO: Create a matrix (https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs)
# to reduce duplication
# Test the preproduction bucket only for prod
- name: Initialize preprod TUF root
if: ${{ inputs.enable_staging == false }}
run: |
curl -Lo root.json --user-agent "sigstore-prober" ${{ inputs.tuf_preprod_repo }}/root.json
for i in {1..5}
do
if cosign initialize --mirror=${{ inputs.tuf_preprod_repo }} --root=root.json; then
echo "Successfully initialized" && exit 0
else
echo "Failed to initialize" && sleep 10
fi
done
# Test signing in preproduction
- name: Sign and verify the image with preprod TUF
if: ${{ inputs.enable_staging == false }}
run: |
cosign sign --yes ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} --oidc-provider github-actions
cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp='https://github.com/sigstore/sigstore-probers/.github/workflows/reusable-prober.yml@refs/.*'
- name: Remove preprod TUF
if: ${{ inputs.enable_staging == false }}
run: |
rm -rf ~/.sigstore
# END: PREPRODUCTION VERIFICATION
- name: Initialize prod TUF root
if: ${{ inputs.enable_staging == false }}
run: |
for i in {1..5}
do
if cosign initialize; then
echo "Successfully initialized" && exit 0
else
echo "Failed to initialize" && sleep 10
fi
done
- name: Initialize staging TUF root
if: ${{ inputs.enable_staging }}
run: |
curl -Lo root.json ${{ inputs.tuf_root_url }}
for i in {1..5}
do
if cosign initialize --mirror=${{ inputs.tuf_repo }} --root=root.json; then
echo "Successfully initialized" && exit 0
else
echo "Failed to initialize" && sleep 10
fi
done
exit 1
- name: Sign and verify the image
run: |
cosign sign --yes ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} --oidc-provider github-actions
cosign verify ${IMAGE} --rekor-url ${{ inputs.rekor_url }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp='https://github.com/sigstore/sigstore-probers/.github/workflows/reusable-prober.yml@refs/.*'
- name: Generate and upload attestation
run: |
cosign attest --predicate ./prober/attestation.json --type slsaprovenance --rekor-url ${{ inputs.rekor_url }} --fulcio-url ${{ inputs.fulcio_url }} --oidc-issuer ${{ inputs.oidc_url }} ${IMAGE}
cosign verify-attestation --rekor-url ${{ inputs.rekor_url }} --type=slsaprovenance ${IMAGE} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp='https://github.com/sigstore/sigstore-probers/.github/workflows/reusable-prober.yml@refs/.*'
# Get attestation hash
IMAGE_ATT=$(echo $(cosign triangulate ${IMAGE}) | sed 's/\.sig/\.att/')
DIGEST=$(crane manifest ${IMAGE_ATT} | jq -r '.layers[-1]'.digest)
echo "attestation_digest=${DIGEST}" >> $GITHUB_ENV
- name: Verify attestation contents
run: |
./prober/verify-attestation.sh "${{ env.attestation_digest }}"
- name: Set messages
id: msg
if: success() || failure()
run: |
echo "rekor_fulcio_e2e=good" >> $GITHUB_OUTPUT
if [ "${{ job.status }}" == 'failure' ]; then echo "rekor_fulcio_e2e=failure" >> $GITHUB_OUTPUT; fi
compute-summary-msg:
runs-on: ubuntu-latest
outputs:
summary: ${{ steps.msg.outputs.summary }}
group: ${{ steps.msg.outputs.group }}
steps:
- name: Set messages
id: msg
if: success() || failure()
run: |
if [ "${{ inputs.triggerPagerDutyTest }}" == "true" ]; then
echo "summary=Test Notification" >> $GITHUB_OUTPUT
else
echo "summary=Prober Failed" >> $GITHUB_OUTPUT
fi
echo "group=production" >> $GITHUB_OUTPUT
if [ ${{ inputs.enable_staging }} == 'true' ]; then
echo "group=staging" >> $GITHUB_OUTPUT;
fi
pagerduty-notification:
if: github.event.inputs.triggerPagerDutyTest=='true' || (failure() && needs.rekor-fulcio-e2e.outputs.skip_pagerduty != 'true')
needs: [sigstore-probe, root-probe, rekor-fulcio-e2e, compute-summary-msg]
uses: ./.github/workflows/reusable-pager.yml
secrets:
PAGERDUTY_INTEGRATION_KEY: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }}
with:
summary: ${{ needs.compute-summary-msg.outputs.summary }}
component: "health prober"
group: ${{ needs.compute-summary-msg.outputs.group }}
severity: ${{ inputs.severity }}
details: >
{
"Environment": "${{ needs.compute-summary-msg.outputs.group }}",
"Failure URL": "https://github.com/sigstore/sigstore-probers/actions/runs/${{ github.run_id }}",
"Commit": "${{ github.sha }}",
"Prober": "${{ needs.sigstore-probe.outputs.sigstore_probe }}",
"GCS Root": "${{ needs.root-probe.outputs.root_state }}",
"Rekor Fulcio E2E Test": "${{ needs.rekor-fulcio-e2e.outputs.rekor_fulcio_e2e }}"
}
links: >
[
{
"href": "https://github.com/sigstore/public-good-instance/blob/main/playbooks/alerting/alerts/k8s-api-endpoint-prober.md",
"text": "Prober Failure Playbook"
}
]