
Commit 6e40e6a

authored
Initial commit
0 parents  commit 6e40e6a

29 files changed

+2505
-0
lines changed
Lines changed: 78 additions & 0 deletions
@@ -0,0 +1,78 @@
1+
name: Build and Push Zip to Artifactory - Quick
2+
3+
on:
4+
#push:
5+
# paths:
6+
# - "API/**"
7+
# branches:
8+
# - main
9+
workflow_dispatch: {}
10+
11+
env:
12+
OCTOPUS_URL: https://your.octopus.app
13+
OCTOPUS_SERVICE_ACCOUNT: service account id
14+
OCTOPUS_SPACE: Your space
15+
PACKAGE_ID: API
16+
ARTIFACTORY_URL: https://artifactory.octopussamples.com/artifactory
17+
ARTIFACTORY_REPOSITORY: demo-octopus-app-generic
18+
ARTIFACTORY_ORG: app.octopus.your-domain.your-space
19+
20+
jobs:
21+
build:
22+
runs-on: ubuntu-latest
23+
permissions:
24+
id-token: write
25+
contents: read
26+
27+
steps:
28+
- name: Checkout code
29+
uses: actions/checkout@v2
30+
31+
- name: Set Version Number
32+
id: version-generator
33+
run: echo "version=$(date +'%y.%m.%d%H%M%S')-quick" >> $GITHUB_OUTPUT
34+
35+
- name: Login to Octopus Deploy
36+
uses: OctopusDeploy/login@v1
37+
with:
38+
server: ${{ env.OCTOPUS_URL }}
39+
service_account_id: ${{ env.OCTOPUS_SERVICE_ACCOUNT }}
40+
41+
- name: Setup .NET
42+
uses: actions/setup-dotnet@v4
43+
with:
44+
dotnet-version: 9.0
45+
46+
- name: Install dependencies
47+
run: dotnet restore
48+
49+
- name: Build
50+
run: |
51+
cd API
52+
dotnet build --configuration Release --no-restore
53+
dotnet publish -c Release -o ../demoapp-publish -r linux-x64 --self-contained true /p:UseAppHost=true
54+
55+
- name: Create a Zip package 🐙
56+
uses: OctopusDeploy/create-zip-package-action@v3
57+
with:
58+
package_id: ${{ env.PACKAGE_ID }}
59+
version: ${{ steps.version-generator.outputs.version }}
60+
output_folder: "./packaging"
61+
base_path: demoapp-publish
62+
files: |
63+
**/*.*
64+
65+
- uses: OctopusDeploy/push-build-information-action@v3
66+
name: Push build information 🐙
67+
with:
68+
version: ${{ steps.version-generator.outputs.version }}
69+
packages: |
70+
${{ env.ARTIFACTORY_ORG }}/${{ env.PACKAGE_ID }}/${{ env.PACKAGE_ID }}
71+
72+
- name: Upload package to Artifactory
73+
run: |
74+
packageFileName="${{ env.PACKAGE_ID }}.${{ steps.version-generator.outputs.version }}.zip"
75+
packageSource="./packaging/$packageFileName"
76+
url="${{ env.ARTIFACTORY_URL }}/${{ env.ARTIFACTORY_REPOSITORY }}/${{ env.ARTIFACTORY_ORG }}/${{ env.PACKAGE_ID }}/$packageFileName"
77+
curl -v --user ${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_PASSWORD }} --data-binary $packageSource -X PUT $url
78+
echo "Uploaded package to Artifactory: $url"
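Review bot: The upload on line 77 of this file (`curl ... --data-binary $packageSource -X PUT $url`) sends the literal string "./packaging/<file>" as the request body, not the zip's contents, because `--data-binary` reads a file only with an `@` prefix; the sibling SLSA workflow uses `-T $packageSource`, which is the correct form here too. The same line runs curl with `-v`, which echoes the request headers including the Basic `Authorization` header into the job log; GitHub masks the raw secret values, but it is not clear from here that the base64-encoded user:password form is masked as well, so drop `-v`. Without `--fail` a 401/403/404 from Artifactory leaves the step green and the next line still prints "Uploaded package", so the step should be `curl --fail -sS --user "${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_PASSWORD }}" -T "$packageSource" "$url"`. Separately, `dotnet-version: 9.0` on line 44 is an unquoted YAML float and may reach setup-dotnet as `9` rather than `9.0`; quoting it as `"9.0"` removes the ambiguity, and `actions/checkout@v2` on line 29 is behind the `@v4` used in the SLSA workflow.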
Lines changed: 260 additions & 0 deletions
@@ -0,0 +1,260 @@
1+
name: Build and Push Zip to Artifactory - SLSA
2+
3+
on:
4+
#push:
5+
# paths:
6+
# - "API/**"
7+
# branches:
8+
# - main
9+
workflow_dispatch: {}
10+
11+
env:
12+
OCTOPUS_URL: https://your.octopus.app
13+
OCTOPUS_SERVICE_ACCOUNT: service account id
14+
OCTOPUS_SPACE: Your space
15+
PACKAGE_ID: API
16+
SBOM_PACKAGE: API.SBOM
17+
ARTIFACTORY_URL: https://artifactory.octopussamples.com/artifactory
18+
ARTIFACTORY_REPOSITORY: demo-octopus-app-generic
19+
ARTIFACTORY_ORG: app.octopus.your-domain.your-space
20+
21+
jobs:
22+
configure:
23+
runs-on: ubuntu-latest
24+
name: Configure Workflow
25+
outputs:
26+
version: ${{ steps.version-generator.outputs.version }}
27+
steps:
28+
- name: Set Version Number
29+
id: version-generator
30+
run: echo "version=$(date +'%y.%m.%d%H%M%S')" >> $GITHUB_OUTPUT
31+
32+
scan:
33+
runs-on: ubuntu-latest
34+
name: Scan Code
35+
permissions:
36+
security-events: write
37+
38+
steps:
39+
- name: Checkout code
40+
uses: actions/checkout@v4
41+
42+
- name: Run Trivy vulnerability scanner on repo
43+
uses: aquasecurity/[email protected]
44+
with:
45+
scan-type: "fs"
46+
ignore-unfixed: true
47+
exit-code: "1"
48+
format: "sarif"
49+
output: "trivy-results.sarif"
50+
severity: "MEDIUM,HIGH,CRITICAL"
51+
52+
- name: Upload Trivy scan results to GitHub Security tab
53+
uses: github/codeql-action/upload-sarif@v3
54+
with:
55+
sarif_file: "trivy-results.sarif"
56+
57+
create-gh-release:
58+
name: Create GitHub Release
59+
needs: [configure, scan]
60+
runs-on: ubuntu-latest
61+
permissions:
62+
id-token: write
63+
contents: write
64+
steps:
65+
- name: Checkout Code to build website
66+
uses: actions/checkout@v1
67+
68+
- name: Create Release for GitHub
69+
id: create_release
70+
uses: ncipollo/release-action@v1
71+
if: github.ref == 'refs/heads/main'
72+
env:
73+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
74+
with:
75+
tag: "${{ needs.configure.outputs.version }}"
76+
name: Release ${{ needs.configure.outputs.version }}
77+
body: |
78+
Automatic Release creation by GitHub Action
79+
Commit Message: ${{ github.event.head_commit.message }}
80+
draft: false
81+
82+
build:
83+
name: Build and Scan packages
84+
needs: [configure, scan, create-gh-release]
85+
runs-on: ubuntu-latest
86+
permissions:
87+
id-token: write
88+
outputs:
89+
app_hash: ${{ steps.determine_app_hash.outputs.APP_HASH }}
90+
91+
steps:
92+
- name: Checkout code
93+
uses: actions/checkout@v2
94+
95+
- name: Login to Octopus Deploy
96+
uses: OctopusDeploy/login@v1
97+
with:
98+
server: ${{ env.OCTOPUS_URL }}
99+
service_account_id: ${{ env.OCTOPUS_SERVICE_ACCOUNT }}
100+
101+
- name: Setup .NET
102+
uses: actions/setup-dotnet@v4
103+
with:
104+
dotnet-version: 9.0
105+
106+
- name: Install dependencies
107+
run: dotnet restore
108+
109+
- name: Build
110+
run: |
111+
cd API
112+
dotnet build --configuration Release --no-restore
113+
dotnet publish -c Release -o ../demoapp-publish -r win-x64 --self-contained true /p:UseAppHost=true
114+
115+
- name: Run Trivy vulnerability scanner on published folder
116+
uses: aquasecurity/[email protected]
117+
with:
118+
scan-type: "fs"
119+
scan-ref: "demoapp-publish"
120+
ignore-unfixed: true
121+
exit-code: "1"
122+
format: "sarif"
123+
output: "trivy-results.sarif"
124+
severity: "MEDIUM,HIGH,CRITICAL"
125+
126+
- name: Create a Zip package 🐙
127+
uses: OctopusDeploy/create-zip-package-action@v3
128+
with:
129+
package_id: ${{ env.PACKAGE_ID }}
130+
version: ${{ needs.configure.outputs.version }}
131+
output_folder: "./packaging"
132+
base_path: demoapp-publish
133+
files: |
134+
**/*.*
135+
136+
- name: Create the Subject Checksum file for Attestation Build Provenance
137+
id: determine_app_hash
138+
shell: pwsh
139+
run: |
140+
$packageHash = Get-FileHash -path "packaging/${{ env.PACKAGE_ID }}.${{ needs.configure.outputs.version }}.zip" -Algorithm SHA256
141+
$hashToSave = $packageHash.Hash
142+
Write-Host "The app hash is $hashToSave"
143+
144+
"APP_HASH=$hashToSave" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
145+
146+
- uses: OctopusDeploy/push-build-information-action@v3
147+
name: Push build information 🐙
148+
with:
149+
version: ${{ needs.configure.outputs.version }}
150+
packages: |
151+
${{ env.PACKAGE_ID }}
152+
153+
- name: Upload packages to Artifactory
154+
run: |
155+
packageSourceFileName="${{ env.PACKAGE_ID }}.${{ needs.configure.outputs.version }}.zip"
156+
packageSource="./packaging/$packageSourceFileName"
157+
packageTargetFileName="${{ env.PACKAGE_ID }}-${{ needs.configure.outputs.version }}.zip"
158+
url="${{ env.ARTIFACTORY_URL }}/${{ env.ARTIFACTORY_REPOSITORY }}/${{ env.ARTIFACTORY_ORG }}/${{ env.PACKAGE_ID }}/$packageTargetFileName"
159+
curl -v --user ${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_PASSWORD }} -T $packageSource -X PUT $url
160+
echo "Uploaded package to Artifactory: $url"
161+
162+
sbom:
163+
name: Generate and Publish SBOM
164+
outputs:
165+
sbom_hash: ${{ steps.determine_sbom_hash.outputs.SBOM_HASH }}
166+
needs: [configure, scan, create-gh-release]
167+
runs-on: ubuntu-latest
168+
permissions:
169+
# Add any additional permissions your job requires here
170+
id-token: write # This is required to obtain the OIDC Token for Octopus Deploy
171+
steps:
172+
- name: Checkout the code for SBOM
173+
uses: actions/checkout@v1
174+
with:
175+
fetch-depth: "0"
176+
177+
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
178+
uses: aquasecurity/[email protected]
179+
with:
180+
scan-type: "fs"
181+
format: "github"
182+
output: "dependency-results.sbom.json"
183+
scan-ref: "."
184+
github-pat: ${{ secrets.GITHUB_TOKEN }}
185+
186+
- name: Package SBOM
187+
id: "sbom_package"
188+
uses: OctopusDeploy/create-zip-package-action@v3
189+
with:
190+
package_id: "${{ env.SBOM_PACKAGE }}"
191+
version: "${{ needs.configure.outputs.version }}"
192+
base_path: "./"
193+
files: "dependency-results.sbom.json"
194+
output_folder: packaged
195+
196+
- name: Create the Subject Checksum file for Attestation Build Provenance
197+
id: determine_sbom_hash
198+
shell: pwsh
199+
run: |
200+
$packageHash = Get-FileHash -path "packaged/${{ env.SBOM_PACKAGE }}.${{ needs.configure.outputs.version }}.zip" -Algorithm SHA256
201+
$hashToSave = $packageHash.Hash
202+
Write-Host "The SBOM package hash is $hashToSave"
203+
204+
"SBOM_HASH=$hashToSave" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
205+
206+
- name: Login to Octopus Deploy 🐙
207+
uses: OctopusDeploy/login@v1
208+
with:
209+
server: ${{ env.OCTOPUS_URL }}
210+
service_account_id: ${{ env.OCTOPUS_SERVICE_ACCOUNT }}
211+
212+
- name: Push build information to Octopus 🐙
213+
uses: OctopusDeploy/push-build-information-action@v3
214+
with:
215+
packages: |
216+
${{ env.ARTIFACTORY_ORG }}/${{ env.PACKAGE_ID }}/${{ env.PACKAGE_ID }}
217+
${{ env.ARTIFACTORY_ORG }}/${{ env.SBOM_PACKAGE }}/${{ env.SBOM_PACKAGE }}
218+
version: "${{ needs.configure.outputs.version }}"
219+
220+
- name: Upload packages to Artifactory
221+
run: |
222+
packageSourceFileName="${{ env.SBOM_PACKAGE }}.${{ needs.configure.outputs.version }}.zip"
223+
packageSource="./packaged/$packageSourceFileName"
224+
packageTargetFileName="${{ env.SBOM_PACKAGE }}-${{ needs.configure.outputs.version }}.zip"
225+
url="${{ env.ARTIFACTORY_URL }}/${{ env.ARTIFACTORY_REPOSITORY }}/${{ env.ARTIFACTORY_ORG }}/${{ env.SBOM_PACKAGE }}/$packageTargetFileName"
226+
curl -v --user ${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_PASSWORD }} -T $packageSource -X PUT $url
227+
echo "Uploaded package to Artifactory: $url"
228+
229+
create_attestations:
230+
name: Create Attestations
231+
needs: [configure, scan, create-gh-release, build, sbom]
232+
runs-on: ubuntu-latest
233+
permissions:
234+
id-token: write
235+
attestations: write # Required to publish attestations
236+
steps:
237+
- name: Create the subject checksum file for provenance
238+
shell: pwsh
239+
run: |
240+
$cleanedSbomSha = $("${{ needs.sbom.outputs.sbom_hash }}" -replace "sha256:", "").Trim()
241+
$cleanedAppSha = $("${{ needs.build.outputs.app_hash }}" -replace "sha256:", "").Trim()
242+
243+
$appSubject = "${{ env.ARTIFACTORY_ORG }}.${{ env.PACKAGE_ID }}.${{ env.PACKAGE_ID }}.${{ needs.configure.outputs.version }}".Trim()
244+
$sbomSubject = "${{ env.ARTIFACTORY_ORG }}.${{ env.SBOM_PACKAGE }}.${{ env.SBOM_PACKAGE }}.${{ needs.configure.outputs.version }}.zip".Trim()
245+
246+
Write-Host "The API information is $cleanedAppSha $appSubject"
247+
Write-Host "The SBOM information is $cleanedSbomSha $sbomSubject"
248+
249+
$subjectText = @"
250+
$cleanedAppSha $appSubject
251+
$cleanedSbomSha $sbomSubject
252+
"@
253+
254+
Write-Host "Creating the checksums file"
255+
New-Item -Path . -Name "subject.checksums.txt" -ItemType "File" -Value $subjectText
256+
- name: Generate attestation from provenance
257+
uses: actions/attest-build-provenance@v2
258+
id: generate-app-attestation
259+
with:
260+
subject-checksums: subject.checksums.txt
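Review bot: The attestation subjects written on lines 243-244 of this file do not name the artifacts that were actually published: `$appSubject` omits the `.zip` suffix that `$sbomSubject` carries, and both use the dotted form `ORG.PACKAGE.PACKAGE.version` while the Artifactory uploads on lines 157 and 224 store the files as `PACKAGE-version.zip`, so a verifier comparing the provenance subject name against the stored artifact will see a mismatch even though the digests are right; the subject names should be built from the same `packageTargetFileName` expression as the upload. The `sbom` job declares only `id-token: write` on line 170, so every other scope of `GITHUB_TOKEN` is `none`, yet line 184 hands that token to Trivy's `github` output, whose submission to the Dependency Graph needs `contents: write`; add `contents: write` to that job's permissions or the submission will presumably be rejected. In the `scan` job, `exit-code: "1"` on line 47 fails the Trivy step exactly when there are findings, and the `upload-sarif` step on line 53 has no `if: always()`, so the SARIF is never uploaded in the case it matters; add `if: always()` to that step. The `curl -v --user ...` uploads on lines 159 and 226 print the Basic `Authorization` header to the log and lack `--fail`, so a rejected PUT still reports success on the following `echo` line; use `curl --fail -sS --user ... -T "$packageSource" "$url"` instead. Action references are also inconsistent across jobs (`actions/checkout@v1` on lines 66 and 173, `@v2` on line 93, `@v4` on line 40); for a workflow whose purpose is SLSA provenance, pinning every `uses:` to a full commit SHA would make the build itself attestable.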
