From 0e39704b3a1527df4b6dd20cd5c967c111622bae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= Date: Tue, 21 Oct 2025 01:53:20 +0200 Subject: [PATCH 1/4] ci(actions): pin action versions to commit SHAs for security - Pin actions/checkout to SHA for v5.0.0 - Pin docker/setup-qemu-action to SHA for v3.6.0 - Pin docker/setup-buildx-action to SHA for v3.11.1 - Pin docker/login-action to SHA for v3.6.0 - Pin actions/setup-go to SHA for v6.0.0 - Pin actions/upload-artifact to SHA for v4.6.2 - Pin actions/setup-node to SHA for v6.0.0 - Pin actions/stale to SHA for v10.1.0 --- .github/workflows/cicd.yml | 14 ++++++++------ .github/workflows/linting.yml | 6 +++--- .github/workflows/stale-bot.yml | 4 ++-- .github/workflows/test.yml | 4 ++-- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 0d2008f1..21765ee1 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -12,23 +12,25 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - - name: Extract tag name id: get-tag run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV - name: Install Go - uses: actions/setup-go@v6 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: 1.24 @@ -67,7 +69,7 @@ jobs: make go-build-release - name: Upload artifacts from /install/bin - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: install-bin path: install/bin/ diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 1a01f1c4..90ce2d0d 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -18,10 +18,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Node.js - uses: actions/setup-node@v5 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: '22' @@ -32,4 +32,4 @@ jobs: run: npm run set:oss - name: Run ESLint - run: npx eslint . --ext .js,.jsx,.ts,.tsx \ No newline at end of file + run: npx eslint . --ext .js,.jsx,.ts,.tsx diff --git a/.github/workflows/stale-bot.yml b/.github/workflows/stale-bot.yml index 4a574d91..5b6889da 100644 --- a/.github/workflows/stale-bot.yml +++ b/.github/workflows/stale-bot.yml @@ -14,7 +14,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 with: days-before-stale: 14 days-before-close: 14 @@ -34,4 +34,4 @@ jobs: operations-per-run: 100 remove-stale-when-updated: true delete-branch: false - enable-statistics: true \ No newline at end of file + enable-statistics: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3d121f68..cd78e8af 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -11,9 +11,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: actions/setup-node@v5 + - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: '22' From 07330e84fb6262f0be8491a381d353509e272358 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= Date: Tue, 21 Oct 2025 01:54:23 +0200 Subject: [PATCH 2/4] ci(actions): change runner from ubuntu-latest to amd64-runner --- .github/workflows/linting.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 90ce2d0d..31db63ea 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -15,7 +15,7 @@ on: jobs: Linter: - runs-on: ubuntu-latest + runs-on: amd64-runner steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cd78e8af..eb5e03f5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,7 +8,7 @@ on: jobs: test: - runs-on: ubuntu-latest + runs-on: amd64-runner steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 From bfb5b2864d4ab838f18c0984c28fc2ef58314cdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= Date: Tue, 21 Oct 2025 01:59:52 +0200 Subject: [PATCH 3/4] ci(actions): add permissions section to workflows --- .github/workflows/cicd.yml | 3 +++ .github/workflows/linting.yml | 3 +++ .github/workflows/test.yml | 3 +++ 3 files changed, 9 insertions(+) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 21765ee1..9aab3199 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -1,5 +1,8 @@ name: CI/CD Pipeline +permissions: + contents: read + on: push: tags: diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 31db63ea..15474255 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -1,5 +1,8 @@ name: ESLint +permissions: + contents: read + on: pull_request: paths: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index eb5e03f5..c40689bc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,8 @@ name: Run Tests +permissions: + contents: read + on: pull_request: branches: From bc430546bcb9f2b20cc26ec828bdccd551ff0552 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= Date: Tue, 21 Oct 2025 02:07:26 +0200 Subject: [PATCH 4/4] ci(actions): add GHCR mirroring and cosign signing for Docker images - mirror images from Docker Hub to GHCR using skopeo (preserves multi-arch manifests) - login to GHCR via docker/login-action for signing/pushing - install cosign and perform dual signing: keyless (OIDC) + key-based; verify signatures - add required permissions for id-token/packages and reference necessary secrets --- .github/workflows/cicd.yml | 100 ++++++++++++++++++++++++++++++++++++- 1 file changed, 99 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 9aab3199..b0c4c193 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -1,17 +1,37 @@ name: CI/CD Pipeline +# CI/CD workflow for building, publishing, mirroring, signing container images and building release binaries. +# Actions are pinned to specific SHAs to reduce supply-chain risk. This workflow triggers on tag push events. + permissions: contents: read + packages: write # for GHCR push + id-token: write # for Cosign Keyless (OIDC) Signing + +# Required secrets: +# - DOCKER_HUB_USERNAME / DOCKER_HUB_ACCESS_TOKEN: push to Docker Hub +# - GITHUB_TOKEN: used for GHCR login and OIDC keyless signing +# - COSIGN_PRIVATE_KEY / COSIGN_PASSWORD / COSIGN_PUBLIC_KEY: for key-based signing on: push: tags: - "[0-9]+.[0-9]+.[0-9]+" +concurrency: + group: ${{ github.ref }} + cancel-in-progress: true + jobs: release: name: Build and Release runs-on: amd64-runner + # Job-level timeout to avoid runaway or stuck runs + timeout-minutes: 120 + env: + # Target images + DOCKERHUB_IMAGE: docker.io/${{ secrets.DOCKER_HUB_USERNAME }}/${{ github.event.repository.name }} + GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }} steps: - name: Checkout code @@ -26,11 +46,13 @@ jobs: - name: Log in to Docker Hub uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: + registry: docker.io username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Extract tag name id: get-tag run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV + shell: bash - name: Install Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 @@ -42,18 +64,21 @@ jobs: TAG=${{ env.TAG }} sed -i "s/export const APP_VERSION = \".*\";/export const APP_VERSION = \"$TAG\";/" server/lib/consts.ts cat server/lib/consts.ts + shell: bash - name: Pull latest Gerbil version id: get-gerbil-tag run: | LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/gerbil/tags | jq -r '.[0].name') echo "LATEST_GERBIL_TAG=$LATEST_TAG" >> $GITHUB_ENV + shell: bash - name: Pull latest Badger version id: get-badger-tag run: | LATEST_TAG=$(curl -s https://api.github.com/repos/fosrl/badger/tags | jq -r '.[0].name') echo "LATEST_BADGER_TAG=$LATEST_TAG" >> $GITHUB_ENV + shell: bash - name: Update install/main.go run: | @@ -65,6 +90,7 @@ jobs: sed -i "s/config.BadgerVersion = \".*\"/config.BadgerVersion = \"$BADGER_VERSION\"/" install/main.go echo "Updated install/main.go with Pangolin version $PANGOLIN_VERSION, Gerbil version $GERBIL_VERSION, and Badger version $BADGER_VERSION" cat install/main.go + shell: bash - name: Build installer working-directory: install @@ -77,7 +103,79 @@ jobs: name: install-bin path: install/bin/ - - name: Build and push Docker images + - name: Build and push Docker images (Docker Hub) run: | TAG=${{ env.TAG }} make build-release tag=$TAG + echo "Built & pushed to: ${{ env.DOCKERHUB_IMAGE }}:${TAG}" + shell: bash + + - name: Login in to GHCR + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Install skopeo + jq + # skopeo: copy/inspect images between registries + # jq: JSON parsing tool used to extract digest values + run: | + sudo apt-get update -y + sudo apt-get install -y skopeo jq + skopeo --version + shell: bash + + - name: Copy tag from Docker Hub to GHCR + # Mirror the already-built image (all architectures) to GHCR so we can sign it + run: | + set -euo pipefail + TAG=${{ env.TAG }} + echo "Copying ${{ env.DOCKERHUB_IMAGE }}:${TAG} -> ${{ env.GHCR_IMAGE }}:${TAG}" + skopeo copy --all --retry-times 3 \ + docker://$DOCKERHUB_IMAGE:$TAG \ + docker://$GHCR_IMAGE:$TAG + shell: bash + + - name: Install cosign + # cosign is used to sign and verify container images (key and keyless) + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + + - name: Dual-sign and verify (GHCR & Docker Hub) + # Sign each image by digest using keyless (OIDC) and key-based signing, + # then verify both the public key signature and the keyless OIDC signature. + env: + TAG: ${{ env.TAG }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} + COSIGN_YES: "true" + run: | + set -euo pipefail + + issuer="https://token.actions.githubusercontent.com" + id_regex="^https://github.com/${{ github.repository }}/.+" # accept this repo (all workflows/refs) + + for IMAGE in "${GHCR_IMAGE}" "${DOCKERHUB_IMAGE}"; do + echo "Processing ${IMAGE}:${TAG}" + + DIGEST="$(skopeo inspect --retry-times 3 docker://${IMAGE}:${TAG} | jq -r '.Digest')" + REF="${IMAGE}@${DIGEST}" + echo "Resolved digest: ${REF}" + + echo "==> cosign sign (keyless) --recursive ${REF}" + cosign sign --recursive "${REF}" + + echo "==> cosign sign (key) --recursive ${REF}" + cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}" + + echo "==> cosign verify (public key) ${REF}" + cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text + + echo "==> cosign verify (keyless policy) ${REF}" + cosign verify \ + --certificate-oidc-issuer "${issuer}" \ + --certificate-identity-regexp "${id_regex}" \ + "${REF}" -o text + done + shell: bash