refactor(WIP): define reusable docker content trust workflow

SpecterOps · Jan 17, 2025 · 9f75b39 · 9f75b39
1 parent b845add
commit 9f75b39
Show file tree

Hide file tree

Showing 7 changed files with 226 additions and 312 deletions.
diff --git a/.actrc b/.actrc
@@ -0,0 +1,9 @@
+--rm
+--reuse
+--container-options=--privileged
+--pull=false
+--platform=ubuntu-latest=catthehacker/ubuntu:custom-20.04
+--container-architecture=linux/amd64
+--workflows=./.github/workflows
+--secret-file=./.act.secrets
+--eventpath=./.act.event.json
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -0,0 +1,77 @@
+---
+# Copyright 2024 Specter Ops, Inc.
+#
+# Licensed under the Apache License, Version 2.0
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+name: Continuous Deployment (CD)
+
+on:
+  pull_request:
+    branches:
+      - main
+      - develop
+    types:
+      - assigned
+      - opened
+      - synchronize
+      - reopened
+      - closed
+  push:
+    branches:
+      - main
+      - develop
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+rc[0-9]+'
+
+jobs:
+  bloodhound-container-image:
+    name: Build and Publish BloodHound Container Image
+    uses: ./.github/workflows/reusable.build-container-image.yml
+    with:
+      container_image_repository_name: docker.io/specterops/bloodhound
+      image_sbom: true
+      image_provenance: mode=max
+      build_target: bloodhound
+      build_outputs: type=image,push=true
+      dockerfile: dockerfiles/bloodhound.Dockerfile
+      image_cache_from: |-
+        type=registry,ref=docker.io/specterops/bloodhound:buildcache
+        type=registry,ref=ghcr.io/specterops/bloodhound:buildcache
+      image_cache_to: |-
+        type=registry,ref=docker.io/specterops/bloodhound:buildcache,mode=max
+        type=registry,ref=ghcr.io/specterops/bloodhound:buildcache,mode=max
+    secrets:
+      dockerhub_account: ${{ secrets.DOCKERHUB_USERNAME }}
+      dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+      ghcr_account: ${{ github.actor }}
+      ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+      gh_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+  docker-content-trust-sign-image:
+    needs: bloodhound-container-image
+    name: Sign Docker Image using Docker Content Trust
+    uses: ./.github/workflows/reusable.dockder-content-trust.yml
+    with:
+      dockerhub_image_reference: ${{ needs.bloodhound-container-image.outputs.image_reference }}
+    secrets:
+      dockerhub_account: ${{ secrets.DOCKERHUB_USERNAME }}
+      dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
+      ghcr_account: ${{ github.actor }}
+      ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+      gh_access_token: ${{ secrets.GITHUB_TOKEN }}
+      docker_content_trust_repository_key_id: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
+      docker_content_trust_repository_passphrase: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
+      docker_content_trust_repository_key: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
+      docker_content_trust_repository_public_key: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PUBLIC_KEY }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -55,27 +55,22 @@ jobs:
     with:
       container_image_repository_name: docker.io/specterops/bloodhound
       build_target: bloodhound
-      image_sbom: true
-      image_provenance: mode=max
-      build_outputs: type=image,push=true
+      image_sbom: false
+      image_provenance: false
+      build_outputs: type=image,push=false
       dockerfile: dockerfiles/bloodhound.Dockerfile
       image_cache_from: |-
         type=registry,ref=docker.io/specterops/bloodhound:buildcache
         type=registry,ref=ghcr.io/specterops/bloodhound:buildcache
       image_cache_to: |-
         type=registry,ref=docker.io/specterops/bloodhound:buildcache,mode=max
         type=registry,ref=ghcr.io/specterops/bloodhound:buildcache,mode=max
-      docker_content_trust_server: https://notary.docker.io
     secrets:
       dockerhub_account: ${{ secrets.DOCKERHUB_USERNAME }}
       dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
       ghcr_account: ${{ github.actor }}
       ghcr_token: ${{ secrets.GITHUB_TOKEN }}
       gh_access_token: ${{ secrets.GITHUB_TOKEN }}
-      docker_content_trust_repository_key_id: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY_ID }}
-      docker_content_trust_repository_passphrase: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
-      docker_content_trust_repository_key: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_KEY }}
-      docker_content_trust_repository_public_key: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PUBLIC_KEY }}
 
   # static-code-analysis:
   #   name: Static Code Analysis

diff --git a/.github/workflows/reusable.build-container-image-artifact.yml b/.github/workflows/reusable.build-container-image-artifact.yml