Merge pull request #19 from natrontech/feat/jfu

feat: restructure CI, add git files

Author: janfuhrer

.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[{*.go,Makefile,.gitmodules,go.mod,go.sum}]
+indent_style = tab
+
+[*.md]
+indent_style = tab
+trim_trailing_whitespace = false
+
+[*.{yml,yaml,json}]
+indent_style = space
+indent_size = 2

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,23 @@
+---
+name: Bug report
+about: Create a report to help me improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe any alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any additional context or screenshots about the feature request here.

.github/dependabot.yml

@@ -1,14 +1,15 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 updates:
-  # GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     commit-message:
-      prefix: ":seedling:"
+      prefix: ":seedling:"
+
+  - package-ecosystem: "docker"
+    directory: /
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: ":robot:"

.github/workflows/README.md

@@ -0,0 +1,38 @@
+# GitHub Workflows
+
+## Overview
+
+Following workflows are implemented in the repository.
+[SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) is used to store the results for an analysis of code scanning tools in the Security tab of the repository.
+
+| Workflow                         | Jobs                            | Trigger                                                       | SARIF upload | Description                                                              |
+| :------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ------------------------------------------------------------------------ |
+| [cleanup.yml](./cleanup.yml)     | `clean`                         | workflow_dispatch, cron `0 0 * * *`                           | -            | Cleanup all untagged tags from GHCR repository which are older than `2w` |
+| [release.yml](./release.yml)     | see [release chapter](#release) | push tag `v*`, cron `20 14 * * *`, pr on `main`               | -            | Create release with go binaries and docker container                     |
+| [scorecard.yml](./scorecard.yml) | `analyze`                       | push to `main`, cron: `00 14 * * 1`, change branch protection | yes          | Create OpenSSF analysis and create project score                         |
+
+## Release
+
+The release workflow includes multiple jobs to create a release of the project. Following jobs are implemented:
+
+| Job                        | GitHub Action                                                                                                              | Description                                                                  |
+| :------------------------- | :------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------- |
+| `docker-publish`           | -                                                                                                                          | Build and sign the container image, create and sign the SBOM with Syft       |
+| `image-provenance`         | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images                                |
+| `verification-with-cosign` | -                                                                                                                          | Verifying the cryptographic signatures on provenance for the container image |
+
+### Container Release
+
+The docker image provenance is generated using the [SLSA Container Generator](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) and uploaded to the GitHub registry. The provenance can be verified using the `slsa-verifier` or `cosign` tool (see [Release Verification](./../../SECURITY.md#release-verification)).
+
+### Container SBOM
+
+The SBOMs of the container images are uploaded to a separate package registry (see [SBOM](./../../SECURITY.md#sbom) for more information).
+
+## Scorecards
+
+Action: https://github.com/ossf/scorecard-action
+
+[Scorecards](https://github.com/ossf/scorecard) is a tool that provides a security score for open-source projects. The workflow runs the scorecard on the repository and uploads the results to the Security tab of the repository. There is also a report on the OpenSSF website, the link is available in the README file by clicking on the OpenSSF Scorecard badge.
+
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/natrontech/gcp-mysql-backup/badge)](https://securityscorecards.dev/viewer/?uri=github.com/natrontech/gcp-mysql-backup)

.github/workflows/cleanup.yml

@@ -0,0 +1,23 @@
+name: GHCR cleanup
+
+on:
+  workflow_dispatch:
+  schedule:
+  - cron: "0 0 * * *"  # every day at midnight, utc
+
+permissions: {}
+
+jobs:
+  clean:
+    runs-on: ubuntu-latest
+    name: Delete old test images
+    steps:
+    - name: cleanup ghcr
+      uses: snok/[email protected]
+      with:
+        account: natrontech
+        token: ${{ secrets.GITHUB_TOKEN }}
+        image-names: "gcp-mysql-backup"
+        cut-off: 2w
+        tag-selection: untagged
+        dry-run: false

.github/workflows/docker-publish.yml

@@ -0,0 +1,159 @@
+name: release
+
+on:
+  schedule:
+    - cron: '20 14 * * *'
+  push:
+    tags:
+      - "v*"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions: {}
+
+jobs:
+  docker-publish:
+    outputs:
+      digest: ${{ steps.build-and-push.outputs.digest }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write # sign archives with cosign
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497 # v6.14.0
+        with:
+          context: .
+          tags: ${{ steps.meta.outputs.tags }}
+          push: true
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - name: Syft SBOM generation
+        uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
+        with:
+          image: ghcr.io/natrontech/gcp-mysql-backup@${{ steps.build-and-push.outputs.digest }}
+          format: cyclonedx-json
+          output-file: gcp-mysql-backup-bom.cdx.json
+          upload-artifact: false
+          upload-release-assets: false
+      - name: Cosign sign image
+        # env:
+        #   COSIGN_REPOSITORY: ghcr.io/${{ github.repository_owner }}/signatures
+        run: |
+          set -e
+          cosign sign --yes \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "ref=${{ github.sha }}" \
+            ghcr.io/natrontech/gcp-mysql-backup@${{ steps.build-and-push.outputs.digest }}
+      - name: Cosign sign sbom
+        # env:
+        #   COSIGN_REPOSITORY: ghcr.io/${{ github.repository_owner }}/sbom
+        run: |
+          cosign attest --yes \
+            --predicate ./gcp-mysql-backup-bom.cdx.json \
+            --type cyclonedx \
+            --oidc-provider github-actions \
+            ghcr.io/natrontech/gcp-mysql-backup@${{ steps.build-and-push.outputs.digest }}
+
+  image-provenance:
+    needs: [docker-publish]
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    # MUST be referenced by tag (see https://github.com/slsa-framework/slsa-github-generator/?tab=readme-ov-file#referencing-slsa-builders-and-generators)
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
+      digest: ${{ needs.docker-publish.outputs.digest }}
+      registry-username: ${{ github.actor }}
+      provenance-registry-username: ${{ github.actor }}
+      #provenance-repository: ghcr.io/${{ github.repository_owner }}/signatures
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      provenance-registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  verification-with-cosign:
+    needs: [docker-publish, image-provenance]
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Login
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+
+      - name: Verify provenance of image
+        env:
+          IMAGE: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
+          DIGEST: ${{ needs.docker-publish.outputs.digest }}
+          REPOSITORY: ${{ github.repository_owner }}
+        run: |
+          cosign verify-attestation \
+            --type slsaprovenance \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
+            --policy policy.cue \
+            $IMAGE@$DIGEST
+
+      - name: Verify signature of image
+        env:
+          IMAGE: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
+          DIGEST: ${{ needs.docker-publish.outputs.digest }}
+          REPOSITORY: ${{ github.repository_owner }}
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp '^https://github.com/natrontech/gcp-mysql-backup/.github/workflows/release.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?$' \
+            --certificate-identity-regexp '^https://github.com/natrontech/gcp-mysql-backup/.github/workflows/release.yml@refs/heads/main$' \
+            $IMAGE@$DIGEST
+
+      - name: Verify sbom of image
+        env:
+          IMAGE: ghcr.io/${{ github.repository_owner }}/gcp-mysql-backup
+          DIGEST: ${{ needs.docker-publish.outputs.digest }}
+          REPOSITORY: ${{ github.repository_owner }}
+        run: |
+          cosign verify-attestation \
+            --type cyclonedx \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp '^https://github.com/natrontech/gcp-mysql-backup/.github/workflows/release.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+(-rc.[0-9]+)?$' \
+            --certificate-identity-regexp '^https://github.com/natrontech/gcp-mysql-backup/.github/workflows/release.yml@refs/heads/main$' \
+            $IMAGE@$DIGEST