diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 449f546..0319a27 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,4 @@ -name: Docker-build-with-evidence +name: ptfl-build-with-evidence on: [workflow_dispatch] @@ -9,9 +9,12 @@ permissions: jobs: Docker-build-with-evidence: + environment: Jfrog runs-on: ubuntu-latest env: - REPO_NAME: evidence-demo-docker-dev + REPO_NAME: ptfl-oci-dev-local + JF_PROJECT: ptfl + steps: - uses: actions/checkout@v4 
@@ -25,46 +28,48 @@ jobs: - name: Build Docker image run: | URL=$(echo ${{ vars.ARTIFACTORY_URL }} | sed 's|^https://||') + echo ${URL} REPO_URL=${URL}/${REPO_NAME} + echo ${REPO_URL} docker build -t ${REPO_URL}/example-go-app:${{ github.run_number }} . - jf docker push ${REPO_URL}/example-go-app:${{ github.run_number }} + jf docker push ${REPO_URL}/example-go-app:${{ github.run_number }} --project ${JF_PROJECT} - name: Evidence on docker run: | echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json - jf evd create --package-name example-go-app --package-version ${{ github.run_number }} --package-repo-name ${REPO_NAME} \ - --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} \ - --predicate ./sign.json --predicate-type https://jfrog.com/evidence/signature/v1 + cat ./sign.json + jf evd create --package-name example-go-app --package-version ${{ github.run_number }} --package-repo-name ${REPO_NAME} --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} --predicate ./sign.json --predicate-type https://jfrog.com/evidence/signature/v1 --project ${JF_PROJECT} echo '🔎 Evidence attached: `signature` 🔏 ' - name: Collecting Information from Git - run: jf rt build-add-git + run: jf rt build-add-git --project ${JF_PROJECT} - name: Collecting Environment Variables - run: jf rt build-collect-env + run: jf rt build-collect-env --project ${JF_PROJECT} - name: Publish build info - run: jfrog rt build-publish + run: jfrog rt build-publish --project ${JF_PROJECT} - name: Sign build evidence run: | echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'" }' > sign.json jf evd create --build-name ${{ github.workflow }} --build-number ${{ github.run_number }} \ --predicate ./sign.json --predicate-type https://jfrog.com/evidence/build-signature/v1 \ - --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} + --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ 
secrets.KEY_ALIAS }} --project ${JF_PROJECT} echo '🔎 Evidence attached: `build-signature` 🔏 ' >> $GITHUB_STEP_SUMMARY - name: Create release bundle run: | - echo '{ "files": [ {"build": "'"${{ github.workflow }}/${{ github.run_number }}"'" } ] }' > bundle-spec.json - jf release-bundle-create ${{ github.actor }}-evidence-training ${{ github.run_number }} --signing-key ${{ secrets.RB_KEY }} --spec bundle-spec.json --sync=true - VER_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ github.actor }}-evidence-training'&bundleToFlash='${{ github.actor }}-evidence-training'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeKanbanTab=promotion' - echo '📦 Release bundle ['${{ github.actor }}-evidence-training:${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY + echo '{ "files": [ {"build": "'"${{ github.workflow }}/${{ github.run_number }}"'" , "project" : "'"${JF_PROJECT}"'" } ] }' > bundle-spec.json + cat ./bundle-spec.json + jf release-bundle-create ${{ github.actor }}-evd-flow ${{ github.run_number }} --signing-key ${{ secrets.RB_KEY }} --spec bundle-spec.json --sync=true --project ${JF_PROJECT} + VER_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ github.actor }}-evidence-training'&bundleToFlash='${{ github.actor }}-evd-flow'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeKanbanTab=promotion' + echo '📦 Release bundle ['${{ github.actor }}-evd-flow:${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY - # - name: Approve release-bundle - # run: | - # echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'", "approved": "true" }' > rbv2_approval_evidence.json - # jf evd create --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} \ - # --release-bundle ${{ github.actor }}-evidence-training --release-bundle-version ${{ github.run_number }} \ - # 
--predicate ./rbv2_approval_evidence.json --predicate-type https://jfrog.com/evidence/approval/v1 - # echo 'Approval of Release bundle ${{ github.actor }}-evidence-training':'${{ github.run_number }} succeded' >> $GITHUB_STEP_SUMMARY + - name: Approve release-bundle + run: | + echo '{ "actor": "${{ github.actor }}", "date": "'$(date -u +"%Y-%m-%dT%H:%M:%SZ")'", "approved": "true" }' > rbv2_approval_evidence.json + jf evd create --key "${{ secrets.PRIVATE_KEY }}" --key-alias ${{ secrets.KEY_ALIAS }} \ + --release-bundle ${{ github.actor }}-evd-flow --release-bundle-version ${{ github.run_number }} \ + --predicate ./rbv2_approval_evidence.json --predicate-type https://jfrog.com/evidence/approval/v1 --project ${JF_PROJECT} + echo 'Approval of Release bundle ${{ github.actor }}-evd-flow':'${{ github.run_number }} succeded' >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/distribute.yml b/.github/workflows/distribute.yml new file mode 100644 index 0000000..b10e37b --- /dev/null +++ b/.github/workflows/distribute.yml 
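Review bot: The `VER_LINK` line in the Create release bundle step still builds the UI link with `bundleName='${{ github.actor }}-evidence-training'` while the bundle is created two lines earlier as `${{ github.actor }}-evd-flow`, so the summary link points at a bundle name that no longer exists; change it to `bundleName='${{ github.actor }}-evd-flow'`. The same stale value is repeated in the new `jf_build.yml` Create release bundle step, and both links still carry `repositoryKey=release-bundles-v2` whereas `promote.yml` in this commit now queries `${JF_PROJECT}-release-bundles-v2`, so the repository key in the link likely needs the same project prefix. Separately, the re-enabled Approve release-bundle step writes `"approved": "true"` unconditionally in the same job, signed with the same `PRIVATE_KEY`/`KEY_ALIAS` used for the build and package signature evidence; if the promote policy treats this predicate as an approval gate it records no independent decision, so consider moving it to a separately gated job or environment. The enclosing job continues outside the hunk.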
@@ -0,0 +1,34 @@ +name: distribute-to-edge-nodes +on: + workflow_dispatch: + inputs: + rb-version: + description: 'Release bundle version' + required: true +permissions: + id-token: write + contents: read + +jobs: + Promote-to-qa-and-test: + environment: Jfrog-US + runs-on: ubuntu-latest + env: + PROMOTE_REPO_NAME: ptfl1-docker + JF_PROJECT: ptfl1 + steps: + + - name: Checkout + uses: actions/checkout@v4 + + - name: Install jfrog cli + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.ARTIFACTORY_URL }} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} + + - name: Distribute to Edge nodes + run: | + echo '{ "distribution_rules": [ {"site_name": "SolEngEdgeSaaS"} ] }' > distr-rule.json + jf release-bundle-distribute --sync=true --project ${JF_PROJECT} --dist-rules=distr-rule.json ${{ github.actor }}-evd-flow ${{ inputs.rb-version }} --sync=true --project ${JF_PROJECT} + echo "🚀 Succesfully promoted to \`QA\` environemnt" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/frogbot-scan-fix.yaml b/.github/workflows/frogbot-scan-fix.yaml new file mode 100644 index 0000000..9517952 --- /dev/null +++ b/.github/workflows/frogbot-scan-fix.yaml 
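Review bot: The `jf release-bundle-distribute` line in the Distribute to Edge nodes step passes `--sync=true --project ${JF_PROJECT}` twice, once before `--dist-rules` and again after the version argument; drop one pair so the command reads `jf release-bundle-distribute --sync=true --project ${JF_PROJECT} --dist-rules=distr-rule.json ${{ github.actor }}-evd-flow ${{ inputs.rb-version }}`. The step summary then reports `Succesfully promoted to QA environemnt` although this step distributes and performs no promotion; reword it to describe what happened, e.g. `echo "🚀 Distributed ${{ github.actor }}-evd-flow ${{ inputs.rb-version }} to edge nodes" >> $GITHUB_STEP_SUMMARY`. `inputs.rb-version` is a user-supplied dispatch value spliced into the shell text via `${{ }}`; passing it through the step `env` (`RB_VERSION: ${{ inputs.rb-version }}`) and using `"$RB_VERSION"` keeps untrusted input out of the script body. `PROMOTE_REPO_NAME` is defined in the job `env` but is not referenced anywhere in this file, so it can be removed.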
@@ -0,0 +1,137 @@ +name: "Frogbot Scan and Fix" +on: + schedule: + # The repository will be scanned based on the following cron expression + - cron: "0 0 * 1 *" + workflow_dispatch: + inputs: + run_reason: + required: false + type: string + default: "On-demand workflow run" + description: "Reason for manually triggering the workflow" +permissions: + contents: write + pull-requests: write + security-events: write + id-token: write +jobs: + create-fix-pull-requests: + environment: Jfrog + runs-on: ubuntu-latest + env: + REPO_NAME: ptfl1-docker + JF_PROJECT: ptfl1 + + strategy: + matrix: + # The repository scanning will be triggered periodically on the following branches. + branch: [ "main" ] + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ matrix.branch }} + - uses: actions/setup-go@v5 + with: + go-version: '^1.23.3' # The Go version to download (if necessary) and use. + # Install prerequisites + - name: Setup Frogbot + uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL + JF_URL: ${{ vars.ARTIFACTORY_URL}} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} + JFROG_CLI_LOG_LEVEL: "DEBUG" + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. 
Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Optional] + # If the machine that runs Frogbot has no access to the internet, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io + # The 'frogbot' executable and other tools it needs will be downloaded through this repository. + # JF_RELEASES_REPO: "" + + + + ########################################################################## + ## If your project uses a 'frogbot-config.yml' file, you can define ## + ## the following variables inside the file, instead of here. ## + ########################################################################## + + # [Mandatory if the two conditions below are met] + # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. + # + # The command that installs the project dependencies (e.g "nuget restore") + # JF_INSTALL_DEPS_CMD: "" + + # [Optional, default: "."] + # Relative path to the root of the project in the Git repository + # JF_WORKING_DIR: path/to/project/dir + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + JF_PROJECT: ${JF_PROJECT} + + # [Optional, default: "TRUE"] + # Fails the Frogbot task if any security issue is found. + # JF_FAIL: "FALSE" + + # [Optional] + # Frogbot will download the project dependencies if they're not cached locally. 
To download the + # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" + + # [Optional] + # Template for the branch name generated by Frogbot when creating pull requests with fixes. + # The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique. + # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables. + # JF_BRANCH_NAME_TEMPLATE: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}" + + # [Optional] + # Template for the commit message generated by Frogbot when creating pull requests with fixes + # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables. + # JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}" + + # [Optional] + # Template for the pull request title generated by Frogbot when creating pull requests with fixes. + # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables. + # JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to to ${FIX_VERSION}" + + # [Optional, Default: "FALSE"] + # If TRUE, Frogbot creates a single pull request with all the fixes. + # If FALSE, Frogbot creates a separate pull request for each fix. + # JF_GIT_AGGREGATE_FIXES: "FALSE" + + # [Optional, Default: "FALSE"] + # Handle vulnerabilities with fix versions only + # JF_FIXABLE_ONLY: "TRUE" + + # [Optional] + # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests + # The following values are accepted: Low, Medium, High or Critical + JF_MIN_SEVERITY: "High" diff --git a/.github/workflows/jf_build.yml b/.github/workflows/jf_build.yml new file mode 100644 index 0000000..f622266 --- /dev/null +++ b/.github/workflows/jf_build.yml 
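Review bot: `JF_PROJECT: ${JF_PROJECT}` in the Setup Frogbot step's `env` is a literal string, not a reference: GitHub Actions does not perform shell-style `${VAR}` expansion in workflow `env` values, so Frogbot receives the text `${JF_PROJECT}` rather than `ptfl1`; use an expression, `JF_PROJECT: ${{ env.JF_PROJECT }}`, or set the value directly. The schedule `cron: "0 0 * 1 *"` runs at midnight every day of January only (day-of-month `*`, month `1`); if a monthly scan was intended the expression would be `"0 0 1 * *"`, so please confirm. `JFROG_CLI_LOG_LEVEL: "DEBUG"` increases what the CLI writes to the job log of a scheduled run; secret values are masked but request and response details are not, so consider leaving it at the default unless actively debugging. The job-level `REPO_NAME` variable is not referenced in this workflow.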
@@ -0,0 +1,52 @@ +name: ptfl1-build-with-rb + +on: + [workflow_dispatch] + +permissions: + id-token: write + contents: read + +jobs: + Docker-build-with-evidence: + environment: Jfrog-US + runs-on: ubuntu-latest + env: + REPO_NAME: ptfl1-docker + JF_PROJECT: ptfl1 + + steps: + + - uses: actions/checkout@v4 + + - name: Install jfrog cli + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.ARTIFACTORY_URL }} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} + + - name: Build Docker image + run: | + URL=$(echo ${{ vars.ARTIFACTORY_URL }} | sed 's|^https://||') + echo ${URL} + REPO_URL=${URL}/${REPO_NAME} + echo ${REPO_URL} + docker build -t ${REPO_URL}/example-go-app:${{ github.run_number }} . + jf docker push ${REPO_URL}/example-go-app:${{ github.run_number }} --project ${JF_PROJECT} + + - name: Collecting Information from Git + run: jf rt build-add-git --project ${JF_PROJECT} + + - name: Collecting Environment Variables + run: jf rt build-collect-env --project ${JF_PROJECT} + + - name: Publish build info + run: jfrog rt build-publish --project ${JF_PROJECT} + + - name: Create release bundle + run: | + echo '{ "files": [ {"build": "'"${{ github.workflow }}/${{ github.run_number }}"'" , "project" : "'"${JF_PROJECT}"'" } ] }' > bundle-spec.json + cat ./bundle-spec.json + jf release-bundle-create ${{ github.actor }}-evd-flow ${{ github.run_number }} --signing-key ${{ secrets.RB_KEY }} --spec bundle-spec.json --sync=true --project ${JF_PROJECT} + VER_LINK=${{ vars.ARTIFACTORY_URL }}'/ui/artifactory/lifecycle/?bundleName='${{ github.actor }}-evidence-training'&bundleToFlash='${{ github.actor }}-evd-flow'&releaseBundleVersion='${{ github.run_number }}'&repositoryKey=release-bundles-v2&activeKanbanTab=promotion' + echo '📦 Release bundle ['${{ github.actor }}-evd-flow:${{ github.run_number }}']('${VER_LINK}') created' >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml index ee24af4..a26f6e2 100644 
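Review bot: `permissions` grants `id-token: write` but nothing in the job uses OIDC: `setup-jfrog-cli` is configured with `JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}`, a stored long-lived token, and no `oidc-provider-name` input. Either drop `id-token: write` to keep the grant minimal, or move authentication to the action's OIDC input so the runner exchanges a short-lived GitHub token instead of a static secret; `distribute.yml` in this commit has the same combination. The Create release bundle step repeats the stale `bundleName='${{ github.actor }}-evidence-training'` link already noted on `build.yml`. The Publish build info step invokes `jfrog rt build-publish` while every other step uses `jf`; if the installed CLI does not provide the `jfrog` alias this step fails, so prefer `jf rt build-publish --project ${JF_PROJECT}` for consistency.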
--- a/.github/workflows/promote.yml +++ b/.github/workflows/promote.yml @@ -11,7 +11,11 @@ permissions: jobs: Promote-to-qa-and-test: + environment: Jfrog runs-on: ubuntu-latest + env: + PROMOTE_REPO_NAME: ptfl-oci-dev-local + JF_PROJECT: ptfl steps: - name: Checkout @@ -31,7 +35,7 @@ jobs: - name: Call GraphQL run: | - ./scripts/graphql.sh ${{ vars.ARTIFACTORY_URL }} ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} release-bundles-v2 ${{ github.actor }}-evidence-training ${{ inputs.rb-version }} + ./scripts/graphql.sh ${{ vars.ARTIFACTORY_URL }} ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} ${JF_PROJECT}-release-bundles-v2 ${{ github.actor }}-evd-flow ${{ inputs.rb-version }} cat evidence_graph.json - name: Run policy @@ -44,7 +48,7 @@ jobs: - name: Promote to Test run: | if [ "${{ env.RESULT }}" == "true" ]; then - jf release-bundle-promote ${{ github.actor }}-evidence-training ${{ inputs.rb-version }} QA --signing-key ${{ secrets.RB_KEY }} --sync=true + jf release-bundle-promote ${{ github.actor }}-evd-flow ${{ inputs.rb-version }} QA --signing-key ${{ secrets.RB_KEY }} --sync=true --project ${JF_PROJECT} echo "🚀 Succesfully promoted to \`QA\` environemnt" >> $GITHUB_STEP_SUMMARY else opa eval --input ./evidence_graph.json --data policy/policy.rego "data.policy.output" | jq '.result[0].expressions[0].value'
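Review bot: The rewritten Call GraphQL line passes `${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}` as a positional argument to `./scripts/graphql.sh`, which puts the token on the process command line where it is visible to other processes on the runner and in any error that echoes the invocation; log masking only hides the literal value in output. Export it through the step `env` (`ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}`) and have the script read the variable, which also keeps `${{ }}` expansion out of the shell text; `inputs.rb-version` on the same line is a user-supplied dispatch input and benefits from the same treatment. The script's interface is outside the diff, so it would need a matching change. `PROMOTE_REPO_NAME: ptfl-oci-dev-local` added in the first hunk is not referenced in any of the three hunks; if nothing outside them uses it either, remove it.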