Merge pull request #4 from AstrumBot/ci/sbom-provenance-cosign

Nyrest · web-flow · commit d5a12417e550 · 2026-05-04T21:07:44.000+08:00
ci: add SBOM/provenance/cosign signing and hadolint/trivy scanning
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -10,6 +10,7 @@ on:
 permissions:
   contents: read
   packages: write
+  id-token: write
 
 env:
   IMAGE_NAME: astrum-agent-runtime
@@ -64,12 +65,15 @@ jobs:
       - name: Verify runtime
         run: docker run --rm "${{ steps.meta.outputs.image }}:verify" verify-runtime
 
-      - name: Push verified image
+      - name: Push verified image with attestations
+        id: push
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
           push: true
+          provenance: mode=max
+          sbom: true
           tags: |
             ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.tag }}
             ${{ steps.meta.outputs.image }}:${{ steps.meta.outputs.latest }}
@@ -81,3 +85,14 @@ jobs:
             org.opencontainers.image.version=${{ steps.meta.outputs.tag }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.8.1
+        with:
+          cosign-release: 'v2.4.3'
+
+      - name: Sign image with cosign
+        env:
+          COSIGN_YES: true
+        run: |
+          cosign sign "${{ steps.meta.outputs.image }}@${{ steps.push.outputs.digest }}"
diff --git a/.github/workflows/docker-verify.yml b/.github/workflows/docker-verify.yml
@@ -9,15 +9,36 @@ on:
 
 permissions:
   contents: read
+  security-events: write
 
 env:
   IMAGE_NAME: astrum-agent-runtime
 
 jobs:
-  verify:
-    name: Build and verify image
+  lint:
+    name: Lint Dockerfile
     runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          format: sarif
+          output-file: hadolint-results.sarif
+          no-fail: true
+
+      - name: Upload hadolint results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: hadolint-results.sarif
+          category: hadolint
 
+  scan:
+    name: Build and scan image
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -37,3 +58,18 @@ jobs:
 
       - name: Verify runtime
         run: docker run --rm "${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}" verify-runtime
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:pr-${{ github.event.number }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: HIGH,CRITICAL
+
+      - name: Upload Trivy results to GitHub Security
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy
