
fix(ci): address Copilot review — resolve commit from workspace, pass run-started-at, tighten verify regexp

  * Derive the provenance `git_commit` and source URI from `git rev-parse HEAD`
    so the attestation records the actually-built revision rather than
    `GITHUB_SHA`, which on a tag push reflects the triggering ref, not the
    branch the release workflow checks out.
  * Accept `run-started-at` as an input and record it as
    `runDetails.metadata.startedOn`, sourced from `github.run_started_at` in
    both caller workflows, instead of `date -u` at predicate-build time.
  * Tighten the documented develop `--certificate-identity-regexp` to
    `refs/heads/develop$` so verifiers do not accept signatures from
    unexpected branches if the workflow trigger ever broadens.
  * Redefine `VERSION` in the `verify-attestation` example so the block is
    copy-pastable independently of the earlier `verify` example.

Signed-off-by: Warwick Peatey <warwick@automatic.systems>
Assisted-by: Claude Code
Warwick Peatey, 1 month ago
parent commit b110fb2aec

+ 10 - 3
.github/actions/sign-image/action.yaml

@@ -11,6 +11,12 @@ inputs:
     workflow-path:
         description: 'Path to the workflow file (repo-relative) that triggered the build.'
         required: true
+    run-started-at:
+        description: >-
+          ISO-8601 workflow run start time, typically `${{ github.run_started_at }}`
+          from the caller. Recorded as `runDetails.metadata.startedOn` in the
+          SLSA provenance predicate.
+        required: true
 
 runs:
     using: "composite"
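Review bot: the new `run-started-at` input is `required: true` but nothing checks its shape, so a caller passing an empty string or a non-ISO value still yields a predicate whose `runDetails.metadata.startedOn` is malformed; since the value is copied verbatim into the SLSA predicate, consider a cheap guard in the `run:` step, e.g. `[[ "$STARTED_ON" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T ]] || { echo "run-started-at is not ISO-8601"; exit 1; }`, or at least state in the description that it is passed through unvalidated.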
@@ -47,15 +53,16 @@ runs:
         shell: bash
         env:
           WORKFLOW_PATH: ${{ inputs.workflow-path }}
+          STARTED_ON: ${{ inputs.run-started-at }}
         run: |
           set -euo pipefail
-          STARTED_ON="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          RESOLVED_GIT_COMMIT="$(git rev-parse HEAD)"
           jq -n \
             --arg workflow_ref   "${GITHUB_REF}"                                 \
             --arg repo_url       "https://github.com/${GITHUB_REPOSITORY}"       \
             --arg workflow_path  "${WORKFLOW_PATH}"                              \
-            --arg source_uri     "git+https://github.com/${GITHUB_REPOSITORY}@${GITHUB_REF}" \
-            --arg git_commit     "${GITHUB_SHA}"                                 \
+            --arg source_uri     "git+https://github.com/${GITHUB_REPOSITORY}@${RESOLVED_GIT_COMMIT}" \
+            --arg git_commit     "${RESOLVED_GIT_COMMIT}"                        \
             --arg builder_id     "https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \
             --arg invocation_id  "https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}" \
             --arg started_on     "${STARTED_ON}" \
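Review bot: the new `RESOLVED_GIT_COMMIT="$(git rev-parse HEAD)"` line assumes the composite action always runs after `actions/checkout` in the same job; outside a work tree the command exits non-zero and, under `set -euo pipefail`, the step fails with an opaque error, so a guard such as `git rev-parse --is-inside-work-tree >/dev/null || { echo "sign-image must run after checkout"; exit 1; }` would make the precondition explicit. Also, `source_uri` now carries the SHA after `@` while `workflow_ref` is still `${GITHUB_REF}`, so the predicate no longer records which ref was actually checked out; if verifiers want that, keep a ref in the URI and let `git_commit` carry the digest, which matches how SLSA's `resolvedDependencies` pairs `uri` with `digest.gitCommit`.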

+ 1 - 0
.github/workflows/build-and-publish-develop.yml

@@ -67,3 +67,4 @@ jobs:
         with:
           image: ${{ steps.tags.outputs.IMAGE_TAG }}
           workflow-path: .github/workflows/build-and-publish-develop.yml
+          run-started-at: ${{ github.run_started_at }}

+ 1 - 0
.github/workflows/build-and-publish-release.yml

@@ -118,3 +118,4 @@ jobs:
         with:
           image: ${{ steps.tags.outputs.IMAGE_TAG_VERSION }}
           workflow-path: .github/workflows/build-and-publish-release.yml
+          run-started-at: ${{ github.run_started_at }}
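Review bot: with `run-started-at` now `required: true` in the action, this workflow and the develop one are the only callers updated in the diff; confirm no other workflow invokes `.github/actions/sign-image`, since any remaining caller would fail at input validation rather than at runtime.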

+ 3 - 1
SECURITY.md

@@ -39,7 +39,7 @@ to a signed manifest is verifiable regardless of tag mutation.
 | `--certificate-oidc-issuer` | `https://token.actions.githubusercontent.com` |
 | `--certificate-identity` (release tag `vX.Y.Z`) | `https://github.com/opencost/opencost/.github/workflows/build-and-publish-release.yml@refs/tags/vX.Y.Z` |
 | `--certificate-identity-regexp` (any release) | `^https://github\.com/opencost/opencost/\.github/workflows/build-and-publish-release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$` |
-| `--certificate-identity-regexp` (develop) | `^https://github\.com/opencost/opencost/\.github/workflows/build-and-publish-develop\.yml@refs/heads/.+$` |
+| `--certificate-identity-regexp` (develop) | `^https://github\.com/opencost/opencost/\.github/workflows/build-and-publish-develop\.yml@refs/heads/develop$` |
 
 ### Verifying an image signature
 
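Review bot: the tightened develop regexp now rejects signatures from any branch other than `develop`, which is the intent, but the unchanged release rows above it still use `refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$`, which would also reject a prerelease tag such as `v1.2.3-rc1` if the release workflow ever signs one; a sentence under the table saying both patterns are deliberately strict would save a verifier from loosening them.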
@@ -64,6 +64,8 @@ inclusion proof.
 Each image also has a SLSA v1 provenance attestation. Inspect it with:
 
 ```bash
+VERSION=1.115.0 # replace with the release you are verifying
+
 cosign verify-attestation \
   --type slsaprovenance1 \
   --certificate-identity-regexp "^https://github\.com/opencost/opencost/\.github/workflows/build-and-publish-release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$" \
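Review bot: the `VERSION` assignment makes the block self-contained, but the `--certificate-identity-regexp` on the following line is still the any-release pattern, so `VERSION` presumably only selects the image reference; for verifying one specific release it is stronger to use `--certificate-identity "https://github.com/opencost/opencost/.github/workflows/build-and-publish-release.yml@refs/tags/v${VERSION}"`, which binds the signing identity to the same tag the image reference names.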