From d6bcdffe97a9a0f0e4cf21fda9c4b19e004dac60 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 14:46:15 +0200
Subject: [PATCH 01/11] feat: add attestation to installer
---
 .github/workflows/pkg-installer.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index 5abe7152c9f9f..e517243016c59 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -19,6 +19,10 @@ jobs:
 build:
 if: github.repository_owner == 'Homebrew'
 runs-on: macos-latest
+ permissions:
+ contents: read # for code access
+ attestations: write # for actions/attest-build-provenance
+ id-token: write # for actions/attest-build-provenance
 outputs:
 installer_path: "Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg"
 env:
@@ -119,6 +123,11 @@ jobs:
 security delete-keychain "${RUNNER_TEMP}/${TEMPORARY_KEYCHAIN_FILE}"
 fi
+ - name: Generate build provenance
+ uses: actions/attest-build-provenance@v1.3.3
+ with:
+ subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
+
 - name: Upload installer to GitHub Actions
 uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
 with:
From cd7660814de23ec69de0c7e89a47ce68fed9b1ae Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 08:59:03 -0400
Subject: [PATCH 02/11] feat: add docker attestation
---
 .github/workflows/docker.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index fae55e6d5642c..3ea762dab9476 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
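Review bot: The new provenance step in the second hunk binds the attestation to the digest of `Homebrew-<version>.pkg` exactly as the file exists at that point in the job, so any later step that rewrites the package (re-signing, stapling a notarization ticket) would leave the published attestation unverifiable against the shipped file; the hunk shows only the keychain cleanup before it and the artifact upload after it, so confirm the .pkg is final here. A one-line comment above the step would make that ordering constraint explicit for the next editor: `# Must run once the .pkg is final: the attestation covers this exact file digest.` The step relies on the job-level `id-token: write` added in the first hunk, which is what lets the action obtain a short-lived signing identity, so the two hunks should be kept together if either is ever reverted. The enclosing `build` job continues outside both hunks.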
@@ -52,6 +52,18 @@ jobs:
 - name: Run brew test-bot --only-setup
 run: docker run --rm brew brew test-bot --only-setup
+ - name: Generate image digest
+ id: digest
+ run: echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' brew)" >> "$GITHUB_OUTPUT"
+
+ - name: Generate build provenance
+ uses: actions/attest-build-provenance@v1.3.3
+ id: attest
+ with:
+ subject-name: ghcr.io/homebrew/ubuntu${{matrix.version}}
+ subject-digest: ${{ steps.digest.outputs.digest }}
+ push-to-registry: ${{ startsWith(github.ref, 'refs/tags/') }}
+
 - name: Deploy the tagged Docker image to GitHub Packages
 if: startsWith(github.ref, 'refs/tags/')
 run: |
From 467645a51162fe26bcf0a1c61734c0848cc663ae Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 15:05:59 +0200
Subject: [PATCH 03/11] fix: add permissions for docker attestation
---
 .github/workflows/docker.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3ea762dab9476..8121c82a9aeff 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -23,6 +23,10 @@ jobs:
 fail-fast: false
 matrix:
 version: ["18.04", "20.04", "22.04", "24.04"]
+ permissions:
+ contents: read # for code access
+ attestations: write # for actions/attest-build-provenance
+ id-token: write # for actions/attest-build-provenance
 steps:
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
From 501dc787f00b247ee22054bdee0dc028f5951770 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 23 Jul 2024 10:55:56 -0400
Subject: [PATCH 04/11] Apply suggestions from code review
Co-authored-by: Patrick Linnane
---
 .github/workflows/docker.yml | 2 +-
 .github/workflows/pkg-installer.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 8121c82a9aeff..0e61e580f4a6e 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -61,7 +61,7 @@ jobs:
 run: echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' brew)" >> "$GITHUB_OUTPUT"
 - name: Generate build provenance
- uses: actions/attest-build-provenance@v1.3.3
+ uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
 id: attest
 with:
 subject-name: ghcr.io/homebrew/ubuntu${{matrix.version}}
diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index e517243016c59..5261c8f484d37 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -124,7 +124,7 @@ jobs:
 fi
 - name: Generate build provenance
- uses: actions/attest-build-provenance@v1.3.3
+ uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
 with:
 subject-path: Homebrew-${{ steps.homebrew-version.outputs.version }}.pkg
From 53fd88966e74ee6298784694fde0aa6cfada8554 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 17:59:52 +0200
Subject: [PATCH 05/11] Update .github/workflows/docker.yml
---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 0e61e580f4a6e..db50daf680d80 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -58,7 +58,7 @@ jobs:
 - name: Generate image digest
 id: digest
- run: echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' brew)" >> "$GITHUB_OUTPUT"
+ run: echo "digest=$(docker image inspect --format='{{.Digest}}' brew)" >> "$GITHUB_OUTPUT"
 - name: Generate build provenance
 uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
From a7cd22746933332b91e22a4090777ef521cb3dc3 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 18:06:03 +0200
Subject: [PATCH 06/11] fix: add debug info
---
 .github/workflows/docker.yml | 2 ++
 1 file changed, 2 insertions(+)
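Review bot: `{{.Digest}}` on the replaced `run:` line of the third hunk does not appear to be a field of `docker image inspect` output — inspect exposes `Id` and `RepoDigests`, while `Digest` is a column of `docker images` — so the template is likely to error or print nothing, leaving the `digest` output empty or aborting the step under the default `bash -e` shell. If the intent is the registry manifest digest that `subject-digest` expects (`sha256:…`), the previous `index .RepoDigests 0` form was closer and only needs the `repo@` prefix stripped, e.g. `docker image inspect --format='{{index .RepoDigests 0}}' brew | cut -d@ -f2`; `RepoDigests` is populated only after the image has been pushed or pulled, so the step must follow the push. The same `{{.Digest}}` template is carried into tests.yml by patches 10 and 11, so any correction applies there as well.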
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index db50daf680d80..13b47ab602ad3 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -56,6 +56,8 @@ jobs:
 - name: Run brew test-bot --only-setup
 run: docker run --rm brew brew test-bot --only-setup
+ - run: docker image inspect --format='{{json}}' brew
+
 - name: Generate image digest
 id: digest
 run: echo "digest=$(docker image inspect --format='{{.Digest}}' brew)" >> "$GITHUB_OUTPUT"
From a9ca20dff5860c6c4513e76d4c19875375d9bb47 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 18:12:49 +0200
Subject: [PATCH 07/11] Update docker.yml
---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 13b47ab602ad3..9e062b4b1f39e 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -56,7 +56,7 @@ jobs:
 - name: Run brew test-bot --only-setup
 run: docker run --rm brew brew test-bot --only-setup
- - run: docker image inspect --format='{{json}}' brew
+ - run: docker image inspect --format=json brew
 - name: Generate image digest
 id: digest
From 37df6fb424321458165cf7ad0ce018c21f2e9a6d Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Tue, 23 Jul 2024 18:30:39 +0200
Subject: [PATCH 08/11] Update docker.yml
---
 .github/workflows/docker.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 9e062b4b1f39e..73cdef967f737 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -57,6 +57,10 @@ jobs:
 run: docker run --rm brew brew test-bot --only-setup
 - run: docker image inspect --format=json brew
+ - run: docker image inspect --format='{{.Id}}' brew
+
+ - run: docker images --digests brew
+ - run: docker images --digests brew --format='{{.Digest}}'
 - name: Generate image digest
 id: digest
From 266a1bc953238ef9566e45d4dba1cfd0edcdea95 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Wed, 14 Aug 2024 09:46:55 +0200
Subject: [PATCH 09/11] fix: only do Docker attestation on tags
---
 .github/workflows/docker.yml | 30 +++++++++++++----------------
 1 file changed, 13 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 73cdef967f737..03beac43b0f20 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -56,35 +56,31 @@ jobs:
 - name: Run brew test-bot --only-setup
 run: docker run --rm brew brew test-bot --only-setup
- - run: docker image inspect --format=json brew
- - run: docker image inspect --format='{{.Id}}' brew
-
- - run: docker images --digests brew
- - run: docker images --digests brew --format='{{.Digest}}'
+ - name: Deploy the tagged Docker image to GitHub Packages
+ if: startsWith(github.ref, 'refs/tags/')
+ run: |
+ brew_version="${GITHUB_REF:10}"
+ echo "brew_version=${brew_version}" >> "${GITHUB_ENV}"
+ echo ${{secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN}} | docker login ghcr.io -u BrewTestBot --password-stdin
+ docker tag brew "ghcr.io/homebrew/ubuntu${{matrix.version}}:${brew_version}"
+ docker push "ghcr.io/homebrew/ubuntu${{matrix.version}}:${brew_version}"
+ docker tag brew "ghcr.io/homebrew/ubuntu${{matrix.version}}:latest"
+ docker push "ghcr.io/homebrew/ubuntu${{matrix.version}}:latest"
 - name: Generate image digest
+ if: startsWith(github.ref, 'refs/tags/')
 id: digest
- run: echo "digest=$(docker image inspect --format='{{.Digest}}' brew)" >> "$GITHUB_OUTPUT"
+ run: echo "digest=$(docker image inspect --format='{{.Digest}}' brew:${brew_version})" >> "$GITHUB_OUTPUT"
 - name: Generate build provenance
 uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+ if: startsWith(github.ref, 'refs/tags/')
 id: attest
 with:
 subject-name: ghcr.io/homebrew/ubuntu${{matrix.version}}
 subject-digest: ${{ steps.digest.outputs.digest }}
 push-to-registry: ${{ startsWith(github.ref, 'refs/tags/') }}
- - name: Deploy the tagged Docker image to GitHub Packages
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- brew_version="${GITHUB_REF:10}"
- echo "brew_version=${brew_version}" >> "${GITHUB_ENV}"
- echo ${{secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN}} | docker login ghcr.io -u BrewTestBot --password-stdin
- docker tag brew "ghcr.io/homebrew/ubuntu${{matrix.version}}:${brew_version}"
- docker push
"ghcr.io/homebrew/ubuntu${{matrix.version}}:${brew_version}"
- docker tag brew "ghcr.io/homebrew/ubuntu${{matrix.version}}:latest"
- docker push "ghcr.io/homebrew/ubuntu${{matrix.version}}:latest"
-
 - name: Deploy the tagged Docker image to Docker Hub
 if: startsWith(github.ref, 'refs/tags/')
 run: |
From 96afc21057d5a05d98871e2f7ffc67f9170e4dbf Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Fri, 16 Aug 2024 08:19:52 -0400
Subject: [PATCH 10/11] fix: only add attestation to nightly docker
---
 .github/workflows/docker.yml | 14 --------------
 .github/workflows/tests.yml | 28 ++++++++++++++++++++++------
 2 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 03beac43b0f20..e49cea599d124 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -67,20 +67,6 @@ jobs:
 docker tag brew "ghcr.io/homebrew/ubuntu${{matrix.version}}:latest"
 docker push "ghcr.io/homebrew/ubuntu${{matrix.version}}:latest"
- - name: Generate image digest
- if: startsWith(github.ref, 'refs/tags/')
- id: digest
- run: echo "digest=$(docker image inspect --format='{{.Digest}}' brew:${brew_version})" >> "$GITHUB_OUTPUT"
-
- - name: Generate build provenance
- uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
- if: startsWith(github.ref, 'refs/tags/')
- id: attest
- with:
- subject-name: ghcr.io/homebrew/ubuntu${{matrix.version}}
- subject-digest: ${{ steps.digest.outputs.digest }}
- push-to-registry: ${{ startsWith(github.ref, 'refs/tags/') }}
-
 - name: Deploy the tagged Docker image to Docker Hub
 if: startsWith(github.ref, 'refs/tags/')
 run: |
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 79d48a7700b8b..d44f64ce0902d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
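Review bot: The docker.yml hunk of patch 10 removes the digest and attestation steps, but the job-level `attestations: write` and `id-token: write` that patch 03 added to this file are left in place, and the diffstat (`14 --------------`) confirms nothing else in docker.yml changes. With no step left that needs them, the job now carries an OIDC-minting permission it does not use; dropping those two lines while keeping `contents: read` returns the job to least privilege. The enclosing job starts before this hunk.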
@@ -239,14 +239,30 @@ jobs:
 - name: Deploy the Docker image to GitHub Packages and Docker Hub
 if: github.ref == 'refs/heads/master'
 run: |
- echo ${{secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN}} |
+ echo ${{ secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN }} |
 docker login ghcr.io -u BrewTestBot --password-stdin
- docker tag brew "ghcr.io/homebrew/ubuntu22.04:master"
- docker push "ghcr.io/homebrew/ubuntu22.04:master"
- echo ${{secrets.HOMEBREW_BREW_DOCKER_TOKEN}} |
+ docker tag brew "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
+ docker push "ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}"
+ echo ${{ secrets.HOMEBREW_BREW_DOCKER_TOKEN }} |
 docker login -u brewtestbot --password-stdin
- docker tag brew "homebrew/ubuntu22.04:master"
- docker push "homebrew/ubuntu22.04:master"
+ docker tag brew "homebrew/ubuntu22.04:${{ github.ref_name }}"
+ docker push "homebrew/ubuntu22.04:${{ github.ref_name }}"
+
+ - name: Generate image digest
+ if: github.ref == 'refs/heads/master'
+ id: digest
+ run: |
+ digest="$(docker image inspect --format='{{.Digest}}' brew)"
+ echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
+ - name: Generate build provenance
+ uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+ if: github.ref == 'refs/heads/master'
+ id: attest
+ with:
+ push-to-registry: true
+ subject-digest: ${{ steps.digest.outputs.digest }}
+ subject-name: ghcr.io/homebrew/ubuntu22.04:${{ github.ref_name }}
 update-test:
 name: ${{ matrix.name }}
From 2e990ce35ccd0d8e887390d690f0fb7cdec22c49 Mon Sep 17 00:00:00 2001
From: Sean Molenaar
Date: Mon, 19 Aug 2024 17:13:33 +0200
Subject: [PATCH 11/11] fix: naming tweaks
Co-authored-by: Mike McQuaid
---
 .github/workflows/tests.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index d44f64ce0902d..93c873c70960f 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
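Review bot: `subject-name` on the last added line includes the `:${{ github.ref_name }}` tag, whereas the attest action documents the name for `push-to-registry` as the fully-qualified image name without a tag, since `subject-digest` already pins the exact image; the docker.yml variant of this step used the untagged `ghcr.io/homebrew/ubuntu${{matrix.version}}`, so `subject-name: ghcr.io/homebrew/ubuntu22.04` would match it. The two new steps also require `id-token: write` and `attestations: write` on this job, and this patch adds no `permissions` change to tests.yml (its whole 28-line diffstat is this hunk), so verify the job already grants them or the attest step will fail at runtime. Only the ghcr.io image receives a pushed attestation; the `homebrew/ubuntu22.04` copy pushed to Docker Hub in the same step has none, which is worth a comment if that is intentional. The enclosing job starts before this hunk.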
@@ -248,14 +248,14 @@ jobs:
 docker tag brew "homebrew/ubuntu22.04:${{ github.ref_name }}"
 docker push "homebrew/ubuntu22.04:${{ github.ref_name }}"
- - name: Generate image digest
+ - name: Generate Docker image digest
 if: github.ref == 'refs/heads/master'
 id: digest
 run: |
 digest="$(docker image inspect --format='{{.Digest}}' brew)"
 echo "digest=$digest" >> "$GITHUB_OUTPUT"
- - name: Generate build provenance
+ - name: Generate Docker image build provenance
 uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
 if: github.ref == 'refs/heads/master'
 id: attest