From 4fa7940f9ac4fd9996dce3802f3dc72cc4f7b160 Mon Sep 17 00:00:00 2001
From: Ivan
Date: Tue, 31 Mar 2026 00:32:35 +0300
Subject: [PATCH] feat(ci): update build and scan workflows with cosign integration and frontend dependency management
---
 .gitea/workflows/build.yml | 38 +++++++++++++++++++++++++++++---------
 .gitea/workflows/scan.yml | 19 +++++++++++++++++++
 2 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index b4aac5d..6370102 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -21,6 +21,9 @@ permissions:
 contents: write
 packages: write
 
+env:
+ COSIGN_VERSION: "3.0.5"
+
 jobs:
 build:
 name: Build and Release
@@ -146,7 +149,7 @@ jobs:
 echo "## SHA256 Checksums" > release-body.md
 echo "" >> release-body.md
 for file in release-assets/*; do
- if [ -f "$file" ] && [[ "$file" != *.sha256 ]] && [[ "$file" != *release-body.md* ]]; then
+ if [ -f "$file" ] && [[ "$file" != *.sha256 ]] && [[ "$file" != *.cosign.bundle ]] && [[ "$file" != *release-body.md* ]]; then
 filename=$(basename "$file")
 if [ -f "release-assets/$(unknown).sha256" ]; then
 # Extract just the filename and its sha256 (format: )
@@ -155,6 +158,30 @@ jobs:
 fi
 done
 
+ - name: SLSA attestations (cosign)
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ GITHUB_SERVER_URL: ${{ github.server_url }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
+ GITHUB_SHA: ${{ github.sha }}
+ GITHUB_REF: ${{ github.ref }}
+ GITHUB_RUN_ID: ${{ github.run_id }}
+ GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
+ GITHUB_WORKFLOW: ${{ github.workflow }}
+ run: |
+ set -eu
+ if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then
+ echo "Skipping SLSA attestations: add repository secret COSIGN_PRIVATE_KEY (PEM) to sign releases."
+ exit 0
+ fi
+ sh scripts/ci/setup-cosign.sh "${COSIGN_VERSION}"
+ printf '%s\n' "$COSIGN_PRIVATE_KEY" > /tmp/cosign.key
+ chmod 600 /tmp/cosign.key
+ export COSIGN_KEY_PATH=/tmp/cosign.key
+ sh scripts/ci/attest-release-assets.sh ./release-assets
+ rm -f /tmp/cosign.key
+
 - name: Validate version
 run: |
 VERSION="${{ steps.version.outputs.version }}"
@@ -176,14 +203,7 @@ jobs:
 gitea_token: ${{ secrets.GITEA_TOKEN }}
 title: ${{ steps.version.outputs.version }}
 tag: ${{ steps.version.outputs.version }}
- files: |
- release-assets/*.AppImage
- release-assets/*.deb
- release-assets/*.rpm
- release-assets/*.whl
- release-assets/*.zip
- release-assets/*.sha256
- release-assets/sbom.cyclonedx.json
+ files: release-assets/*
 body_path: "release-body.md"
 draft: true
 prerelease: false
diff --git a/.gitea/workflows/scan.yml b/.gitea/workflows/scan.yml
index aee50af..b4545f3 100644
--- a/.gitea/workflows/scan.yml
+++ b/.gitea/workflows/scan.yml
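Review bot: The signing key written by `printf '%s\n' "$COSIGN_PRIVATE_KEY" > /tmp/cosign.key` is only deleted on the success path; under `set -eu` a failure in `attest-release-assets.sh` exits the step before `rm -f /tmp/cosign.key`, leaving the PEM on disk for later steps or for the next job on a reused runner. The file is also created under the default umask before the `chmod 600`, and `/tmp/cosign.key` is a fixed, guessable path on a runner that may be shared. Create it with `mktemp` under `umask 077` and remove it from an EXIT trap, as below. Separately, the `exit 0` skip branch lets an unsigned release go through with only an echo in the log; consider making that line `echo "::warning::Skipping SLSA attestations: COSIGN_PRIVATE_KEY secret not set"` so the missing signature is visible as a run annotation. `scripts/ci/setup-cosign.sh` and `attest-release-assets.sh` are not part of this diff, so whether the cosign binary download is checksum-verified cannot be confirmed here.
```yaml
        run: |
          set -eu
          # … unchanged: skip when COSIGN_PRIVATE_KEY is absent, setup-cosign.sh …
          umask 077
          COSIGN_KEY_PATH="$(mktemp)"
          trap 'rm -f "$COSIGN_KEY_PATH"' EXIT
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > "$COSIGN_KEY_PATH"
          export COSIGN_KEY_PATH
          sh scripts/ci/attest-release-assets.sh ./release-assets
```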
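Review bot: `files: release-assets/*` replaces an explicit allowlist with a wildcard, so every file present in release-assets/ at upload time becomes a published release asset, including any intermediate file a build or attestation script leaves behind; the checksum step earlier in this workflow already has to special-case `release-body.md` inside that directory, which suggests non-asset files do land there. Keep the `files: |` list and add the new artifact pattern explicitly, e.g. one more line `release-assets/*.cosign.bundle`, so an unexpected file is left out rather than shipped. The bundle file name is inferred from the `*.cosign.bundle` exclusion added to the checksum loop in this same commit, as the attestation script itself is outside the diff.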
@@ -30,6 +30,25 @@ jobs:
 git init -q && git remote add origin "${SERVER}/${REPO}.git"
 git fetch -q --depth=1 origin "${GITHUB_SHA}" && git checkout -q FETCH_HEAD
 
+ - name: Setup Node.js
+ run: sh scripts/ci/setup-node.sh 24
+
+ - name: Setup pnpm
+ run: sh scripts/ci/setup-pnpm.sh
+
+ - name: Setup Task
+ run: sh scripts/ci/setup-task.sh
+
+ - name: Install frontend dependencies
+ run: |
+ . scripts/ci/ci-node-path.sh
+ task deps:fe
+
+ - name: pnpm audit
+ run: |
+ . scripts/ci/ci-node-path.sh
+ pnpm audit --audit-level=high
+
 - name: Download Trivy
 run: |
 curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
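Review bot: `pnpm audit --audit-level=high` runs only after `task deps:fe` has already installed the dependency tree, so any package the audit would reject has already been fetched and, unless that task passes `--ignore-scripts`, has had its lifecycle scripts executed on the scan runner. pnpm audit works from the lockfile and does not need node_modules, so move the `pnpm audit` step ahead of `Install frontend dependencies`; only `setup-pnpm.sh` and the sourced `ci-node-path.sh` need to precede it. The `deps:fe` task definition is not in the diff, so whether it installs with `--frozen-lockfile` and `--ignore-scripts` cannot be confirmed here and is worth checking together with this ordering.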