Initialize repository

Author: migmartri

.gitattributes

@@ -0,0 +1,3 @@
+app/controlplane/api/gen/frontend/** linguist-generated=true
+app/controlplane/internal/data/ent/** linguist-generated=true
+app/controlplane/internal/data/ent/schema/* linguist-detectable=true

.github/workflows/contracts/build-and-test.cue

@@ -0,0 +1,2 @@
+schemaVersion: "v1"
+runner: type: "GITHUB_ACTION"

.github/workflows/contracts/releases.cue

@@ -0,0 +1,14 @@
+schemaVersion: "v1"
+materials: [
+	// Binaries
+	{type: "ARTIFACT", name: "cli-linux-amd64", output:           true},
+	{type: "ARTIFACT", name: "control-plane-linux-amd64", output: true},
+	{type: "ARTIFACT", name: "artifact-cas-linux-amd64", output:  true},
+	// Container images
+	{type: "CONTAINER_IMAGE", name: "control-plane-image", output: true},
+	{type: "CONTAINER_IMAGE", name: "artifact-cas-image", output:  true},
+	// SBOMS for those container images
+	{type: "SBOM_CYCLONEDX_JSON", name: "sbom-control-plane"},
+	{type: "SBOM_CYCLONEDX_JSON", name: "sbom-artifact-cas"},
+]
+runner: type: "GITHUB_ACTION"

.github/workflows/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMBSJAtPWo4hhThSBJXF9pfheP1x7
+JQRD2meyc92McFO96WlRB1yW11kC24gVdxOyZvOz+qk8CR+/2GuQYleKsQ==
+-----END PUBLIC KEY-----

.github/workflows/lint.yml

@@ -0,0 +1,49 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+permissions:
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+jobs:
+  golangci:
+    name: lint
+    strategy:
+      fail-fast: false
+      matrix:
+        app:
+          - main-module
+          - cli
+          - controlplane
+          - artifact-cas
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.20"
+
+      - uses: actions/checkout@v3
+
+      - name: Lint main module
+        uses: golangci/golangci-lint-action@v3
+        if: ${{ matrix.app == 'main-module' }}
+
+      - name: Lint ${{ matrix.app }}
+        uses: golangci/golangci-lint-action@v3
+        if: ${{ matrix.app != 'main-module' }}
+        with:
+          working-directory: app/${{ matrix.app }}
+
+  lint-protos:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: bufbuild/buf-setup-action@v1
+        with:
+          buf_user: ${{ secrets.buf_user }}
+          buf_api_token: ${{ secrets.buf_api_token }}
+      - uses: bufbuild/buf-lint-action@v1

.github/workflows/release.yaml

@@ -0,0 +1,133 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+jobs:
+  test:
+    uses: chainloop-dev/chainloop/.github/workflows/test.yml@main
+
+  release:
+    name: Release CLI and control-plane/artifact-cas container images
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.ref_type == 'tag' # Guard to make sure we are releasing once
+    permissions:
+      id-token: write # required to use OIDC and retrieve Google Cloud Credentials
+      contents: write # required for goreleaser
+      packages: write # to push container images
+    env:
+      CHAINLOOP_VERSION: 0.8.89
+      CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }}
+      CONTAINER_IMAGE_CP: ghcr.io/chainloop-dev/chainloop/control-plane:${{ github.ref_name }}
+      CONTAINER_IMAGE_CAS: ghcr.io/chainloop-dev/chainloop/artifact-cas:${{ github.ref_name }}
+    steps:
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://chainloop.dev/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
+
+      - name: Download jq
+        run: |
+          sudo wget -q https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O /usr/local/bin/jq
+          sudo chmod u+x /usr/local/bin/jq
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Initialize Attestation
+        run: |
+          chainloop attestation init
+
+      # TODO: remove once we move the releases and the installation script to Github
+      - name: "Configure Google Cloud credentials"
+        id: "auth-google"
+        uses: "google-github-actions/auth@v0"
+        with:
+          token_format: "access_token"
+          workload_identity_provider: projects/1044976554810/locations/global/workloadIdentityPools/chainloop-github-pool/providers/github-provider
+          service_account: [email protected]
+
+      - name: Docker login to Github Packages
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.20"
+
+      - name: Run GoReleaser
+        id: release
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.CONTAINER_IMAGE_CP }}
+          format: cyclonedx-json
+          artifact-name: controlplane.cyclonedx.json
+          output-file: /tmp/sbom.cp.cyclonedx.json
+
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.CONTAINER_IMAGE_CAS }}
+          format: cyclonedx-json
+          artifact-name: cas.cyclonedx.json
+          output-file: /tmp/sbom.cas.cyclonedx.json
+
+      - name: Add Attestation Artifacts (SBOM)
+        run: |
+          chainloop attestation add --name sbom-control-plane --value /tmp/sbom.cp.cyclonedx.json
+          chainloop attestation add --name sbom-artifact-cas --value /tmp/sbom.cas.cyclonedx.json
+
+      - name: Add Attestation Artifacts (container images)
+        run: |
+          # Control plane image
+          chainloop attestation add --name control-plane-image --value ${{ env.CONTAINER_IMAGE_CP }}
+          # CAS image
+          chainloop attestation add --name artifact-cas-image --value ${{ env.CONTAINER_IMAGE_CAS }}
+
+      - name: Add Attestation Artifacts (binaries)
+        run: |
+          # Binaries x86_64
+          # TODO: add the rest of binaries
+          echo -n '${{ steps.release.outputs.artifacts }}' | jq -r '.[] | select(.type=="Binary" and .goos=="linux" and .goarch=="amd64") | { "name": "\(.extra.ID)-\(.goos)-\(.goarch)", "path":"\(.path)"} | @base64' | while read i; do
+              BINARY_NAME=$(echo "${i}" | base64 --decode | jq -r ${1} .name)
+              BINARY_PATH=$(echo "${i}" | base64 --decode | jq -r ${1} .path)
+              chainloop attestation add --name ${BINARY_NAME} --value ${BINARY_PATH} 
+            done
+
+      - name: Finish and Record Attestation
+        if: ${{ success() }}
+        run: |
+          chainloop attestation status --full
+          chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
+        env:
+          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}
+
+      - name: Mark attestation as failed
+        if: ${{ failure() }}
+        run: |
+          chainloop attestation reset
+      - name: Mark attestation as cancelled
+        if: ${{ cancelled() }}
+        run: |
+          chainloop attestation reset --trigger cancellation

.github/workflows/test.yml

@@ -0,0 +1,53 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  # We want to call this workflow during release too
+  workflow_call:
+
+jobs:
+  build_and_test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        app:
+          - main-module
+          - cli
+          - controlplane
+          - artifact-cas
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        if: ${{ matrix.app != 'main-module' }}
+        with:
+          go-version-file: app/${{ matrix.app }}/go.mod
+          cache: true
+          cache-dependency-path: app/${{ matrix.app }}/go.sum
+
+      - uses: actions/setup-go@v3
+        if: ${{ matrix.app == 'main-module' }}
+        with:
+          go-version-file: go.mod
+          cache: true
+          cache-dependency-path: go.sum
+
+      # Check that the generated ent code is up to date
+      # see https://entgo.io/docs/ci/
+      - uses: ent/contrib/ci@master
+        name: "Check all generated code is checked in"
+        if: ${{ matrix.app != 'main-module' }}
+        with:
+          working-directory: app/${{ matrix.app }}
+
+      - name: Test
+        if: ${{ matrix.app != 'main-module' }}
+        run: make -C app/${{ matrix.app }} test
+
+      - name: Test top level modules
+        if: ${{ matrix.app == 'main-module' }}
+        run: make test

.gitignore

@@ -0,0 +1,47 @@
+# Reference https://github.com/github/gitignore/blob/master/Go.gitignore
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+vendor/
+
+# Go workspace file
+# go.work
+
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# OS General
+Thumbs.db
+.DS_Store
+
+# project
+*.cert
+*.key
+*.log
+bin/
+
+# Develop tools
+.vscode/
+.idea/
+*.swp
+
+# Go releaser
+dist/
+
+# Dev configuration associated with authentication
+*/*/*/secret.yaml
+
+gha-creds-*.json

.golangci.yml

@@ -0,0 +1,60 @@
+run:
+  timeout: 10m
+
+linters:
+  # Note that there are some linters enabled by default, see golang-ci linters
+  enable:
+    - goheader
+    - dupl
+    - gofmt
+    - goimports
+    - misspell
+    - nakedret
+    - revive
+    - gosec
+    - depguard
+    - asciicheck
+    - whitespace
+    - errorlint
+    - forbidigo
+    - gocritic
+    - importas
+    - prealloc
+    - stylecheck
+    - unconvert
+    - dogsled
+    - goconst
+    - exportloopref
+    - gocyclo
+    - goprintffuncname
+    # Can't enable it for now, it crashes https://github.com/ent/ent/pull/3315
+    # - unparam
+
+linters-settings:
+  gofmt:
+    simplify: true
+  dupl:
+    threshold: 400
+  goheader:
+    template: |-
+      Copyright {{copyright-year}} The Chainloop Authors.
+
+      Licensed under the Apache License, Version 2.0 (the "License");
+      you may not use this file except in compliance with the License.
+      You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+      See the License for the specific language governing permissions and
+      limitations under the License.
+    values:
+      regexp:
+        copyright-year: 202[3]
+  forbidigo:
+    forbid:
+      - ^print.*$
+      - '^t\.Error.*$(# forbid t.Error in favor of using testify\.)?'
+      - '^t\.Fatal.*$(# forbid t.Fatal in favor of using testify\.)?'