.gitlab-ci.yml

# SPDX-License-Identifier: Apache-2.0
#
# Copyright (c) 2022 Patrick Dung

---

.default_rules:
  rules:
    - if: $CI_COMMIT_BRANCH != "main" &&  ($CI_PIPELINE_SOURCE == 'push' || $CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_PIPELINE_SOURCE == 'web') && $CI_COMMIT_BRANCH

# Use Fedora image for buildah/podman
image: registry.fedoraproject.org/fedora:39
stages:
  - build-and-push
  - sign-containers
  - scan-containers-and-gen-sbom
  - attest-sbom
  - release

# rules:
#  allow_failure: true
# when: 'manual'
#  - if: $CI_COMMIT_REF_SLUG == "main"
#    when: never

variables:
  # if use Docker
  # https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-the-overlayfs-driver
  DOCKER_DRIVER: overlay2
  # Buildah needs to update in order to use 'overlay' driver when running inside Docker
  # https://github.com/ansible/awx/issues/10099
  # STORAGE_DRIVER: 'vfs'
  STORAGE_DRIVER: 'overlay'
  BUILDAH_FORMAT: 'docker'
  BUILDAH_ISOLATION: 'chroot'
  # For Dockerfile that it is going to build, not the base image for the building CI
  #BASE_IMAGE: 'quay.io/almalinuxorg/9-minimal:9.2'
  BASE_IMAGE: 'quay.io/rockylinux/rockylinux:9.3-minimal'
  # ## tag: "${CI_COMMIT_REF_SLUG}"
  tag: "${CI_COMMIT_BRANCH}"

before_script:
  - >
    dnf install -y --nodocs --setopt=install_weak_deps=False
    buildah podman skopeo runc qemu-user-binfmt jq curl fuse-overlayfs
  # - sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
  # Not sure why it won't take options from /etc/containers/containers.conf
  - |
    cat >> /etc/containers/libpod.conf << EOF
    cgroup_manager = "cgroupfs"
    events_logger = "file"
    EOF
  #- |
    ##cat >> /etc/containers/storage.conf << EOF
    ##[storage.options.overlay]
    ##mount_program = "/usr/bin/fuse-overlayfs"
    ##EOF
    #sed -i -E -e 's|#mount_program = "/usr/bin/fuse-overlayfs"|mount_program = "/usr/bin/fuse-overlayfs"|' /etc/containers/storage.conf

  - podman run --rm --privileged docker.io/multiarch/qemu-user-static --reset -p yes
  - buildah login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
  # Cosign currently relies on Docker to operate
  - |
    mkdir ~/.docker
    chmod 700 ~/.docker
    #cat ${XDG_RUNTIME_DIR}/containers/auth.json > ~/.docker/config.json
    # root / normal users seems to have different location
    #cat /run/user/1000/podman/containers/auth.json > ~/.docker/config.json
    cat /run/containers/0/auth.json > ~/.docker/config.json

build-and-push:
  stage: build-and-push
  rules:
    - !reference [.default_rules, rules]
  script:
    # Fetch the latest version of amicontained
    - |
      curl -sL https://api.github.com/repos/patrickdung/amicontained-build/releases | jq -r ".[].tag_name" | grep -v rc | sort -r -V | head -n 1 | sed -E 's|^v||' > /tmp/amicontained-latest-branch-name
      export AMICONTAINED_VERSION=$(cat /tmp/amicontained-latest-branch-name)
      export AMICONTAINED_BASE_URL=https://github.com/patrickdung/amicontained-build/releases/download/v${AMICONTAINED_VERSION}

    # - buildah login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
    # Newer versions of podman/buildah configured overlayfs mount options when
    # using the vfs driver, and this causes errors.
    - |
      # if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
      #  tag=""
      #  echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
      #else
      #  tag=":$CI_COMMIT_REF_SLUG"
      #  echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      #fi
      #tag="${CI_COMMIT_REF_SLUG}"
      echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"

    # Build containers
    - >
      buildah build-using-dockerfile --override-arch arm64
      --build-arg BASE_IMAGE="${BASE_IMAGE}"
      --build-arg AMICONTAINED_VERSION="${AMICONTAINED_VERSION}"
      --build-arg AMICONTAINED_BASE_URL="${AMICONTAINED_BASE_URL}"
      -t ${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}-arm64
    - >
      buildah build-using-dockerfile --override-arch amd64
      --build-arg BASE_IMAGE="${BASE_IMAGE}"
      --build-arg AMICONTAINED_VERSION="${AMICONTAINED_VERSION}"
      --build-arg AMICONTAINED_BASE_URL="${AMICONTAINED_BASE_URL}"
      -t ${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}-amd64

    - buildah manifest create ${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}
    - >
      buildah manifest add ${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}
      localhost/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}-arm64
    - >
      buildah manifest add ${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}
      localhost/${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}-amd64
    - >
      buildah manifest push --all --format v2s2
      ${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}:${tag}
      docker://${CI_REGISTRY_IMAGE}:${tag}

    # - buildah inspect ${CI_REGISTRY_IMAGE}:${tag}
    - skopeo inspect --raw docker://${CI_REGISTRY_IMAGE}:${tag} | jq
    - skopeo inspect --raw docker://${CI_REGISTRY_IMAGE}:${tag} | jq -r '.manifests[] | select(.platform .architecture=="arm64" and .platform .os=="linux") | .digest' > ./container-digest-arm64
    - skopeo inspect --raw docker://${CI_REGISTRY_IMAGE}:${tag} | jq -r '.manifests[] | select(.platform .architecture=="amd64" and .platform .os=="linux") | .digest' > ./container-digest-amd64

    - ls -la
    - export container_digest_arm64=$(cat ./container-digest-arm64)
    - export container_digest_amd64=$(cat ./container-digest-amd64)
    - echo ${container_digest_arm64}
    - echo ${container_digest_amd64}

  artifacts:
    # expire_in: 1 hour
    paths:
      - ./container-digest-arm64
      - ./container-digest-amd64

#  rules:
#    - when: 'manual'
#      allow_failure: true
#      exists:
#        - Dockerfile

sign-containers:
  stage: sign-containers
  rules:
    - !reference [.default_rules, rules]
  dependencies: ["build-and-push"]
  script:

    - export container_digest_arm64=$(cat ./container-digest-arm64)
    - export container_digest_amd64=$(cat ./container-digest-amd64)

    # Fetch the latest version of the applications
    - |
      # Fixed cosign version as 1.13.1
      #curl -sL https://api.github.com/repos/sigstore/cosign/releases | jq -r ".[].tag_name" | grep -v rc | sort -r -V | head -n 1 | sed -E 's|^v||' > /tmp/cosign-latest-branch-name
      #export COSIGN_VERSION=$(cat /tmp/cosign-latest-branch-name)
      export COSIGN_VERSION=1.13.1

    # Install Cosign
    - |
      curl -L -O -v https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64
      curl -L -O -v https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign_checksums.txt
      sha256sum -c cosign_checksums.txt --ignore-missing
      chmod 755 ./cosign-linux-amd64

    # Sign container images recursively by Cosign
    - echo -n "${COSIGN_PRIVATE_KEY_PASSWORD}" | ./cosign-linux-amd64 sign --recursive --key <(echo -n "${COSIGN_PRIVATE_KEY}") ${CI_REGISTRY_IMAGE}:${tag}

scan-containers-and-gen-sbom:
  stage: scan-containers-and-gen-sbom
  rules:
    - !reference [.default_rules, rules]
  dependencies: ["build-and-push"]
  script:

    - export container_digest_arm64=$(cat ./container-digest-arm64)
    - export container_digest_amd64=$(cat ./container-digest-amd64)

    # The digest contains 'sha256:' in the beginning
    # Cannot run grype container in GL CI (already DinD?)
    # - >
    #  podman run -it docker.io/anchore/grype:latest
    #  ${CI_REGISTRY_IMAGE}@${container_digest_arm64}
    #  > ./arm64-container-vulnerabilities-report-grype.txt

    # Fetch the latest version of the applications
    - |
      curl -sL https://api.github.com/repos/anchore/grype/releases | jq -r ".[].tag_name" | grep -v rc | sort -r -V | head -n 1 | sed -E 's|^v||' > /tmp/grype-latest-branch-name
      export GRYPE_VERSION=$(cat /tmp/grype-latest-branch-name)
    - |
      curl -sL https://api.github.com/repos/anchore/syft/releases | jq -r ".[].tag_name" | grep -v rc | sort -r -V | head -n 1 | sed -E 's|^v||' > /tmp/syft-latest-branch-name
      export SYFT_VERSION=$(cat /tmp/syft-latest-branch-name)

    # Install Grype
    - |
      curl -L -O -v https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.rpm
      curl -L -O -v https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt
      sha256sum -c grype_${GRYPE_VERSION}_checksums.txt --ignore-missing
      sudo rpm -ivh grype_${GRYPE_VERSION}_linux_amd64.rpm

    # Install Syft
    - |
      curl -L -O -v https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.rpm
      curl -L -O -v https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_checksums.txt
      sha256sum -c syft_${SYFT_VERSION}_checksums.txt --ignore-missing
      sudo rpm -ivh syft_${SYFT_VERSION}_linux_amd64.rpm

    # Scan by Grype
    - grype -o table registry:${CI_REGISTRY_IMAGE}@${container_digest_arm64} > ./arm64-container-vulnerabilities-report-grype-table.txt
    - grype -o table registry:${CI_REGISTRY_IMAGE}@${container_digest_amd64} > ./amd64-container-vulnerabilities-report-grype-table.txt

    # Generate SBOM by Syft
    - syft -v registry:${CI_REGISTRY_IMAGE}@${container_digest_arm64} -o json > ./arm64-container-sbom.json
    - syft -v registry:${CI_REGISTRY_IMAGE}@${container_digest_amd64} -o json > ./amd64-container-sbom.json

    # Upload artifiacts
    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ./arm64-container-vulnerabilities-report-grype-table.txt "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/reports/${tag}/arm64-container-vulnerabilities-report-grype-table.txt"'
    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ./arm64-container-vulnerabilities-report-grype-table.txt "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/reports/${tag}/arm64-container-vulnerabilities-report-grype-table.txt"'
    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ./amd64-container-sbom.json "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/reports/${tag}/amd64-container-sbom.json"'
    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ./arm64-container-sbom.json "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/reports/${tag}/arm64-container-sbom.json"'

  artifacts:
    expose_as: 'Grype scanning reports and SBOM'
    # Then can't use * when expose_as is used
    paths:
      - ./arm64-container-vulnerabilities-report-grype-table.txt
      - ./amd64-container-vulnerabilities-report-grype-table.txt
      - ./arm64-container-sbom.json
      - ./amd64-container-sbom.json

attest-sbom:
  stage: attest-sbom
  rules:
    - !reference [.default_rules, rules]
  dependencies: ["build-and-push", "sign-containers", "scan-containers-and-gen-sbom"]
  script:

    - export container_digest_arm64=$(cat ./container-digest-arm64)
    - export container_digest_amd64=$(cat ./container-digest-amd64)

    # Fetch the latest version of the applications
    - |
      # Fixed cosign version as 1.13.1
      #curl -sL https://api.github.com/repos/sigstore/cosign/releases | jq -r ".[].tag_name" | grep -v rc | sort -r -V | head -n 1 | sed -E 's|^v||' > /tmp/cosign-latest-branch-name
      #export COSIGN_VERSION=$(cat /tmp/cosign-latest-branch-name)
      export COSIGN_VERSION=1.13.1

    # Install Cosign
    - |
      curl -L -O -v https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-amd64
      curl -L -O -v https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign_checksums.txt
      sha256sum -c cosign_checksums.txt --ignore-missing
      chmod 755 ./cosign-linux-amd64

    # Create SBOM attestation and push it to the container registry
    - echo -n "${COSIGN_PRIVATE_KEY_PASSWORD}" | ./cosign-linux-amd64 attest --predicate ./arm64-container-sbom.json --key <(echo -n "${COSIGN_PRIVATE_KEY}") ${CI_REGISTRY_IMAGE}@${container_digest_arm64}
    - echo -n "${COSIGN_PRIVATE_KEY_PASSWORD}" | ./cosign-linux-amd64 attest --predicate ./amd64-container-sbom.json --key <(echo -n "${COSIGN_PRIVATE_KEY}") ${CI_REGISTRY_IMAGE}@${container_digest_amd64}

release:
  stage: release
  dependencies: ["build-and-push", "sign-containers", "scan-containers-and-gen-sbom", "attest-sbom"]
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    # ## - if: $CI_COMMIT_TAG
    - !reference [.default_rules, rules]
  before_script: []
  script:
    - echo "Running release job"
  release:
    name: 'Release $CI_COMMIT_BRANCH'
    description: 'Release $CI_COMMIT_BRANCH'
    tag_name: '$CI_COMMIT_BRANCH'
    ref: '$CI_COMMIT_BRANCH'
    # Optional, multiple asset links
    assets:
      links:
        - name: 'Containers Registry for viewing in browsers'
          url: 'https://gitlab.com/patrickdung/pod-recon/container_registry'
        - name: 'Grype scanning reports and SBOM'
          url: 'https://gitlab.com/patrickdung/pod-recon/-/packages/'
          # optional
          # filepath: '/pretty/url/1'
          # optional
          link_type: 'other'