Cray-HPE
diff --git a/‎.github/workflows/build-sign-scan.yaml‎
Lines changed: 471 additions & 0 deletions b/‎.github/workflows/build-sign-scan.yaml‎
Lines changed: 471 additions & 0 deletions
diff --git a/‎.github/workflows/test-build-sign-scan.yaml‎
Lines changed: 247 additions & 0 deletions b/‎.github/workflows/test-build-sign-scan.yaml‎
Lines changed: 247 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 76 additions & 5 deletions b/‎README.md‎
Lines changed: 76 additions & 5 deletions
diff --git a/‎tests/build-sign-scan/alpine/Dockerfile‎
Lines changed: 24 additions & 0 deletions b/‎tests/build-sign-scan/alpine/Dockerfile‎
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,247 @@
+#
+# MIT License
+#
+# (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+name: Test build-sign-scan reusable workflow
+
+on:
+  push:
+    paths:
+      - .github/workflows/test-build-sign-scan.yaml
+      - tests/build-sign-scan/**
+  workflow_dispatch:
+
+jobs:
+  test-docker-build-local:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/sles
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-local-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-local-2
+      docker_build_args: |
+        --label='Random label 1'
+        --label="Random label 2"
+      env: |
+        VAR1=var1
+        VAR2='var2 var2'
+        VAR3="var3 var3"
+        VAR4='var4
+        var4'
+        VAR5="var4
+        var4"
+      docker_push: false
+      snyk: false
+      sign: false
+    secrets:
+      docker_username: ${{ secrets.ARTIFACTORY_ALGOL60_USERNAME }}
+      docker_password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
+      docker_secrets: |
+        SLES_REPO_USERNAME='${{ secrets.ARTIFACTORY_ALGOL60_READONLY_USERNAME }}'
+        SLES_REPO_PASSWORD="${{ secrets.ARTIFACTORY_ALGOL60_READONLY_TOKEN }}"
+        SECRET_1="SECRET_1
+        SECRET_1"
+        SECRET_2='SECRET_2
+        SECRET_2'
+      gcp_workload_identity_provider: ${{ secrets.COSIGN_GCP_WORKLOAD_IDENTITY_PROVIDER_RSA }}
+      gcp_service_account: ${{ secrets.COSIGN_GCP_SERVICE_ACCOUNT_RSA }}
+      gcp_cosign_key: ${{ secrets.COSIGN_KEY_RSA }}
+      snyk_token: ${{ secrets.SNYK_TOKEN }}
+
+  test-docker-build-single-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-single-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-single-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-docker-build-multi-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/alpine
+      docker_tag: artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-multi-platform-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-docker-build-multi-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-docker-build-google:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/alpine
+      docker_login: false
+      docker_oidc: true
+      docker_tag: us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-docker-build-google-1
+      docker_build_platforms: linux/amd64,linux/arm64
+      docker_additional_tags: |
+        us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-docker-build-google-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-makefile-local:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/sles
+      make_target: local
+      docker_login: false
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-local-2
+      docker_build_args: |
+        --label='Random label 1'
+        --label="Random label 2"
+      env: |
+        VERSION=test-makefile-local-1
+        VAR1=var1
+        VAR2='var2 var2'
+        VAR3="var3 var3"
+        VAR4='var4
+        var4'
+        VAR5="var4
+        var4"
+      snyk: false
+      sign: false
+    secrets:
+      docker_username: ${{ secrets.ARTIFACTORY_ALGOL60_USERNAME }}
+      docker_password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
+      docker_secrets: |
+        SLES_REPO_USERNAME=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_USERNAME }}
+        SLES_REPO_PASSWORD=${{ secrets.ARTIFACTORY_ALGOL60_READONLY_TOKEN }}
+        SECRET_1="SECRET_1
+        SECRET_1"
+        SECRET_2='SECRET_2
+        SECRET_2'
+      gcp_workload_identity_provider: ${{ secrets.COSIGN_GCP_WORKLOAD_IDENTITY_PROVIDER_RSA }}
+      gcp_service_account: ${{ secrets.COSIGN_GCP_SERVICE_ACCOUNT_RSA }}
+      gcp_cosign_key: ${{ secrets.COSIGN_KEY_RSA }}
+      snyk_token: ${{ secrets.SNYK_TOKEN }}
+
+  test-makefile-single-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/alpine
+      make_target: unstable
+      env: |
+        PLATFORM=linux/amd64
+        VERSION=test-makefile-single-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-single-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-makefile-multi-platform:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/alpine
+      make_target: unstable
+      env: |
+        VERSION=test-makefile-multi-platform-1
+      docker_additional_tags: |
+        artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan:test-makefile-multi-platform-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  test-makefile-google:
+    uses: ./.github/workflows/build-sign-scan.yaml
+    with:
+      context_path: tests/build-sign-scan/alpine
+      make_target: unstable
+      docker_login: false
+      docker_oidc: true
+      env: |
+        REGISTRY=us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable
+        VERSION=test-makefile-google-1
+      docker_additional_tags: |
+        us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan:test-makefile-google-2
+      snyk: true
+      sign: true
+    secrets: inherit
+
+  review:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    needs:
+    - test-docker-build-local
+    - test-docker-build-single-platform
+    - test-docker-build-multi-platform
+    - test-docker-build-google
+    - test-makefile-local
+    - test-makefile-single-platform
+    - test-makefile-multi-platform
+    - test-makefile-google
+
+    steps:
+      - name: Report Test Results
+        env:
+          NEEDS_CONTEXT: ${{ toJSON(needs) }}
+        run: |
+          function assert() {
+              if ! [[ "${2}" =~ ${3} ]]; then
+                  echo "::error::Test ${test_name}: ${1}: expected \"${3}\", got \"${2}\"."
+                  exit_code=$((exit_code+1))
+              fi
+          }
+
+          echo "$NEEDS_CONTEXT" > outputs.json
+          exit_code=0
+          for build_type in docker-build makefile; do
+              for image_type in local single-platform multi-platform google; do
+                  test_name="test-${build_type}-${image_type}"
+
+                  # Test built tags
+                  image_name=artifactory.algol60.net/csm-docker-backup/unstable/test-build-sign-scan
+                  test "${image_type}" == google && image_name=us-docker.pkg.dev/hpe-stage-csm-release/csm-docker/unstable/test-build-sign-scan
+                  tags=$(jq -r ".\"${test_name}\".outputs.image_tags" outputs.json | tr ',' '\n' | sort  | tr '\n' ',' | sed -e 's/,$//')
+                  assert tags "${tags}" "${image_name}:${test_name}-1,${image_name}:${test_name}-2"
+
+                  # Test built platforms
+                  platforms=$(jq -r ".\"${test_name}\".outputs.image_platforms" outputs.json)
+                  test "${image_type}" == single && assert platforms "${platforms}" '["linux/amd64"]'
+                  test "${image_type}" != local -a "${image_type}" != single-platform && assert platforms "${platforms}" '["linux/amd64","linux/arm64"]'
+
+                  # Test Snyk output
+                  snyk_summary=$(jq -r ".\"${test_name}\".outputs.snyk_summary" outputs.json)
+                  test "${image_type}" != local && assert snyk_summary "${snyk_summary}" 'crtitical: [0-9]+, high: [0-9]+, medium: [0-9]+, low: [0-9]+'
+
+                  # Test Trivy output
+                  trivy_summary=$(jq -r ".\"${test_name}\".outputs.trivy_summary" outputs.json)
+                  test "${image_type}" != local && assert trivy_summary "${trivy_summary}" '(Tests: [0-9]+ \(SUCCESSES: [0-9]+, FAILURES: [0-9]+\)|PASS)'
+
+                  # Test Scan output
+                  sign_summary=$(jq -r ".\"${test_name}\".outputs.sign_summary" outputs.json)
+                  test "${image_type}" != local && assert sign_summary "${sign_summary}" 'Signed .+ with Cosign'
+              done
+          done
+          exit $exit_code
+        shell: bash
@@ -1,7 +1,78 @@
-# github-actions
-Cray-HPE Shared GitHub Actions 
+# Resuable Github Actions and Workflows
 
-A place for shared GitHub actions to be used. 
+## Build Sign Scan Reusable Workflow
 
-## build-sign-scan
-Builds, pushes, signs, and scans docker images. Currently used in the `container-images` repo
+### Location
+
+Build, Sign and Scan reusable workflow is located in `.github/workflows//build-sign-scan.yaml` file.
+
+### Features
+
+- Container image builds via provided `Makefile` or without it (i.e. only `Dockerfle` is present).
+- Multi-platform builds (via `docker_platform` parameter).
+- Push into generic private registry (basic authentication) or Google Artifact Registry (OIDC auth).
+- Scan with Snyk.
+- Scan with Trivy.
+- Signing with Sigstore Cosign using key stored in Google KMS.
+
+### Requirements
+Reusable workflow follows dry-out configuration approach. All input parameters are optional and have reasonable defaults.
+The only mandatory parameter is `docker_tag` (if no `Makefile` is provided) or `make_target` (if `Makefile` is provided).
+Also, access to `secrets` context is required. Please refer to workflow file for detailed description of input parameters.
+
+### Minimal Configuration
+
+- If `Makefile` is provided:
+
+      jobs:
+        build-sign-scan:
+          uses: Cray-HPE/.github/workflows//build-sign-scan.yaml@build-sign-scan-workflow/v1
+          with:
+            make_target: ${{ github.ref_type == 'tag' && 'stable' || 'unstable' }}
+            secrets: inherit
+
+    NOTE: `Makefle` must honor `DOCKER_BUILD_ARGS` environment variable.
+
+- If `Makefile` is not provided:
+
+      jobs:
+        build-sign-scan:
+          uses: Cray-HPE/.github/workflows//build-sign-scan.yaml@build-sign-scan-workflow/v1
+          with:
+            docker_tag: artifactory.algol60.net/csm-docker/${{ github.ref_type == 'tag' && 'stable' || 'unstable' }}/my-image:tag
+            secrets: inherit
+
+In these examples, `Makefile` target `stable` is called when build is invoked on git tag, otherwise `unstable` target is called (i.e. tag-based release strategy is used).
+
+### Secrets in Build Context
+
+Workflow accepts `docker_secrets` input secret as new-line separated list of `key=value` secret pairs, to be made available during build time. Each `key=value` pair is injected into build as environment variable named as `<key>`, with value set to `<value>`.
+
+- If `Makefile` is used, it should provide `--secret id=<key>,env=<key>` command line option(s) for `docker buildx build` command to mount secrets during build time.
+- If `Makefile` is not used, `--secret id=<key>,env=<key>` command line option is added to `docker buildx build` command automatically for each secret.
+
+Each secret will be available in build context as a file named `/run/secrets/<key>`.
+
+#### NOTE 1: 
+Multiline secrets are not supported (will be converted to space-separated secrets).
+
+#### NOTE 2:
+Reusable workflow syntax does not allow mixing implicitly specified secrets (`inherit` keyword) and exlicitly specified secrets. Therefore all secrets needed by image build, push, sign and scan will need to be provided, if `docker_secrets` is used.
+
+#### Example:
+
+    jobs:
+      build-sign-scan:
+        uses: Cray-HPE/.github/workflows//build-sign-scan.yaml@build-sign-scan-workflow/v1
+        with:
+          docker_tag: artifactory.algol60.net/csm-docker/${{ github.ref_type == 'tag' && 'stable' || 'unstable' }}/my-image:tag
+        secrets:
+          docker_username: ${{ secrets.ARTIFACTORY_ALGOL60_USERNAME }}
+          docker_password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
+          gcp_workload_identity_provider: ${{ secrets.COSIGN_GCP_WORKLOAD_IDENTITY_PROVIDER_RSA }}
+          gcp_service_account: ${{ secrets.COSIGN_GCP_SERVICE_ACCOUNT_RSA }}
+          gcp_cosign_key: ${{ secrets.COSIGN_KEY_RSA }}
+          snyk_token: ${{ secrets.SNYK_TOKEN }}
+          docker_secrets: |
+            SECRET_1="${{ secrets.ORG_SECRET_1 }}"
+            SECRET_2="${{ secrets.ORG_SECRET_2 }}"
@@ -0,0 +1,24 @@
+#
+# MIT License
+#
+# (C) Copyright 2025 Hewlett Packard Enterprise Development LP
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+#
+FROM alpine:latest