From a5e20269ddfa6e9d346047a1da0f11e854081bc0 Mon Sep 17 00:00:00 2001 From: CaIon Date: Tue, 24 Mar 2026 23:53:50 +0800 Subject: [PATCH] security: harden Docker and release CI workflows - Pin all GitHub Actions to commit SHA to prevent supply chain attacks - Enable SLSA provenance attestation (mode=max) and SBOM generation - Add cosign keyless signing for Docker images via GitHub OIDC - Capture and output image digests to GitHub Job Summary - Pin Dockerfile base images to digest (bun:1, golang:1.26.1-alpine, debian:bookworm-slim) - Add SHA256 checksum generation for binary releases (Linux/macOS/Windows) - Update actions/checkout v3->v4, actions/setup-go v3->v5 in release.yml --- .github/workflows/docker-image-alpha.yml | 50 ++++++++++++++++++------ .github/workflows/docker-image-arm64.yml | 43 +++++++++++++++----- .github/workflows/release.yml | 42 +++++++++++++------- Dockerfile | 6 +-- 4 files changed, 103 insertions(+), 38 deletions(-) diff --git a/.github/workflows/docker-image-alpha.yml b/.github/workflows/docker-image-alpha.yml index 2a7d43ad..116dd145 100644 --- a/.github/workflows/docker-image-alpha.yml +++ b/.github/workflows/docker-image-alpha.yml @@ -27,9 +27,10 @@ jobs: permissions: packages: write contents: read + id-token: write steps: - name: Check out (shallow) - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 1 @@ -46,16 +47,16 @@ jobs: run: echo "GHCR_REPOSITORY=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -63,14 +64,15 @@ jobs: - name: Extract metadata (labels) id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: | calciumion/new-api ghcr.io/${{ env.GHCR_REPOSITORY }} - name: Build & push single-arch (to both registries) - uses: docker/build-push-action@v6 + id: build + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . platforms: ${{ matrix.platform }} @@ -83,8 +85,25 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - provenance: false - sbom: false + provenance: mode=max + sbom: true + + - name: Install cosign + uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 + + - name: Sign image with cosign + run: | + cosign sign --yes calciumion/new-api@${{ steps.build.outputs.digest }} + cosign sign --yes ghcr.io/${{ env.GHCR_REPOSITORY }}@${{ steps.build.outputs.digest }} + + - name: Output digest + run: | + echo "### Docker Image Digest (${{ matrix.arch }})" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo "calciumion/new-api:alpha-${{ matrix.arch }}" >> $GITHUB_STEP_SUMMARY + echo "ghcr.io/${{ env.GHCR_REPOSITORY }}:alpha-${{ matrix.arch }}" >> $GITHUB_STEP_SUMMARY + echo "${{ steps.build.outputs.digest }}" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY create_manifests: name: Create multi-arch manifests (Docker Hub + GHCR) @@ -95,7 +114,7 @@ jobs: contents: read steps: - name: Check out (shallow) - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 1 @@ -110,7 +129,7 @@ jobs: echo "VERSION=$VERSION" >> $GITHUB_ENV - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -130,7 +149,7 @@ jobs: calciumion/new-api:${VERSION}-arm64 - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -149,3 +168,12 @@ jobs: -t ghcr.io/${GHCR_REPOSITORY}:${VERSION} \ ghcr.io/${GHCR_REPOSITORY}:${VERSION}-amd64 \ ghcr.io/${GHCR_REPOSITORY}:${VERSION}-arm64 + + - name: Output manifest digest + run: | + echo "### Multi-arch Manifest Digests" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + docker buildx imagetools inspect calciumion/new-api:alpha >> $GITHUB_STEP_SUMMARY + echo "---" >> $GITHUB_STEP_SUMMARY + docker buildx imagetools inspect ghcr.io/${GHCR_REPOSITORY}:alpha >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/docker-image-arm64.yml b/.github/workflows/docker-image-arm64.yml index 0c288fd0..83303ee3 100644 --- a/.github/workflows/docker-image-arm64.yml +++ b/.github/workflows/docker-image-arm64.yml @@ -30,10 +30,11 @@ jobs: permissions: packages: write contents: read + id-token: write steps: - name: Check out - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: ${{ github.event_name == 'workflow_dispatch' && 0 || 1 }} ref: ${{ github.event.inputs.tag || github.ref }} @@ -59,16 +60,16 @@ jobs: # run: echo "GHCR_REPOSITORY=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} # - name: Log in to GHCR -# uses: docker/login-action@v3 +# uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 # with: # registry: ghcr.io # username: ${{ github.actor }} @@ -76,14 +77,15 @@ jobs: - name: Extract metadata (labels) id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5 with: images: | calciumion/new-api # ghcr.io/${{ env.GHCR_REPOSITORY }} - name: Build & push single-arch (to both registries) - uses: docker/build-push-action@v6 + id: build + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . platforms: ${{ matrix.platform }} @@ -96,8 +98,22 @@ jobs: labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - provenance: false - sbom: false + provenance: mode=max + sbom: true + + - name: Install cosign + uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 + + - name: Sign image with cosign + run: cosign sign --yes calciumion/new-api@${{ steps.build.outputs.digest }} + + - name: Output digest + run: | + echo "### Docker Image Digest (${{ matrix.arch }})" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + echo "calciumion/new-api:${{ env.TAG }}-${{ matrix.arch }}" >> $GITHUB_STEP_SUMMARY + echo "${{ steps.build.outputs.digest }}" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY create_manifests: name: Create multi-arch manifests (Docker Hub) @@ -117,7 +133,7 @@ jobs: # run: echo "GHCR_REPOSITORY=${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV - name: Log in to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -136,9 +152,16 @@ jobs: calciumion/new-api:latest-amd64 \ calciumion/new-api:latest-arm64 + - name: Output manifest digest + run: | + echo "### Multi-arch Manifest" >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + docker buildx imagetools inspect calciumion/new-api:${TAG} >> $GITHUB_STEP_SUMMARY + echo '```' >> $GITHUB_STEP_SUMMARY + # ---- GHCR ---- # - name: Log in to GHCR -# uses: docker/login-action@v3 +# uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 # with: # registry: ghcr.io # username: ${{ github.actor }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6a961027..1a903322 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,14 +19,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Determine Version run: | VERSION=$(git describe --tags) echo "VERSION=$VERSION" >> $GITHUB_ENV - - uses: oven-sh/setup-bun@v2 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: latest - name: Build Frontend @@ -38,7 +38,7 @@ jobs: DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$VERSION bun run build cd .. - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '>=1.25.1' - name: Build Backend (amd64) @@ -50,12 +50,16 @@ jobs: sudo apt-get update DEBIAN_FRONTEND=noninteractive sudo apt-get install -y gcc-aarch64-linux-gnu CC=aarch64-linux-gnu-gcc CGO_ENABLED=1 GOOS=linux GOARCH=arm64 go build -ldflags "-s -w -X 'new-api/common.Version=$VERSION' -extldflags '-static'" -o new-api-arm64-$VERSION + - name: Generate checksums + run: sha256sum new-api-* > checksums-linux.txt + - name: Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 if: startsWith(github.ref, 'refs/tags/') with: files: | new-api-* + checksums-linux.txt env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -64,14 +68,14 @@ jobs: runs-on: macos-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Determine Version run: | VERSION=$(git describe --tags) echo "VERSION=$VERSION" >> $GITHUB_ENV - - uses: oven-sh/setup-bun@v2 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: latest - name: Build Frontend @@ -84,18 +88,23 @@ jobs: DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$VERSION bun run build cd .. - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '>=1.25.1' - name: Build Backend run: | go mod download go build -ldflags "-X 'new-api/common.Version=$VERSION'" -o new-api-macos-$VERSION + - name: Generate checksums + run: shasum -a 256 new-api-macos-* > checksums-macos.txt + - name: Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 if: startsWith(github.ref, 'refs/tags/') with: - files: new-api-macos-* + files: | + new-api-macos-* + checksums-macos.txt env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -107,14 +116,14 @@ jobs: shell: bash steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Determine Version run: | VERSION=$(git describe --tags) echo "VERSION=$VERSION" >> $GITHUB_ENV - - uses: oven-sh/setup-bun@v2 + - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: latest - name: Build Frontend @@ -126,17 +135,22 @@ jobs: DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$VERSION bun run build cd .. - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5 with: go-version: '>=1.25.1' - name: Build Backend run: | go mod download go build -ldflags "-s -w -X 'new-api/common.Version=$VERSION'" -o new-api-$VERSION.exe + - name: Generate checksums + run: sha256sum new-api-*.exe > checksums-windows.txt + - name: Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 if: startsWith(github.ref, 'refs/tags/') with: - files: new-api-*.exe + files: | + new-api-*.exe + checksums-windows.txt env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/Dockerfile b/Dockerfile index aa43de1c..93279163 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM oven/bun:latest AS builder +FROM oven/bun:1@sha256:0733e50325078969732ebe3b15ce4c4be5082f18c4ac1a0f0ca4839c2e4e42a7 AS builder WORKDIR /build COPY web/package.json . @@ -8,7 +8,7 @@ COPY ./web . COPY ./VERSION . RUN DISABLE_ESLINT_PLUGIN='true' VITE_REACT_APP_VERSION=$(cat VERSION) bun run build -FROM golang:alpine AS builder2 +FROM golang:1.26.1-alpine@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039 AS builder2 ENV GO111MODULE=on CGO_ENABLED=0 ARG TARGETOS @@ -25,7 +25,7 @@ COPY . . COPY --from=builder /build/dist ./web/dist RUN go build -ldflags "-s -w -X 'github.com/QuantumNous/new-api/common.Version=$(cat VERSION)'" -o new-api -FROM debian:bookworm-slim +FROM debian:bookworm-slim@sha256:f06537653ac770703bc45b4b113475bd402f451e85223f0f2837acbf89ab020a RUN apt-get update \ && apt-get install -y --no-install-recommends ca-certificates tzdata libasan8 wget \