Alpha to beta

.github/dependabot.yaml

@@ -6,7 +6,7 @@ updates:
     schedule:
       interval: "weekly"
 
-  # Chall-Manager app
+  # Chall-Manager module
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:

.github/workflows/ci.yaml

@@ -49,12 +49,12 @@ jobs:
           fi
 
       - name: Run go tests
-        run: make tests
+        run: make unit-tests
 
-      # - name: Upload coverage to Coveralls
-      #   uses: shogo82148/actions-goveralls@785c9d68212c91196d3994652647f8721918ba11 # v1.9.0
-      #   with:
-      #     path-to-profile: 'cov.out'
+      - name: Upload coverage to Coveralls
+        uses: shogo82148/actions-goveralls@785c9d68212c91196d3994652647f8721918ba11 # v1.9.0
+        with:
+          path-to-profile: 'cov.out'
 
   go-lint:
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yaml

@@ -0,0 +1,45 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 6 * * 5'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      with:
+        go-version-file: 'go.mod'
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0

.github/workflows/docker.yaml

@@ -0,0 +1,147 @@
+name: Build Docker images
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  docker-cm:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      digest: ${{ steps.build.outputs.digest }}
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        with:
+          images: ctferio/chall-manager
+
+      - name: Git commit date
+        id: infos
+        run: |
+          # trim version prefix
+          version=${{ github.ref_name }}
+          version="${version#"v"}"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+          # output date per RFC 3339
+          date="$(git log -1 --format=%cd --date=format:%Y-%m-%dT%H:%M:%SZ)"
+          echo "date=$date" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        id: build
+        with:
+          push: true
+          sbom: true # may not produce SBOM in manifest if the image has no filesystem (e.g. "FROM scratch")
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: Dockerfile.chall-manager
+          build-args: |
+            VERSION=${{ steps.infos.outputs.version }}
+            COMMIT=${{ github.sha }}
+            DATE=${{ steps.infos.outputs.date }}
+
+  # This step calls the container workflow to generate provenance and push it to
+  # the container registry.
+  provenance-cm:
+    needs: [docker-cm]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ctferio/chall-manager
+      digest: ${{ needs.docker-cm.outputs.digest }}
+    secrets:
+      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+
+
+  docker-cmj:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      digest: ${{ steps.build.outputs.digest }}
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        with:
+          images: ctferio/chall-manager-janitor
+
+      - name: Git commit date
+        id: infos
+        run: |
+          # trim version prefix
+          version=${{ github.ref_name }}
+          version="${version#"v"}"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+
+          # output date per RFC 3339
+          date="$(git log -1 --format=%cd --date=format:%Y-%m-%dT%H:%M:%SZ)"
+          echo "date=$date" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        id: build
+        with:
+          push: true
+          sbom: true # may not produce SBOM in manifest if the image has no filesystem (e.g. "FROM scratch")
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          file: Dockerfile.chall-manager-janitor
+          build-args: |
+            VERSION=${{ steps.infos.outputs.version }}
+            COMMIT=${{ github.sha }}
+            DATE=${{ steps.infos.outputs.date }}
+
+  # This step calls the container workflow to generate provenance and push it to
+  # the container registry.
+  provenance-cmj:
+    needs: [docker-cmj]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    if: startsWith(github.ref, 'refs/tags/')
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+    with:
+      image: ctferio/chall-manager-janitor
+      digest: ${{ needs.docker-cmj.outputs.digest }}
+    secrets:
+      registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
+      registry-password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/scoreboard.yaml

@@ -0,0 +1,35 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '30 6 * * 6'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        with:
+          sarif_file: results.sarif

.goreleaser.yaml

@@ -29,30 +29,6 @@ builds:
     flags:
       - -cover
 
-dockers:
-  - ids:
-      - cm
-    dockerfile: Dockerfile.chall-manager
-    image_templates:
-      - "ctferio/chall-manager:latest"
-      - "ctferio/chall-manager:{{ .Tag }}"
-    build_flag_templates:
-      - "--label=org.opencontainers.image.created={{ .Date }}"
-      - "--label=org.opencontainers.image.title=chall-manager"
-      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - "--label=org.opencontainers.image.version={{ .Version }}"
-  - ids:
-      - cmj
-    dockerfile: Dockerfile.chall-manager-janitor
-    image_templates:
-      - "ctferio/chall-manager-janitor:latest"
-      - "ctferio/chall-manager-janitor:{{ .Tag }}"
-    build_flag_templates:
-      - "--label=org.opencontainers.image.created={{ .Date }}"
-      - "--label=org.opencontainers.image.title=chall-manager-janitor"
-      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
-      - "--label=org.opencontainers.image.version={{ .Version }}"
-
 changelog:
   sort: asc
   filters:

Dockerfile.chall-manager

@@ -1,5 +1,30 @@
+# Build stage
+FROM golang:1.23.4 AS builder
+
+WORKDIR /go/src
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+RUN go install github.com/bufbuild/buf/cmd/buf && \
+    go install github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 && \
+    go install google.golang.org/grpc/cmd/protoc-gen-go-grpc && \
+    go install github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway && \
+    go install google.golang.org/protobuf/cmd/protoc-gen-go
+RUN make buf
+
+RUN apt update && apt install zip unzip -y
+RUN make update-swagger
+
+ENV CGO_ENABLED=0
+RUN go build -cover -o /go/bin/chall-manager cmd/chall-manager/main.go
+
+
+
+# Prod stage
 FROM pulumi/pulumi-go:3.144.1
 RUN pulumi login --local
-COPY chall-manager /chall-manager
-COPY ./gen/api/v1/launch/launch.swagger.json ./gen/api/v1/launch/launch.swagger.json
+COPY --from=builder /go/bin/chall-manager /chall-manager
+COPY ./gen ./gen
 ENTRYPOINT [ "/chall-manager" ]

Dockerfile.chall-manager-janitor

@@ -1,3 +1,18 @@
+# Build stage
+FROM golang:1.23.4 AS builder
+
+WORKDIR /go/src
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+ENV CGO_ENABLED=0
+RUN go build -cover -o /go/bin/chall-manager-janitor cmd/chall-manager-janitor/main.go
+
+
+
+# Prod stage
 FROM scratch
-COPY chall-manager-janitor /chall-manager-janitor
+COPY --from=builder /go/bin/chall-manager-janitor /chall-manager-janitor
 ENTRYPOINT [ "/chall-manager-janitor" ]

Makefile

@@ -1,5 +1,5 @@
-.PHONY: tests
-tests:
+.PHONY: unit-tests
+unit-tests:
 	@echo "--- Unitary tests ---"
 	go test ./... -run=^Test_U_ -json -cover -coverprofile=cov.out | tee -a gotest.json