attest test

rwestphal · rwestphal · commit d173dd2a2513 · 2025-07-25T23:43:52.000-03:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -24,85 +24,88 @@ jobs:
             exit 1
           fi
 
-  clippy_check:
-    name: Linter Check
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@1.88
-        with:
-          components: clippy
-      - name: Install Protocol Buffers Compiler
-        run: sudo apt-get install -y protobuf-compiler
-      - name: Set PROTOC Environment Variable
-        run: export PROTOC=/path/to/protoc
-      - name: Run Clippy
-        run: cargo clippy
-      - name: Run Clippy
-        run: cargo clippy --package holo-tools
+  #clippy_check:
+  #  name: Linter Check
+  #  runs-on: ubuntu-latest
+  #  steps:
+  #    - uses: actions/checkout@v4
+  #    - uses: dtolnay/rust-toolchain@1.88
+  #      with:
+  #        components: clippy
+  #    - name: Install Protocol Buffers Compiler
+  #      run: sudo apt-get install -y protobuf-compiler
+  #    - name: Set PROTOC Environment Variable
+  #      run: export PROTOC=/path/to/protoc
+  #    - name: Run Clippy
+  #      run: cargo clippy
+  #    - name: Run Clippy
+  #      run: cargo clippy --package holo-tools
 
-  tests_and_coverage_report:
-    name: Tests and Coverage Report
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@1.88
-      - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@cargo-llvm-cov
-      - name: Generate code coverage
-        run: cargo llvm-cov --all-features --codecov --output-path codecov.json -p holo-bfd -p holo-bgp -p holo-isis -p holo-ldp -p holo-ospf -p holo-rip -p holo-vrrp
-      - name: Upload to Codecov
-        uses: codecov/codecov-action@v4
-        if: github.event_name != 'pull_request'
-        with:
-          files: ./lcov.info
-          fail_ci_if_error: false
-          token: ${{ secrets.CODECOV_TOKEN }}
+  #tests_and_coverage_report:
+  #  name: Tests and Coverage Report
+  #  runs-on: ubuntu-latest
+  #  steps:
+  #    - uses: actions/checkout@v4
+  #    - uses: dtolnay/rust-toolchain@1.88
+  #    - name: Install cargo-llvm-cov
+  #      uses: taiki-e/install-action@cargo-llvm-cov
+  #    - name: Generate code coverage
+  #      run: cargo llvm-cov --all-features --codecov --output-path codecov.json -p holo-bfd -p holo-bgp -p holo-isis -p holo-ldp -p holo-ospf -p holo-rip -p holo-vrrp
+  #    - name: Upload to Codecov
+  #      uses: codecov/codecov-action@v4
+  #      if: github.event_name != 'pull_request'
+  #      with:
+  #        files: ./lcov.info
+  #        fail_ci_if_error: false
+  #        token: ${{ secrets.CODECOV_TOKEN }}
 
-  tests_arm:
-    name: Tests (Arm64)
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@1.88
-      - name: Run tests
-        run: cargo test --all-features -p holo-bfd -p holo-bgp -p holo-isis -p holo-ldp -p holo-ospf -p holo-rip -p holo-vrrp
+  #tests_arm:
+  #  name: Tests (Arm64)
+  #  runs-on: ubuntu-24.04-arm
+  #  steps:
+  #    - uses: actions/checkout@v4
+  #    - uses: dtolnay/rust-toolchain@1.88
+  #    - name: Run tests
+  #      run: cargo test --all-features -p holo-bfd -p holo-bgp -p holo-isis -p holo-ldp -p holo-ospf -p holo-rip -p holo-vrrp
 
-  fuzz-build-check:
-    name: Check fuzz targets build
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      # cargo-fuzz requires nightly Rust due to LLVM sanitizer support
-      - uses: dtolnay/rust-toolchain@nightly
-      - name: Install cargo-fuzz
-        run: cargo install cargo-fuzz
-      - name: Check fuzz targets
-        run: cargo fuzz check
+  #fuzz-build-check:
+  #  name: Check fuzz targets build
+  #  runs-on: ubuntu-latest
+  #  steps:
+  #    - uses: actions/checkout@v4
+  #    # cargo-fuzz requires nightly Rust due to LLVM sanitizer support
+  #    - uses: dtolnay/rust-toolchain@nightly
+  #    - name: Install cargo-fuzz
+  #      run: cargo install cargo-fuzz
+  #    - name: Check fuzz targets
+  #      run: cargo fuzz check
 
-  bench-build-check:
-    name: Check benchmark builds
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@1.88
-      - name: Check benchmark builds
-        run: cargo bench --no-run -p holo-bgp -p holo-ldp -p holo-ospf
+  #bench-build-check:
+  #  name: Check benchmark builds
+  #  runs-on: ubuntu-latest
+  #  steps:
+  #    - uses: actions/checkout@v4
+  #    - uses: dtolnay/rust-toolchain@1.88
+  #    - name: Check benchmark builds
+  #      run: cargo bench --no-run -p holo-bgp -p holo-ldp -p holo-ospf
 
-  push-image:
-    name: Docker Image Build
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/master' && github.repository_owner == 'holo-routing'
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{github.actor}}
-          password: ${{secrets.GITHUB_TOKEN}}
-      - name: Build and push container image
-        run: |
-          docker build . -f docker/Dockerfile.holod --tag ghcr.io/holo-routing/holod:latest
-          docker push ghcr.io/holo-routing/holod:latest
-          docker build . -f docker/Dockerfile.holo-bundle --tag ghcr.io/holo-routing/holo-bundle:latest
-          docker push ghcr.io/holo-routing/holo-bundle:latest
+  docker-build-holod:
+    uses: .github/workflows/docker-build-and-attest.yml
+    with:
+      image-name: holod
+      dockerfile: docker/Dockerfile.holod
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
+
+  docker-build-holo-bundle:
+    needs: docker-build-holod
+    uses: .github/workflows/docker-build-and-attest.yml
+    with:
+      image-name: holo-bundle
+      dockerfile: docker/Dockerfile.holo-bundle
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
diff --git a/.github/workflows/docker-build-and-attest.yml b/.github/workflows/docker-build-and-attest.yml
@@ -0,0 +1,44 @@
+name: Build and Attest Docker Image
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        required: true
+        type: string
+      dockerfile:
+        required: true
+        type: string
+
+jobs:
+  build-and-attest:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push image
+        id: push_image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ inputs.dockerfile }}
+          push: true
+          tags: ghcr.io/holo-routing/${{ inputs.image-name }}:latest
+
+      - name: Attest image
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/holo-routing/${{ inputs.image-name }}
+          subject-digest: ${{ steps.push_image.outputs.digest }}
+          push-to-registry: true
