sec(release): release sboms and signatures in same repository as artefact

.github/ISSUE_TEMPLATE/config.yaml

@@ -2,4 +2,4 @@ blank_issues_enabled: false
 contact_links:
   - name: Chat on Slack
     url: https://kubernetes.slack.com/archives/C03GETTJQRL
-    about: Maybe chatting with the community can help
+    about: Maybe chatting with the community can help

.github/actions/exists/action.yaml

@@ -18,4 +18,4 @@ runs:
     - shell: bash
       id: check
       run: |
-        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT
+        echo "result=${{ inputs.value != '' }}" >> $GITHUB_OUTPUT

.github/actions/setup-caches/action.yaml

@@ -17,4 +17,4 @@ runs:
       if: ${{ inputs.build-cache-key }}
       with:
         path: ~/.cache/go-build
-        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
+        key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}

.github/configs/ct.yaml

@@ -2,9 +2,9 @@ remote: origin
 target-branch: main
 chart-dirs:
   - charts
-helm-extra-args: "--timeout 600s"  
+helm-extra-args: "--timeout 600s"
 validate-chart-schema: false
 validate-maintainers: false
 validate-yaml: true
 exclude-deprecated: true
-check-version-increment: false
+check-version-increment: false

.github/configs/lintconf.yaml

@@ -1,5 +1,12 @@
 ---
+ignore:
+  - config/
+  - charts/*/templates/
+  - charts/**/templates/
 rules:
+  truthy:
+    level: warning
+    check-keys: false
   braces:
     min-spaces-inside: 0
     max-spaces-inside: 0
@@ -38,5 +45,3 @@ rules:
   new-lines:
     type: unix
   trailing-spaces: enable
-  truthy:
-    level: warning

.github/workflows/check-actions.yml

@@ -3,7 +3,8 @@ permissions: {}
 
 on:
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,7 +19,7 @@ jobs:
       - name: Ensure SHA pinned actions
         uses: zgosalvez/github-actions-ensure-sha-pinned-actions@c3a2b64f69b7a1542a68f44d9edbd9ec3fc1455e # v3.0.20
         with:
-          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # slsa-github-generator requires using a semver tag for reusable workflows.
           # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
           allowlist: |
-            slsa-framework/slsa-github-generator
+            slsa-framework/slsa-github-generator

.github/workflows/check-commit.yml

@@ -3,7 +3,8 @@ permissions: {}
 
 on:
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -16,6 +17,4 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
-        with:
-          firstParent: true
+      - uses: wagoid/commitlint-github-action@3d28780bbf0365e29b144e272b2121204d5be5f3 # v6.1.2

.github/workflows/coverage.yml

@@ -0,0 +1,86 @@
+name: Coverage
+
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches:
+      - "main"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  compliance:
+    name: "License Compliance"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: "Checkout Code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Scan"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+      - name: "Run FOSSA Test"
+        if: steps.checksecret.outputs.result == 'true'
+        uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+        with:
+          api-key: ${{ secrets.FOSSA_API_KEY }}
+          run-tests: true
+  sast:
+    name: "SAST"
+    runs-on: ubuntu-24.04
+    env:
+      GO111MODULE: on
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@e0cca6fe95306b7e7790d6f1bf6a7bec6d622459 # v2.22.0
+        with:
+          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@24e1c2d337459cce262cbca8d69998e56cd5eb8e
+        with:
+          sarif_file: gosec.sarif
+  unit_tests:
+    name: "Unit tests"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version-file: 'go.mod'
+      - name: Unit Test
+        run: make test
+      - name: Check secret
+        id: checksecret
+        uses: ./.github/actions/exists
+        with:
+          value: ${{ secrets.CODECOV_TOKEN }}
+      - name: Upload Report to Codecov
+        if: ${{ steps.checksecret.outputs.result == 'true' }}
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          slug: projectcapsule/capsule-proxy
+          files: ./coverage.out
+          fail_ci_if_error: true
+          verbose: true

.github/workflows/docker-build.yml

@@ -0,0 +1,45 @@
+name: Build images
+permissions: {}
+on:
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - '.github/workflows/docker-*.yml'
+      - 'api/**'
+      - 'controllers/**'
+      - 'pkg/**'
+      - 'e2e/*'
+      - '.ko.yaml'
+      - 'go.*'
+      - 'main.go'
+      - 'Makefile'
+
+jobs:
+  build-images:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: ko build
+        run: VERSION=${{ github.sha }} make ko-build-all
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+        env:
+          # Trivy is returning TOOMANYREQUESTS
+          # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
+          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@24e1c2d337459cce262cbca8d69998e56cd5eb8e
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/docker-publish.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       packages: write
-      id-token: write 
+      id-token: write
     outputs:
       capsule-digest: ${{ steps.publish-capsule.outputs.digest }}
     steps:
@@ -49,8 +49,8 @@ jobs:
           version: ${{ github.ref_name }}
           sign-image: true
           sbom-name: capsule-proxy
-          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
-          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule-proxy
+          signature-repository: ghcr.io/${{ github.repository_owner }}/capsule-proxy
           main-path: ./
         env:
           REPOSITORY: ${{ github.repository }}
@@ -66,4 +66,4 @@ jobs:
       digest: "${{ needs.publish-images.outputs.capsule-digest }}"
       registry-username: ${{ github.actor }}
     secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/e2e.yml

@@ -2,20 +2,9 @@ name: e2e
 permissions: {}
 
 on:
-  push:
-    branches: [ "*" ]
-    paths:
-      - '.github/workflows/e2e.yml'
-      - 'api/**'
-      - 'controllers/**'
-      - 'internal/**'
-      - 'e2e/*'
-      - 'Dockerfile'
-      - 'go.*'
-      - 'main.go'
-      - 'Makefile'
   pull_request:
-    branches: [ "*" ]
+    branches:
+      - "*"
     paths:
       - '.github/workflows/e2e.yml'
       - 'api/**'
@@ -34,10 +23,6 @@ concurrency:
 jobs:
   kind:
     name: Kubernetes
-    strategy:
-      fail-fast: false
-      matrix:
-        k8s-version: [ 'v1.24.7', 'v1.25.3', 'v1.26.3', 'v1.27.2', 'v1.28.0', 'v1.29.0', 'v1.30.0', 'v1.31.0' ]
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -49,8 +34,5 @@ jobs:
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
         with:
           version: v3.14.2
-      - uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
-        with:
-          skipClusterCreation: true
       - name: e2e testing
-        run: KIND_K8S_VERSION=${{ matrix.k8s-version }} make e2e
+        run: make e2e