diff --git a/.github/workflows/docker-publish-hardened.yaml b/.github/workflows/docker-publish-hardened.yaml index 6efe8579..e17cd188 100644 --- a/.github/workflows/docker-publish-hardened.yaml +++ b/.github/workflows/docker-publish-hardened.yaml @@ -118,10 +118,18 @@ jobs: VERSION=${{ github.ref_name }} COMMIT=${{ github.sha }} BUILD_TIME=${{ env.BUILD_TIME }} - provenance: true + provenance: mode=slsa sbom: true annotations: ${{ steps.meta.outputs.annotations }} - + + - name: Attest platform-specific images + uses: actions/attest-build-provenance@v1 + if: github.event_name != 'pull_request' + with: + subject-name: ${{ env.GHCR_REPO }} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true + - name: Export digest run: | mkdir -p /tmp/digests @@ -199,6 +207,14 @@ jobs: docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *) + - name: Attest GHCR images + uses: actions/attest-build-provenance@v1 + if: github.event_name != 'pull_request' + with: + subject-name: ${{ env.GHCR_REPO }} + subject-digest: ${{ steps.push-ghcr.outputs.digest }} + push-to-registry: true + - name: Create manifest list and push Dockerhub id: push-dockerhub working-directory: /tmp/digests @@ -206,3 +222,11 @@ jobs: run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *) + + - name: Attest Dockerhub images + uses: actions/attest-build-provenance@v1 + if: (github.event_name == 'schedule' || startsWith(github.ref, 'refs/tags/')) + with: + subject-name: ${{ env.DOCKERHUB_REPO }} + subject-digest: ${{ steps.push-dockerhub.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml index 0a3d9188..01549c61 100644 --- a/.github/workflows/docker-publish-rootless.yaml 
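Review bot: `uses: actions/attest-build-provenance@v1` is pinned to a mutable major tag, in a workflow whose whole point is supply-chain attestation; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/attest-build-provenance@<40-hex-sha> # v1.x.y`, and let Dependabot/Renovate bump it. The new step also needs `id-token: write`, `attestations: write` and, for `push-to-registry: true`, `packages: write` on the job; the job's `permissions:` block is outside this hunk, so confirm they are granted. `provenance: mode=slsa` is not a value I find in the docker/build-push-action or buildx documentation, which list `true`/`false`/`mode=min`/`mode=max`; confirm buildx accepts it, otherwise `provenance: mode=max` is the documented way to get full provenance. The enclosing build step begins outside the hunk.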
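Review bot: `subject-digest: ${{ steps.push-ghcr.outputs.digest }}` reads an output the `push-ghcr` run step never sets — `docker buildx imagetools create` does not write to `$GITHUB_OUTPUT`, and the two script lines in this hunk are the end of that step — so the attest step receives an empty digest and should be rejected by the action's `subject-digest` validation. Capture the manifest-list digest after the create, e.g. append `ref="$(jq -r '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")"` and `echo "digest=$(docker buildx imagetools inspect "$ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"` to the script. The start of the `push-ghcr` step (its `run: |` line and any earlier lines) is outside the hunk, so check nothing there already exports `digest`.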
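Review bot: `subject-digest: ${{ steps.push-dockerhub.outputs.digest }}` is empty: the whole `push-dockerhub` script is in this hunk (`run: |` plus the two `imagetools create` lines) and nothing writes `digest` to `$GITHUB_OUTPUT`. Add `echo "digest=$(docker buildx imagetools inspect "$(jq -r '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"` after the create. For `push-to-registry: true` the action documents a fully-qualified `subject-name` (`index.docker.io/<ns>/<repo>` for Docker Hub) and registry credentials from a prior `docker/login-action`; `env.DOCKERHUB_REPO` and the login step are outside the hunk, so verify both. The attest step's `if:` should also match the condition under which `push-dockerhub` itself runs, which is not visible here.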
+++ b/.github/workflows/docker-publish-rootless.yaml @@ -120,10 +120,18 @@ jobs: build-args: | VERSION=${{ github.ref_name }} COMMIT=${{ github.sha }} - provenance: true + provenance: mode=slsa sbom: true annotations: ${{ steps.meta.outputs.annotations }} - + + - name: Attest platform-specific images + uses: actions/attest-build-provenance@v1 + if: github.event_name != 'pull_request' + with: + subject-name: ${{ env.GHCR_REPO }} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true + - name: Export digest run: | mkdir -p /tmp/digests @@ -201,6 +209,14 @@ jobs: docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *) + - name: Attest GHCR images + uses: actions/attest-build-provenance@v1 + if: github.event_name != 'pull_request' + with: + subject-name: ${{ env.GHCR_REPO }} + subject-digest: ${{ steps.push-ghcr.outputs.digest }} + push-to-registry: true + - name: Create manifest list and push Dockerhub id: push-dockerhub working-directory: /tmp/digests @@ -208,3 +224,11 @@ jobs: run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *) + + - name: Attest Dockerhub images + uses: actions/attest-build-provenance@v1 + if: (github.event_name == 'schedule' || startsWith(github.ref, 'refs/tags/')) + with: + subject-name: ${{ env.DOCKERHUB_REPO }} + subject-digest: ${{ steps.push-dockerhub.outputs.digest }} + push-to-registry: true diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml index f52287cb..35436285 100644 --- a/.github/workflows/docker-publish.yaml +++ b/.github/workflows/docker-publish.yaml 
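Review bot: The attest step is introduced with `uses: actions/attest-build-provenance@v1`, a floating tag; for a step that mints signed provenance, pin to a full commit SHA (`@<40-hex-sha> # v1.x.y`) so a tag move cannot swap the code that signs your images. `push-to-registry: true` requires `id-token: write`, `attestations: write` and `packages: write` on the job, and the `permissions:` block is not in this hunk — confirm it. `provenance: mode=slsa` replaces `provenance: true`, but the documented buildx modes are `mode=min` and `mode=max`; if `slsa` is not accepted by the buildx version in use, `mode=max` is the intended setting. The enclosing build step starts outside the hunk.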
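Review bot: `${{ steps.push-ghcr.outputs.digest }}` will be empty because the `push-ghcr` script, whose last two lines are the context of this hunk, only runs `docker buildx imagetools create` and never echoes a `digest=` line into `$GITHUB_OUTPUT`; the attestation therefore has no valid subject. After the create, resolve the manifest list and export it, e.g. `ref="$(jq -r '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")"` followed by `echo "digest=$(docker buildx imagetools inspect "$ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"`. The beginning of that step is outside the hunk; if it already sets `digest` somewhere above, this note does not apply.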
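Review bot: `subject-digest: ${{ steps.push-dockerhub.outputs.digest }}` has no source — this hunk contains the complete `run: |` script of `push-dockerhub`, and it never writes to `$GITHUB_OUTPUT`. Append `echo "digest=$(docker buildx imagetools inspect "$(jq -r '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"` to the script. Pushing the attestation to Docker Hub additionally needs `env.DOCKERHUB_REPO` to be fully qualified (`index.docker.io/...`) and a prior `docker/login-action` for that registry, both of which are outside this hunk and worth verifying.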
@@ -113,10 +113,18 @@ jobs: build-args: | VERSION=${{ github.ref_name }} COMMIT=${{ github.sha }} - provenance: true + provenance: mode=slsa sbom: true annotations: ${{ steps.meta.outputs.annotations }} + - name: Attest platform-specific images + uses: actions/attest-build-provenance@v1 + if: github.event_name != 'pull_request' + with: + subject-name: ${{ env.GHCR_REPO }} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true + - name: Export digest run: | mkdir -p /tmp/digests @@ -192,6 +200,14 @@ jobs: docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *) + - name: Attest GHCR images + uses: actions/attest-build-provenance@v1 + if: github.event_name != 'pull_request' + with: + subject-name: ${{ env.GHCR_REPO }} + subject-digest: ${{ steps.push-ghcr.outputs.digest }} + push-to-registry: true + - name: Create manifest list and push Dockerhub id: push-dockerhub working-directory: /tmp/digests @@ -199,3 +215,11 @@ jobs: run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *) + + - name: Attest Dockerhub images + uses: actions/attest-build-provenance@v1 + if: (github.event_name == 'schedule' || startsWith(github.ref, 'refs/tags/')) + with: + subject-name: ${{ env.DOCKERHUB_REPO }} + subject-digest: ${{ steps.push-dockerhub.outputs.digest }} + push-to-registry: true diff --git a/backend/.goreleaser.yaml b/backend/.goreleaser.yaml index b2ac7fa7..d6b77631 100644 --- a/backend/.goreleaser.yaml +++ b/backend/.goreleaser.yaml 
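Review bot: `actions/attest-build-provenance@v1` should be pinned by commit SHA rather than a mutable major tag, since this step is what produces the signed provenance for the published images; write it as `uses: actions/attest-build-provenance@<40-hex-sha> # v1.x.y`. The step requires `id-token: write`, `attestations: write` and `packages: write` (for `push-to-registry: true`); the job's `permissions:` block is outside the hunk, so confirm these are present. `provenance: mode=slsa` is not among the values documented for docker/build-push-action (`true`, `false`, `mode=min`, `mode=max`) — verify it is accepted, or use `mode=max`. The build step's earlier inputs are outside the hunk.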
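Review bot: The new attest step reads `steps.push-ghcr.outputs.digest`, but the `push-ghcr` script (its final two lines form this hunk's context) only runs `docker buildx imagetools create`, which sets no step outputs; the subject digest will be blank. Add `ref="$(jq -r '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")"` and `echo "digest=$(docker buildx imagetools inspect "$ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"` at the end of that script. The top of the step is not in the hunk; confirm no earlier line already exports the digest.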
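Review bot: `subject-digest: ${{ steps.push-dockerhub.outputs.digest }}` is never populated: the entire `push-dockerhub` script is visible in this hunk and consists only of the `imagetools create` command. Add `echo "digest=$(docker buildx imagetools inspect "$(jq -r '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"` after it. Because `push-to-registry: true` writes the attestation to Docker Hub, `env.DOCKERHUB_REPO` must be fully qualified (`index.docker.io/<ns>/<repo>`) and a `docker/login-action` for that registry must precede this step — both are outside the hunk.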
@@ -47,15 +47,14 @@ builds: signs: - cmd: cosign - stdin: "{{ .Env.COSIGN_PWD }}" + signature: "${artifact}.sigstore.json" args: - - "sign-blob" - - "--key=cosign.key" - - "--output-signature=${signature}" + - sign-blob + - "--bundle=${signature}" - "${artifact}" - - "--yes" # needed on cosign 2.0.0+ - artifacts: all - + - "--yes" + artifacts: checksum + output: true archives: - formats: [ 'tar.gz' ] # this name template makes the OS and Arch compatible with the results of uname. @@ -70,7 +69,8 @@ archives: format_overrides: - goos: windows formats: [ 'zip' ] - +sboms: + - artifacts: archive release: extra_files: - glob: dist/*.sig diff --git a/backend/go.sum b/backend/go.sum index 7bc52ea2..72192aaf 100644 --- a/backend/go.sum +++ b/backend/go.sum @@ -325,6 +325,8 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0= +github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs= github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/mfridman/interpolate v0.0.2 h1:pnuTK7MQIxxFz1Gr+rjSIx9u7qVjf5VOoM/u6BbAxPY= 
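Review bot: Removing `--key=cosign.key` and `stdin: "{{ .Env.COSIGN_PWD }}"` turns `sign-blob` into keyless Sigstore signing, which only works when the release job runs with `permissions: id-token: write` and can reach Fulcio/Rekor; the release workflow is not in this diff, so confirm that. The verification step consumers must run should be documented next to the release, pinning the signer identity rather than accepting any Fulcio certificate, e.g. `cosign verify-blob --bundle checksums.txt.sigstore.json --certificate-identity-regexp '^https://github.com/<org>/<repo>/' --certificate-oidc-issuer https://token.actions.githubusercontent.com checksums.txt`. Narrowing `artifacts: all` to `artifacts: checksum` is a reasonable pattern only if that doc also says to check each archive's hash against the signed checksums file. A comment above `signs:` such as `# keyless Sigstore signing of the checksums file; the .sigstore.json bundle carries cert + Rekor entry` would save the next maintainer a search.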
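Review bot: `extra_files: - glob: dist/*.sig` (context at the end of this hunk) is now stale — the `signs:` entry in this file writes `${artifact}.sigstore.json` bundles and no `.sig` files, so the glob matches nothing. GoReleaser uploads signature artifacts itself, so the entry can be dropped, or changed to `glob: dist/*.sigstore.json` if it was deliberately there. `sboms: - artifacts: archive` relies on GoReleaser's default SBOM command, which shells out to `syft`; verify the release runner has it installed or the pipeline will fail at that step.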
@@ -347,6 +349,8 @@ github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOF github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= github.com/olahol/melody v1.4.0 h1:Pa5SdeZL/zXPi1tJuMAPDbl4n3gQOThSL6G1p4qZ4SI= github.com/olahol/melody v1.4.0/go.mod h1:GgkTl6Y7yWj/HtfD48Q5vLKPVoZOH+Qqgfa7CvJgJM4= +github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= +github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo/v2 v2.9.2 h1:BA2GMJOtfGAfagzYtrAlufIP0lq6QERkFmHLMLPwFSU= github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxeMeDuts= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= @@ -389,6 +393,10 @@ github.com/shirou/gopsutil/v4 v4.25.11 h1:X53gB7muL9Gnwwo2evPSE+SfOrltMoR6V3xJAX github.com/shirou/gopsutil/v4 v4.25.11/go.mod h1:EivAfP5x2EhLp2ovdpKSozecVXn1TmuG7SMzs/Wh4PU= github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0= github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M= +github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= +github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
diff --git a/backend/internal/data/migrations/postgres/20250826000000_make_attachment_paths_relative.sql b/backend/internal/data/migrations/postgres/20250826000000_make_attachment_paths_relative.sql index 58221abc..75ac28b5 100644 --- a/backend/internal/data/migrations/postgres/20250826000000_make_attachment_paths_relative.sql +++ b/backend/internal/data/migrations/postgres/20250826000000_make_attachment_paths_relative.sql @@ -13,13 +13,9 @@ WHERE path LIKE '%/documents/%' -- Update Windows-style paths that contain "\documents\" by extracting the part starting from the UUID -- Convert backslashes to forward slashes in the process for consistency UPDATE attachments -SET path = REPLACE(SUBSTRING(path FROM POSITION('\documents\' IN path) - 36), '\', '/') -WHERE path LIKE '%\documents\%' - AND POSITION('\documents\' IN path) > 36; +SET path = REPLACE(SUBSTRING(path FROM POSITION(E'\\documents\\' IN path) - 36), E'\\', '/') +WHERE path LIKE E'%\\documents\\%' + AND POSITION(E'\\documents\\' IN path) > 36; -- For paths that already look like relative paths (start with UUID), leave them unchanged --- This handles cases where the migration might be run multiple times - --- +goose Down --- Note: This down migration cannot be safely implemented because we don't know --- what the original prefix paths were. This is a one-way migration. \ No newline at end of file +-- This handles cases where the migration might be run multiple times \ No newline at end of file
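Review bot: `WHERE path LIKE E'%\\documents\\%'` still does not match a literal backslash: the E-string yields the pattern `%\documents\%`, and in LIKE the backslash is the default escape character, so `\d` is a literal `d` and `\%` a literal `%` — the pattern matches paths containing `documents%`, not `\documents\`, and the Windows UPDATE silently touches zero rows (the removed `'%\documents\%'` had the same problem). Either double the backslashes once more for LIKE, `WHERE path LIKE E'%\\\\documents\\\\%'`, or drop the LIKE and keep only `WHERE POSITION(E'\\documents\\' IN path) > 36;`, which already requires the substring to be present. Deleting the `-- +goose Down` block also removes the only statement of the migration's one-way nature; keeping an empty Down section with the comment `-- one-way migration: original path prefixes are not recoverable` documents that intent without depending on how goose treats a missing section.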