add catalog validation to archive

catalog_validation/truecharts-fork/.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: CI
+
+on: [push]
+
+jobs:
+  build-deb:
+    runs-on: ubuntu-latest
+    container:
+      image: tccr.io/truecharts/catalog_validation:latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Build deb package
+        run: >
+          dpkg-buildpackage
+          -B
+          --no-sign
+          -jauto
+
+      - name: Create artifacts dir
+        run: mkdir artifacts
+        if: success()
+
+      - name: Move artifacts
+        run: mv ../*.deb artifacts
+        if: success()
+
+      - uses: actions/upload-artifact@v1
+        with:
+          name: py-catalog-validation
+          path: artifacts
+        if: success()

catalog_validation/truecharts-fork/.github/workflows/containers.build.yaml

@@ -0,0 +1,180 @@
+name: build_image
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  build:
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    name: Build
+    runs-on: ubuntu-22.04
+    if: "!contains(github.event.head_commit.message, '[ci-skip]')"
+    steps:
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
+    # Define if tests and push should be run against which versions/platforms
+    - name: Prepare
+      id: prep
+      run: |
+        PLATFORM="linux/amd64"
+        echo ::set-output name=platform::${PLATFORM}
+
+        if [ "${{github.event_name}}" == "pull_request" ]; then
+          echo ::set-output name=push::false
+          echo ::set-output name=cache_from::"type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ matrix.container }}:buildcache" || echo ::set-output name=cache_from::""
+          echo ::set-output name=cache_to::""
+        else
+          echo ::set-output name=push::true
+          echo ::set-output name=cache_from::"type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ matrix.container }}:buildcache"
+          echo ::set-output name=cache_to::"type=registry,ref=ghcr.io/${{ github.repository_owner }}/${{ matrix.container }}:buildcache,mode=max"
+        fi
+    - name: Get Time
+      id: time
+      uses: nanzm/get-time-action@887e4db9af58ebae64998b7105921b816af77977 # v2.0
+      with:
+        timeZone: 1
+        format: 'YYYYMMDDHHmmss'
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3
+      with:
+        platforms: amd64
+        
+    - uses: sigstore/cosign-installer@main
+        
+    - name: Install Syft
+      uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+
+    - name: Login to Quay
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
+      if: github.event_name != 'pull_request'
+      with:
+        registry: quay.io
+        username: ${{ secrets.QUAY_USER }}
+        password: ${{ secrets.QUAY_SECRET }}
+
+    - name: Login to GHCR
+      uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
+      if: github.event_name != 'pull_request'
+      with:
+        registry: ghcr.io
+        username: ${{ secrets.GHCR_USERNAME }}
+        password: ${{ secrets.GHCR_TOKEN }}
+        
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5
+      with:
+        # list of Docker images to use as base name for tags
+        images: |
+          quay.io/truecharts/catalog_validation
+          ghcr.io/truecharts/catalog_validation
+          tccr.io/truecharts/catalog_validation
+
+    # Install and configure Buildx
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
+      with:
+        install: true
+        version: latest
+        driver-opts: image=moby/buildkit:latest
+
+    # Creates a local build to run tests on
+    - name: Build and Load local test-container
+      if: ${{ steps.prep.outputs.goss == 'true' }}
+      uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
+      with:
+        build-args: |
+          CONTAINER_NAME=catalog_validation
+        context: .
+        file: ./Dockerfile
+        load: true
+        tags: |
+          ghcr.io/${{ github.repository_owner }}/catalog_validation:test
+
+    # Push if not a PR, otherwise just test the build process for all requested platforms
+    - name: Build and Push
+      id: push
+      uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5
+      with:
+        build-args: |
+          CONTAINER_NAME=catalog_validation
+        context: .
+        platforms: ${{ steps.prep.outputs.platform }}
+        file: ./Dockerfile
+        push: ${{ steps.prep.outputs.push }}
+        labels: ${{ steps.meta.outputs.labels }}
+        tags: |
+          quay.io/truecharts/catalog_validation:latest
+          quay.io/truecharts/catalog_validation:build${{ steps.time.outputs.time }}
+
+    - name: Set quay to Public
+      if: github.event_name != 'pull_request'
+      run: |
+        curl -X POST -H "Content-Type: application/json" -d '{"visibility": "public"}' -H "Authorization: Bearer ${{ secrets.QUAY_TOKEN }}" "https://quay.io/api/v1/repository/truecharts/catalog_validation/changevisibility"
+      
+    - name: Sign the images
+      if: github.event_name != 'pull_request'
+      run: |
+         cosign sign quay.io/truecharts/catalog_validation@${{ steps.push.outputs.digest }} -y -a "repo=${{ github.repository }}" -a "workflow=${{ github.workflow }}" -a "ref=${{ github.sha }}"
+        
+    - name: Verify the pushed tags
+      if: github.event_name != 'pull_request'
+      run: |
+         cosign verify quay.io/truecharts/catalog_validation@${{ steps.push.outputs.digest }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/catalog_validation/.github/workflows/containers.build.yaml@refs/heads/master
+      
+    - name: Generate SBOM 
+      if: github.event_name != 'pull_request'
+      run: |
+        syft "quay.io/truecharts/catalog_validation:build${{ steps.time.outputs.time }}@${{ steps.push.outputs.digest }}" -o spdx-json=catalog_validation-sbom-spdx.json
+      
+    - name: Attach SBOM to image
+      if: github.event_name != 'pull_request'
+      run: |
+        cosign attest --predicate catalog_validation-sbom-spdx.json --type spdx "quay.io/truecharts/catalog_validation@${{ steps.push.outputs.digest }}" -y
+
+        
+    - name: Verify SBOM attestation
+      if: github.event_name != 'pull_request'
+      run: |
+        cosign verify-attestation quay.io/truecharts/catalog_validation@${{ steps.push.outputs.digest }}  --type https://spdx.dev/Document --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/catalog_validation/.github/workflows/containers.build.yaml@refs/heads/master | jq '.payload |= @base64d | .payload | fromjson'
+        
+    - name: Generate provenance
+      id: gen-prov
+      if: github.event_name != 'pull_request'
+      run: |
+        wget https://github.com/slsa-framework/slsa-github-generator/releases/download/v1.5.0/slsa-generator-container-linux-amd64
+        chmod +x slsa-generator-container-linux-amd64
+        # Generate a predicate only.
+        ./slsa-generator-container-linux-amd64 generate --predicate="catalog_validation-predicate.json"
+      env:
+        UNTRUSTED_IMAGE: "quay.io/truecharts/catalog_validation"
+        UNTRUSTED_DIGEST: "${{ steps.push.outputs.digest }}"
+        GITHUB_CONTEXT: "${{ toJSON(github) }}"
+          
+    - name: Sign provenance
+      id: sign-prov
+      if: github.event_name != 'pull_request'
+      run: |
+        cosign attest --predicate="catalog_validation-predicate.json" \
+          --type slsaprovenance \
+          --yes \
+          "quay.io/truecharts/catalog_validation@${{ steps.push.outputs.digest }}"
+      env:
+        COSIGN_EXPERIMENTAL: 1
+        
+    - name: Verify provenance attestation
+      if: github.event_name != 'pull_request'
+      id: verf-prov
+      run: |
+        cosign verify-attestation quay.io/truecharts/catalog_validation@${{ steps.push.outputs.digest }} --type slsaprovenance --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/truecharts/catalog_validation/.github/workflows/containers.build.yaml@refs/heads/master | jq '.payload |= @base64d | .payload | fromjson'
+      env:
+        COSIGN_EXPERIMENTAL: 1
+        

catalog_validation/truecharts-fork/.github/workflows/lint.yml

@@ -0,0 +1,21 @@
+name: flake8
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v1
+      with:
+        python-version: 3.8
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install flake8
+    - name: Analysing the code with flake8
+      run: flake8 .

catalog_validation/truecharts-fork/.github/workflows/test.yaml

@@ -0,0 +1,24 @@
+name: catalog_validation_test
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v1
+      with:
+        python-version: 3.8
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r catalog_validation/pytest/requirements.txt
+        pip install -r requirements.txt
+    - name: Installing catalog validation
+      run: python setup.py install
+    - name: Running test
+      run: pytest catalog_validation/pytest/