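# SPDX-License-Identifier: PMPL-1.0-or-later
# Builds the extension inside a container, verifies the produced checksums,
# checks build reproducibility on pull requests, and runs basic security
# checks over the resulting .xpi.
name: Container Build

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Workflow-wide default token scope: read-only. Jobs that do not declare
# their own `permissions` block (reproducibility-check, security-scan)
# inherit this.
permissions:
  contents: read

jobs:
  container-build:
    runs-on: ubuntu-latest
    # Least privilege: no step in this job logs in to or pushes to a
    # registry, so the token only needs to read the repository. A job-level
    # `permissions` block replaces the workflow default rather than adding
    # to it, so `contents: read` is restated here.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4

      - name: Set up Podman
        run: |
          sudo apt-get update
          sudo apt-get install -y podman

      - name: Build container
        run: |
          podman build -f .containerization/Containerfile -t "fireflag:${{ github.sha }}" .

      - name: Extract artifacts
        run: |
          CONTAINER_ID=$(podman create "fireflag:${{ github.sha }}")
          mkdir -p build-output
          # Best effort on purpose: a missing artifact directory is reported
          # by the checksum step below, which fails the job with a clear
          # message instead of a bare `podman cp` error.
          podman cp "$CONTAINER_ID:/build/extension/web-ext-artifacts/" build-output/ || true
          podman rm "$CONTAINER_ID"

      - name: Verify checksums
        run: |
          # SHA256SUMS is mandatory: without it the .xpi cannot be verified
          # and the job would otherwise upload an unverified (or empty)
          # artifact while still reporting success.
          if [ ! -f build-output/web-ext-artifacts/SHA256SUMS ]; then
            echo "build-output/web-ext-artifacts/SHA256SUMS not found; extraction failed" >&2
            exit 1
          fi
          cd build-output/web-ext-artifacts
          sha256sum -c SHA256SUMS

      - name: Upload extension artifact
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
        with:
          name: fireflag-extension-${{ github.sha }}
          path: build-output/web-ext-artifacts/*.xpi
          # The action's default only warns on an empty glob; an .xpi that
          # was never produced must fail the build, not pass quietly.
          if-no-files-found: error
          retention-days: 30

      - name: Upload checksums
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
        with:
          name: fireflag-checksums-${{ github.sha }}
          path: build-output/web-ext-artifacts/SHA256SUMS*
          if-no-files-found: error
          retention-days: 30

  reproducibility-check:
    runs-on: ubuntu-latest
    needs: container-build
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4

      - name: Set up Podman
        run: |
          sudo apt-get update
          sudo apt-get install -y podman

      - name: Build container (attempt 1)
        run: |
          podman build -f .containerization/Containerfile -t fireflag:build1 .
          CONTAINER_ID=$(podman create fireflag:build1)
          mkdir -p build1
          # Informational job: a missing artifact directory is surfaced by
          # the diff in "Compare builds", so the copy stays best effort.
          podman cp "$CONTAINER_ID:/build/extension/web-ext-artifacts/" build1/ || true
          podman rm "$CONTAINER_ID"

      - name: Build container (attempt 2)
        run: |
          # Clean and rebuild to test reproducibility. `--no-cache` forces
          # every layer to be rebuilt; reusing cached layers from attempt 1
          # would make the two builds agree trivially and hide
          # non-determinism in the build steps themselves.
          podman rmi fireflag:build1
          podman build --no-cache -f .containerization/Containerfile -t fireflag:build2 .
          CONTAINER_ID=$(podman create fireflag:build2)
          mkdir -p build2
          podman cp "$CONTAINER_ID:/build/extension/web-ext-artifacts/" build2/ || true
          podman rm "$CONTAINER_ID"

      - name: Compare builds
        run: |
          echo "Comparing build artifacts for reproducibility..."
          # Note: Currently not fully reproducible due to timestamps in .xpi
          # This is a known limitation that will be addressed
          if diff -r build1/web-ext-artifacts build2/web-ext-artifacts; then
            echo "✓ Builds are reproducible!"
          else
            echo "⚠ Builds differ (this is expected currently)"
            echo "See .containerization/README.adoc for details"
          fi

  security-scan:
    runs-on: ubuntu-latest
    needs: container-build
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4

      - name: Download artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v4
        with:
          name: fireflag-extension-${{ github.sha }}
          path: artifacts/

      - name: Scan extension archive
        run: |
          set -euo pipefail
          # Unzip and scan contents. `unzip` treats a second positional
          # argument as a member pattern, so a glob expanding to more than
          # one .xpi would silently extract only the first; require exactly
          # one archive.
          shopt -s nullglob
          XPIS=(artifacts/*.xpi)
          if [ "${#XPIS[@]}" -ne 1 ]; then
            echo "Expected exactly one .xpi in artifacts/, found ${#XPIS[@]}" >&2
            exit 1
          fi
          mkdir -p /tmp/extension
          unzip "${XPIS[0]}" -d /tmp/extension

          # Basic security checks
          echo "Checking for executable scripts..."
          # The name tests are grouped so that `-executable` applies to both
          # patterns; without the parentheses `-o -name "*.html"` matched
          # every .html file regardless of mode. `find` exits 0 even when it
          # matches, so the result is inspected explicitly to fail the step.
          EXECUTABLES=$(find /tmp/extension -type f -executable \( -name "*.js" -o -name "*.html" \))
          if [ -n "$EXECUTABLES" ]; then
            echo "Executable script files found in the extension:" >&2
            echo "$EXECUTABLES" >&2
            exit 1
          fi

          echo "Verifying manifest..."
          jq empty /tmp/extension/manifest.json
          # `-e` sets jq's exit status from the result, so a manifest_version
          # other than 3 fails the step instead of merely printing `false`.
          jq -e '.manifest_version == 3' /tmp/extension/manifest.json

      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b # v3
        with:
          path: artifacts/
          base: ''
          head: ''
          extra_args: --only-verified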