Feat/signature verification with component tests

.github/workflows/component-tests.yaml

@@ -30,7 +30,8 @@ name: Node Agent Component Tests
 on:
   push:
     branches:
-      - main
+      - feat/signature-verification
+      - feat/tamperalert
   workflow_dispatch:
     inputs:
       build_image:
@@ -200,7 +201,9 @@ jobs:
           Test_23_RuleCooldownTest,
           Test_24_ProcessTreeDepthTest,
           Test_27_ApplicationProfileOpens,
-          Test_28_UserDefinedNetworkNeighborhood
+          Test_28_UserDefinedNetworkNeighborhood,
+          Test_29_SignedApplicationProfile,
+          Test_30_TamperedSignedProfiles
         ]
     steps:
       - name: Checkout code

.github/workflows/sign-object.yaml

@@ -0,0 +1,67 @@
+name: Build sign-object image
+
+on:
+  push:
+    branches: [main, feat/signature-verification]
+    paths:
+      - 'cmd/sign-object/**'
+      - 'pkg/signature/**'
+      - 'pkg/signature/profiles/**'
+      - 'go.mod'
+      - 'go.sum'
+  pull_request:
+    paths:
+      - 'cmd/sign-object/**'
+      - 'pkg/signature/**'
+      - 'pkg/signature/profiles/**'
+  workflow_dispatch:
+    inputs:
+      IMAGE_TAG:
+        required: false
+        type: string
+        default: 'latest'
+        description: 'Image tag for the sign-object image'
+
+permissions:
+  packages: write
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository_owner }}/sign-object
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set image tag
+        id: tag
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ -n "${{ inputs.IMAGE_TAG }}" ]; then
+            echo "tag=${{ inputs.IMAGE_TAG }}" >> "$GITHUB_OUTPUT"
+          elif [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo "tag=pr-${{ github.event.number }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=latest" >> "$GITHUB_OUTPUT"
+          fi
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        if: github.event_name != 'pull_request'
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: cmd/sign-object/Dockerfile
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          push: ${{ github.event_name != 'pull_request' }}

cmd/main.go

@@ -226,7 +226,7 @@ func main() {
 		ruleBindingCache = rulebindingcachev1.NewCache(cfg, k8sClient, ruleCreator)
 		rulesWatcher := ruleswatcher.NewRulesWatcher(k8sClient, ruleCreator, func() {
 			ruleBindingCache.RefreshRuleBindingsRules()
-		})
+		}, &cfg)
 		dWatcher.AddAdaptor(rulesWatcher)
 	}
 

cmd/sign-object/Dockerfile

@@ -0,0 +1,20 @@
+FROM --platform=$BUILDPLATFORM golang:1.25-trixie AS builder
+
+ENV GO111MODULE=on CGO_ENABLED=0
+WORKDIR /src
+ARG TARGETOS TARGETARCH
+
+COPY go.mod go.sum ./
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    go mod download
+
+COPY . .
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /sign-object ./cmd/sign-object
+
+FROM gcr.io/distroless/static-debian13:latest
+COPY --from=builder /sign-object /usr/local/bin/sign-object
+WORKDIR /work
+ENTRYPOINT ["sign-object"]