forked from TrueCloudLab/certificates
Merge pull request #1142 from smallstep/max/keyless-cosign
[action] keyless cosign for all release artifacts
This commit is contained in:
Max
GitHub
commit
995b6d1b6c
4 changed files with 42 additions and 143 deletions
75
.github/workflows/release.yml
vendored
75
.github/workflows/release.yml
vendored
|
|
@ -13,10 +13,14 @@ jobs:
|
|||
|
||||
create_release:
|
||||
name: Create Release
|
||||
#needs: ci
|
||||
runs-on: ubuntu-20.04
|
||||
needs: ci
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
DOCKER_IMAGE: smallstep/step-ca
|
||||
outputs:
|
||||
version: ${{ steps.extract-tag.outputs.VERSION }}
|
||||
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
||||
docker_tags: ${{ env.DOCKER_TAGS }}
|
||||
steps:
|
||||
- name: Is Pre-release
|
||||
id: is_prerelease
|
||||
|
|
@ -25,7 +29,17 @@ jobs:
|
|||
echo ${{ github.ref }} | grep "\-rc.*"
|
||||
OUT=$?
|
||||
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
||||
echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
|
||||
echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
|
||||
- name: Extract Tag Names
|
||||
id: extract-tag
|
||||
run: |
|
||||
VERSION=${GITHUB_REF#refs/tags/v}
|
||||
echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT}
|
||||
echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV}
|
||||
- name: Add Latest Tag
|
||||
if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
|
||||
run: |
|
||||
echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
|
||||
- name: Create Release
|
||||
id: create_release
|
||||
uses: actions/create-release@v1
|
||||
|
|
@ -39,8 +53,11 @@ jobs:
|
|||
|
||||
goreleaser:
|
||||
name: Upload Assets To Github w/ goreleaser
|
||||
runs-on: ubuntu-20.04
|
||||
runs-on: ubuntu-latest
|
||||
needs: create_release
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: write
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
|
|
@ -50,17 +67,14 @@ jobs:
|
|||
go-version: 1.19
|
||||
check-latest: true
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@v2.7.0
|
||||
uses: sigstore/cosign-installer@v2
|
||||
with:
|
||||
cosign-release: 'v1.12.1'
|
||||
- name: Write cosign key to disk
|
||||
id: write_key
|
||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
||||
cosign-release: 'v1.13.1'
|
||||
- name: Get Release Date
|
||||
id: release_date
|
||||
run: |
|
||||
RELEASE_DATE=$(date +"%y-%m-%d")
|
||||
echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
|
||||
echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
|
||||
- name: Run GoReleaser
|
||||
uses: goreleaser/goreleaser-action@v3
|
||||
with:
|
||||
|
|
@ -68,34 +82,19 @@ jobs:
|
|||
args: release --rm-dist
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
|
||||
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
||||
RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
|
||||
RELEASE_DATE: ${{ env.RELEASE_DATE }}
|
||||
COSIGN_EXPERIMENTAL: 1
|
||||
|
||||
build_upload_docker:
|
||||
name: Build & Upload Docker Images
|
||||
runs-on: ubuntu-20.04
|
||||
needs: ci
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: '1.19'
|
||||
check-latest: true
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@v1.1.0
|
||||
with:
|
||||
cosign-release: 'v1.1.0'
|
||||
- name: Write cosign key to disk
|
||||
id: write_key
|
||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
||||
- name: Build
|
||||
id: build
|
||||
run: |
|
||||
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
|
||||
make docker-artifacts
|
||||
env:
|
||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
|
||||
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
||||
needs: create_release
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: write
|
||||
uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
|
||||
with:
|
||||
platforms: linux/amd64,linux/386,linux/arm,linux/arm64
|
||||
tags: ${{ needs.create_release.outputs.docker_tags }}
|
||||
docker_image: smallstep/step-ca
|
||||
docker_file: docker/Dockerfile.step-ca
|
||||
secrets: inherit
|
||||
|
|
|
|||
|
|
@ -87,8 +87,9 @@ checksum:
|
|||
|
||||
signs:
|
||||
- cmd: cosign
|
||||
stdin: '{{ .Env.COSIGN_PWD }}'
|
||||
args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
|
||||
signature: "${artifact}.sig"
|
||||
certificate: "${artifact}.pem"
|
||||
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
|
||||
artifacts: all
|
||||
|
||||
snapshot:
|
||||
|
|
@ -154,8 +155,8 @@ release:
|
|||
|
||||
```
|
||||
cosign verify-blob \
|
||||
-key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \
|
||||
-signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig
|
||||
--certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
|
||||
--signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
|
||||
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
|
||||
```
|
||||
|
||||
|
|
|
|||
10
Makefile
10
Makefile
|
|
@ -79,8 +79,6 @@ $(info DEB_VERSION is $(DEB_VERSION))
|
|||
$(info PUSHTYPE is $(PUSHTYPE))
|
||||
endif
|
||||
|
||||
include make/docker.mk
|
||||
|
||||
#########################################
|
||||
# Build
|
||||
#########################################
|
||||
|
|
@ -232,11 +230,3 @@ debian: changelog
|
|||
distclean: clean
|
||||
|
||||
.PHONY: changelog debian distclean
|
||||
|
||||
#################################################
|
||||
# Targets for creating step artifacts
|
||||
#################################################
|
||||
|
||||
docker-artifacts: docker-$(PUSHTYPE)
|
||||
|
||||
.PHONY: docker-artifacts
|
||||
|
|
|
|||
|
|
@ -1,91 +0,0 @@
|
|||
#########################################
|
||||
# Building Docker Image
|
||||
#
|
||||
# This uses a multi-stage build file. The first stage is a builder (that might
|
||||
# be large in size). After the build has succeeded, the statically linked
|
||||
# binary is copied to a new image that is optimized for size.
|
||||
#########################################
|
||||
|
||||
ifeq (, $(shell which docker))
|
||||
DOCKER_CLIENT_OS := linux
|
||||
else
|
||||
DOCKER_CLIENT_OS := $(strip $(shell docker version -f '{{.Client.Os}}' 2>/dev/null))
|
||||
endif
|
||||
|
||||
DOCKER_PLATFORMS = linux/amd64,linux/386,linux/arm,linux/arm64
|
||||
DOCKER_IMAGE_NAME = smallstep/step-ca
|
||||
|
||||
docker-prepare:
|
||||
# Ensure, we can build for ARM architecture
|
||||
ifeq (linux,$(DOCKER_CLIENT_OS))
|
||||
[ -f /proc/sys/fs/binfmt_misc/qemu-arm ] || docker run --rm --privileged linuxkit/binfmt:v0.8-amd64
|
||||
endif
|
||||
|
||||
# Register buildx builder
|
||||
mkdir -p $$HOME/.docker/cli-plugins
|
||||
|
||||
test -f $$HOME/.docker/cli-plugins/docker-buildx || \
|
||||
(wget -q -O $$HOME/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.$(DOCKER_CLIENT_OS)-amd64 && \
|
||||
chmod +x $$HOME/.docker/cli-plugins/docker-buildx)
|
||||
|
||||
docker buildx create --use --name mybuilder --platform="$(DOCKER_PLATFORMS)" || true
|
||||
|
||||
.PHONY: docker-prepare
|
||||
|
||||
#################################################
|
||||
# Releasing Docker Images
|
||||
#
|
||||
# Using the docker build infrastructure, this section is responsible for
|
||||
# logging into docker hub.
|
||||
#################################################
|
||||
|
||||
# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
|
||||
# equivalent environment
|
||||
docker-login:
|
||||
$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
|
||||
|
||||
.PHONY: docker-login
|
||||
|
||||
#################################################
|
||||
# Targets for different type of builds
|
||||
#################################################
|
||||
|
||||
define DOCKER_BUILDX
|
||||
# $(1) -- Image Tag
|
||||
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
||||
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
||||
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
|
||||
|
||||
endef
|
||||
|
||||
# For non-master builds don't build the docker containers.
|
||||
docker-branch:
|
||||
|
||||
# For master builds don't build the docker containers.
|
||||
docker-master:
|
||||
|
||||
# For all builds with a release candidate tag build and push the containers.
|
||||
docker-release-candidate: docker-prepare docker-login
|
||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
||||
|
||||
# For all builds with a release tag build and push the containers.
|
||||
docker-release: docker-prepare docker-login
|
||||
$(call DOCKER_BUILDX,latest,--push)
|
||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
||||
|
||||
.PHONY: docker-branch docker-master docker-release-candidate docker-release
|
||||
|
||||
# XXX We put the output for the build in 'output' so we don't mess with how we
|
||||
# do rule overriding from the base Makefile (if you name it 'build' it messes up
|
||||
# the wildcarding).
|
||||
DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
|
||||
|
||||
DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(BINNAME)
|
||||
DOCKER_BUILD=$Q docker build -t $(DOCKER_IMAGE_NAME):latest -f docker/Dockerfile.step-ca --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(BINNAME) .
|
||||
|
||||
docker-dev: docker/Dockerfile.step-ca
|
||||
mkdir -p $(DOCKER_OUTPUT)
|
||||
$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
|
||||
$(call DOCKER_BUILD)
|
||||
|
||||
.PHONY: docker-dev
|
||||
Loading…
Reference in a new issue