Merge pull request #1142 from smallstep/max/keyless-cosign

[action] keyless cosign for all release artifacts
This commit is contained in:
Max 2022-10-29 17:22:51 -07:00 committed by GitHub
commit 995b6d1b6c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 42 additions and 143 deletions

View file

@ -13,10 +13,14 @@ jobs:
create_release: create_release:
name: Create Release name: Create Release
#needs: ci needs: ci
runs-on: ubuntu-20.04 runs-on: ubuntu-latest
env:
DOCKER_IMAGE: smallstep/step-ca
outputs: outputs:
version: ${{ steps.extract-tag.outputs.VERSION }}
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
docker_tags: ${{ env.DOCKER_TAGS }}
steps: steps:
- name: Is Pre-release - name: Is Pre-release
id: is_prerelease id: is_prerelease
@ -25,7 +29,17 @@ jobs:
echo ${{ github.ref }} | grep "\-rc.*" echo ${{ github.ref }} | grep "\-rc.*"
OUT=$? OUT=$?
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}" echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
- name: Extract Tag Names
id: extract-tag
run: |
VERSION=${GITHUB_REF#refs/tags/v}
echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT}
echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV}
- name: Add Latest Tag
if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
run: |
echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
- name: Create Release - name: Create Release
id: create_release id: create_release
uses: actions/create-release@v1 uses: actions/create-release@v1
@ -39,8 +53,11 @@ jobs:
goreleaser: goreleaser:
name: Upload Assets To Github w/ goreleaser name: Upload Assets To Github w/ goreleaser
runs-on: ubuntu-20.04 runs-on: ubuntu-latest
needs: create_release needs: create_release
permissions:
id-token: write
contents: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
@ -50,17 +67,14 @@ jobs:
go-version: 1.19 go-version: 1.19
check-latest: true check-latest: true
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@v2.7.0 uses: sigstore/cosign-installer@v2
with: with:
cosign-release: 'v1.12.1' cosign-release: 'v1.13.1'
- name: Write cosign key to disk
id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
- name: Get Release Date - name: Get Release Date
id: release_date id: release_date
run: | run: |
RELEASE_DATE=$(date +"%y-%m-%d") RELEASE_DATE=$(date +"%y-%m-%d")
echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}" echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
- name: Run GoReleaser - name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3 uses: goreleaser/goreleaser-action@v3
with: with:
@ -68,34 +82,19 @@ jobs:
args: release --rm-dist args: release --rm-dist
env: env:
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }} GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
COSIGN_PWD: ${{ secrets.COSIGN_PWD }} RELEASE_DATE: ${{ env.RELEASE_DATE }}
RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }} COSIGN_EXPERIMENTAL: 1
build_upload_docker: build_upload_docker:
name: Build & Upload Docker Images name: Build & Upload Docker Images
runs-on: ubuntu-20.04 needs: create_release
needs: ci permissions:
steps: id-token: write
- name: Checkout contents: write
uses: actions/checkout@v3 uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
- name: Setup Go
uses: actions/setup-go@v3
with: with:
go-version: '1.19' platforms: linux/amd64,linux/386,linux/arm,linux/arm64
check-latest: true tags: ${{ needs.create_release.outputs.docker_tags }}
- name: Install cosign docker_image: smallstep/step-ca
uses: sigstore/cosign-installer@v1.1.0 docker_file: docker/Dockerfile.step-ca
with: secrets: inherit
cosign-release: 'v1.1.0'
- name: Write cosign key to disk
id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
- name: Build
id: build
run: |
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
make docker-artifacts
env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}

View file

@ -87,8 +87,9 @@ checksum:
signs: signs:
- cmd: cosign - cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}' signature: "${artifact}.sig"
args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"] certificate: "${artifact}.pem"
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
artifacts: all artifacts: all
snapshot: snapshot:
@ -154,8 +155,8 @@ release:
``` ```
cosign verify-blob \ cosign verify-blob \
-key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \ --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
-signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
``` ```

View file

@ -79,8 +79,6 @@ $(info DEB_VERSION is $(DEB_VERSION))
$(info PUSHTYPE is $(PUSHTYPE)) $(info PUSHTYPE is $(PUSHTYPE))
endif endif
include make/docker.mk
######################################### #########################################
# Build # Build
######################################### #########################################
@ -232,11 +230,3 @@ debian: changelog
distclean: clean distclean: clean
.PHONY: changelog debian distclean .PHONY: changelog debian distclean
#################################################
# Targets for creating step artifacts
#################################################
docker-artifacts: docker-$(PUSHTYPE)
.PHONY: docker-artifacts

View file

@ -1,91 +0,0 @@
#########################################
# Building Docker Image
#
# This uses a multi-stage build file. The first stage is a builder (that might
# be large in size). After the build has succeeded, the statically linked
# binary is copied to a new image that is optimized for size.
#########################################
ifeq (, $(shell which docker))
DOCKER_CLIENT_OS := linux
else
DOCKER_CLIENT_OS := $(strip $(shell docker version -f '{{.Client.Os}}' 2>/dev/null))
endif
DOCKER_PLATFORMS = linux/amd64,linux/386,linux/arm,linux/arm64
DOCKER_IMAGE_NAME = smallstep/step-ca
docker-prepare:
# Ensure, we can build for ARM architecture
ifeq (linux,$(DOCKER_CLIENT_OS))
[ -f /proc/sys/fs/binfmt_misc/qemu-arm ] || docker run --rm --privileged linuxkit/binfmt:v0.8-amd64
endif
# Register buildx builder
mkdir -p $$HOME/.docker/cli-plugins
test -f $$HOME/.docker/cli-plugins/docker-buildx || \
(wget -q -O $$HOME/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.$(DOCKER_CLIENT_OS)-amd64 && \
chmod +x $$HOME/.docker/cli-plugins/docker-buildx)
docker buildx create --use --name mybuilder --platform="$(DOCKER_PLATFORMS)" || true
.PHONY: docker-prepare
#################################################
# Releasing Docker Images
#
# Using the docker build infrastructure, this section is responsible for
# logging into docker hub.
#################################################
# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
# equivalent environment
docker-login:
$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
.PHONY: docker-login
#################################################
# Targets for different type of builds
#################################################
define DOCKER_BUILDX
# $(1) -- Image Tag
# $(2) -- Push (empty is no push | --push will push to dockerhub)
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
endef
# For non-master builds don't build the docker containers.
docker-branch:
# For master builds don't build the docker containers.
docker-master:
# For all builds with a release candidate tag build and push the containers.
docker-release-candidate: docker-prepare docker-login
$(call DOCKER_BUILDX,$(VERSION),--push)
# For all builds with a release tag build and push the containers.
docker-release: docker-prepare docker-login
$(call DOCKER_BUILDX,latest,--push)
$(call DOCKER_BUILDX,$(VERSION),--push)
.PHONY: docker-branch docker-master docker-release-candidate docker-release
# XXX We put the output for the build in 'output' so we don't mess with how we
# do rule overriding from the base Makefile (if you name it 'build' it messes up
# the wildcarding).
DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(BINNAME)
DOCKER_BUILD=$Q docker build -t $(DOCKER_IMAGE_NAME):latest -f docker/Dockerfile.step-ca --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(BINNAME) .
docker-dev: docker/Dockerfile.step-ca
mkdir -p $(DOCKER_OUTPUT)
$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
$(call DOCKER_BUILD)
.PHONY: docker-dev