forked from TrueCloudLab/certificates
Merge pull request #1142 from smallstep/max/keyless-cosign
[action] keyless cosign for all release artifacts
This commit is contained in:
commit
995b6d1b6c
4 changed files with 42 additions and 143 deletions
75
.github/workflows/release.yml
vendored
75
.github/workflows/release.yml
vendored
|
@ -13,10 +13,14 @@ jobs:
|
||||||
|
|
||||||
create_release:
|
create_release:
|
||||||
name: Create Release
|
name: Create Release
|
||||||
#needs: ci
|
needs: ci
|
||||||
runs-on: ubuntu-20.04
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
DOCKER_IMAGE: smallstep/step-ca
|
||||||
outputs:
|
outputs:
|
||||||
|
version: ${{ steps.extract-tag.outputs.VERSION }}
|
||||||
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
||||||
|
docker_tags: ${{ env.DOCKER_TAGS }}
|
||||||
steps:
|
steps:
|
||||||
- name: Is Pre-release
|
- name: Is Pre-release
|
||||||
id: is_prerelease
|
id: is_prerelease
|
||||||
|
@ -25,7 +29,17 @@ jobs:
|
||||||
echo ${{ github.ref }} | grep "\-rc.*"
|
echo ${{ github.ref }} | grep "\-rc.*"
|
||||||
OUT=$?
|
OUT=$?
|
||||||
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
||||||
echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
|
echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
|
||||||
|
- name: Extract Tag Names
|
||||||
|
id: extract-tag
|
||||||
|
run: |
|
||||||
|
VERSION=${GITHUB_REF#refs/tags/v}
|
||||||
|
echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT}
|
||||||
|
echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV}
|
||||||
|
- name: Add Latest Tag
|
||||||
|
if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
|
||||||
|
run: |
|
||||||
|
echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
|
||||||
- name: Create Release
|
- name: Create Release
|
||||||
id: create_release
|
id: create_release
|
||||||
uses: actions/create-release@v1
|
uses: actions/create-release@v1
|
||||||
|
@ -39,8 +53,11 @@ jobs:
|
||||||
|
|
||||||
goreleaser:
|
goreleaser:
|
||||||
name: Upload Assets To Github w/ goreleaser
|
name: Upload Assets To Github w/ goreleaser
|
||||||
runs-on: ubuntu-20.04
|
runs-on: ubuntu-latest
|
||||||
needs: create_release
|
needs: create_release
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: write
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
|
@ -50,17 +67,14 @@ jobs:
|
||||||
go-version: 1.19
|
go-version: 1.19
|
||||||
check-latest: true
|
check-latest: true
|
||||||
- name: Install cosign
|
- name: Install cosign
|
||||||
uses: sigstore/cosign-installer@v2.7.0
|
uses: sigstore/cosign-installer@v2
|
||||||
with:
|
with:
|
||||||
cosign-release: 'v1.12.1'
|
cosign-release: 'v1.13.1'
|
||||||
- name: Write cosign key to disk
|
|
||||||
id: write_key
|
|
||||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
|
||||||
- name: Get Release Date
|
- name: Get Release Date
|
||||||
id: release_date
|
id: release_date
|
||||||
run: |
|
run: |
|
||||||
RELEASE_DATE=$(date +"%y-%m-%d")
|
RELEASE_DATE=$(date +"%y-%m-%d")
|
||||||
echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
|
echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
|
||||||
- name: Run GoReleaser
|
- name: Run GoReleaser
|
||||||
uses: goreleaser/goreleaser-action@v3
|
uses: goreleaser/goreleaser-action@v3
|
||||||
with:
|
with:
|
||||||
|
@ -68,34 +82,19 @@ jobs:
|
||||||
args: release --rm-dist
|
args: release --rm-dist
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
|
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
|
||||||
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
RELEASE_DATE: ${{ env.RELEASE_DATE }}
|
||||||
RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
|
COSIGN_EXPERIMENTAL: 1
|
||||||
|
|
||||||
build_upload_docker:
|
build_upload_docker:
|
||||||
name: Build & Upload Docker Images
|
name: Build & Upload Docker Images
|
||||||
runs-on: ubuntu-20.04
|
needs: create_release
|
||||||
needs: ci
|
permissions:
|
||||||
steps:
|
id-token: write
|
||||||
- name: Checkout
|
contents: write
|
||||||
uses: actions/checkout@v3
|
uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
|
||||||
- name: Setup Go
|
with:
|
||||||
uses: actions/setup-go@v3
|
platforms: linux/amd64,linux/386,linux/arm,linux/arm64
|
||||||
with:
|
tags: ${{ needs.create_release.outputs.docker_tags }}
|
||||||
go-version: '1.19'
|
docker_image: smallstep/step-ca
|
||||||
check-latest: true
|
docker_file: docker/Dockerfile.step-ca
|
||||||
- name: Install cosign
|
secrets: inherit
|
||||||
uses: sigstore/cosign-installer@v1.1.0
|
|
||||||
with:
|
|
||||||
cosign-release: 'v1.1.0'
|
|
||||||
- name: Write cosign key to disk
|
|
||||||
id: write_key
|
|
||||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
|
||||||
- name: Build
|
|
||||||
id: build
|
|
||||||
run: |
|
|
||||||
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
|
|
||||||
make docker-artifacts
|
|
||||||
env:
|
|
||||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
|
||||||
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
|
|
||||||
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
|
||||||
|
|
|
@ -87,8 +87,9 @@ checksum:
|
||||||
|
|
||||||
signs:
|
signs:
|
||||||
- cmd: cosign
|
- cmd: cosign
|
||||||
stdin: '{{ .Env.COSIGN_PWD }}'
|
signature: "${artifact}.sig"
|
||||||
args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
|
certificate: "${artifact}.pem"
|
||||||
|
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
|
||||||
artifacts: all
|
artifacts: all
|
||||||
|
|
||||||
snapshot:
|
snapshot:
|
||||||
|
@ -154,8 +155,8 @@ release:
|
||||||
|
|
||||||
```
|
```
|
||||||
cosign verify-blob \
|
cosign verify-blob \
|
||||||
-key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \
|
--certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
|
||||||
-signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig
|
--signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
|
||||||
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
|
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
10
Makefile
10
Makefile
|
@ -79,8 +79,6 @@ $(info DEB_VERSION is $(DEB_VERSION))
|
||||||
$(info PUSHTYPE is $(PUSHTYPE))
|
$(info PUSHTYPE is $(PUSHTYPE))
|
||||||
endif
|
endif
|
||||||
|
|
||||||
include make/docker.mk
|
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# Build
|
# Build
|
||||||
#########################################
|
#########################################
|
||||||
|
@ -232,11 +230,3 @@ debian: changelog
|
||||||
distclean: clean
|
distclean: clean
|
||||||
|
|
||||||
.PHONY: changelog debian distclean
|
.PHONY: changelog debian distclean
|
||||||
|
|
||||||
#################################################
|
|
||||||
# Targets for creating step artifacts
|
|
||||||
#################################################
|
|
||||||
|
|
||||||
docker-artifacts: docker-$(PUSHTYPE)
|
|
||||||
|
|
||||||
.PHONY: docker-artifacts
|
|
||||||
|
|
|
@ -1,91 +0,0 @@
|
||||||
#########################################
|
|
||||||
# Building Docker Image
|
|
||||||
#
|
|
||||||
# This uses a multi-stage build file. The first stage is a builder (that might
|
|
||||||
# be large in size). After the build has succeeded, the statically linked
|
|
||||||
# binary is copied to a new image that is optimized for size.
|
|
||||||
#########################################
|
|
||||||
|
|
||||||
ifeq (, $(shell which docker))
|
|
||||||
DOCKER_CLIENT_OS := linux
|
|
||||||
else
|
|
||||||
DOCKER_CLIENT_OS := $(strip $(shell docker version -f '{{.Client.Os}}' 2>/dev/null))
|
|
||||||
endif
|
|
||||||
|
|
||||||
DOCKER_PLATFORMS = linux/amd64,linux/386,linux/arm,linux/arm64
|
|
||||||
DOCKER_IMAGE_NAME = smallstep/step-ca
|
|
||||||
|
|
||||||
docker-prepare:
|
|
||||||
# Ensure, we can build for ARM architecture
|
|
||||||
ifeq (linux,$(DOCKER_CLIENT_OS))
|
|
||||||
[ -f /proc/sys/fs/binfmt_misc/qemu-arm ] || docker run --rm --privileged linuxkit/binfmt:v0.8-amd64
|
|
||||||
endif
|
|
||||||
|
|
||||||
# Register buildx builder
|
|
||||||
mkdir -p $$HOME/.docker/cli-plugins
|
|
||||||
|
|
||||||
test -f $$HOME/.docker/cli-plugins/docker-buildx || \
|
|
||||||
(wget -q -O $$HOME/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.$(DOCKER_CLIENT_OS)-amd64 && \
|
|
||||||
chmod +x $$HOME/.docker/cli-plugins/docker-buildx)
|
|
||||||
|
|
||||||
docker buildx create --use --name mybuilder --platform="$(DOCKER_PLATFORMS)" || true
|
|
||||||
|
|
||||||
.PHONY: docker-prepare
|
|
||||||
|
|
||||||
#################################################
|
|
||||||
# Releasing Docker Images
|
|
||||||
#
|
|
||||||
# Using the docker build infrastructure, this section is responsible for
|
|
||||||
# logging into docker hub.
|
|
||||||
#################################################
|
|
||||||
|
|
||||||
# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or
|
|
||||||
# equivalent environment
|
|
||||||
docker-login:
|
|
||||||
$Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)"
|
|
||||||
|
|
||||||
.PHONY: docker-login
|
|
||||||
|
|
||||||
#################################################
|
|
||||||
# Targets for different type of builds
|
|
||||||
#################################################
|
|
||||||
|
|
||||||
define DOCKER_BUILDX
|
|
||||||
# $(1) -- Image Tag
|
|
||||||
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
|
||||||
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
|
||||||
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
|
|
||||||
|
|
||||||
endef
|
|
||||||
|
|
||||||
# For non-master builds don't build the docker containers.
|
|
||||||
docker-branch:
|
|
||||||
|
|
||||||
# For master builds don't build the docker containers.
|
|
||||||
docker-master:
|
|
||||||
|
|
||||||
# For all builds with a release candidate tag build and push the containers.
|
|
||||||
docker-release-candidate: docker-prepare docker-login
|
|
||||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
|
||||||
|
|
||||||
# For all builds with a release tag build and push the containers.
|
|
||||||
docker-release: docker-prepare docker-login
|
|
||||||
$(call DOCKER_BUILDX,latest,--push)
|
|
||||||
$(call DOCKER_BUILDX,$(VERSION),--push)
|
|
||||||
|
|
||||||
.PHONY: docker-branch docker-master docker-release-candidate docker-release
|
|
||||||
|
|
||||||
# XXX We put the output for the build in 'output' so we don't mess with how we
|
|
||||||
# do rule overriding from the base Makefile (if you name it 'build' it messes up
|
|
||||||
# the wildcarding).
|
|
||||||
DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
|
|
||||||
|
|
||||||
DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(BINNAME)
|
|
||||||
DOCKER_BUILD=$Q docker build -t $(DOCKER_IMAGE_NAME):latest -f docker/Dockerfile.step-ca --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(BINNAME) .
|
|
||||||
|
|
||||||
docker-dev: docker/Dockerfile.step-ca
|
|
||||||
mkdir -p $(DOCKER_OUTPUT)
|
|
||||||
$(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca)
|
|
||||||
$(call DOCKER_BUILD)
|
|
||||||
|
|
||||||
.PHONY: docker-dev
|
|
Loading…
Reference in a new issue