From c43d59a69a220f82142677fe9fc624d9203f416e Mon Sep 17 00:00:00 2001
From: max furman
Date: Tue, 25 Oct 2022 21:26:50 -0700
Subject: [PATCH] [action] keyless cosign for all release artifacts

---
 .github/workflows/release.yml | 38 +++++++++++++++++------------------
 .goreleaser.yml | 9 +++++----
 make/docker.mk | 2 +-
 3 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4c00ad04..48bbf730 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,8 +13,8 @@ jobs:
 create_release:
 name: Create Release
- #needs: ci
- runs-on: ubuntu-20.04
+ needs: ci
+ runs-on: ubuntu-latest
 outputs:
 is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 steps:
@@ -25,7 +25,7 @@ jobs:
 echo ${{ github.ref }} | grep "\-rc.*"
 OUT=$?
 if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
- echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
+ echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
 - name: Create Release
 id: create_release
 uses: actions/create-release@v1
@@ -39,8 +39,11 @@ jobs:
 goreleaser:
 name: Upload Assets To Github w/ goreleaser
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 needs: create_release
+ permissions:
+ id-token: write
+ contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -50,17 +53,14 @@ jobs:
 go-version: 1.19
 check-latest: true
 - name: Install cosign
- uses: sigstore/cosign-installer@v2.7.0
+ uses: sigstore/cosign-installer@v2
 with:
- cosign-release: 'v1.12.1'
- - name: Write cosign key to disk
- id: write_key
- run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+ cosign-release: 'v1.13.1'
 - name: Get Release Date
 id: release_date
 run: |
 RELEASE_DATE=$(date +"%y-%m-%d")
- echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
+ echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v3
 with:
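Review bot: The new `echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}` leaves the redirect target unquoted; the runner sets that path and it contains no whitespace today, but `>> "${GITHUB_OUTPUT}"` is the conventional form and rules out a silent word split if that ever changes. The same applies to `>> ${GITHUB_ENV}` in the `@@ -50,17 +53,14 @@` hunk below. The `run: |` script this line belongs to starts before the hunk.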
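Review bot: With `contents: write` now granted to the `goreleaser` job, the step's `GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}` (visible in the `@@ -68,13 +68,16 @@` hunk) may no longer need a personal access token: the job-scoped `${{ secrets.GITHUB_TOKEN }}` can create the release and upload assets on this repository and expires with the job, whereas a PAT is a long-lived credential carrying whatever scopes it was created with. If goreleaser also pushes to another repository (a Homebrew tap, for instance), which this diff does not show, the PAT is still required there; otherwise swapping it for the ephemeral token shrinks what a leaked log or compromised step could do. The explicit `permissions:` block also drops every permission not listed, which is the right direction for a job that now mints OIDC tokens.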
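Review bot: `uses: sigstore/cosign-installer@v2` moves from the previously pinned `v2.7.0` to a floating major tag, and this step installs the tool that signs every release artifact, so a mistake or compromise in the upstream action repository would change what gets installed without any change here. Pinning to a full commit SHA with a version comment — `uses: sigstore/cosign-installer@<commit-sha>  # v2.x.y` (SHA to be filled in from the upstream release) — keeps upgrades explicit and reviewable; the identical line in the `build_upload_docker` job (hunk `@@ -84,12 +87,9 @@`) needs the same treatment. Keeping `cosign-release: 'v1.13.1'` pinned is good; the action reference is the part that still floats.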
@@ -68,13 +68,16 @@ jobs:
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
- RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
+ RELEASE_DATE: ${RELEASE_DATE}
+ COSIGN_EXPERIMENTAL: 1
 build_upload_docker:
 name: Build & Upload Docker Images
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 needs: ci
+ permissions:
+ id-token: write
+ contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -84,12 +87,9 @@ jobs:
 go-version: '1.19'
 check-latest: true
 - name: Install cosign
- uses: sigstore/cosign-installer@v1.1.0
+ uses: sigstore/cosign-installer@v2
 with:
- cosign-release: 'v1.1.0'
- - name: Write cosign key to disk
- id: write_key
- run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+ cosign-release: 'v1.13.1'
 - name: Build
 id: build
 run: |
@@ -98,4 +98,4 @@ jobs:
 env:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yml b/.goreleaser.yml
index c8650d5b..43ffadb3 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -87,8 +87,9 @@ checksum:
 signs:
 - cmd: cosign
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
 artifacts: all
 snapshot:
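Review bot: `RELEASE_DATE: ${RELEASE_DATE}` under the goreleaser step's `env:` is not shell-expanded — the workflow parser hands goreleaser the literal string `${RELEASE_DATE}`, since `${{ ... }}` is the only interpolation available in a workflow mapping. The previous step already appends `RELEASE_DATE` to `$GITHUB_ENV`, which makes it an environment variable for every later step of the job, so the simplest fix is to delete this line; if you want it explicit, write `RELEASE_DATE: ${{ env.RELEASE_DATE }}`. As written, the step-level entry most likely shadows the exported value and whatever templates on `.Env.RELEASE_DATE` will see the literal text — worth checking on a snapshot run. The step's `with:`/`env:` mapping starts before this hunk.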
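Review bot: The new five-element `args:` flow sequence in the `signs:` stanza runs far past 120 columns; for a line that decides what gets signed and how, a block sequence with one `- "..."` per line reads and diffs much better. Separately, confirm on a snapshot build that the pinned `v1.13.1` does not stop at an interactive confirmation before uploading to the public transparency log: late-1.x cosign releases added such a prompt, skippable with `--yes` (or `COSIGN_YES=true` in the step env), and goreleaser runs the command without a terminal.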
@@ -154,8 +155,8 @@ release:
 ```
 cosign verify-blob \
- -key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \
- -signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig
+ --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
+ --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
 ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
 ```
diff --git a/make/docker.mk b/make/docker.mk
index edb82423..0d56e663 100644
--- a/make/docker.mk
+++ b/make/docker.mk
@@ -54,7 +54,7 @@ define DOCKER_BUILDX
 # $(1) -- Image Tag
 # $(2) -- Push (empty is no push | --push will push to dockerhub)
 docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
- echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
+ cosign sign -r $(DOCKER_IMAGE_NAME):$(1)
 endef
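Review bot: The verify example points `--certificate` at `…_amd64.tar.gz.sig.pem`, but the `signs:` stanza this commit adds to `.goreleaser.yml` templates the certificate as `${artifact}.pem`, which would put it at `…_amd64.tar.gz.pem` beside `…_amd64.tar.gz.sig`; unless goreleaser renames the file on upload, readers following the notes will get a file-not-found. Change the line to `--certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.pem \`. The notes should also state which signing identity a reader should expect in that certificate (this repository's release workflow on GitHub's OIDC issuer), because a Fulcio certificate by itself only proves that some OIDC identity signed the blob; cosign's `--certificate-identity` / `--certificate-oidc-issuer` options exist for that check in versions that support them. The `release:` notes template this text lives in begins before the hunk.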
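Review bot: `cosign sign -r $(DOCKER_IMAGE_NAME):$(1)` signs by tag, so the reference is resolved to a digest only at signing time; anything that moves the tag between the `docker buildx build … $(2)` push and this call (a concurrent job pushing the same tag, say) gets signed in place of what was just built, which is why recent cosign releases warn when handed a tag rather than a digest. Sign the digest you just pushed instead: have buildx record it with `--metadata-file` and pass `$(DOCKER_IMAGE_NAME)@<digest-from-metadata>` to cosign. The call is also unconditional while `$(2)` may be empty (no push), and cosign cannot sign an image that was never pushed, so the signing line should be gated on the push flag; both points carried over from the removed line, but the keyless switch is the natural moment to fix them. The `define DOCKER_BUILDX` block begins before the hunk.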