[action] keyless cosign for all release artifacts
parent
0af15a0538
commit
c43d59a69a
3 changed files with 25 additions and 24 deletions
38
.github/workflows/release.yml
|
@ -13,8 +13,8 @@ jobs:
|
||||||
|
|
||||||
create_release:
|
create_release:
|
||||||
name: Create Release
|
name: Create Release
|
||||||
#needs: ci
|
needs: ci
|
||||||
runs-on: ubuntu-20.04
|
runs-on: ubuntu-latest
|
||||||
outputs:
|
outputs:
|
||||||
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
||||||
steps:
|
steps:
|
||||||
|
@ -25,7 +25,7 @@ jobs:
|
||||||
echo ${{ github.ref }} | grep "\-rc.*"
|
echo ${{ github.ref }} | grep "\-rc.*"
|
||||||
OUT=$?
|
OUT=$?
|
||||||
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
||||||
echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
|
echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
|
||||||
- name: Create Release
|
- name: Create Release
|
||||||
id: create_release
|
id: create_release
|
||||||
uses: actions/create-release@v1
|
uses: actions/create-release@v1
|
||||||
|
@ -39,8 +39,11 @@ jobs:
|
||||||
|
|
||||||
goreleaser:
|
goreleaser:
|
||||||
name: Upload Assets To Github w/ goreleaser
|
name: Upload Assets To Github w/ goreleaser
|
||||||
runs-on: ubuntu-20.04
|
runs-on: ubuntu-latest
|
||||||
needs: create_release
|
needs: create_release
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: write
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
|
@ -50,17 +53,14 @@ jobs:
|
||||||
go-version: 1.19
|
go-version: 1.19
|
||||||
check-latest: true
|
check-latest: true
|
||||||
- name: Install cosign
|
- name: Install cosign
|
||||||
uses: sigstore/cosign-installer@v2.7.0
|
uses: sigstore/cosign-installer@v2
|
||||||
with:
|
with:
|
||||||
cosign-release: 'v1.12.1'
|
cosign-release: 'v1.13.1'
|
||||||
- name: Write cosign key to disk
|
|
||||||
id: write_key
|
|
||||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
|
||||||
- name: Get Release Date
|
- name: Get Release Date
|
||||||
id: release_date
|
id: release_date
|
||||||
run: |
|
run: |
|
||||||
RELEASE_DATE=$(date +"%y-%m-%d")
|
RELEASE_DATE=$(date +"%y-%m-%d")
|
||||||
echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
|
echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
|
||||||
- name: Run GoReleaser
|
- name: Run GoReleaser
|
||||||
uses: goreleaser/goreleaser-action@v3
|
uses: goreleaser/goreleaser-action@v3
|
||||||
with:
|
with:
|
||||||
|
@ -68,13 +68,16 @@ jobs:
|
||||||
args: release --rm-dist
|
args: release --rm-dist
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
|
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
|
||||||
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
RELEASE_DATE: ${RELEASE_DATE}
|
||||||
RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
|
COSIGN_EXPERIMENTAL: 1
|
||||||
|
|
||||||
build_upload_docker:
|
build_upload_docker:
|
||||||
name: Build & Upload Docker Images
|
name: Build & Upload Docker Images
|
||||||
runs-on: ubuntu-20.04
|
runs-on: ubuntu-latest
|
||||||
needs: ci
|
needs: ci
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: write
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
|
@ -84,12 +87,9 @@ jobs:
|
||||||
go-version: '1.19'
|
go-version: '1.19'
|
||||||
check-latest: true
|
check-latest: true
|
||||||
- name: Install cosign
|
- name: Install cosign
|
||||||
uses: sigstore/cosign-installer@v1.1.0
|
uses: sigstore/cosign-installer@v2
|
||||||
with:
|
with:
|
||||||
cosign-release: 'v1.1.0'
|
cosign-release: 'v1.13.1'
|
||||||
- name: Write cosign key to disk
|
|
||||||
id: write_key
|
|
||||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
|
||||||
- name: Build
|
- name: Build
|
||||||
id: build
|
id: build
|
||||||
run: |
|
run: |
|
||||||
|
@ -98,4 +98,4 @@ jobs:
|
||||||
env:
|
env:
|
||||||
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
|
||||||
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
|
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
|
||||||
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
COSIGN_EXPERIMENTAL: 1
|
||||||
|
|
|
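Review bot: `RELEASE_DATE: ${RELEASE_DATE}` in the GoReleaser step's `env:` block is shell syntax, not an Actions expression, so the step receives the literal string `${RELEASE_DATE}`; a step-level `env:` entry appears to take precedence over the job environment populated through `$GITHUB_ENV` in the preceding step, so this line overrides the value that step just exported. Either drop the line (the `GITHUB_ENV` write already exposes it to later steps) or write `RELEASE_DATE: ${{ env.RELEASE_DATE }}`. The new `permissions:` block on `build_upload_docker` grants `contents: write`, but that job appears to only check out the repository and push images with Docker Hub credentials, so `contents: read` would be the least-privilege choice unless the invoked Makefile target uploads to the release. Since the workflow now mints release signatures from its OIDC identity, the third-party actions (`sigstore/cosign-installer@v2`, `actions/checkout@v3`, `goreleaser/goreleaser-action@v3`) would be better pinned to a full commit SHA with the tag in a trailing comment, so a retargeted tag cannot change what runs with `id-token: write`. The `goreleaser` and `build_upload_docker` job definitions continue outside the visible hunks.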
@ -87,8 +87,9 @@ checksum:
|
||||||
|
|
||||||
signs:
|
signs:
|
||||||
- cmd: cosign
|
- cmd: cosign
|
||||||
stdin: '{{ .Env.COSIGN_PWD }}'
|
signature: "${artifact}.sig"
|
||||||
args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
|
certificate: "${artifact}.pem"
|
||||||
|
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
|
||||||
artifacts: all
|
artifacts: all
|
||||||
|
|
||||||
snapshot:
|
snapshot:
|
||||||
|
@ -154,8 +155,8 @@ release:
|
||||||
|
|
||||||
```
|
```
|
||||||
cosign verify-blob \
|
cosign verify-blob \
|
||||||
-key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \
|
--certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
|
||||||
-signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig
|
--signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
|
||||||
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
|
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
|
||||||
```
|
```
|
||||||
|
|
||||||
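Review bot: The certificate filename in the release-notes verification command does not match what the `signs` block now produces: the config sets `certificate: "${artifact}.pem"`, so the attached file is `step-ca_darwin_{{ .Version }}_amd64.tar.gz.pem`, while the `cosign verify-blob` example passes `--certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem`; one side has to change, e.g. `certificate: "${artifact}.sig.pem"` or the documented path shortened to `.pem`. The example also accepts whatever Fulcio certificate is supplied without constraining it, so a reader following it would treat a blob signed by any keyless identity as valid; the notes should tell verifiers to pin the expected issuer and signing identity with the flags their cosign version offers (`--certificate-oidc-issuer https://token.actions.githubusercontent.com` plus the matching identity flag), and should mention that keyless verification with cosign 1.x may need `COSIGN_EXPERIMENTAL=1` in the verifier's environment, mirroring what the workflow sets for signing. The long flow-style `args:` list would read more clearly as a block sequence with one flag per line.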
|
|
|
@ -54,7 +54,7 @@ define DOCKER_BUILDX
|
||||||
# $(1) -- Image Tag
|
# $(1) -- Image Tag
|
||||||
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
# $(2) -- Push (empty is no push | --push will push to dockerhub)
|
||||||
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
|
||||||
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1)
|
cosign sign -r $(DOCKER_IMAGE_NAME):$(1)
|
||||||
|
|
||||||
endef
|
endef
|
||||||
|
|
||||||
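Review bot: `cosign sign -r $(DOCKER_IMAGE_NAME):$(1)` signs a mutable tag reference; cosign resolves the tag to a digest at signing time, so the signature is bound to whatever the tag points at in that instant rather than to the image this macro just built, and cosign prints a warning for exactly this case. Capturing the pushed digest (for example via `docker buildx imagetools inspect`) and signing `$(DOCKER_IMAGE_NAME)@<digest>` ties the signature to the built artifact. Separately, the sign line runs whether `$(2)` is `--push` or empty, so a local build without a push attempts to sign an image that may not exist in the registry; that behaviour predates this change. The macro now also depends on `COSIGN_EXPERIMENTAL=1` and an ambient OIDC token, which the comment block above could record, e.g. `# requires COSIGN_EXPERIMENTAL=1 and an OIDC identity (GitHub Actions id-token: write)`.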
|
|