From 27e7b01111e1c8e7824a04828801408cef69778f Mon Sep 17 00:00:00 2001
From: cpanato
Date: Tue, 14 Mar 2023 14:02:08 +0100
Subject: [PATCH] refactor release job
Signed-off-by: cpanato
---
 .github/workflows/release.yml | 62 ++++++++++++---------
 .gitignore | 2 +-
 .goreleaser.yml | 81 +++++++++++++++++-----------
 hack/boilerplate/boilerplate.sh.txt | 2 +-
 scripts/build-sign-release-images.sh | 34 ++++++++++++
 5 files changed, 124 insertions(+), 57 deletions(-)
 create mode 100755 scripts/build-sign-release-images.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1022d911b6..32ae11ac77 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,24 +11,50 @@ jobs:
 hashes: ${{ steps.hash.outputs.hashes }}
 tag_name: ${{ steps.tag.outputs.tag_name }}
+ permissions:
+ packages: write
+ id-token: write
+ contents: write
+
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
+ - run: git fetch --prune --unshallow
+
 - uses: actions/setup-go@v3
 with:
 go-version: '1.20'
 check-latest: true
+
+ - uses: ko-build/setup-ko@v0.6 # This installs the current latest release.
+
+ - uses: imjasonh/setup-crane@v0.3
+
+ - uses: sigstore/cosign-installer@v3.0.1
+
 - name: Set tag output
 id: tag
 run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
+
 - uses: goreleaser/goreleaser-action@v4.2.0
 id: run-goreleaser
 with:
 version: latest
- args: release --rm-dist
+ args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: sign ko-image run: ./scripts/build-sign-release-images.sh env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GIT_HASH: ${{ github.sha }} GIT_TAG: ${{ steps.tag.outputs.tag_name }} RUN_ATTEMPT: ${{ github.run_attempt }} RUN_ID: ${{ github.run_id }} REGISTRY: "ghcr.io/${{ github.repository }}"
+
 - name: Generate subject
 id: hash
 env:
@@ -37,35 +63,17 @@ jobs:
 set -euo pipefail
 checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
- echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"
-
- publish:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - run: git fetch --prune --unshallow
- - uses: actions/setup-go@v3
- with:
- go-version: '1.20'
- check-latest: true
- - uses: imjasonh/setup-ko@v0.6 # This installs the current latest release.
- - uses: sigstore/cosign-installer@v3.0.1
- - run: |
- tag=$(echo ${{ github.ref }} | cut -c11-) # get tag name without tags/refs/ prefix.
- img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} -t ${tag} ./)
- echo "built ${img}"
- cosign sign ${img} \
- -a sha=${{ github.sha }} \
- -a run_id=${{ github.run_id }} \
- -a run_attempt=${{ github.run_attempt }} \
- -a tag=${tag}
+ echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
 provenance:
- needs: [goreleaser]
+ needs:
+ - goreleaser
+
 permissions:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
+
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
@@ -73,9 +81,13 @@ jobs:
 upload-tag-name: "${{ needs.release.outputs.tag_name }}"
 verification:
- needs: [goreleaser, provenance]
+ needs:
+ - goreleaser
+ - provenance
+
 runs-on: ubuntu-latest
 permissions: read-all
+
 steps:
 # Note: this will be replaced with the GHA in the future.
 - name: Install the verifier
diff --git a/.gitignore b/.gitignore
index 2d8e0e742f..83acd05615 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 # Ignore GoLand (IntelliJ) files.
 .idea/
-
+imagerefs
 ko
 .DS_Store
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 2afaa2bbab..011ebac545 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,45 +1,66 @@
-# This is an example goreleaser.yaml file with some sane defaults.
 # Make sure to check the documentation at http://goreleaser.com
 before:
 hooks:
- # you may remove this if you don't use vgo
 - go mod tidy
- # you may remove this if you don't need go generate
- - go generate ./...
+ - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+
 builds:
-- main: ./main.go
- env:
- - CGO_ENABLED=0
- flags:
- - -trimpath
- ldflags:
- - "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
- goos:
- - windows
- - linux
- - darwin
- goarch:
- - amd64
- - arm64
- - s390x
- - 386
- - mips64le
- - ppc64le
+ - id: binary
+ main: ./main.go
+ env:
+ - CGO_ENABLED=0
+ flags:
+ - -trimpath
+ ldflags:
+ "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
+ goos:
+ - windows
+ - linux
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+ - s390x
+ - 386
+ - mips64le
+ - ppc64le
+
+kos:
+ - id: ko-image
+ build: binary
+ main: .
+ base_image: golang:1.20
+ ldflags:
+ - "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
+ platforms:
+ - all
+ tags:
+ - '{{ .Tag }}'
+ - '{{ .FullCommit }}'
+ - latest
+ sbom: spdx
+ bare: true
+ preserve_import_paths: false
+ base_import_paths: false
+
 archives:
-- replacements:
- darwin: Darwin
- linux: Linux
- windows: Windows
- 386: i386
- amd64: x86_64
+ - name_template: >- {{ .ProjectName }}_ {{- title .Os }}_ {{- if eq .Arch "amd64" }}x86_64 {{- else if eq .Arch "386" }}i386 {{- else }}{{ .Arch }}{{ end }}
+
 checksum:
 name_template: 'checksums.txt'
+
 snapshot:
 name_template: "{{ .Tag }}-next"
+
 changelog:
 sort: asc
 use: github
 filters:
 exclude:
- - '^docs:'
- - '^test:'
+ - '^docs:'
+ - '^test:'
diff --git a/hack/boilerplate/boilerplate.sh.txt b/hack/boilerplate/boilerplate.sh.txt
index 35082a679b..fe3c7688c9 100755
--- a/hack/boilerplate/boilerplate.sh.txt
+++ b/hack/boilerplate/boilerplate.sh.txt
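Review bot: The new `kos` entry takes its base image by floating tag, `base_image: golang:1.20`, so the published release image depends on whatever that tag points at when the job runs, which weakens what the `sbom: spdx` output and the cosign signature over the image actually attest to; pin it by digest, `base_image: golang:1.20@sha256:<base-image-digest-placeholder>`, and bump the digest deliberately. The entry also sets no `repository:`, so the push target presumably comes from `KO_DOCKER_REPO` in the workflow environment, which these hunks do not show; a comment on the entry such as `# Pushes to $KO_DOCKER_REPO; scripts/build-sign-release-images.sh must sign the same reference.` would make that coupling explicit. In the `before.hooks` check, wrapping `git diff --exit-code` in `$(...)` discards the diff output, so a drifted go.mod/go.sum fails the release without showing what changed; `- git diff --exit-code go.mod go.sum` as the hook fails with the same status and prints the diff.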
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # Copyright 2020 Google LLC All Rights Reserved.
 #
diff --git a/scripts/build-sign-release-images.sh b/scripts/build-sign-release-images.sh
new file mode 100755
index 0000000000..af68d49c58
--- /dev/null
+++ b/scripts/build-sign-release-images.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+: "${GIT_HASH:?Environment variable empty or not defined.}"
+: "${GIT_TAG:?Environment variable empty or not defined.}"
+: "${RUN_ID:?Environment variable empty or not defined.}"
+: "${RUN_ATTEMPT:?Environment variable empty or not defined.}"
+: "${REGISTRY:?Environment variable empty or not defined.}"
+
+echo "Signing images with Keyless..."
+digest=$(crane digest "${REGISTRY}"/ko:"${GIT_TAG}")
+cosign sign --yes \
+ -a GIT_HASH="${GIT_HASH}" \
+ -a GIT_TAG="${GIT_TAG}" \
+ -a RUN_ID="${RUN_ID}" \
+ -a RUN_ATTEMPT="${RUN_ATTEMPT}" \
+ "${REGISTRY}/ko@${digest}"
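Review bot: The reference being signed is assembled locally as `${REGISTRY}/ko:${GIT_TAG}`, with `REGISTRY` set by the workflow to `ghcr.io/<owner>/<repo>`, while the `kos` entry in the preceding .goreleaser.yml hunk names no `repository:`, so nothing in this change ties the signed reference to the image goreleaser actually pushed; if the two diverge, `crane digest` fails under `errexit` or, if an older image exists under that name, the wrong artifact gets signed. Either pass the pushed reference in from the workflow instead of rebuilding it here, or at least add above the `digest=` line `# Must match the repository the 'ko-image' kos entry in .goreleaser.yml pushes to.`. The workflow step also exports `GITHUB_TOKEN` to this script, but the script neither guards it with a `:?` check like the other five variables nor references it; drop it from the step's `env:` or add the guard so the contract is explicit. The resolved digest is never logged either; an `echo "Signing ${REGISTRY}/ko@${digest}"` before `cosign sign` leaves an audit record of exactly which artifact was attested.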