refactor release job #986

Merged
merged 2 commits into from
Mar 17, 2023

@cpanato cpanato commented Mar 14, 2023

  • add tag name to the provenance
  • refactor release job
  • update deprecated Goreleaser flags
  • and other cosmetic updates

Rehearsal here: https://github.com/cpanato/ko/actions/runs/4416634779 / https://github.com/cpanato/ko/releases/tag/v99.99.02

Image:

$ cosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/cpanato/ko/.github/workflows/release.yml@refs/tags/v99.99.02" ghcr.io/cpanato/ko:v99.99.02 | jq .

Verification for ghcr.io/cpanato/ko:v99.99.02 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/cpanato/ko"
      },
      "image": {
        "docker-manifest-digest": "sha256:4063bcc4092a5122926b9dfc53cb63d562c335594ab7c358cca9cde6f00537ab"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
      "1.3.6.1.4.1.57264.1.2": "push",
      "1.3.6.1.4.1.57264.1.3": "6ce8a434b794b79fe831727f2c308a39c5ba6acb",
      "1.3.6.1.4.1.57264.1.4": "goreleaser",
      "1.3.6.1.4.1.57264.1.5": "cpanato/ko",
      "1.3.6.1.4.1.57264.1.6": "refs/tags/v99.99.02",
      "Bundle": {
        "SignedEntryTimestamp": "MEQCIB78uc7Dp23sau4pwR0o8PHAQViEnNMK2kz1pQyyFBK3AiBXiKiQd9tkC9AU6ZJ+ITnxdZFV2b8pNQIDa9ceYlUUiA==",
        "Payload": {
          "body": "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",
          "integratedTime": 1678803594,
          "logIndex": 15405023,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "GIT_HASH": "6ce8a434b794b79fe831727f2c308a39c5ba6acb",
      "GIT_TAG": "v99.99.02",
      "Issuer": "https://token.actions.githubusercontent.com",
      "RUN_ATTEMPT": "1",
      "RUN_ID": "4416634779",
      "Subject": "https://github.com/cpanato/ko/.github/workflows/release.yml@refs/tags/v99.99.02",
      "githubWorkflowName": "goreleaser",
      "githubWorkflowRef": "refs/tags/v99.99.02",
      "githubWorkflowRepository": "cpanato/ko",
      "githubWorkflowSha": "6ce8a434b794b79fe831727f2c308a39c5ba6acb",
      "githubWorkflowTrigger": "push"
    }
  }
]

@cpanato cpanato force-pushed the fix-provencance branch 2 times, most recently from 535c7d8 to 4111de2, March 14, 2023 14:33
@cpanato cpanato force-pushed the fix-provencance branch 4 times, most recently from 27e7b01 to 2cf5658, March 14, 2023 17:46

cpanato commented Mar 14, 2023

ok, forgot that now Goreleaser can build using ko :) (just not signing for now, but it is a great step)

here is the new rehearsal: https://github.com/cpanato/ko/actions/runs/4418689179/jobs/7746132525 / https://github.com/cpanato/ko/releases/tag/v99.99.06

$ cosign verify --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/cpanato/ko/.github/workflows/release.yml@refs/tags/v99.99.06" ghcr.io/cpanato/ko:v99.99.06 | jq .

Verification for ghcr.io/cpanato/ko:v99.99.06 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/cpanato/ko"
      },
      "image": {
        "docker-manifest-digest": "sha256:b66800750a3fd0d15a880fffa33027de82ae19ce2266f5c3798f7fd42b87ccc6"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
      "1.3.6.1.4.1.57264.1.2": "push",
      "1.3.6.1.4.1.57264.1.3": "2cf56584529e089c558b82627ec828d80e23eb9d",
      "1.3.6.1.4.1.57264.1.4": "goreleaser",
      "1.3.6.1.4.1.57264.1.5": "cpanato/ko",
      "1.3.6.1.4.1.57264.1.6": "refs/tags/v99.99.06",
      "Bundle": {
        "SignedEntryTimestamp": "MEYCIQCctz8jUIFhgA2AZ/8RfLV8zEeJi+xa1q8zKSd/Ki90fgIhAP/ex/D12n6RWh3Dy017umiPlfWZZ9oB4BmQxG6J/cIu",
        "Payload": {
          "body": "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",
          "integratedTime": 1678816882,
          "logIndex": 15418491,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      },
      "GIT_HASH": "2cf56584529e089c558b82627ec828d80e23eb9d",
      "GIT_TAG": "v99.99.06",
      "Issuer": "https://token.actions.githubusercontent.com",
      "RUN_ATTEMPT": "1",
      "RUN_ID": "4418689179",
      "Subject": "https://github.com/cpanato/ko/.github/workflows/release.yml@refs/tags/v99.99.06",
      "githubWorkflowName": "goreleaser",
      "githubWorkflowRef": "refs/tags/v99.99.06",
      "githubWorkflowRepository": "cpanato/ko",
      "githubWorkflowSha": "2cf56584529e089c558b82627ec828d80e23eb9d",
      "githubWorkflowTrigger": "push"
    }
  }
]
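
Added example, not part of the pull request or of cpanato's comments: a consistency check to run on `cosign verify` JSON such as the output above, after cosign has already validated the signature. It assumes `GIT_TAG` and `GIT_HASH` are annotations set by the release job, and compares them with the certificate-derived fields (the `1.3.6.1.4.1.57264.1.*` keys and `Subject`); `check_provenance`, `SAMPLE` and `TAMPERED` are names made up for this example.

```python
import json

ISSUER = "https://token.actions.githubusercontent.com"
OID = "1.3.6.1.4.1.57264.1."  # prefix of the certificate extension keys in the output

# Trimmed copy of the v99.99.06 output quoted above (Bundle and duplicate keys omitted).
SAMPLE = json.loads("""
[{"critical": {"identity": {"docker-reference": "ghcr.io/cpanato/ko"},
   "image": {"docker-manifest-digest":
     "sha256:b66800750a3fd0d15a880fffa33027de82ae19ce2266f5c3798f7fd42b87ccc6"},
   "type": "cosign container image signature"},
  "optional": {
   "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
   "1.3.6.1.4.1.57264.1.3": "2cf56584529e089c558b82627ec828d80e23eb9d",
   "1.3.6.1.4.1.57264.1.5": "cpanato/ko",
   "1.3.6.1.4.1.57264.1.6": "refs/tags/v99.99.06",
   "GIT_HASH": "2cf56584529e089c558b82627ec828d80e23eb9d",
   "GIT_TAG": "v99.99.06",
   "Subject": "https://github.com/cpanato/ko/.github/workflows/release.yml@refs/tags/v99.99.06"}}]
""")
# Constructed failure case: the GIT_TAG annotation no longer matches the signed ref.
TAMPERED = json.loads(json.dumps(SAMPLE))
TAMPERED[0]["optional"]["GIT_TAG"] = "v99.99.07"


def check_provenance(entries, image, repo, tag, workflow=".github/workflows/release.yml"):
    """Return a list of mismatches; an empty list means the output is consistent."""
    ref = f"refs/tags/{tag}"
    problems = [] if entries else ["cosign output contains no signatures"]
    for i, entry in enumerate(entries):
        opt = entry.get("optional") or {}
        checks = [
            ("docker-reference", entry["critical"]["identity"]["docker-reference"], image),
            ("issuer", opt.get(OID + "1"), ISSUER),
            ("repository", opt.get(OID + "5"), repo),
            ("ref", opt.get(OID + "6"), ref),
            ("Subject", opt.get("Subject"), f"https://github.com/{repo}/{workflow}@{ref}"),
            ("GIT_TAG", opt.get("GIT_TAG"), tag),
            # The annotation must name the same commit as the certificate.
            ("GIT_HASH", opt.get("GIT_HASH"), opt.get(OID + "3")),
        ]
        for name, actual, want in checks:
            if actual is None or actual != want:
                problems.append(f"entry {i}: {name} is {actual!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for label, data in (("page output", SAMPLE), ("tampered copy", TAMPERED)):
        print(label, check_provenance(data, "ghcr.io/cpanato/ko", "cpanato/ko", "v99.99.06") or "OK")
```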

@cpanato cpanato requested a review from imjasonh March 14, 2023 18:03
@cpanato cpanato force-pushed the fix-provencance branch 2 times, most recently from 55d426c to 5578a57, March 14, 2023 18:27

cpanato commented Mar 14, 2023

ok new one :)

https://github.com/cpanato/ko/actions/runs/4419196873/jobs/7747315185 / https://github.com/cpanato/ko/releases/tag/v99.99.08

@imjasonh imjasonh merged commit deb13d7 into ko-build:main Mar 17, 2023
@cpanato cpanato deleted the fix-provencance branch March 17, 2023 13:38