Skip to content

sign release artifacts using cosign #1

sign release artifacts using cosign

sign release artifacts using cosign #1

Workflow file for this run

name: goreleaser
on:
push:
tags:
- 'v*'
jobs:
goreleaser:
runs-on: ubuntu-latest
# Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.21.3
- name: Set up Cosign
uses: sigstore/cosign-installer@v3
- name: Retrieve version
run: |
echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
id: version
- name: Run GoReleaser
# GoReleaser v4.2.0
uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b
if: startsWith(github.ref, 'refs/tags/')
with:
version: 1.16.2
args: release --clean --debug
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.TAG_NAME }}
- uses: actions/github-script@v4
id: get-checksums-from-draft-release
if: startsWith(github.ref, 'refs/tags/')
with:
github-token: ${{secrets.GITHUB_TOKEN}}
result-encoding: string
script: |
var crypto = require('crypto');
const { owner, repo } = context.repo;
// https://docs.github.com/en/rest/reference/repos#list-releases
// https://octokit.github.io/rest.js/v18#repos-list-releases
var releases = await github.repos.listReleases({
owner: owner,
repo: repo
});
var crypto = require('crypto')
var fs = require('fs')
const url = require('url');
const https = require('https');
checksums = {}
for (const r of releases["data"]) {
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
for (const asset of r.assets) {
var release_asset = await github.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
const hash = crypto.createHash('sha256');
let http_promise = new Promise((resolve, reject) => {
https.get(release_asset.url, (stream) => {
stream.on('data', function (data) {
hash.update(data);
});
stream.on('end', function () {
checksums[asset.name]= hash.digest('hex');
resolve(`${asset.name}`);
});
});
});
await http_promise;
}
}
}
console.log(checksums)
return `${checksums['kbld-darwin-amd64']} ./kbld-darwin-amd64
${checksums['kbld-darwin-arm64']} ./kbld-darwin-arm64
${checksums['kbld-linux-amd64']} ./kbld-linux-amd64
${checksums['kbld-linux-arm64']} ./kbld-linux-arm64
${checksums['kbld-windows-amd64.exe']} ./kbld-windows-amd64.exe
${checksums['kbld-windows-arm64.exe']} ./kbld-windows-arm64.exe`
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert dist/checksums.txt.pem \
--signature dist/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./dist/checksums.txt
- name: verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
set -e -x
VERSION=`echo ${{ github.ref }} | grep -Eo '[0-9].*'`
./hack/build-binaries.sh "$VERSION" > ./go-checksums
cat ./go-checksums
diff ./go-checksums <(cat <<EOF
${{steps.get-checksums-from-draft-release.outputs.result}}
EOF
)