Skip to content

Commit

Permalink
chore: update workflow to use new key (#2920)
Browse files Browse the repository at this point in the history
Signed-off-by: Austin Abro <[email protected]>
  • Loading branch information
AustinAbro321 authored Aug 22, 2024
1 parent 15fa119 commit 186c5d0
Show file tree
Hide file tree
Showing 6 changed files with 33 additions and 44 deletions.
13 changes: 9 additions & 4 deletions .github/workflows/publish-application-packages.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
name: Zarf Application Package Publishing

permissions:
id-token: write
contents: read

on:
Expand All @@ -22,6 +23,14 @@ jobs:
with:
ref: ${{ github.event.inputs.branchName }}

- name: Auth with AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
aws-region: us-east-2
role-duration-seconds: 3600

- name: Install The Latest Release Version of Zarf
uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1

Expand All @@ -44,7 +53,3 @@ jobs:
# Publish a skeleton of the dos-games package
zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages
env:
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
12 changes: 9 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
name: Release CLI and Packages on Tag

permissions:
id-token: write
contents: read

on:
Expand Down Expand Up @@ -53,13 +54,18 @@ jobs:
rm build/zarf-linux-arm64
echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
- name: Auth with AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
aws-region: us-east-2
role-duration-seconds: 3600

- name: "Zarf Agent: Sign the Image"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
env:
COSIGN_EXPERIMENTAL: 1
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}

# Builds init packages since GoReleaser won't handle this for us
- name: Build init-packages For Release
Expand Down
26 changes: 13 additions & 13 deletions cosign.pub
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9u472y/wY0tjIiR2T6rY
zOG1q4qwx5ZdmnoGsiG0Zc3rYo2DMiuKciG0MI4opCf4IID7kfYOD4aWILymwFID
xW0L6pEbxknHRQacWZSf/qfA+aAcjbKOY3ZWU8/uLJJeq37Y4OLc17ThJ7ZOj1Yf
Uvj81Uz9ZWVW7kYY31vWCruJh4VxZLsUAmFc6CsQUtzSGordLhh1b1rDP6ZRAaIP
mQnniULogwIBqnUTkIVwxiRYG+V2a3IC5vqlBLQRQ3UOWQ9mgZcfcXuTA6Fh8bwO
2lG768UfI1RBYioXAgXbPwXK+kM3Idvjcr+X2F3VpYWhHTscMIQF0ERzK7BkRqRI
x9l/RRm5lP+9a1kt6giYtvX2OqEsWaG3lTen3ocwblaHRlmqnaiVBtAnVny6QDHX
9p1HPMD/NjWjZucxWMjtdL5FZxBywbJVlxhe7sFByMoBZYhea9vGGSn2M2Q9kPiq
Bgl6bKZdeYIhaKQ7wrNkS6YVHMIqqpCIUI6/YGYwnu0hodbjR0yA2LFx4TgFZAuY
uGEiRP4Oi7WEOPkjRjP7kPXGpEBB7ulZ/Wohq1B6pB1Odo8WlfJRAek319F2aqqh
J1c3YdZ/w3EvCLKd+Inp1UNbamb79UN6jtwhqwKw72YbZh/yP0rim49lQ++umwPX
JWqG8iY/UzGB/3ch4/Wb09UCAwEAAQ==
-----END PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr6pqXju3qrkVae35GIuG
F58+zMd5XGMVgPkxFrdrJZ/3Ag65y7j4QsrcCFkXYAYNIy9iZliXypsxrr3oajJv
EgLDAc0CqtWYa0tuT2kAP4YHzxVkLC8MZLhQ1fuj9QKylm3OIMf18ZAnp12upmK8
SBvrYxtWfTOv4KBgRGdIO0U9M/dwNnodGosY0znyHD9dp1G7qRA7BNpOsuXoaLa/
aSQ2X0icoq5N8BLLOl3/23w6nCV+G32HFD0/AurDZVMC8o6N91AkX3smfWINkNk+
QUrCkjhlAMxtBPi2TCYB4PimOKLpO/q/hwfixkHJcx8zPY/UZCCJGrsOcdFdvN/M
FkxqVZ2vBv+8LaElSAmbzsjVpg4w3QMk/6fVuU2rBtwog7DekuV/J5SwGCyTfC/4
R8SetTsEpYgtDWp8+vugcfZTg5+7rPnMfNG16HdwJoC+LnWbeot6X2ZepTu4CrkV
qCAfFlu9G9sy2ZrwT5gnFT9JoKPVRTgkYmADgSfF0njKjuFKfk+aEVIrKRCVbExe
VtfmM1A9OfP4vCtCKw7tE5fFhmAa5v2D6LS/rG2m99fbZjDdeK9y22OZZyUCZaUN
TM+VQTuY1bwXY0/XEhUHxP0Fzk2VGQVslwXgW305SzR8Yh/bTbE4pkNGpOta+4s2
E5ZMlZgQX8x4gSfbxmBHgP0CAwEAAQ==
-----END PUBLIC KEY-----
8 changes: 0 additions & 8 deletions src/pkg/utils/cosign.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,15 +8,13 @@ import (
"context"
"fmt"
"io"
"os"
"strings"

"github.com/defenseunicorns/pkg/helpers/v2"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/pkg/errors"
"github.com/zarf-dev/zarf/src/config"
"github.com/zarf-dev/zarf/src/config/lang"
"github.com/zarf-dev/zarf/src/pkg/message"

Expand All @@ -41,12 +39,6 @@ import (
func Sget(ctx context.Context, image, key string, out io.Writer) error {
message.Warnf(lang.WarnSGetDeprecation)

// If this is a DefenseUnicorns package, use an internal sget public key
if strings.HasPrefix(image, fmt.Sprintf("%s://defenseunicorns", helpers.SGETURLScheme)) {
os.Setenv("DU_SGET_KEY", config.CosignPublicKey)
key = "env://DU_SGET_KEY"
}

// Remove the custom protocol header from the url
image = strings.TrimPrefix(image, helpers.SGETURLPrefix)

Expand Down
2 changes: 1 addition & 1 deletion src/test/e2e/11_oci_pull_inspect_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ func (suite *PullInspectTestSuite) Test_0_Pull() {

// Verify the package was pulled correctly.
suite.FileExists(out)
stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://zarf.dev/cosign.pub", "--sbom-out", sbomTmp)
stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--sbom-out", sbomTmp)
suite.NoError(err, stdOut, stdErr)
suite.Contains(stdErr, "Validating SBOM checksums")
suite.Contains(stdErr, "Package signature validated!")
Expand Down
16 changes: 1 addition & 15 deletions src/test/e2e/27_deploy_regression_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import (
"testing"

"github.com/stretchr/testify/require"
"github.com/zarf-dev/zarf/src/pkg/utils/exec"
)

func TestGHCRDeploy(t *testing.T) {
Expand All @@ -25,20 +24,7 @@ func TestGHCRDeploy(t *testing.T) {
}

// Test with command from https://docs.zarf.dev/getting-started/install/
stdOut, stdErr, err := e2e.Zarf(t, "package", "deploy", fmt.Sprintf("oci://🦄/dos-games:1.0.0-%s@sha256:%s", e2e.Arch, sha), "--key=https://zarf.dev/cosign.pub", "--confirm")
require.NoError(t, err, stdOut, stdErr)

stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm")
require.NoError(t, err, stdOut, stdErr)
}

func TestCosignDeploy(t *testing.T) {
t.Log("E2E: Cosign deploy")

// Test with command from https://docs.zarf.dev/getting-started/install/
command := fmt.Sprintf("%s package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m) --confirm", e2e.ZarfBinPath)

stdOut, stdErr, err := exec.CmdWithTesting(t, exec.PrintCfg(), "sh", "-c", command)
stdOut, stdErr, err := e2e.Zarf(t, "package", "deploy", fmt.Sprintf("oci://🦄/dos-games:1.0.0-%s@sha256:%s", e2e.Arch, sha), "--key=https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--confirm")
require.NoError(t, err, stdOut, stdErr)

stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm")
Expand Down

0 comments on commit 186c5d0

Please sign in to comment.