From 2548a30897b77b68e0f052c939cd815265dfe097 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 17:57:19 +0000 Subject: [PATCH 01/11] update workflow to use new key Signed-off-by: Austin Abro --- .../publish-application-packages.yml | 6 ++-- .github/workflows/release.yml | 11 +++++-- .github/workflows/test-release.yaml | 32 +++++++++++++++++++ cosign.pub | 26 +++++++-------- 4 files changed, 55 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/test-release.yaml diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml index 3944aa0abb..0fd0251b51 100644 --- a/.github/workflows/publish-application-packages.yml +++ b/.github/workflows/publish-application-packages.yml @@ -32,6 +32,8 @@ jobs: username: dummy password: ${{ github.token }} + + - name: Build And Publish Application Packages # Create the dos-games package with the cosign signature, publish to ghcr and copy the tags to allow 'uname -m' to work run: | @@ -44,7 +46,3 @@ jobs: # Publish a skeleton of the dos-games package zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages - env: - AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }} - AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 52b3d38b31..529f7b6f59 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,13 +53,18 @@ jobs: rm build/zarf-linux-arm64 echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV + - name: Auth with AWS + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_KMS_ROLE }} + role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} + aws-region: us-east-2 + role-duration-seconds: 3600 + - name: "Zarf Agent: Sign the Image" run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y env: COSIGN_EXPERIMENTAL: 1 - AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }} - AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }} # Builds init packages since GoReleaser won't handle this for us - name: Build init-packages For Release diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml new file mode 100644 index 0000000000..8af7a496f7 --- /dev/null +++ b/.github/workflows/test-release.yaml @@ -0,0 +1,32 @@ +name: Release CLI and Packages on Tag + +permissions: + contents: read + +on: + push: + workflow_dispatch: + + +jobs: + build-release: + runs-on: ubuntu-latest + steps: + - name: "Zarf Agent: Login to GHCR" + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: dummy + password: ${{ github.token }} + + - name: Auth with AWS + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_KMS_ROLE }} + role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} + aws-region: us-east-2 + role-duration-seconds: 3600 + + + - name: "sign image" + run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} ghcr.io/zarf-dev/test-signing-image@sha256:aa22bce1c95a25aadfd695caad2a1227fa2aa61833753317356d15500a6e6878 diff --git a/cosign.pub b/cosign.pub index 6c8e8e4eb5..a2677f32b0 100644 --- a/cosign.pub +++ b/cosign.pub @@ -1,14 +1,14 @@ -----BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9u472y/wY0tjIiR2T6rY -zOG1q4qwx5ZdmnoGsiG0Zc3rYo2DMiuKciG0MI4opCf4IID7kfYOD4aWILymwFID -xW0L6pEbxknHRQacWZSf/qfA+aAcjbKOY3ZWU8/uLJJeq37Y4OLc17ThJ7ZOj1Yf -Uvj81Uz9ZWVW7kYY31vWCruJh4VxZLsUAmFc6CsQUtzSGordLhh1b1rDP6ZRAaIP -mQnniULogwIBqnUTkIVwxiRYG+V2a3IC5vqlBLQRQ3UOWQ9mgZcfcXuTA6Fh8bwO -2lG768UfI1RBYioXAgXbPwXK+kM3Idvjcr+X2F3VpYWhHTscMIQF0ERzK7BkRqRI -x9l/RRm5lP+9a1kt6giYtvX2OqEsWaG3lTen3ocwblaHRlmqnaiVBtAnVny6QDHX -9p1HPMD/NjWjZucxWMjtdL5FZxBywbJVlxhe7sFByMoBZYhea9vGGSn2M2Q9kPiq -Bgl6bKZdeYIhaKQ7wrNkS6YVHMIqqpCIUI6/YGYwnu0hodbjR0yA2LFx4TgFZAuY -uGEiRP4Oi7WEOPkjRjP7kPXGpEBB7ulZ/Wohq1B6pB1Odo8WlfJRAek319F2aqqh -J1c3YdZ/w3EvCLKd+Inp1UNbamb79UN6jtwhqwKw72YbZh/yP0rim49lQ++umwPX -JWqG8iY/UzGB/3ch4/Wb09UCAwEAAQ== ------END PUBLIC KEY----- \ No newline at end of file +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr6pqXju3qrkVae35GIuG +F58+zMd5XGMVgPkxFrdrJZ/3Ag65y7j4QsrcCFkXYAYNIy9iZliXypsxrr3oajJv +EgLDAc0CqtWYa0tuT2kAP4YHzxVkLC8MZLhQ1fuj9QKylm3OIMf18ZAnp12upmK8 +SBvrYxtWfTOv4KBgRGdIO0U9M/dwNnodGosY0znyHD9dp1G7qRA7BNpOsuXoaLa/ +aSQ2X0icoq5N8BLLOl3/23w6nCV+G32HFD0/AurDZVMC8o6N91AkX3smfWINkNk+ +QUrCkjhlAMxtBPi2TCYB4PimOKLpO/q/hwfixkHJcx8zPY/UZCCJGrsOcdFdvN/M +FkxqVZ2vBv+8LaElSAmbzsjVpg4w3QMk/6fVuU2rBtwog7DekuV/J5SwGCyTfC/4 +R8SetTsEpYgtDWp8+vugcfZTg5+7rPnMfNG16HdwJoC+LnWbeot6X2ZepTu4CrkV +qCAfFlu9G9sy2ZrwT5gnFT9JoKPVRTgkYmADgSfF0njKjuFKfk+aEVIrKRCVbExe +VtfmM1A9OfP4vCtCKw7tE5fFhmAa5v2D6LS/rG2m99fbZjDdeK9y22OZZyUCZaUN +TM+VQTuY1bwXY0/XEhUHxP0Fzk2VGQVslwXgW305SzR8Yh/bTbE4pkNGpOta+4s2 +E5ZMlZgQX8x4gSfbxmBHgP0CAwEAAQ== +-----END PUBLIC KEY----- From 30faccc27d9f154c065243000845dfdb1e229a38 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 18:00:23 +0000 Subject: [PATCH 02/11] id token write Signed-off-by: Austin Abro --- .github/workflows/release.yml | 1 + .github/workflows/test-release.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 529f7b6f59..f7af1a32de 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,7 @@ name: Release CLI and Packages on Tag permissions: + id-token: write contents: read on: diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index 8af7a496f7..5ca1f14bea 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml @@ -1,6 +1,7 @@ name: Release CLI and Packages on Tag permissions: + id-token: write contents: read on: From b077af91bd54ff94ecd804456c62ecbf4a13efd9 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 18:01:20 +0000 Subject: [PATCH 03/11] install tools Signed-off-by: Austin Abro --- .github/workflows/test-release.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index 5ca1f14bea..c49559f02a 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml @@ -28,6 +28,8 @@ jobs: aws-region: us-east-2 role-duration-seconds: 3600 + - name: Install tools + uses: ./.github/actions/install-tools - name: "sign image" run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} ghcr.io/zarf-dev/test-signing-image@sha256:aa22bce1c95a25aadfd695caad2a1227fa2aa61833753317356d15500a6e6878 From 289b239a9ca145fc9149727f3c18660e27edaa6a Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 18:02:42 +0000 Subject: [PATCH 04/11] checkout Signed-off-by: Austin Abro --- .github/workflows/test-release.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index c49559f02a..ff255f2035 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml @@ -13,6 +13,12 @@ jobs: build-release: runs-on: ubuntu-latest steps: + # Checkout the repo and setup the tooling for this job + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + - name: "Zarf Agent: Login to GHCR" uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: From 19690b4c67a589502a6102bc0978fc9cf74d8a14 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 18:05:23 +0000 Subject: [PATCH 05/11] sign different image Signed-off-by: Austin Abro --- .github/workflows/test-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml index ff255f2035..8a0b114e67 100644 --- a/.github/workflows/test-release.yaml +++ b/.github/workflows/test-release.yaml @@ -38,4 +38,4 @@ jobs: uses: ./.github/actions/install-tools - name: "sign image" - run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} ghcr.io/zarf-dev/test-signing-image@sha256:aa22bce1c95a25aadfd695caad2a1227fa2aa61833753317356d15500a6e6878 + run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} ghcr.io/zarf-dev/zarf/test-signing-image@sha256:aa22bce1c95a25aadfd695caad2a1227fa2aa61833753317356d15500a6e6878 From 649bdb71f1883660f51017940c3e57d803ac25ac Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 18:20:41 +0000 Subject: [PATCH 06/11] add aws login Signed-off-by: Austin Abro --- .github/workflows/publish-application-packages.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml index 0fd0251b51..4dc7ef1e51 100644 --- a/.github/workflows/publish-application-packages.yml +++ b/.github/workflows/publish-application-packages.yml @@ -22,6 +22,14 @@ jobs: with: ref: ${{ github.event.inputs.branchName }} + - name: Auth with AWS + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 + with: + role-to-assume: ${{ secrets.AWS_KMS_ROLE }} + role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} + aws-region: us-east-2 + role-duration-seconds: 3600 + - name: Install The Latest Release Version of Zarf uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1 @@ -32,8 +40,6 @@ jobs: username: dummy password: ${{ github.token }} - - - name: Build And Publish Application Packages # Create the dos-games package with the cosign signature, publish to ghcr and copy the tags to allow 'uname -m' to work run: | From f475ddadd55b46ce8dfecf3c59563492acda81b8 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 18:31:53 +0000 Subject: [PATCH 07/11] id token Signed-off-by: Austin Abro --- .../publish-application-packages.yml | 1 + .github/workflows/test-release.yaml | 41 ------------------- 2 files changed, 1 insertion(+), 41 deletions(-) delete mode 100644 .github/workflows/test-release.yaml diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml index 4dc7ef1e51..de96965506 100644 --- a/.github/workflows/publish-application-packages.yml +++ b/.github/workflows/publish-application-packages.yml @@ -1,6 +1,7 @@ name: Zarf Application Package Publishing permissions: + id-token: write contents: read on: diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml deleted file mode 100644 index 8a0b114e67..0000000000 --- a/.github/workflows/test-release.yaml +++ /dev/null @@ -1,41 +0,0 @@ -name: Release CLI and Packages on Tag - -permissions: - id-token: write - contents: read - -on: - push: - workflow_dispatch: - - -jobs: - build-release: - runs-on: ubuntu-latest - steps: - # Checkout the repo and setup the tooling for this job - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - - name: "Zarf Agent: Login to GHCR" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: dummy - password: ${{ github.token }} - - - name: Auth with AWS - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - role-to-assume: ${{ secrets.AWS_KMS_ROLE }} - role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} - aws-region: us-east-2 - role-duration-seconds: 3600 - - - name: Install tools - uses: ./.github/actions/install-tools - - - name: "sign image" - run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} ghcr.io/zarf-dev/zarf/test-signing-image@sha256:aa22bce1c95a25aadfd695caad2a1227fa2aa61833753317356d15500a6e6878 From c701d0aadfc3ad52bd6741b89354d95a7659c5bb Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 19:29:44 +0000 Subject: [PATCH 08/11] delete sget test Signed-off-by: Austin Abro --- src/pkg/utils/cosign.go | 8 -------- src/test/e2e/27_deploy_regression_test.go | 14 -------------- 2 files changed, 22 deletions(-) diff --git a/src/pkg/utils/cosign.go b/src/pkg/utils/cosign.go index eb16d6159f..1e129ffb5c 100644 --- a/src/pkg/utils/cosign.go +++ b/src/pkg/utils/cosign.go @@ -8,7 +8,6 @@ import ( "context" "fmt" "io" - "os" "strings" "github.com/defenseunicorns/pkg/helpers/v2" @@ -16,7 +15,6 @@ import ( "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" "github.com/pkg/errors" - "github.com/zarf-dev/zarf/src/config" "github.com/zarf-dev/zarf/src/config/lang" "github.com/zarf-dev/zarf/src/pkg/message" @@ -41,12 +39,6 @@ import ( func Sget(ctx context.Context, image, key string, out io.Writer) error { message.Warnf(lang.WarnSGetDeprecation) - // If this is a DefenseUnicorns package, use an internal sget public key - if strings.HasPrefix(image, fmt.Sprintf("%s://defenseunicorns", helpers.SGETURLScheme)) { - os.Setenv("DU_SGET_KEY", config.CosignPublicKey) - key = "env://DU_SGET_KEY" - } - // Remove the custom protocol header from the url image = strings.TrimPrefix(image, helpers.SGETURLPrefix) diff --git a/src/test/e2e/27_deploy_regression_test.go b/src/test/e2e/27_deploy_regression_test.go index f16c3d243a..ae19cc2e4b 100644 --- a/src/test/e2e/27_deploy_regression_test.go +++ b/src/test/e2e/27_deploy_regression_test.go @@ -9,7 +9,6 @@ import ( "testing" "github.com/stretchr/testify/require" - "github.com/zarf-dev/zarf/src/pkg/utils/exec" ) func TestGHCRDeploy(t *testing.T) { @@ -31,16 +30,3 @@ func TestGHCRDeploy(t *testing.T) { stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm") require.NoError(t, err, stdOut, stdErr) } - -func TestCosignDeploy(t *testing.T) { - t.Log("E2E: Cosign deploy") - - // Test with command from https://docs.zarf.dev/getting-started/install/ - command := fmt.Sprintf("%s package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m) --confirm", e2e.ZarfBinPath) - - stdOut, stdErr, err := exec.CmdWithTesting(t, exec.PrintCfg(), "sh", "-c", command) - require.NoError(t, err, stdOut, stdErr) - - stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm") - require.NoError(t, err, stdOut, stdErr) -} From cc3108d2a1d6626d30cf1cdd92fc3274d67ac837 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 19:31:34 +0000 Subject: [PATCH 09/11] use key that won't change Signed-off-by: Austin Abro --- src/test/e2e/11_oci_pull_inspect_test.go | 2 +- src/test/e2e/27_deploy_regression_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/test/e2e/11_oci_pull_inspect_test.go b/src/test/e2e/11_oci_pull_inspect_test.go index a992a50f55..cd045ae0a6 100644 --- a/src/test/e2e/11_oci_pull_inspect_test.go +++ b/src/test/e2e/11_oci_pull_inspect_test.go @@ -55,7 +55,7 @@ func (suite *PullInspectTestSuite) Test_0_Pull() { // Verify the package was pulled correctly. suite.FileExists(out) - stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://zarf.dev/cosign.pub", "--sbom-out", sbomTmp) + stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--sbom-out", sbomTmp) suite.NoError(err, stdOut, stdErr) suite.Contains(stdErr, "Validating SBOM checksums") suite.Contains(stdErr, "Package signature validated!") diff --git a/src/test/e2e/27_deploy_regression_test.go b/src/test/e2e/27_deploy_regression_test.go index ae19cc2e4b..87663469f9 100644 --- a/src/test/e2e/27_deploy_regression_test.go +++ b/src/test/e2e/27_deploy_regression_test.go @@ -24,7 +24,7 @@ func TestGHCRDeploy(t *testing.T) { } // Test with command from https://docs.zarf.dev/getting-started/install/ - stdOut, stdErr, err := e2e.Zarf(t, "package", "deploy", fmt.Sprintf("oci://🦄/dos-games:1.0.0-%s@sha256:%s", e2e.Arch, sha), "--key=https://zarf.dev/cosign.pub", "--confirm") + stdOut, stdErr, err := e2e.Zarf(t, "package", "deploy", fmt.Sprintf("oci://🦄/dos-games:1.0.0-%s@sha256:%s", e2e.Arch, sha), "--key=https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--confirm") require.NoError(t, err, stdOut, stdErr) stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm") From 373d4d1b5d335e8abb9807c964c3f63dd5c5dd5e Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 19:37:47 +0000 Subject: [PATCH 10/11] update dos games release Signed-off-by: Austin Abro --- .github/workflows/publish-application-packages.yml | 11 ++--------- examples/dos-games/zarf.yaml | 2 +- src/test/e2e/05_tarball_test.go | 2 +- src/test/e2e/06_create_sbom_test.go | 2 +- src/test/e2e/25_helm_test.go | 4 ++-- src/test/e2e/26_simple_packages_test.go | 2 +- src/test/e2e/31_checksum_and_signature_test.go | 2 +- src/test/e2e/32_component_webhooks_test.go | 2 +- 8 files changed, 10 insertions(+), 17 deletions(-) diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml index 3944aa0abb..5538782fa5 100644 --- a/.github/workflows/publish-application-packages.yml +++ b/.github/workflows/publish-application-packages.yml @@ -5,11 +5,6 @@ permissions: on: workflow_dispatch: - inputs: - branchName: - description: "Branch to build the packages from" - required: true - default: "main" jobs: publish-packages: @@ -19,8 +14,6 @@ jobs: steps: - name: "Checkout Repo" uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: ${{ github.event.inputs.branchName }} - name: Install The Latest Release Version of Zarf uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1 @@ -39,8 +32,8 @@ jobs: zarf package create -o build -a arm64 examples/dos-games --signing-key=awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} --confirm # Publish a the signed dos-games package - zarf package publish ./build/zarf-package-dos-games-amd64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub - zarf package publish ./build/zarf-package-dos-games-arm64-1.0.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub + zarf package publish ./build/zarf-package-dos-games-amd64-1.1.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub + zarf package publish ./build/zarf-package-dos-games-arm64-1.1.0.tar.zst oci://ghcr.io/zarf-dev/packages --key=https://zarf.dev/cosign.pub # Publish a skeleton of the dos-games package zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages diff --git a/examples/dos-games/zarf.yaml b/examples/dos-games/zarf.yaml index 49d49f5be8..87042ca58d 100644 --- a/examples/dos-games/zarf.yaml +++ b/examples/dos-games/zarf.yaml @@ -2,7 +2,7 @@ kind: ZarfPackageConfig metadata: name: dos-games description: Simple example to load classic DOS games into K8s in the airgap - version: 1.0.0 + version: 1.1.0 components: - name: baseline diff --git a/src/test/e2e/05_tarball_test.go b/src/test/e2e/05_tarball_test.go index a9af583002..d1646899cf 100644 --- a/src/test/e2e/05_tarball_test.go +++ b/src/test/e2e/05_tarball_test.go @@ -83,7 +83,7 @@ func TestReproducibleTarballs(t *testing.T) { var ( createPath = filepath.Join("examples", "dos-games") tmp = t.TempDir() - tb = filepath.Join(tmp, fmt.Sprintf("zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch)) + tb = filepath.Join(tmp, fmt.Sprintf("zarf-package-dos-games-%s-1.1.0.tar.zst", e2e.Arch)) unpack1 = filepath.Join(tmp, "unpack1") unpack2 = filepath.Join(tmp, "unpack2") ) diff --git a/src/test/e2e/06_create_sbom_test.go b/src/test/e2e/06_create_sbom_test.go index 26890ccaf9..a3ee3b4118 100644 --- a/src/test/e2e/06_create_sbom_test.go +++ b/src/test/e2e/06_create_sbom_test.go @@ -18,7 +18,7 @@ func TestCreateSBOM(t *testing.T) { tmpdir := t.TempDir() sbomPath := filepath.Join(tmpdir, ".sbom-location") - pkgName := fmt.Sprintf("zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch) + pkgName := fmt.Sprintf("zarf-package-dos-games-%s-1.1.0.tar.zst", e2e.Arch) stdOut, stdErr, err := e2e.Zarf(t, "package", "create", "examples/dos-games", "--sbom-out", sbomPath, "--confirm") require.NoError(t, err, stdOut, stdErr) diff --git a/src/test/e2e/25_helm_test.go b/src/test/e2e/25_helm_test.go index 322d3c89dd..b37c3ad39a 100644 --- a/src/test/e2e/25_helm_test.go +++ b/src/test/e2e/25_helm_test.go @@ -115,7 +115,7 @@ func testHelmEscaping(t *testing.T) { func testHelmUninstallRollback(t *testing.T) { t.Log("E2E: Helm Uninstall and Rollback") - goodPath := fmt.Sprintf("build/zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch) + goodPath := fmt.Sprintf("build/zarf-package-dos-games-%s-1.1.0.tar.zst", e2e.Arch) evilPath := fmt.Sprintf("zarf-package-dos-games-%s.tar.zst", e2e.Arch) // Create the evil package (with the bad service). @@ -172,7 +172,7 @@ func testHelmUninstallRollback(t *testing.T) { func testHelmAdoption(t *testing.T) { t.Log("E2E: Helm Adopt a Deployment") - packagePath := fmt.Sprintf("build/zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch) + packagePath := fmt.Sprintf("build/zarf-package-dos-games-%s-1.1.0.tar.zst", e2e.Arch) deploymentManifest := "src/test/packages/25-manifest-adoption/deployment.yaml" // Deploy dos-games manually into the cluster without Zarf diff --git a/src/test/e2e/26_simple_packages_test.go b/src/test/e2e/26_simple_packages_test.go index 6e4c20bd8a..08df1d709b 100644 --- a/src/test/e2e/26_simple_packages_test.go +++ b/src/test/e2e/26_simple_packages_test.go @@ -18,7 +18,7 @@ import ( func TestDosGames(t *testing.T) { t.Log("E2E: Dos games") - path := filepath.Join("build", fmt.Sprintf("zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch)) + path := filepath.Join("build", fmt.Sprintf("zarf-package-dos-games-%s-1.1.0.tar.zst", e2e.Arch)) // Deploy the game stdOut, stdErr, err := e2e.Zarf(t, "package", "deploy", path, "--confirm") diff --git a/src/test/e2e/31_checksum_and_signature_test.go b/src/test/e2e/31_checksum_and_signature_test.go index b80e83e699..c83888fe00 100644 --- a/src/test/e2e/31_checksum_and_signature_test.go +++ b/src/test/e2e/31_checksum_and_signature_test.go @@ -15,7 +15,7 @@ func TestChecksumAndSignature(t *testing.T) { t.Log("E2E: Checksum and Signature") testPackageDirPath := "examples/dos-games" - pkgName := fmt.Sprintf("zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch) + pkgName := fmt.Sprintf("zarf-package-dos-games-%s-1.1.0.tar.zst", e2e.Arch) privateKeyFlag := "--signing-key=src/test/packages/zarf-test.prv-key" publicKeyFlag := "--key=src/test/packages/zarf-test.pub" diff --git a/src/test/e2e/32_component_webhooks_test.go b/src/test/e2e/32_component_webhooks_test.go index 7d6d761835..18c9ed33cc 100644 --- a/src/test/e2e/32_component_webhooks_test.go +++ b/src/test/e2e/32_component_webhooks_test.go @@ -23,7 +23,7 @@ func TestComponentWebhooks(t *testing.T) { defer e2e.CleanFiles(webhookPath) // Ensure package deployments wait for webhooks to complete. - gamesPath := fmt.Sprintf("build/zarf-package-dos-games-%s-1.0.0.tar.zst", e2e.Arch) + gamesPath := fmt.Sprintf("build/zarf-package-dos-games-%s-1.1.0.tar.zst", e2e.Arch) stdOut, stdErr, err = e2e.Zarf(t, "package", "deploy", gamesPath, "--confirm") require.NoError(t, err, stdOut, stdErr) require.Contains(t, stdErr, "Waiting for webhook \"test-webhook\" to complete for component \"baseline\"") From 9337ad0a7bc7f63b54de10c8cef7d2967831f322 Mon Sep 17 00:00:00 2001 From: Austin Abro Date: Thu, 22 Aug 2024 20:18:15 +0000 Subject: [PATCH 11/11] auth with aws once Signed-off-by: Austin Abro --- .github/workflows/publish-application-packages.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/publish-application-packages.yml b/.github/workflows/publish-application-packages.yml index 43f6fef0a0..d8e1c34d05 100644 --- a/.github/workflows/publish-application-packages.yml +++ b/.github/workflows/publish-application-packages.yml @@ -24,14 +24,6 @@ jobs: aws-region: us-east-2 role-duration-seconds: 3600 - - name: Auth with AWS - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 - with: - role-to-assume: ${{ secrets.AWS_KMS_ROLE }} - role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} - aws-region: us-east-2 - role-duration-seconds: 3600 - - name: Install The Latest Release Version of Zarf uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1