Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update cloud build script to latest for v1.13.x #3615

Merged
merged 13 commits into from Mar 21, 2024
Merged

Update cloud build script to latest for v1.13.x #3615

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
f74fd10
Update cloud build script to latest for v1.13.x
haydentherapper Mar 21, 2024
76498a1
Update validate-release.yml
haydentherapper Mar 21, 2024
672e676
Update ko-sign-release-images.sh
haydentherapper Mar 21, 2024
8402458
Update .goreleaser.yml
haydentherapper Mar 21, 2024
4dfbc99
Update release.mk
haydentherapper Mar 21, 2024
544b0ff
Update .ko.yaml
haydentherapper Mar 21, 2024
f966da9
Update Makefile
haydentherapper Mar 21, 2024
b8f21e6
Update release.mk
haydentherapper Mar 21, 2024
6cdefcf
Update ko-sign-release-images.sh
haydentherapper Mar 21, 2024
1f8d239
Update .ko.yaml
haydentherapper Mar 21, 2024
191664f
Update .ko.yaml
haydentherapper Mar 21, 2024
7207a13
Update ko-sign-release-images.sh
haydentherapper Mar 21, 2024
f16c253
Update Makefile
haydentherapper Mar 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
64 changes: 7 additions & 57 deletions .github/workflows/validate-release.yml
View file
Open in desktop
Expand Up @@ -26,28 +26,29 @@ jobs:
check-signature:
runs-on: ubuntu-latest
container:
image: gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057
image: gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967

steps:
- name: Check Signature
run: |
cosign verify ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06
cosign verify ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0"
env:
TUF_ROOT: /tmp
COSIGN_EXPERIMENTAL: true

validate-release-job:
runs-on: ubuntu-latest
needs:
- check-signature

container:
image: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06
image: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405

permissions: {}

steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

# Error: fatal: detected dubious ownership in repository at '/__w/cosign/cosign'
# To add an exception for this directory, call:
Expand Down Expand Up @@ -112,62 +113,11 @@ jobs:
- name: check disk space
run: df -h

- name: free up disk space
run: |
rm -rf /usr/share/dotnet/
rm -rf "$AGENT_TOOLSDIRECTORY"
rm -rf "/usr/local/share/boost"
rm -rf /opt/ghc
docker rmi $(docker image ls -aq) || true
swapoff /swapfile || true
rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc || true
apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
apt-get remove -y 'php.*' || true
apt-get autoremove -y >/dev/null 2>&1 || true
apt-get autoclean -y >/dev/null 2>&1 || true
- name: check disk space
run: df -h

- name: goreleaser snapshot
run: make snapshot
env:
PROJECT_ID: honk-fake-project
RUNTIME_IMAGE: gcr.io/distroless/static:debug-nonroot
RUNTIME_IMAGE: gcr.io/distroless/static-debian12:nonroot

- name: check binaries
run: |
Expand Down
127 changes: 65 additions & 62 deletions release/cloudbuild.yaml
View file
Open in desktop
Expand Up @@ -32,83 +32,86 @@ steps:
echo "Checking out ${_GIT_TAG}"
git checkout ${_GIT_TAG}

- name: 'gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057'
dir: "go/src/sigstore/cosign"
env:
- COSIGN_EXPERIMENTAL=true
- TUF_ROOT=/tmp
args:
- 'verify'
- 'ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06'
- name: 'gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967'
dir: "go/src/sigstore/cosign"
env:
- TUF_ROOT=/tmp
args:
- 'verify'
- 'ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405'
- '--certificate-oidc-issuer'
- "https://token.actions.githubusercontent.com"
- '--certificate-identity'
- "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0"

# maybe we can build our own image and use that to be more in a safe side
- name: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06
entrypoint: /bin/sh
dir: "go/src/sigstore/cosign"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- COSIGN_EXPERIMENTAL=true
- KO_PREFIX=gcr.io/${PROJECT_ID}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
gcloud auth configure-docker \
&& make release
# maybe we can build our own image and use that to be more in a safe side
- name: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405
entrypoint: /bin/sh
dir: "go/src/sigstore/cosign"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- COSIGN_YES=true
- KO_PREFIX=gcr.io/${PROJECT_ID}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
gcloud auth configure-docker \
&& make release

- name: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06
entrypoint: 'bash'
dir: "go/src/sigstore/cosign"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- KO_PREFIX=gcr.io/${PROJECT_ID}
- COSIGN_EXPERIMENTAL=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- GITHUB_USER=${_GITHUB_USER}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
&& make copy-signed-release-to-ghcr || true
- name: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405
entrypoint: 'bash'
dir: "go/src/sigstore/cosign"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- KO_PREFIX=gcr.io/${PROJECT_ID}
- COSIGN_YES=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- GITHUB_USER=${_GITHUB_USER}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
&& make sign-release-images && make copy-signed-release-to-ghcr || true

availableSecrets:
secretManager:
- versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
env: GITHUB_TOKEN
- versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
env: GITHUB_TOKEN

artifacts:
objects:
location: 'gs://${_STORAGE_LOCATION}/${_GIT_TAG}'
paths:
- "go/src/sigstore/cosign/dist/*"
- "go/src/sigstore/cosign/release/release-cosign.pub"
- "go/src/sigstore/cosign/dist/*"
- "go/src/sigstore/cosign/release/release-cosign.pub"

options:
machineType: E2_HIGHCPU_32

tags:
- cosign-release
- ${_GIT_TAG}
- ${_TOOL_ORG}
- ${_TOOL_REPO}
- cosign-release
- ${_GIT_TAG}
- ${_TOOL_ORG}
- ${_TOOL_REPO}

substitutions:
_GIT_TAG: 'v1.23.45'
Expand Down
12 changes: 2 additions & 10 deletions release/ko-sign-release-images.sh
View file
Open in desktop
Expand Up @@ -32,16 +32,8 @@ if [[ ! -f cosignImagerefs ]]; then
exit 1
fi

if [[ ! -f sgetImagerefs ]]; then
echo "sgetImagerefs not found"
exit 1
fi

echo "Signing cosign images with GCP KMS Key..."

cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs)
cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs)
cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to update sign script too since force flag no longer exists


echo "Signing images with Keyless..."
cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs)
cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat sgetImagerefs)
cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs)