From 0f95b7090cef7b6f7ccd7da4a83f88def283fec1 Mon Sep 17 00:00:00 2001
From: Justin Marquis <34fathombelow@protonmail.com>
Date: Tue, 1 Nov 2022 08:50:41 -0700
Subject: [PATCH] chore: sign container images and checksum assets (#2334)
Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>
---
 .github/workflows/docker-publish.yml | 52 +++++++++++++++++++++++++++-
 .github/workflows/release.yaml | 36 +++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index c96f45c77f..47875b478e 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -94,4 +94,54 @@ jobs:
 target: kubectl-argo-rollouts
 platforms: ${{ steps.platform-matrix.outputs.platform-matrix }}
 push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ steps.plugin-meta.outputs.tags }}
\ No newline at end of file
+ tags: ${{ steps.plugin-meta.outputs.tags }}
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.13.1'
+
+ - name: Install crane to get digest of image
+ uses: imjasonh/setup-crane@v0.1
+
+ - name: Get digest of controller-image
+ run: |
+ if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
+ then
+ echo "CONTROLLER_DIGEST=$(crane digest quay.io/argoproj/argo-rollouts:latest)" >> $GITHUB_ENV
+ fi
+ if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
+ then
+ echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV
+ fi
+ if: github.event_name != 'pull_request'
+
+ - name: Get digest of plugin-image
+ run: |
+ if [[ "${{ github.ref == 'refs/heads/master' }}" ]]
+ then
+ echo "PLUGIN_DIGEST=$(crane digest quay.io/argoproj/kubectl-argo-rollouts:latest)" >> $GITHUB_ENV
+ fi
+ if [[ "${{ github.ref != 'refs/heads/master' }}" ]]
+ then
+ echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV
+ fi
+ if: github.event_name != 'pull_request'
+
+ - name: Sign Argo Rollouts Images
+ run: |
+ cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }}
+ cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }}
+ env:
+ COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+ if: ${{ github.event_name == 'push' }}
+
+ - name: Display the public key to share.
+ run: | + # Displays the public key to share + cosign public-key --key env://COSIGN_PRIVATE_KEY + env: + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + if: ${{ github.event_name == 'push' }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f24bf75caf..43f5d6e908 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -149,6 +149,40 @@ jobs: cd /tmp && tar -zcf sbom.tar.gz *.spdx + - name: Install cosign + uses: sigstore/cosign-installer@main + with: + cosign-release: 'v1.13.1' + + - name: Install crane to get digest of image + uses: imjasonh/setup-crane@v0.1 + + - name: Get digest of controller-image + run: | + echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV + + - name: Get digest of plugin-image + run: | + echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV + + - name: Sign Argo Rollouts Images + run: | + cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }} + cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }} + env: + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + + - name: Sign checksums and create public key for release assets + run: | + cosign sign-blob --key env://COSIGN_PRIVATE_KEY dist/argo-rollouts-checksums.txt > dist/argo-rollouts-checksums.sig + cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub + # Displays the public key to share. + cosign public-key --key env://COSIGN_PRIVATE_KEY + env: + COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} + COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} + - name: Draft release uses: softprops/action-gh-release@v1 with: 
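Review bot: The branch test in both `Get digest of …` steps, `if [[ "${{ github.ref == 'refs/heads/master' }}" ]]`, is always true: the expression is rendered to the literal string `true` or `false` before bash runs, and `[[ "false" ]]` succeeds because any non-empty string does, so both assignments execute on every ref and the second `>> $GITHUB_ENV` write silently wins. Compare the ref in the shell instead, e.g. `if [[ "${{ github.ref }}" == "refs/heads/master" ]]` and `if [[ "${{ github.ref }}" != "refs/heads/master" ]]`, and quote `"$GITHUB_ENV"` while there. Separately, `sigstore/cosign-installer@main` and `imjasonh/setup-crane@v0.1` are mutable references executing in a job that is handed `COSIGN_PRIVATE_KEY`; pin both to a full commit SHA so a change to the upstream action cannot alter what runs next to the signing key (the same two `uses:` lines appear in the release.yaml hunk below). The job's steps list begins before this hunk.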
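Review bot: Nothing verifies what the `Sign checksums and create public key for release assets` step produces before `Draft release` publishes it; adding `cosign verify-blob --key dist/argo-rollouts-cosign.pub --signature dist/argo-rollouts-checksums.sig dist/argo-rollouts-checksums.txt` after the `sign-blob` line (and a `cosign verify --key dist/argo-rollouts-cosign.pub <image>@<digest>` for the two references signed in the previous step) would fail the job on a malformed or mismatched signature instead of shipping it. The `Get digest of …` steps pass `${{ steps.controller-meta.outputs.tags }}` and `${{ steps.plugin-meta.outputs.tags }}` unquoted to `crane digest`; if either output is ever a multi-line list of tags the command would receive several arguments — presumably a single tag in the release flow, but the meta steps are outside this hunk and worth confirming. The enclosing job's steps list begins before this hunk.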
@@ -161,6 +195,8 @@ jobs:
 dist/kubectl-argo-rollouts-darwin-arm64
 dist/kubectl-argo-rollouts-windows-amd64
 dist/argo-rollouts-checksums.txt
+ dist/argo-rollouts-checksums.sig
+ dist/argo-rollouts-cosign.pub
 manifests/dashboard-install.yaml
 manifests/install.yaml
 manifests/namespace-install.yaml
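Review bot: `dist/argo-rollouts-cosign.pub` is published in the same release as the `dist/argo-rollouts-checksums.sig` it is meant to verify, so a consumer who takes the key from the release assets has no trust anchor independent of the release itself. Keeping the upload for convenience is fine, but the key (or at least its fingerprint) should also be recorded somewhere under separate control — the repository's documentation or a stable well-known URL — so verifiers can pin it once and notice if a later release ships a different key. The asset list under `with:` continues outside this hunk.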