diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9c26d7d8..b8e1884c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -76,6 +76,11 @@ jobs:
 with:
 go-version: 1.17
 
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v1.4.1
+ with:
+ cosign-release: 'v1.4.1'
+
 - name: Checkout
 uses: actions/checkout@v2.4.0
 with:
@@ -100,6 +105,10 @@ jobs:
 fi
 rm -f /tmp/spiffe-vault-release-vars.env
 
+ - name: Install signing key
+ run: |
+ echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
+
 - name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
 uses: goreleaser/goreleaser-action@v2
 with:
@@ -109,6 +118,7 @@ jobs:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }}
 GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
 - name: Get container info
 id: container_info
@@ -125,6 +135,10 @@ jobs:
 docker logout
 docker logout ghcr.io
 
+ - name: Cleanup signing keys
+ if: ${{ always() }}
+ run: rm -f cosign.key
+
 container-provenance:
 name: container-provenance
 needs: [release]
@@ -142,7 +156,7 @@ jobs:
 cosign-release: 'v1.4.1'
 
 - name: Generate provenance for ${{ matrix.repo }}
- uses: philips-labs/slsa-provenance-action@v0.5.0
+ uses: philips-labs/slsa-provenance-action@v0.5.1-draft
 with:
 command: generate
 subcommand: container
@@ -169,7 +183,6 @@ jobs:
 
 - name: Verify attestation
 run: |
- echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
 cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
 
 - name: Logout from Container registries
@@ -177,6 +190,7 @@ jobs:
 run: |
 docker logout
 docker logout ghcr.io
+ rm -f cosign.key
 
 provenance:
 name: provenance
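Review bot: `uses: sigstore/cosign-installer@v1.4.1` in the new Install cosign step pins a third-party action to a mutable tag, inside the job that later handles the release signing key. For a workflow whose whole purpose is provenance and signing, pin the action to its full commit SHA and keep the version as a comment, `uses: sigstore/cosign-installer@<commit-sha>  # v1.4.1`; the `cosign-release: 'v1.4.1'` input can stay as is, the tag reference is the mutable part. The enclosing job starts outside the hunk.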
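Review bot: `echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key` interpolates the secret into the script text before bash runs it, so the key material is handled as shell source rather than data (a single quote inside it would end the literal), which is the pattern GitHub's hardening guidance tells you to avoid by passing secrets to `run` steps through `env`. The file is also created under the runner's default umask, which is likely world-readable, in the workspace root where the goreleaser and docker steps that follow operate. Writing it from an environment variable under a restrictive umask addresses both; the always-run cleanup step this commit adds further down already removes the file afterwards.
```yaml
      - name: Install signing key
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          umask 077
          printf '%s\n' "$COSIGN_PRIVATE_KEY" > cosign.key
```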
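Review bot: With `echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub` removed, `cosign verify-attestation --key cosign.pub ...` now depends on a cosign.pub that already exists in the job's working directory, and nothing in this hunk puts it there. The goreleaser changes in this commit treat cosign.pub as a file in the repository root, so presumably the container-provenance job is expected to check out the repository before this step; confirm that step exists in the part of the job outside the hunk, since otherwise cosign fails on a missing key file rather than verifying anything. The step's job definition starts outside the hunk.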
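Review bot: `rm -f cosign.key` is added to the container-provenance job's logout step, but nothing visible in that job writes cosign.key; the private key is only written by the release job's Install signing key step, which gets its own always-run cleanup in this commit, and this job works with cosign.pub. Either drop the line, or if a step outside the hunk does write the key here, move the removal into a dedicated `if: always()` step as in the release job, so that a failing `docker logout` cannot skip it. The enclosing job starts outside the hunk.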
@@ -186,7 +200,7 @@ jobs:
 
 steps:
 - name: Generate provenance for Release
- uses: philips-labs/slsa-provenance-action@v0.5.0
+ uses: philips-labs/slsa-provenance-action@v0.5.1-draft
 with:
 command: generate
 subcommand: github-release
diff --git a/.github/workflows/example-publish.yaml b/.github/workflows/example-publish.yaml
index c700b8fb..a6b45c87 100644
--- a/.github/workflows/example-publish.yaml
+++ b/.github/workflows/example-publish.yaml
@@ -26,7 +26,7 @@ jobs:
 uses: actions/download-artifact@v2
 
 - name: Generate provenance
- uses: philips-labs/slsa-provenance-action@v0.5.0
+ uses: philips-labs/slsa-provenance-action@v0.5.1-draft
 with:
 command: generate
 subcommand: files
diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml
index c99fddd2..d7777648 100644
--- a/.goreleaser.draft.yml
+++ b/.goreleaser.draft.yml
@@ -30,10 +30,15 @@ archives:
 files:
 - LICENSE*
 - README*
+ - cosign.pub
+ - dist/*.sig
 format_overrides:
 - goos: windows
 format: zip
 
+checksum:
+ name_template: 'checksums.txt'
+
 dockers:
 - goos: linux
 goarch: amd64
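Review bot: `- dist/*.sig` under `archives.files` is resolved when the archives are assembled, and in goreleaser's pipeline the archive and checksum stages run before the `signs` stage that produces the `.sig` files (the signatures are made over the finished archives and checksums), so as far as I can tell the glob matches nothing at that point, or stale files left from a previous run, and an archive can in any case never contain its own signature. Drop the entry and let the signatures ship as separate release assets, which the new `signs` section already arranges. The same line is added to `.goreleaser.yml` in its `@@ -30,10 +30,15 @@` hunk.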
@@ -57,8 +62,54 @@ dockers:
 - "go.sum"
 - "cmd"
 - "lib"
-checksum:
- name_template: 'checksums.txt'
+
+signs:
+ - id: checksums
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: checksum
+ args:
+ - sign-blob
+ - --key
+ - cosign.key
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - id: binaries
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: binary
+ args:
+ - sign-blob
+ - --key
+ - cosign.key
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - id: archives
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: archive
+ args:
+ - sign-blob
+ - --key
+ - cosign.key
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+
+docker_signs:
+ - cmd: cosign
+ artifacts: all
+ output: true
+ args:
+ - 'sign'
+ - --key
+ - cosign.key
+ - '${artifact}'
 
 snapshot:
 name_template: "{{ .Version }}-next"
@@ -75,3 +126,5 @@ changelog:
 release:
 draft: true
 prerelease: auto
+ extra_files:
+ - glob: "./cosign.pub"
diff --git a/.goreleaser.yml b/.goreleaser.yml
index a274937a..d8865219 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -30,10 +30,15 @@ archives:
 files:
 - LICENSE*
 - README*
+ - cosign.pub
+ - dist/*.sig
 format_overrides:
 - goos: windows
 format: zip
 
+checksum:
+ name_template: 'checksums.txt'
+
 dockers:
 - goos: linux
 goarch: amd64
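Review bot: The three `signs` entries differ only in `id` and `artifacts`; the seven-line `args` block is repeated verbatim, so any future change to the cosign invocation has to be made three times (and a fourth time in `docker_signs`). If the goreleaser version pinned in this commit accepts `artifacts: all` for the checksum, archive and binary types together, one entry replaces the three; otherwise a one-line comment above the block explaining why each type is signed separately would help the next maintainer. In `docker_signs`, `${artifact}` is the image reference by tag; where the template exposes the image digest, signing by digest rather than by tag avoids a tag being moved between build and signing. The same block is added to `.goreleaser.yml` in its `@@ -57,8 +62,54 @@` hunk.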
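Review bot: `extra_files: - glob: "./cosign.pub"` publishes the verification key as an asset of the very release it is meant to verify, so a consumer who fetches both from the release page is trusting the release channel for the key as well as the artifacts, which defeats the purpose of the signature. That is fine as a convenience, but the trusted copy needs an independent channel (the committed file in the repository, or the project documentation), and the README should say which one to use with `cosign verify-attestation --key cosign.pub`. The same two lines are added to `.goreleaser.yml` in its `@@ -75,3 +126,5 @@` hunk.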
@@ -57,8 +62,54 @@ dockers:
 - "go.sum"
 - "cmd"
 - "lib"
-checksum:
- name_template: 'checksums.txt'
+
+signs:
+ - id: checksums
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: checksum
+ args:
+ - sign-blob
+ - --key
+ - cosign.key
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - id: binaries
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: binary
+ args:
+ - sign-blob
+ - --key
+ - cosign.key
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+ - id: archives
+ cmd: cosign
+ stdin: '{{ .Env.COSIGN_PASSWORD }}'
+ output: true
+ artifacts: archive
+ args:
+ - sign-blob
+ - --key
+ - cosign.key
+ - '--output-certificate=${certificate}'
+ - '--output-signature=${signature}'
+ - '${artifact}'
+
+docker_signs:
+ - cmd: cosign
+ artifacts: all
+ output: true
+ args:
+ - 'sign'
+ - --key
+ - cosign.key
+ - '${artifact}'
 
 snapshot:
 name_template: "{{ .Version }}-next"
@@ -75,3 +126,5 @@ changelog:
 release:
 draft: false
 prerelease: auto
+ extra_files:
+ - glob: "./cosign.pub"
diff --git a/Makefile b/Makefile
index 1ad9c66f..bdcf86d7 100644
--- a/Makefile
+++ b/Makefile
@@ -88,7 +88,7 @@ image: ## build the binary in a docker image
 .
 
 $(GO_PATH)/bin/goreleaser:
- go install github.com/goreleaser/goreleaser@v0.182.1
+ go install github.com/goreleaser/goreleaser@v1.2.5
 
 .PHONY: snapshot-release
 snapshot-release: $(GO_PATH)/bin/goreleaser ## creates a snapshot release using goreleaser
diff --git a/README.md b/README.md
index f1049f88..8bd84aa5 100644
--- a/README.md
+++ b/README.md
@@ -109,7 +109,7 @@ See all available images [here.](https://hub.docker.com/r/philipssoftware/slsa-p
 Run the Docker image by doing:
 
 ```sh
-docker run philipssoftware/slsa-provenance:v0.5.0
+docker run philipssoftware/slsa-provenance:v0.5.1-draft
 ```
 
 **GitHub Container Registry**
@@ -117,7 +117,7 @@ See all available images [here.](https://github.com/philips-labs/slsa-provenance
 Run the Docker image by doing:
 
 ```sh
-docker run ghcr.io/philips-labs/slsa-provenance:v0.5.0
+docker run ghcr.io/philips-labs/slsa-provenance:v0.5.1-draft
 ```
 
 The Docker image includes the working binary that can be executed by using the ``slsa-provenance`` command.
@@ -145,7 +145,7 @@ The easiest way to use this action is to add the following into your workflow fi
 
 steps:
 - name: Generate provenance for Release
- uses: philips-labs/slsa-provenance-action@v0.5.0
+ uses: philips-labs/slsa-provenance-action@v0.5.1-draft
 with:
 command: generate
 subcommand: files
@@ -180,7 +180,7 @@ The easiest way to use this action is to add the following into your workflow fi
 path: extra-materials/
 
 - name: Generate provenance
- uses: philips-labs/slsa-provenance-action@v0.5.0
+ uses: philips-labs/slsa-provenance-action@v0.5.1-draft
 with:
 command: generate
 subcommand: files
diff --git a/action.yaml b/action.yaml
index fdeacf31..fdf13096 100644
--- a/action.yaml
+++ b/action.yaml
@@ -47,6 +47,6 @@ runs:
 run: |
 echo Running slsa-provenance with following arguments
 echo ${{ steps.compose-args.outputs.provenance_args }}
- - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.5.0'
+ - uses: 'docker://ghcr.io/philips-labs/slsa-provenance:v0.5.1-draft'
 with:
 args: ${{ steps.compose-args.outputs.provenance_args }}
diff --git a/release.md b/release.md
index 77fd63a2..27b3aa9a 100644
--- a/release.md
+++ b/release.md
@@ -5,7 +5,7 @@ To make a new release you can make use of the following `make` task. ```bash -make gh-release NEW_VERSION=v0.6.0 OLD_VERSION=v0.5.0 DESCRIPTION="A test release to see how it works" +make gh-release NEW_VERSION=v0.6.0 OLD_VERSION=v0.5.1-draft DESCRIPTION="A test release to see how it works" ``` `NEW_VERSION` the version that you want to release.