Use keyless cosign approach #152
Conversation
Signed-off-by: Brend Smits <[email protected]>
Signed-off-by: Brend Smits <[email protected]>
Codecov Report
@@ Coverage Diff @@
## main #152 +/- ##
=======================================
Coverage 77.54% 77.54%
=======================================
Files 15 15
Lines 610 610
=======================================
Hits 473 473
Misses 97 97
Partials 40 40
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report at Codecov.
|
There was a problem hiding this comment.
As described here #122. We decided to hold this back for a while.
Changes look good
We have to consider how to deal with the old releases, to make it transparent for our consumers on how to verify old releases and how to verify the new releases.
Currently the cosign.pub is not part of the release and only in the git repo.
We should think of a strategy how we make this transparent for our consumers which key to use to verify which version.
| @@ -70,6 +70,10 @@ jobs: | |||
| container_repos: ${{ steps.container_info.outputs.container_repos }} | |||
|
|
|||
| runs-on: ubuntu-20.04 | |||
| permissions: | |||
There was a problem hiding this comment.
probably better to set for the entire workflow as all jobs require it.
| @@ -124,6 +128,7 @@ jobs: | |||
| LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }} | |||
| GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }} | |||
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |||
| COSIGN_EXPERIMENTAL: 1 | |||
There was a problem hiding this comment.
Maybe also move this to the job level.
Makes sense, I'm going to close this PR until we have more time to work on those things. Keeping the branch. I meant to open a draft PR anyways! |
Still a work in progress.
Todo:
Signed-off-by: Brend Smits [email protected]