Add cosign signing on build #816

Merged (1 commit), Oct 27, 2021
20 changes: 18 additions & 2 deletions .github/build.yaml.gomplate
Expand Up @@ -445,6 +445,8 @@
{{{- else }}}
needs: tests-squashfs-{{{ $flavor }}}
{{{- end }}}
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: {{{ $flavor }}}
ARCH: {{{ $config.arch }}}
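Review bot: The job-level `permissions:` block added here lists only `id-token: write`, and GitHub sets every other GITHUB_TOKEN scope for the job to none as soon as any scope is listed; any step in the publish job that reads the repository through that token (an `actions/checkout` step, for one) then needs `contents: read` declared next to `id-token: write`, so add it explicitly instead of relying on the repository being public. The comment `# undocumented OIDC support.` will also age badly; state what the permission is for, e.g. `# OIDC token for cosign keyless signing (Fulcio)`, so nobody strips it as cruft later.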
Expand All @@ -455,14 +457,28 @@
{{{- if has $config "luet_install_from_cos_repo" }}}
LUET_INSTALL_FROM_COS_REPO: {{{ $config.luet_install_from_cos_repo }}}
{{{- end }}}
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-{{{ $flavor }}}
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
{{{ tmpl.Exec "prepare_build" }}}
{{{ tmpl.Exec "prepare_worker" }}}
{{{- if or $config.publishing_pipeline $config.push_cache }}}
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
{{{- end }}}
{{{ tmpl.Exec "make" "deps" }}}
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
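Review bot: `COSIGN_REPOSITORY: raccos/releases-{{{ $flavor }}}` has no registry host, so cosign stores signatures on Docker Hub while `FINAL_REPO` and the retained Quay login keep the images on quay.io; that split is legal, but `cosign verify` only locates these signatures when the verifier exports the same `COSIGN_REPOSITORY`, so the repo docs need the exact verify invocation, and note that unlike `FINAL_REPO` the signature repo omits `$config.arch`, so the arm64 and x86_64 jobs of a flavor write into one repository (digest-keyed, so no collision, but make it deliberate). Three smaller points in the same hunk: `PUBLISH_ARGS: "--plugin luet-cosign"` depends on a luet-cosign plugin that no step here installs, so confirm `make deps` provides it or add an install step beside `Install Cosign`; `docker/login-action@v1` is pinned to a mutable tag while `sigstore/cosign-installer` is pinned to a commit SHA with a version comment, so pin both the same way; and the new Docker Hub login should be backed by a Docker Hub access token limited to the `raccos` repositories rather than the account password in `DOCKER_PASSWORD`.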
20 changes: 18 additions & 2 deletions .github/workflows/build-master-blue-arm64.yaml
Expand Up @@ -104,13 +104,18 @@ jobs:
runs-on: ubuntu-latest
needs:
- build-blue-arm64
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: blue
ARCH: arm64
FINAL_REPO: quay.io/costoolkit/releases-blue-arm64
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-blue
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- run: |
sudo rm -rf build || true
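Review bot: `COSIGN_REPOSITORY: raccos/releases-blue` drops the `-arm64` suffix that `FINAL_REPO: quay.io/costoolkit/releases-blue-arm64` carries and sits on docker.io rather than quay.io, so the arm64 and x86_64 signatures for blue land in one Docker Hub repository apart from the images; cosign keys signatures by image digest, so this works, but the verification instructions must spell it out. Any adjustment belongs in `.github/build.yaml.gomplate`, since this workflow is generated from that template.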
Expand All @@ -130,12 +135,23 @@ jobs:
- uses: actions/checkout@v2
- run: |
git fetch --prune --unshallow
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
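Review bot: The `actions/checkout@v2` step at the top of this hunk now runs under the job-level `permissions:` block that grants only `id-token: write`, which leaves the token's `contents` scope at none; a public repository still checks out, but declare `contents: read` so the job does not break the day repository visibility or checkout settings change. The two `docker/login-action@v1` steps are tag-pinned while `cosign-installer` two steps below is SHA-pinned; pin all three to a commit SHA.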
20 changes: 18 additions & 2 deletions .github/workflows/build-master-blue-x86_64.yaml
Expand Up @@ -112,13 +112,18 @@ jobs:
runs-on: ubuntu-latest
needs:
- build-blue-x86_64
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: blue
ARCH: x86_64
FINAL_REPO: quay.io/costoolkit/releases-blue
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-blue
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- name: Install Go
uses: actions/setup-go@v2
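Review bot: `COSIGN_EXPERIMENTAL: 1` makes this job sign keylessly, so the signing identity is the OIDC token of this workflow run (repository plus workflow path), and the short-lived Fulcio certificate and signature are recorded in the public Rekor transparency log; a verifier must check that certificate identity, not merely that some Fulcio-issued signature exists, so the docs should publish the expected identity next to `COSIGN_REPOSITORY: raccos/releases-blue`. The digests of every signed image also become discoverable through the log, which is fine for a public release pipeline but should be a conscious choice.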
Expand All @@ -131,12 +136,23 @@ jobs:
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
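Review bot: The Docker Hub login added here exists only because `COSIGN_REPOSITORY` points at docker.io while the images stay on quay.io; storing signatures next to the images under `quay.io/costoolkit/` would remove `DOCKER_USERNAME` and `DOCKER_PASSWORD` from the job altogether, one fewer publish credential to protect. If the Docker Hub location is intentional, back `DOCKER_PASSWORD` with a scoped access token rather than the account password, and confirm `make deps` installs the `luet-cosign` plugin named in `PUBLISH_ARGS`, since nothing in this hunk does.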
20 changes: 18 additions & 2 deletions .github/workflows/build-master-green-arm64.yaml
Expand Up @@ -403,13 +403,18 @@ jobs:
publish-green:
runs-on: ubuntu-latest
needs: tests-squashfs-green
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: green
ARCH: arm64
FINAL_REPO: quay.io/costoolkit/releases-green-arm64
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-green
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- run: |
sudo rm -rf build || true
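Review bot: The comment `# undocumented OIDC support.` on `id-token: write` should say what the permission buys, namely the OIDC token for cosign keyless signing, so the next reader does not remove it; that wording lives in `.github/build.yaml.gomplate`, from which this file is generated. As in the other workflows, `COSIGN_REPOSITORY: raccos/releases-green` is shared by the arm64 and x86_64 publish jobs and is on a different registry than `FINAL_REPO: quay.io/costoolkit/releases-green-arm64`, which the verification docs need to state.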
Expand All @@ -429,12 +434,23 @@ jobs:
- uses: actions/checkout@v2
- run: |
git fetch --prune --unshallow
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
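Review bot: Replacing the `echo ${{ secrets.QUAY_PASSWORD }} | docker login ...` run step with `docker/login-action@v1` is a good change: the secret is no longer expanded into a shell command line, where a quoting mistake or a debug `set -x` could have echoed it into the job log. The `Install Cosign` step is ordered correctly before the download and publish, but the `luet-cosign` plugin that `PUBLISH_ARGS` invokes is installed by nothing in this hunk; if `make deps` supplies it, a comment saying so would help, otherwise add an explicit install step.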
20 changes: 18 additions & 2 deletions .github/workflows/build-master-green-x86_64.yaml
Expand Up @@ -445,13 +445,18 @@ jobs:
publish-green:
runs-on: ubuntu-latest
needs: tests-squashfs-green
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: green
ARCH: x86_64
FINAL_REPO: quay.io/costoolkit/releases-green
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-green
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- name: Install Go
uses: actions/setup-go@v2
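Review bot: Because `publish-green` has `needs: tests-squashfs-green`, the keyless signature this job produces also attests that the image passed the squashfs tests, which is worth documenting as part of what the signature means. For consumers, the docs should show verification with the same environment this job uses, i.e. `COSIGN_EXPERIMENTAL=1` and `COSIGN_REPOSITORY=raccos/releases-green` exported before `cosign verify` against the `FINAL_REPO` image, plus the workflow identity they should expect in the certificate.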
Expand All @@ -464,12 +469,23 @@ jobs:
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
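Review bot: `docker/login-action@v1` appears twice in this hunk pinned to a floating major tag while `sigstore/cosign-installer` is pinned to commit `f700e6fbbab82f6897758a3af7a8dede4e308656` with a `# v1.2.1` comment; an action that handles registry credentials deserves the same SHA pin, so fix it in `.github/build.yaml.gomplate` and regenerate. Dropping the `echo ${{ secrets.QUAY_PASSWORD }} | docker login` shell step in favour of the action is the right move, as the secret no longer passes through a shell command line.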
20 changes: 18 additions & 2 deletions .github/workflows/build-master-orange-arm64.yaml
Expand Up @@ -106,13 +106,18 @@ jobs:
runs-on: ubuntu-latest
needs:
- build-orange-arm64
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: orange
ARCH: arm64
FINAL_REPO: quay.io/costoolkit/releases-orange-arm64
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-orange
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- run: |
sudo rm -rf build || true
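Review bot: `COSIGN_REPOSITORY: raccos/releases-orange` omits the `-arm64` suffix present in `FINAL_REPO: quay.io/costoolkit/releases-orange-arm64` and resolves to Docker Hub, so the orange arm64 and x86_64 jobs share one signature repository away from the images; acceptable if intended, but say so in the docs and in the template rather than leaving it implicit. The `# undocumented OIDC support.` comment should name the purpose (keyless cosign signing) instead of the documentation status.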
Expand All @@ -132,12 +137,23 @@ jobs:
- uses: actions/checkout@v2
- run: |
git fetch --prune --unshallow
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
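Review bot: Nothing in this hunk installs the `luet-cosign` plugin that `PUBLISH_ARGS: "--plugin luet-cosign"` selects; `Install Cosign` only provides the cosign binary, so either confirm that `sudo -E make deps` pulls the plugin in or add an install step. The `actions/checkout@v2` at the top of the hunk now runs with only `id-token: write` granted at job level, so `contents: read` should be declared alongside it rather than left implicit.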
20 changes: 18 additions & 2 deletions .github/workflows/build-master-orange-x86_64.yaml
Expand Up @@ -112,13 +112,18 @@ jobs:
runs-on: ubuntu-latest
needs:
- build-orange-x86_64
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: orange
ARCH: x86_64
FINAL_REPO: quay.io/costoolkit/releases-orange
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-orange
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- name: Install Go
uses: actions/setup-go@v2
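Review bot: With `COSIGN_EXPERIMENTAL: 1` the trust anchor for these signatures is the identity of this workflow as asserted by GitHub's OIDC token, so a verifier that only checks for a Fulcio certificate would accept a signature produced by any other GitHub workflow; the expected identity (this repository and workflow) belongs in the release documentation next to `COSIGN_REPOSITORY: raccos/releases-orange`.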
Expand All @@ -131,12 +136,23 @@ jobs:
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
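Review bot: `DOCKER_USERNAME` and `DOCKER_PASSWORD` are new publish credentials introduced solely to push signatures to docker.io; use a Docker Hub access token restricted to the `raccos` repositories for `DOCKER_PASSWORD`, or move the signature repository to quay.io beside `FINAL_REPO` and drop this login and its two secrets entirely.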
20 changes: 18 additions & 2 deletions .github/workflows/build-releases-blue-arm64.yaml
Expand Up @@ -104,13 +104,18 @@ jobs:
runs-on: ubuntu-latest
needs:
- build-blue-arm64
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: blue
ARCH: arm64
FINAL_REPO: quay.io/costoolkit/releases-blue-arm64
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-blue
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- run: |
sudo rm -rf build || true
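Review bot: This release workflow signs into `COSIGN_REPOSITORY: raccos/releases-blue`, the same repository the master workflow `build-master-blue-arm64.yaml` uses, so master builds and release builds cannot be told apart by where their signatures live; with keyless signing the distinction is only in the certificate's workflow identity, which makes publishing the expected identity for release artifacts part of the verification documentation.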
Expand All @@ -130,12 +135,23 @@ jobs:
- uses: actions/checkout@v2
- run: |
git fetch --prune --unshallow
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
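Review bot: Removing `echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io` in favour of `docker/login-action@v1` keeps the Quay secret out of the shell command line, which is an improvement in its own right; the new action should nonetheless be SHA-pinned like `sigstore/cosign-installer` below it, since a release pipeline is exactly where a hijacked `v1` tag would hurt most.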
20 changes: 18 additions & 2 deletions .github/workflows/build-releases-blue-x86_64.yaml
Expand Up @@ -112,13 +112,18 @@ jobs:
runs-on: ubuntu-latest
needs:
- build-blue-x86_64
permissions:
id-token: write # undocumented OIDC support.
env:
FLAVOR: blue
ARCH: x86_64
FINAL_REPO: quay.io/costoolkit/releases-blue
DOWNLOAD_METADATA: true
DOWNLOAD_ALL: true
DOWNLOAD_ONLY: true
COSIGN_EXPERIMENTAL: 1 # use keyless signing
COSIGN_REPOSITORY: raccos/releases-blue
PUBLISH_ARGS: "--plugin luet-cosign"
steps:
- name: Install Go
uses: actions/setup-go@v2
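Review bot: `COSIGN_REPOSITORY: raccos/releases-blue` here is identical to the value in the master and arm64 workflows, so every blue build from every pipeline signs into one Docker Hub repository separate from `FINAL_REPO: quay.io/costoolkit/releases-blue`; that is coherent only if the verification docs tell consumers to set the same `COSIGN_REPOSITORY` and to check the certificate identity for the release workflow. Since this file is generated, the change goes in `.github/build.yaml.gomplate`.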
Expand All @@ -131,12 +136,23 @@ jobs:
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
- name: Login to Quay Registry
run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Run make deps
run: |
sudo -E make deps
sudo luet install --no-spinner -y toolchain/yq
- name: Install Cosign
uses: sigstore/cosign-installer@f700e6fbbab82f6897758a3af7a8dede4e308656 # v1.2.1
- name: Download result for build
uses: actions/download-artifact@v2
with:
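Review bot: The Docker Hub login added to the release pipeline is tag-pinned (`docker/login-action@v1`) and fed by `DOCKER_PASSWORD`; for a job that publishes signed release artifacts, pin the action to a commit SHA as `cosign-installer` already is, and back the secret with a scoped Docker Hub access token rather than the account password. Confirm as well that `make deps` installs the `luet-cosign` plugin referenced in `PUBLISH_ARGS`, because no step in this hunk does.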