release: add gorelease scripts

Signed-off-by: Hector Fernandez <[email protected]>
sigstore · Aug 26, 2021 · 1ae7f58 · 1ae7f58
1 parent 30fa296
commit 1ae7f58
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 4 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -90,12 +90,32 @@ builds:
   tags:
     - pivkey
 
+- id: linux-cosigned
+  binary: cosigned-linux-{{ .Arch }}
+  no_unique_dist_dir: true
+  main: ./cmd/cosign/webhook
+  goos:
+    - linux
+  goarch:
+    - amd64
+  ldflags:
+    - "{{ .Env.LDFLAGS }}"
+  env:
+    - CGO_ENABLED=0
+
 signs:
   - id: cosign
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
     args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
+  - id: cosigned
+    signature: "${artifact}.sig"
+    cmd: ./dist/cosign-linux-amd64
+    args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    artifacts: binary
+    ids:
+      - linux-cosigned
 
 archives:
 - format: binary

diff --git a/Makefile b/Makefile
@@ -119,11 +119,22 @@ sign-container-cloudbuild: docker-cloudbuild
 
 
 # Build cosigned binary
+.PHONY: cosigned
 cosigned: lint
 	CGO_ENABLED=0 go build -ldflags $(LDFLAGS) -o $@ ./cmd/cosign/webhook
 
-cosigned-container:
-	docker build -f Dockerfile.cosigned -t hectorj2f/cosigned-admission-webhook:dev .
+.PHONY: cosigned-docker-cloudbuild
+cosigned-docker-cloudbuild:
+	docker build --build-arg RUNTIME_IMAGE=$(RUNTIME_IMAGE) \
+		-t "gcr.io/$(PROJECT_ID)/cosigned:$(GIT_TAG)" \
+		-t "gcr.io/$(PROJECT_ID)/cosigned:$(GIT_HASH)" -f Dockerfile.cosigned .
+
+.PHONY: cosigned-sign-container-cloudbuild
+cosigned-sign-container-cloudbuild: cosigned-docker-cloudbuild
+	docker push gcr.io/${PROJECT_ID}/cosigned:$(GIT_HASH)
+	docker push gcr.io/${PROJECT_ID}/cosigned:$(GIT_TAG)
+	cosign sign -key gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION} -a GIT_HASH=$(GIT_HASH) gcr.io/${PROJECT_ID}/cosigned:$(GIT_HASH)
+	cosign sign -key gcpkms://projects/${PROJECT_ID}/locations/${KEY_LOCATION}/keyRings/${KEY_RING}/cryptoKeys/${KEY_NAME}/versions/${KEY_VERSION} -a GIT_TAG=$(GIT_TAG) gcr.io/${PROJECT_ID}/cosigned:$(GIT_TAG)
 
 uninstall-cosigned: manifests
 	helm delete cosigned -n cosigned

diff --git a/chart/cosigned/values.yaml b/chart/cosigned/values.yaml
@@ -39,8 +39,8 @@ webhook:
   secretKeyRef:
     name:
   image:
-    repository: hectorj2f/cosigned-admission-webhook
-    tag: dev
+    repository: gcr.io/projectsigstore/cosigned
+    tag:
     pullPolicy: IfNotPresent
   env: {}
   extraArgs: {}

diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -70,6 +70,9 @@ steps:
     cosign verify-dockerfile -base-image-only -key https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub ./Dockerfile
     make sign-container-cloudbuild
 
+    cosign verify-dockerfile -base-image-only -key https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub ./Dockerfile.cosigned
+    make cosigned-sign-container-cloudbuild
+
 availableSecrets:
   secretManager:
   - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest