Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cherry picks to release-1.5 branch #1482

Merged
merged 6 commits into from
Feb 18, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions .github/workflows/validate-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,8 @@ jobs:
statuses: none

env:
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.4.1@sha256:502d5130431e45f28c51d2c24a05ef5ccd3fd916bcc91db0c8bee3a81e09a0bb
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.7-0@sha256:949325ffc52c16867d78412ce70f5ce531812c20e7528ae70dc9e718d72223e8
COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.5.1@sha256:6247b2e693b0e6a62dcfa75eb46b698c1f4cd1aca36aaefafd4bbb2f2b2af717

steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
Expand All @@ -58,6 +58,7 @@ jobs:
run: |
docker run --rm --privileged \
-e PROJECT_ID=honk-fake-project \
-e CI=$CI \
-e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \
-v ${PWD}:/go/src/sigstore/cosign \
-v /var/run/docker.sock:/var/run/docker.sock \
Expand Down
5 changes: 5 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,10 @@ before:
hooks:
- go mod tidy
- /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
# if running a release we will generate the images in this step
# if running in the CI the CI env va is set and we dont run the ko steps
# this is needed because we are generating files that goreleaser was not aware to push to GH project release
- /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release && make sign-keyless-release; fi'

gomod:
proxy: true
Expand Down Expand Up @@ -250,6 +254,7 @@ release:

extra_files:
- glob: "./release/release-cosign.pub"
- glob: "./cosign*.yaml"

rigs:
- rig:
Expand Down
5 changes: 3 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ GOLANGCI_LINT_BIN = $(GOLANGCI_LINT_DIR)/golangci-lint

KO_PREFIX ?= gcr.io/projectsigstore
export KO_DOCKER_REPO=$(KO_PREFIX)
COSIGNED_YAML ?= cosign-$(GIT_TAG).yaml

.PHONY: all lint test clean cosign cross
all: cosign
Expand Down Expand Up @@ -133,9 +134,9 @@ ko:

# cosigned
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
KO_DOCKER_REPO=${KO_PREFIX}/cosigned ko publish --bare \
KO_DOCKER_REPO=${KO_PREFIX}/cosigned ko resolve --bare \
--platform=all --tags $(GIT_VERSION) --tags $(GIT_HASH) \
github.com/sigstore/cosign/cmd/cosign/webhook
--filename config/ > $(COSIGNED_YAML)

# sget
LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
Expand Down
33 changes: 6 additions & 27 deletions release/cloudbuild.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,10 +39,10 @@ steps:
- TUF_ROOT=/tmp
args:
- 'verify'
- 'ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9'
- 'ghcr.io/gythialy/golang-cross:v1.17.7-0@sha256:949325ffc52c16867d78412ce70f5ce531812c20e7528ae70dc9e718d72223e8'

# maybe we can build our own image and use that to be more in a safe side
- name: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
- name: ghcr.io/gythialy/golang-cross:v1.17.7-0@sha256:949325ffc52c16867d78412ce70f5ce531812c20e7528ae70dc9e718d72223e8
entrypoint: /bin/sh
dir: "go/src/sigstore/cosign"
env:
Expand All @@ -56,36 +56,14 @@ steps:
- GIT_TAG=${_GIT_TAG}
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- COSIGN_EXPERIMENTAL=true
- KO_PREFIX=gcr.io/${PROJECT_ID}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
make release

- name: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
entrypoint: 'bash'
dir: "go/src/sigstore/cosign"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- KO_PREFIX=gcr.io/${PROJECT_ID}
- COSIGN_EXPERIMENTAL=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
gcloud auth configure-docker \
&& make sign-container-release \
&& make sign-keyless-release
gcloud auth configure-docker \
&& make release

availableSecrets:
secretManager:
Expand All @@ -98,6 +76,7 @@ artifacts:
paths:
- "go/src/sigstore/cosign/dist/*"
- "go/src/sigstore/cosign/release/release-cosign.pub"
- "go/src/sigstore/cosign/cosign*.yaml"

options:
machineType: E2_HIGHCPU_8
Expand Down
4 changes: 2 additions & 2 deletions release/release.mk
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
# used when releasing together with GCP CloudBuild
.PHONY: release
release:
LDFLAGS="$(LDFLAGS)" goreleaser release
LDFLAGS="$(LDFLAGS)" goreleaser release --timeout 120m

###########################
# sign with GCP KMS section
Expand Down Expand Up @@ -48,4 +48,4 @@ sign-keyless-release: sign-keyless-cosign-release sign-keyless-cosigned-release
# used when need to validate the goreleaser
.PHONY: snapshot
snapshot:
LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist
LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist --timeout 60m