From 752a72ba5f06e32eba83bc834b1c602a98ab5fc2 Mon Sep 17 00:00:00 2001
From: Kenny Leung
Date: Thu, 3 Mar 2022 12:56:18 -0800
Subject: [PATCH] Mirror signed release images from GCR to GHCR as part of release with Cloud Build.
Signed-off-by: Kenny Leung
---
 Makefile | 1 +
 release/README.md | 3 ++-
 release/cloudbuild.yaml | 25 +++++++++++++++++++++++++
 release/release.mk | 20 ++++++++++++++++++++
 4 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index a440e805c43..d522e9eed7a 100644
--- a/Makefile
+++ b/Makefile
@@ -55,6 +55,7 @@ GOLANGCI_LINT_BIN = $(GOLANGCI_LINT_DIR)/golangci-lint
 KO_PREFIX ?= gcr.io/projectsigstore
 export KO_DOCKER_REPO=$(KO_PREFIX)
+GHCR_PREFIX ?= ghcr.io/sigstore/cosign
 COSIGNED_YAML ?= cosign-$(GIT_TAG).yaml
 .PHONY: all lint test clean cosign cross
diff --git a/release/README.md b/release/README.md
index daa9c9074f3..d40d24021d5 100644
--- a/release/README.md
+++ b/release/README.md
@@ -32,7 +32,7 @@ $ git push origin ${RELEASE_TAG}
 ```shell
 $ gcloud builds submit --config \
- --substitutions _GIT_TAG=${RELEASE_TAG},_TOOL_ORG=sigstore,_TOOL_REPO=cosign,_STORAGE_LOCATION=cosign-releases,_KEY_RING=,_KEY_NAME= \
+ --substitutions _GIT_TAG=${RELEASE_TAG},_TOOL_ORG=sigstore,_TOOL_REPO=cosign,_STORAGE_LOCATION=cosign-releases,_KEY_RING=,_KEY_NAME=,_GITHUB_USER= \
 --project
 ```
@@ -48,6 +48,7 @@ Where:
 - `_KEY_NAME` key name of your cosign key.
 - `_KEY_VERSION` version of the key stored in KMS. Default `1`.
 - `_KEY_LOCATION` location in GCP where the key is stored. Default `global`.
+- `_GITHUB_USER` GitHub user to authenticate for pushing to GHCR.
 3. When the job finish, without issues, you should be able to see in GitHub a draft release.
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
index e9cd8518880..35467d9fe9b 100644
--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
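Review bot: `GHCR_PREFIX` is added without a comment saying what it is for, while the neighbouring `KO_PREFIX` is the source registry it is paired with in release/release.mk. A one-line comment such as `# Destination repo for mirroring signed release images to GHCR (see release.mk copy-signed-release-to-ghcr)` above the assignment would keep the roles of the two prefixes clear to whoever overrides them on the command line.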
@@ -65,6 +65,30 @@ steps:
 gcloud auth configure-docker \
 && make release
+- name: gcr.io/cloud-builders/docker
+ entrypoint: 'bash'
+ dir: "go/src/sigstore/fulcio"
+ env:
+ - "GOPATH=/workspace/go"
+ - "GOBIN=/workspace/bin"
+ - PROJECT_ID=${PROJECT_ID}
+ - KEY_LOCATION=${_KEY_LOCATION}
+ - KEY_RING=${_KEY_RING}
+ - KEY_NAME=${_KEY_NAME}
+ - KEY_VERSION=${_KEY_VERSION}
+ - GIT_TAG=${_GIT_TAG}
+ - KO_PREFIX=gcr.io/${PROJECT_ID}
+ - COSIGN_EXPERIMENTAL=true
+ - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
+ - GITHUB_USER=${_GITHUB_USER}
+ secretEnv:
+ - GITHUB_TOKEN
+ args:
+ - '-c'
+ - |
+ echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
+ && make copy-signed-release-to-ghcr
+ availableSecrets:
 secretManager:
 - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
@@ -96,3 +120,4 @@ substitutions:
 _KEY_NAME: 'honk-crypto'
 _KEY_VERSION: '1'
 _KEY_LOCATION: 'global'
+ _GITHUB_USER: 'placeholder'
diff --git a/release/release.mk b/release/release.mk
index 02243519441..a4290074bff 100644
--- a/release/release.mk
+++ b/release/release.mk
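Review bot: The new docker step leaves the ghcr.io credential in the builder's Docker config after `make copy-signed-release-to-ghcr` (later steps share the builder home) and never checks that the mirrored images still verify, so I would end the command with `&& docker logout ghcr.io` and follow the copy with a `cosign verify` of each mirrored `ghcr.io/sigstore/cosign/<image>:<tag>` using the same key the earlier signing step used, so the build only goes green if both image and signature landed. The step also inherits KEY_LOCATION/KEY_RING/KEY_NAME/KEY_VERSION and GOOGLE_SERVICE_ACCOUNT_NAME, which `cosign copy` should not need; trimming the env to GIT_TAG, KO_PREFIX, GITHUB_USER and the GITHUB_TOKEN secret keeps this push step scoped to the one credential it actually uses. `dir: "go/src/sigstore/fulcio"` in a cosign release config looks copied from fulcio; that is fine only if the checkout steps above this hunk use the same path, which I cannot see from here.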
@@ -49,3 +49,23 @@ sign-keyless-release: sign-keyless-cosign-release sign-keyless-cosigned-release
 .PHONY: snapshot
 snapshot:
 LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist --timeout 60m
+
+####################
+ # copy image to GHCR
+ ####################
+
+ .PHONY: copy-cosign-signed-release-to-ghcr
+ copy-cosign-signed-release-to-ghcr:
+ cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION)
+
+ .PHONY: copy-cosigned-signed-release-to-ghcr
+ copy-cosigned-signed-release-to-ghcr:
+ cosign copy $(KO_PREFIX)/cosigned:$(GIT_VERSION) $(GHCR_PREFIX)/cosigned:$(GIT_VERSION)
+
+ .PHONY: copy-sget-signed-release-to-ghcr
+ copy-sget-signed-release-to-ghcr:
+ cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION)
+
+ .PHONY: copy-signed-release-to-ghcr
+ copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-cosigned-signed-release-to-ghcr copy-sget-signed-release-to-ghcr
+
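Review bot: The three `copy-*-signed-release-to-ghcr` targets are identical apart from the image name, so a static pattern rule over an image list removes the triplication and makes mirroring a fourth image a one-word change; `.PHONY` targets skip implicit-rule search, which is why the fence uses the static form rather than a bare `copy-%-signed-release-to-ghcr:` pattern rule. The recipes expand `$(GIT_VERSION)` while the Cloud Build step added in this commit only exports GIT_TAG; presumably GIT_VERSION is derived from the checkout in the top-level Makefile, but it is worth confirming it resolves to the tag the `make release` step pushed, since an empty value yields a bare `…/cosign:` reference and a failing copy. A guard such as `$(if $(strip $(GIT_VERSION)),,$(error GIT_VERSION is empty))` as the first line of the recipe would turn that into a clear message.
```make
# … unchanged: "copy image to GHCR" section header …

# Images mirrored from $(KO_PREFIX) to $(GHCR_PREFIX); add a name here to mirror another.
GHCR_IMAGES := cosign cosigned sget
GHCR_COPY_TARGETS := $(GHCR_IMAGES:%=copy-%-signed-release-to-ghcr)

# Static pattern rule: the targets are explicit, so .PHONY still applies; $* is the image name.
.PHONY: $(GHCR_COPY_TARGETS)
$(GHCR_COPY_TARGETS): copy-%-signed-release-to-ghcr:
	cosign copy $(KO_PREFIX)/$*:$(GIT_VERSION) $(GHCR_PREFIX)/$*:$(GIT_VERSION)

.PHONY: copy-signed-release-to-ghcr
copy-signed-release-to-ghcr: $(GHCR_COPY_TARGETS)
```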