Add step in release to mirror signed image to ghcr (#441)
Signed-off-by: Kenny Leung <[email protected]>
k4leung4 authored Mar 2, 2022
1 parent 8c19704 commit 0e7768f
Showing 5 changed files with 37 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/cut-release.yml
Expand Up @@ -51,4 +51,4 @@ jobs:

- name: Start cloudbuild job
working-directory: ./src/github.com/sigstore/fulcio
run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }} --project=${{ env.PROJECT_ID }}
run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }},_GITHUB_USER=${{ github.actor }} --project=${{ env.PROJECT_ID }}
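Review bot: `_GITHUB_USER=${{ github.actor }}` on the new `run:` line binds the GHCR login name to whoever dispatched the workflow, while the password is a single `GITHUB_TOKEN` pulled from Secret Manager in the cloudbuild step this commit adds, i.e. a PAT that belongs to one fixed account. If ghcr.io checks the username against the token owner, the login fails for every actor except that one; if it does not, the value is meaningless and misleads anyone auditing who pushed the mirror. Prefer a fixed value naming the token's owner, e.g. `_GITHUB_USER=<token-owner-account>` held as a repository variable, and document that the secret and this user must be kept in sync. The `jobs:` block this step belongs to starts outside the hunk.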
2 changes: 2 additions & 0 deletions Makefile
Expand Up @@ -44,6 +44,8 @@ LDFLAGS=-X $(FULCIO_PKG).gitVersion=$(GIT_VERSION) -X $(FULCIO_PKG).gitCommit=$(
KO_PREFIX ?= gcr.io/projectsigstore
export KO_DOCKER_REPO=$(KO_PREFIX)

GHCR_PREFIX ?= ghcr.io/sigstore

lint: ## Runs golangci-lint
$(GOBIN)/golangci-lint run -v ./...

3 changes: 2 additions & 1 deletion release/README.md
Expand Up @@ -70,7 +70,7 @@ One time setup in ./hack/github-oidc-setup.sh. This is to provide GitHub actions

```shell
$ gcloud builds submit --config <PATH_TO_CLOUDBUILD> \
--substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
--substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME>,_GITHUB_USER=<GITHUB_USER> \
--project <GCP_PROJECT>
```

Expand All @@ -86,6 +86,7 @@ One time setup in ./hack/github-oidc-setup.sh. This is to provide GitHub actions
- `_KEY_NAME` key name of your cosign key.
- `_KEY_VERSION` version of the key storaged in KMS. Default `1`.
- `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`.
- `_GITHUB_USER` GitHub user to authenticate for pushing to GHCR.

4. When the job finish, whithout issues, you should be able to see in GitHub a draft release.
You now can review the release, make any changes if needed and then publish to make it an official release.
25 changes: 25 additions & 0 deletions release/cloudbuild.yaml
Expand Up @@ -86,6 +86,30 @@ steps:
&& make sign-container-release \
&& make sign-keyless-release
- name: gcr.io/cloud-builders/docker
entrypoint: 'bash'
dir: "go/src/sigstore/fulcio"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- KO_PREFIX=gcr.io/${PROJECT_ID}
- COSIGN_EXPERIMENTAL=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- GITHUB_USER=${_GITHUB_USER}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
&& make copy-signed-release-to-ghcr
availableSecrets:
secretManager:
- versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
Expand Down Expand Up @@ -116,3 +140,4 @@ substitutions:
_KEY_NAME: 'honk-crypto'
_KEY_VERSION: '1'
_KEY_LOCATION: 'global'
_GITHUB_USER: 'placeholder'
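Review bot: The new `gcr.io/cloud-builders/docker` step logs in to ghcr.io but never logs out, and `docker login` persists the token in `$HOME/.docker/config.json`, which in Cloud Build (default home `/builder/home`, as far as I know shared across steps) survives into every later step of the build, so the PAT outlives the one step that needs it. `echo $$GITHUB_TOKEN` is also unquoted, so it is subject to word splitting and `echo` option parsing; `printf '%s' "$$GITHUB_TOKEN"` is the safe form. I would write the script as `printf '%s' "$$GITHUB_TOKEN" | docker login ghcr.io -u "$$GITHUB_USER" --password-stdin && make copy-signed-release-to-ghcr; rc=$$?; docker logout ghcr.io; exit $$rc` so the credential is removed whether or not the copy succeeds. The `KEY_*` and `GOOGLE_SERVICE_ACCOUNT_NAME` entries under `env:` look copied from the signing step and are not used by a login-and-copy step; trimming them keeps the step readable and makes it obvious which secrets this step actually touches. A comment next to `secretEnv`, `# PAT of the GHCR push account; needs only the write:packages scope`, would tell the operator who provisions the secret how little privilege to grant.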
7 changes: 7 additions & 0 deletions release/release.mk
Expand Up @@ -83,3 +83,10 @@ sign-container-release: release-images
.PHONY: sign-keyless-release
sign-keyless-release:
cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/fulcio:$(GIT_VERSION)

####################
# copy image to GHCR
####################

.PHONY: copy-signed-release-to-ghcr
cosign copy ${KO_PREFIX}/fulcio:$(GIT_VERSION) ${GHCR_PREFIX}/fulcio:$(GIT_VERSION)
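Review bot: The new target has no rule line: `.PHONY: copy-signed-release-to-ghcr` is immediately followed by the tab-indented `cosign copy ...` recipe, so that recipe attaches to `.PHONY` rather than to the intended target, and `make copy-signed-release-to-ghcr` (as invoked from the new cloudbuild step) either reports no rule or does nothing, leaving the image unmirrored. Insert the missing target line between the two: `copy-signed-release-to-ghcr:`. It would also be worth checking the mirror actually carries the signatures rather than just the manifest, e.g. following the copy with a `cosign verify` of `${GHCR_PREFIX}/fulcio:$(GIT_VERSION)` using the same key material the `sign-container-release`/`sign-keyless-release` targets above use, so a release that silently lost its signatures in transit fails the build instead of being published.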
