From 0e7768fc51c80195d224fbf491fea06eea21d9d0 Mon Sep 17 00:00:00 2001
From: Kenny Leung
Date: Wed, 2 Mar 2022 11:19:02 -0800
Subject: [PATCH] Add step in release to mirror signed image to ghcr (#441)

Signed-off-by: Kenny Leung
---
 .github/workflows/cut-release.yml | 2 +-
 Makefile | 2 ++
 release/README.md | 3 ++-
 release/cloudbuild.yaml | 25 +++++++++++++++++++++++++
 release/release.mk | 7 +++++++
 5 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cut-release.yml b/.github/workflows/cut-release.yml
index c79f51113..382782c84 100644
--- a/.github/workflows/cut-release.yml
+++ b/.github/workflows/cut-release.yml
@@ -51,4 +51,4 @@ jobs:
   - name: Start cloudbuild job
     working-directory: ./src/github.com/sigstore/fulcio
-    run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }} --project=${{ env.PROJECT_ID }}
+    run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }},_GITHUB_USER=${{ github.actor }} --project=${{ env.PROJECT_ID }}
diff --git a/Makefile b/Makefile
index 7df160ee1..af74dd8e8 100644
--- a/Makefile
+++ b/Makefile
@@ -44,6 +44,8 @@ LDFLAGS=-X $(FULCIO_PKG).gitVersion=$(GIT_VERSION) -X $(FULCIO_PKG).gitCommit=$(
 KO_PREFIX ?= gcr.io/projectsigstore
 export KO_DOCKER_REPO=$(KO_PREFIX)
 
+GHCR_PREFIX ?= ghcr.io/sigstore
+
 lint: ## Runs golangci-lint
 	$(GOBIN)/golangci-lint run -v ./...
 
diff --git a/release/README.md b/release/README.md
index 89cd5de77..a9c5b727e 100644
--- a/release/README.md
+++ b/release/README.md
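Review bot: The username passed as `_GITHUB_USER=${{ github.actor }}` on the new `run:` line is whoever dispatched the workflow, while the password that `release/cloudbuild.yaml` feeds to `docker login ghcr.io` is the single `GITHUB_TOKEN` secret from Secret Manager, so the two identities only match if that token belongs to every person allowed to cut a release. GHCR appears to authorize on the token alone, but pairing the stored credential with a fixed account name (a literal or a repository variable, e.g. `_GITHUB_USER=${{ vars.GHCR_USER }}`) makes it explicit which account the mirror is pushed as and avoids a release that looks like it was pushed by a maintainer whose credential was never used. A short comment above the step, such as `# _GITHUB_USER must be the owner of the GITHUB_TOKEN secret in Secret Manager`, would document the dependency. The `steps:` list this hunk edits starts above the hunk.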
@@ -70,7 +70,7 @@ One time setup in ./hack/github-oidc-setup.sh. This is to provide GitHub actions
 ```shell
 $ gcloud builds submit --config \
-  --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=,_KEY_NAME= \
+  --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=,_KEY_NAME=,_GITHUB_USER= \
   --project
 ```
@@ -86,6 +86,7 @@ One time setup in ./hack/github-oidc-setup.sh. This is to provide GitHub actions
   - `_KEY_NAME` key name of your cosign key.
   - `_KEY_VERSION` version of the key storaged in KMS. Default `1`.
   - `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`.
+  - `_GITHUB_USER` GitHub user to authenticate for pushing to GHCR.
 
 4. When the job finish, whithout issues, you should be able to see in GitHub a draft release. You now can review the release, make any changes if needed and then publish to make it an official release.
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
index 342ad1d93..9e62dea2a 100644
--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -86,6 +86,30 @@ steps:
     && make sign-container-release \
     && make sign-keyless-release
 
+- name: gcr.io/cloud-builders/docker
+  entrypoint: 'bash'
+  dir: "go/src/sigstore/fulcio"
+  env:
+  - "GOPATH=/workspace/go"
+  - "GOBIN=/workspace/bin"
+  - PROJECT_ID=${PROJECT_ID}
+  - KEY_LOCATION=${_KEY_LOCATION}
+  - KEY_RING=${_KEY_RING}
+  - KEY_NAME=${_KEY_NAME}
+  - KEY_VERSION=${_KEY_VERSION}
+  - GIT_TAG=${_GIT_TAG}
+  - KO_PREFIX=gcr.io/${PROJECT_ID}
+  - COSIGN_EXPERIMENTAL=true
+  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
+  - GITHUB_USER=${_GITHUB_USER}
+  secretEnv:
+  - GITHUB_TOKEN
+  args:
+  - '-c'
+  - |
+    echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
+    && make copy-signed-release-to-ghcr
+
 availableSecrets:
   secretManager:
   - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
@@ -116,3 +140,4 @@ substitutions:
   _KEY_NAME: 'honk-crypto'
   _KEY_VERSION: '1'
   _KEY_LOCATION: 'global'
+  _GITHUB_USER: 'placeholder'
diff --git a/release/release.mk b/release/release.mk
index bd53bc0ce..75d60eaf6 100644
--- a/release/release.mk
+++ b/release/release.mk
@@ -83,3 +83,10 @@ sign-container-release: release-images
 .PHONY: sign-keyless-release
 sign-keyless-release:
 	cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/fulcio:$(GIT_VERSION)
+
+####################
+# copy image to GHCR
+####################
+
+.PHONY: copy-signed-release-to-ghcr
+	cosign copy ${KO_PREFIX}/fulcio:$(GIT_VERSION) ${GHCR_PREFIX}/fulcio:$(GIT_VERSION)
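Review bot: The new `gcr.io/cloud-builders/docker` step runs `make copy-signed-release-to-ghcr`, which needs `cosign`, but it only exports `GOPATH`/`GOBIN` and never adds `/workspace/bin` to `PATH`; unless a step outside this hunk installs cosign somewhere the builder image searches by default, the step fails only after `docker login` has already succeeded. Prefixing the call, `PATH=$$GOBIN:$$PATH make copy-signed-release-to-ghcr`, or mirroring whatever the signing step above does, would remove that dependency on the image's defaults. `_GITHUB_USER` defaults to `'placeholder'` in the `substitutions:` block, so a manual `gcloud builds submit` that omits it reaches the registry with a bogus username; a guard such as `[ "$$GITHUB_USER" != placeholder ] || { echo "_GITHUB_USER not set" >&2; exit 1; }` before the login fails faster and more clearly. The `KEY_*`, `COSIGN_EXPERIMENTAL` and `GOOGLE_SERVICE_ACCOUNT_NAME` variables are copied from the signing step but nothing in this step's command reads them, so dropping them keeps the step that holds the GitHub token to the minimum it needs.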
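Review bot: The new rule in `release/release.mk` has no target line: `.PHONY: copy-signed-release-to-ghcr` is followed directly by the tab-indented `cosign copy …` recipe, so as far as I can tell that recipe attaches to the `.PHONY` special target and `make copy-signed-release-to-ghcr`, as invoked by the new cloudbuild step, finds no rule for the target and the GHCR mirror never happens. Insert `copy-signed-release-to-ghcr:` between the `.PHONY:` line and the recipe, matching the `sign-keyless-release:` rule just above. Since the point of the target is to copy an already-signed image, consider declaring that dependency, `copy-signed-release-to-ghcr: sign-keyless-release`, so a standalone invocation cannot mirror an unsigned tag; the cloudbuild ordering sequences this today, but the Makefile does not.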