From dd4a410480b191217a3fecc9750bf565b1794d12 Mon Sep 17 00:00:00 2001 From: Kenny Leung Date: Tue, 1 Mar 2022 12:09:39 -0800 Subject: [PATCH] Add step in release to mirror signed image to ghcr Signed-off-by: Kenny Leung --- .github/workflows/cut-release.yml | 2 +- Makefile | 2 ++ release/README.md | 3 ++- release/cloudbuild.yaml | 25 +++++++++++++++++++++++++ release/release.mk | 7 +++++++ 5 files changed, 37 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cut-release.yml b/.github/workflows/cut-release.yml index 33a49b832..84fbbc151 100644 --- a/.github/workflows/cut-release.yml +++ b/.github/workflows/cut-release.yml @@ -51,4 +51,4 @@ jobs: - name: Start cloudbuild job working-directory: ./src/github.com/sigstore/fulcio - run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }} --project=${{ env.PROJECT_ID }} + run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }},_GITHUB_USER=${{ github.actor }} --project=${{ env.PROJECT_ID }} diff --git a/Makefile b/Makefile index 7df160ee1..af74dd8e8 100644 --- a/Makefile +++ b/Makefile @@ -44,6 +44,8 @@ LDFLAGS=-X $(FULCIO_PKG).gitVersion=$(GIT_VERSION) -X $(FULCIO_PKG).gitCommit=$( KO_PREFIX ?= gcr.io/projectsigstore export KO_DOCKER_REPO=$(KO_PREFIX) +GHCR_PREFIX ?= ghcr.io/sigstore + lint: ## Runs golangci-lint $(GOBIN)/golangci-lint run -v ./... diff --git a/release/README.md b/release/README.md index 89cd5de77..43d49c3cf 100644 --- a/release/README.md +++ b/release/README.md @@ -70,7 +70,7 @@ One time setup in ./hack/github-oidc-setup.sh. This is to provide GitHub actions ```shell $ gcloud builds submit --config \ - --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=,_KEY_NAME= \ + --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=,_KEY_NAME=,_GITHUB_USER= \ --project ``` @@ -86,6 +86,7 @@ One time setup in ./hack/github-oidc-setup.sh. This is to provide GitHub actions - `_KEY_NAME` key name of your cosign key. - `_KEY_VERSION` version of the key storaged in KMS. Default `1`. - `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`. + - `_GITHUB_USER` GitHub user to authenticate for pushing to GHCR. 4. When the job finish, whithout issues, you should be able to see in GitHub a draft release. You now can review the release, make any changes if needed and then publish to make it an official release. diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 342ad1d93..9e62dea2a 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml @@ -86,6 +86,30 @@ steps: && make sign-container-release \ && make sign-keyless-release +- name: gcr.io/cloud-builders/docker + entrypoint: 'bash' + dir: "go/src/sigstore/fulcio" + env: + - "GOPATH=/workspace/go" + - "GOBIN=/workspace/bin" + - PROJECT_ID=${PROJECT_ID} + - KEY_LOCATION=${_KEY_LOCATION} + - KEY_RING=${_KEY_RING} + - KEY_NAME=${_KEY_NAME} + - KEY_VERSION=${_KEY_VERSION} + - GIT_TAG=${_GIT_TAG} + - KO_PREFIX=gcr.io/${PROJECT_ID} + - COSIGN_EXPERIMENTAL=true + - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com + - GITHUB_USER=${_GITHUB_USER} + secretEnv: + - GITHUB_TOKEN + args: + - '-c' + - | + echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \ + && make copy-signed-release-to-ghcr + availableSecrets: secretManager: - versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest @@ -116,3 +140,4 @@ substitutions: _KEY_NAME: 'honk-crypto' _KEY_VERSION: '1' _KEY_LOCATION: 'global' + _GITHUB_USER: 'placeholder' diff --git a/release/release.mk b/release/release.mk index bd53bc0ce..75d60eaf6 100644 --- a/release/release.mk +++ b/release/release.mk @@ -83,3 +83,10 @@ sign-container-release: release-images .PHONY: sign-keyless-release sign-keyless-release: cosign sign --force -a GIT_HASH=$(GIT_HASH) -a GIT_VERSION=$(GIT_VERSION) ${KO_PREFIX}/fulcio:$(GIT_VERSION) + +#################### +# copy image to GHCR +#################### + +.PHONY: copy-signed-release-to-ghcr + cosign copy ${KO_PREFIX}/fulcio:$(GIT_VERSION) ${GHCR_PREFIX}/fulcio:$(GIT_VERSION)