fix release workflow to checkout first #2063
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Fulcio&Rekor E2E Tests | |
on: | |
pull_request: | |
branches: [ main ] | |
paths-ignore: | |
- 'terraform/**' | |
permissions: read-all | |
defaults: | |
run: | |
shell: bash | |
working-directory: ./src/github.com/sigstore/scaffolding | |
concurrency: | |
group: fulcio-rekor-kind-${{ github.head_ref }} | |
cancel-in-progress: true | |
jobs: | |
fulcio-rekor-ctlog-tests: | |
name: e2e tests | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false # Keep running if one leg fails. | |
matrix: | |
k8s-version: | |
- v1.27.x | |
- v1.28.x | |
- v1.29.x | |
- v1.30.x | |
leg: | |
- fulcio rekor ctlog e2e | |
go-version: | |
- 1.23.x | |
env: | |
GOPATH: ${{ github.workspace }} | |
GO111MODULE: on | |
GOFLAGS: -ldflags=-s -ldflags=-w | |
KO_DOCKER_REPO: registry.local:5000/knative | |
KOCACHE: ~/ko | |
steps: | |
- name: Check out our repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
path: ./src/github.com/sigstore/scaffolding | |
- uses: chainguard-dev/actions/setup-mirror@main | |
# https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds | |
- name: Set up Go | |
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
with: | |
go-version: ${{ matrix.go-version }} | |
check-latest: true | |
- uses: actions/cache@v4 | |
with: | |
# In order: | |
# * Module download cache | |
# * Build cache (Linux) | |
path: | | |
~/go/pkg/mod | |
~/.cache/go-build | |
${{ env.KOCACHE }} | |
key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go-${{ matrix.go-version }}- | |
- uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 | |
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 | |
- name: Setup Cluster | |
uses: chainguard-dev/actions/setup-kind@main | |
id: kind | |
with: | |
k8s-version: ${{ matrix.k8s-version }} | |
registry-authority: registry.local:5000 | |
cluster-suffix: cluster.local | |
service-account-issuer: https://kubernetes.default.svc.cluster.local | |
- name: Setup Knative | |
uses: chainguard-dev/actions/setup-knative@main | |
with: | |
version: "1.11.x" | |
serving-features: > | |
{ | |
"kubernetes.podspec-fieldref": "enabled" | |
} | |
- name: Create sample image | |
run: | | |
pushd $(mktemp -d) | |
go mod init example.com/demo | |
cat <<EOF > main.go | |
package main | |
import "fmt" | |
func main() { | |
fmt.Println("hello world") | |
} | |
EOF | |
demoimage=`ko publish -B example.com/demo` | |
echo "demoimage=$demoimage" >> $GITHUB_ENV | |
echo Created image $demoimage | |
popd | |
- name: Install scaffolding | |
run: | | |
./hack/setup-scaffolding.sh | |
- name: Initialize cosign with our custom tuf root and make root copy | |
run: | | |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.root}' | base64 -d > ./root.json | |
# Also grab the compressed repository for airgap testing. | |
kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz | |
TUF_MIRROR=$(kubectl -n tuf-system get ksvc tuf -ojsonpath='{.status.url}') | |
echo "TUF_MIRROR=$TUF_MIRROR" >> $GITHUB_ENV | |
# Then initialize cosign | |
cosign initialize --mirror $TUF_MIRROR --root ./root.json | |
# Make copy of the tuf root in the default namespace for tests | |
kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: default/' | kubectl create -f - | |
- name: Run signing job in k8s using kubernetes tokens in the cluster | |
run: | | |
make ko-apply-sign-job | |
kubectl wait --for=condition=Complete --timeout=90s job/sign-job | |
- name: Verify the image with cosign using kubernetes tokens in the cluster | |
run: | | |
make ko-apply-verify-job | |
kubectl wait --for=condition=Complete --timeout=180s job/verify-job | |
- name: Install a Knative service for fetch tokens off the cluster | |
run: | | |
make ko-apply-gettoken | |
sleep 2 | |
kubectl wait --for=condition=Ready --timeout=15s ksvc gettoken | |
- name: Get the endpoints on the cluster | |
run: | | |
REKOR_URL=$(kubectl -n rekor-system get ksvc rekor -ojsonpath='{.status.url}') | |
echo "REKOR_URL=$REKOR_URL" >> $GITHUB_ENV | |
FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio -ojsonpath='{.status.url}') | |
echo "FULCIO_URL=$FULCIO_URL" >> $GITHUB_ENV | |
#FULCIO_GRPC_URL=$(kubectl -n fulcio-system get ksvc fulcio-grpc -ojsonpath='{.status.url}') | |
#echo "FULCIO_GRPC_URL=$FULCIO_GRPC_URL" >> $GITHUB_ENV | |
CTLOG_URL=$(kubectl -n ctlog-system get ksvc ctlog -ojsonpath='{.status.url}') | |
echo "CTLOG_URL=$CTLOG_URL" >> $GITHUB_ENV | |
ISSUER_URL=$(kubectl get ksvc gettoken -ojsonpath='{.status.url}') | |
echo "ISSUER_URL=$ISSUER_URL" >> $GITHUB_ENV | |
OIDC_TOKEN=`curl -s $ISSUER_URL` | |
echo "OIDC_TOKEN=$OIDC_TOKEN" >> $GITHUB_ENV | |
TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}') | |
echo "TSA_URL=$TSA_URL" >> $GITHUB_ENV | |
- name: Sign with cosign from the action using k8s token | |
run: | | |
cosign sign --yes --rekor-url ${{ env.REKOR_URL }} --fulcio-url ${{ env.FULCIO_URL }} --allow-insecure-registry ${{ env.demoimage }} --identity-token ${{ env.OIDC_TOKEN }} | |
- name: Verify with cosign from the action using k8s token | |
run: | | |
cosign verify --rekor-url "${{ env.REKOR_URL }}" \ | |
--allow-insecure-registry "${{ env.demoimage }}" \ | |
--certificate-identity "https://kubernetes.io/namespaces/default/serviceaccounts/default" \ | |
--certificate-oidc-issuer "https://kubernetes.default.svc.cluster.local" | |
# Test with cosign in 'airgapped mode' | |
# Uncomment these once modified cosign goes in. | |
#- name: Checkout modified cosign for testing. | |
# uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
# with: | |
# repository: vaikas/cosign | |
# ref: air-gap | |
# path: ./src/github.com/sigstore/cosign | |
#- name: Build cosign | |
# working-directory: ./src/github.com/sigstore/cosign | |
# run: | | |
# go build -o ./cosign ./cmd/cosign/main.go | |
#- name: Untar the repository from the fetched secret, initialize and verify with it | |
# working-directory: ./src/github.com/sigstore/cosign | |
# run: | | |
# # Also grab the compressed repository for airgap testing. | |
# kubectl -n tuf-system get secrets tuf-root -ojsonpath='{.data.repository}' | base64 -d > ./repository.tar.gz | |
# tar -zxvf ./repository.tar.gz | |
# PWD=$(pwd) | |
# ROOT=${PWD}/repository/1.root.json | |
# REPOSITORY=${PWD}/repository | |
# ./cosign initialize --root ${ROOT} --mirror file://${REPOSITORY} | |
# ./cosign verify --rekor-url ${{ env.REKOR_URL }} --allow-insecure-registry ${{ env.demoimage }} | |
- name: Checkout TSA for testing. | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
repository: sigstore/timestamp-authority | |
path: ./src/github.com/sigstore/timestamp-authority | |
- name: Build timestamp-cli | |
working-directory: ./src/github.com/sigstore/timestamp-authority | |
run: | | |
go build -o ./timestamp-cli ./cmd/timestamp-cli | |
- name: Exercise TSA | |
working-directory: ./src/github.com/sigstore/timestamp-authority | |
run: | | |
curl ${{ env.TSA_URL }}/api/v1/timestamp/certchain > ts_chain.pem | |
echo "myblob" > myblob | |
if ! ./timestamp-cli --timestamp_server ${{ env.TSA_URL }} timestamp --hash sha256 --artifact myblob --out response.tsr ; then | |
echo "failed to timestamp artifact" | |
exit -1 | |
fi | |
if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then | |
echo "failed to verify timestamp" | |
exit -1 | |
fi | |
if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then | |
echo "failed to inspect the timestamp" | |
exit -1 | |
fi | |
- name: Collect diagnostics | |
if: ${{ failure() }} | |
uses: chainguard-dev/actions/kind-diag@main | |
with: | |
artifact-name: logs.${{ matrix.k8s-version }} |