From 4111de2508b542d703e771977d4c3202732eb191 Mon Sep 17 00:00:00 2001 From: cpanato Date: Tue, 14 Mar 2023 14:02:08 +0100 Subject: [PATCH] refactor release job Signed-off-by: cpanato --- .github/workflows/release.yml | 54 +++++++++++++----------- .gitignore | 2 +- .goreleaser.yml | 61 +++++++++++++++------------ hack/boilerplate/boilerplate.sh.txt | 2 +- scripts/builld-sign-release-images.sh | 42 ++++++++++++++++++ 5 files changed, 107 insertions(+), 54 deletions(-) create mode 100755 scripts/builld-sign-release-images.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9d0c59c631..caddb336c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,24 +11,42 @@ jobs: hashes: ${{ steps.hash.outputs.hashes }} tag_name: ${{ steps.tag.outputs.tag_name }} + permissions: + packages: write + id-token: write + contents: write + runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + - run: git fetch --prune --unshallow + - uses: actions/setup-go@v3 with: go-version: 1.18 check-latest: true + + - uses: imjasonh/setup-ko@v0.6 # This installs the current latest release. + + - uses: sigstore/cosign-installer@v3.0.1 + - name: Set tag output id: tag run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + - uses: goreleaser/goreleaser-action@v4.2.0 id: run-goreleaser with: version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_HASH: ${{ github.sha }} + GIT_TAG: ${{ steps.tag.outputs.tag_name }} + RUN_ATTEMPT: ${{ github.run_attempt }} + RUN_ID: ${{ github.run_id }} + - name: Generate subject id: hash env: @@ -37,35 +55,17 @@ jobs: set -euo pipefail checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)" - - publish: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - run: git fetch --prune --unshallow - - uses: actions/setup-go@v3 - with: - go-version: 1.18 - check-latest: true - - uses: imjasonh/setup-ko@v0.6 # This installs the current latest release. - - uses: sigstore/cosign-installer@v3.0.1 - - run: | - tag=$(echo ${{ github.ref }} | cut -c11-) # get tag name without tags/refs/ prefix. - img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} -t ${tag} ./) - echo "built ${img}" - cosign sign ${img} \ - -a sha=${{ github.sha }} \ - -a run_id=${{ github.run_id }} \ - -a run_attempt=${{ github.run_attempt }} \ - -a tag=${tag} + echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" provenance: - needs: [goreleaser] + needs: + - goreleaser + permissions: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 with: base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" @@ -73,9 +73,13 @@ jobs: upload-tag-name: "${{ needs.release.outputs.tag_name }}" verification: - needs: [goreleaser, provenance] + needs: + - goreleaser + - provenance + runs-on: ubuntu-latest permissions: read-all + steps: # Note: this will be replaced with the GHA in the future. - name: Install the verifier diff --git a/.gitignore b/.gitignore index 2d8e0e742f..83acd05615 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ # Ignore GoLand (IntelliJ) files. .idea/ - +imagerefs ko .DS_Store diff --git a/.goreleaser.yml b/.goreleaser.yml index 2afaa2bbab..1b6d7aa034 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,4 +1,4 @@ -# This is an example goreleaser.yaml file with some sane defaults. +--- # Make sure to check the documentation at http://goreleaser.com before: hooks: @@ -6,40 +6,47 @@ before: - go mod tidy # you may remove this if you don't need go generate - go generate ./... + - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' + - /bin/bash -c './scripts/builld-sign-release-images.sh' + builds: -- main: ./main.go - env: - - CGO_ENABLED=0 - flags: - - -trimpath - ldflags: - - "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}" - goos: - - windows - - linux - - darwin - goarch: - - amd64 - - arm64 - - s390x - - 386 - - mips64le - - ppc64le + - main: ./main.go + env: + - CGO_ENABLED=0 + flags: + - -trimpath + ldflags: + - "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}" + goos: + - windows + - linux + - darwin + goarch: + - amd64 + - arm64 + - s390x + - 386 + - mips64le + - ppc64le + archives: -- replacements: - darwin: Darwin - linux: Linux - windows: Windows - 386: i386 - amd64: x86_64 + - name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + checksum: name_template: 'checksums.txt' + snapshot: name_template: "{{ .Tag }}-next" + changelog: sort: asc use: github filters: exclude: - - '^docs:' - - '^test:' + - '^docs:' + - '^test:' diff --git a/hack/boilerplate/boilerplate.sh.txt b/hack/boilerplate/boilerplate.sh.txt index 35082a679b..fe3c7688c9 100755 --- a/hack/boilerplate/boilerplate.sh.txt +++ b/hack/boilerplate/boilerplate.sh.txt @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # Copyright 2020 Google LLC All Rights Reserved. # diff --git a/scripts/builld-sign-release-images.sh b/scripts/builld-sign-release-images.sh new file mode 100755 index 0000000000..6c681bffe4 --- /dev/null +++ b/scripts/builld-sign-release-images.sh @@ -0,0 +1,42 @@ +#!/usr/bin/env bash + +# Copyright 2023 Google LLC All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +: "${GIT_HASH:?Environment variable empty or not defined.}" +: "${GIT_TAG:?Environment variable empty or not defined.}" +: "${RUN_ID:?Environment variable empty or not defined.}" +: "${RUN_ATTEMPT:?Environment variable empty or not defined.}" + +export LDFLAGS="-s -w -X github.com/google/ko/pkg/commands.Version=${GIT_TAG}" + +ko build --bare --platform=all -t latest -t "${GIT_HASH}" -t "${GIT_TAG}" --image-refs imagerefs ./ + +if [[ ! -f imagerefs ]]; then + echo "imagerefs not found" + exit 1 +fi + +echo "Signing images with Keyless..." +readarray -t images < <(cat imagerefs || true) +cosign sign --yes \ + -a GIT_HASH="${GIT_HASH}" \ + -a GIT_TAG="${GIT_TAG}" \ + -a RUN_ID="${RUN_ID}" \ + -a RUN_ATTEMPT="${RUN_ATTEMPT}" \ + "${images[@]}"