update release job

Signed-off-by: cpanato <ctadeu@gmail.com>
mattmoor · Jun 9, 2022 · c1e4c20 · c1e4c20
1 parent 5e9a53b
commit c1e4c20
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 47 deletions.
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,25 @@
+project_name: policy-controller
+
+env:
+  - GO111MODULE=on
+  - COSIGN_EXPERIMENTAL=true
+
+before:
+  hooks:
+    - go mod tidy
+    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+    - /bin/bash -c 'make build-sign-release-images'
+
+builds:
+  - skip: true
+
+release:
+  prerelease: allow # remove this when we start publishing non-prerelease or set to auto
+  draft: true # allow for manual edits
+  github:
+    owner: sigstore
+    name: policy-controller
+  footer: |
+    ### Thanks to all contributors!
+  extra_files:
+    - glob: "./policy-controller*.yaml"
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -24,15 +24,15 @@ steps:
 
 - name: gcr.io/cloud-builders/git
   entrypoint: "bash"
-  dir: "go/src/sigstore/cosign"
+  dir: "go/src/sigstore/policy-controller"
   args:
   - '-c'
   - |
     git fetch
     echo "Checking out ${_GIT_TAG}"
     git checkout ${_GIT_TAG}
 
-- name: 'gcr.io/projectsigstore/cosign:v1.8.0@sha256:12b4d428529654c95a7550a936cbb5c6fe93a046ea7454676cb6fb0ce566d78c'
+- name: 'gcr.io/projectsigstore/cosign:v1.9.0@sha256:ef2d14e16dbb7786d8713e4898a8512e69ace4105f5b371a9c115ffcc3e85d84'
   dir: "go/src/sigstore/cosign"
   env:
   - COSIGN_EXPERIMENTAL=true
@@ -98,15 +98,13 @@ artifacts:
   objects:
     location: 'gs://${_STORAGE_LOCATION}/${_GIT_TAG}'
     paths:
-    - "go/src/sigstore/cosign/dist/*"
-    - "go/src/sigstore/cosign/release/release-cosign.pub"
-    - "go/src/sigstore/cosign/cosign*.yaml"
+    - "go/src/sigstore/policy-controller/policy-controller*.yaml"
 
 options:
   machineType: E2_HIGHCPU_32
 
 tags:
-- cosign-release
+- policy-controller-release
 - ${_GIT_TAG}
 - ${_TOOL_ORG}
 - ${_TOOL_REPO}

diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh
@@ -26,17 +26,6 @@ set -o pipefail
 : "${KEY_NAME:?Environment variable empty or not defined.}"
 : "${KEY_VERSION:?Environment variable empty or not defined.}"
 
-
-if [[ ! -f cosignImagerefs ]]; then
-    echo "cosignImagerefs not found"
-    exit 1
-fi
-
-if [[ ! -f sgetImagerefs ]]; then
-    echo "sgetImagerefs not found"
-    exit 1
-fi
-
 if [[ ! -f policyControllerImagerefs ]]; then
     echo "policyControllerImagerefs not found"
     exit 1
@@ -47,15 +36,6 @@ if [[ ! -f policyImagerefs ]]; then
     exit 1
 fi
 
-echo "Signing cosign images with GCP KMS Key..."
-
-cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignImagerefs)"
-cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat sgetImagerefs)"
-cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyControllerImagerefs)"
-cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyImagerefs)"
-
 echo "Signing images with Keyless..."
-cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignImagerefs)"
-cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat sgetImagerefs)"
 cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyControllerImagerefs)"
 cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyImagerefs)"
diff --git a/release/release-cosign.pub b/release/release-cosign.pub
diff --git a/release/release.mk b/release/release.mk
@@ -4,30 +4,21 @@
 # used when releasing together with GCP CloudBuild
 .PHONY: release
 release:
-	LDFLAGS="$(LDFLAGS)" goreleaser release --parallelism 1 --timeout 120m
+	LDFLAGS="$(LDFLAGS)" goreleaser release --timeout 120m
 
 ######################
 # sign section
 ######################
 
-.PHONY: sign-release-images
-sign-release-images: ko
+.PHONY: build-sign-release-images
+build-sign-release-images: ko
 	GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
 	./release/ko-sign-release-images.sh
 
-# used when need to validate the goreleaser
-.PHONY: snapshot
-snapshot:
-	LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --rm-dist --timeout 60m
-
 ####################
 # copy image to GHCR
 ####################
 
-.PHONY: copy-cosign-signed-release-to-ghcr
-copy-cosign-signed-release-to-ghcr:
-	cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION)
-
 .PHONY: copy-policy-controller-signed-release-to-ghcr
 copy-policy-controller-signed-release-to-ghcr:
 	cosign copy $(KO_PREFIX)/policy-controller:$(GIT_VERSION) $(GHCR_PREFIX)/policy-controller:$(GIT_VERSION)
@@ -36,9 +27,5 @@ copy-policy-controller-signed-release-to-ghcr:
 copy-policy-webhook-signed-release-to-ghcr:
 	cosign copy $(KO_PREFIX)/policy-webhook:$(GIT_VERSION) $(GHCR_PREFIX)/policy-webhook:$(GIT_VERSION)
 
-.PHONY: copy-sget-signed-release-to-ghcr
-copy-sget-signed-release-to-ghcr:
-	cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION)
-
 .PHONY: copy-signed-release-to-ghcr
-copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-policy-controller-signed-release-to-ghcr copy-sget-signed-release-to-ghcr copy-policy-webhook-signed-release-to-ghcr
+copy-signed-release-to-ghcr: copy-policy-controller-signed-release-to-ghcr copy-policy-webhook-signed-release-to-ghcr