Skip to content

Commit

Permalink
refactor validate release
Browse files Browse the repository at this point in the history
Signed-off-by: cpanato <ctadeu@gmail.com>
  • Loading branch information
cpanato committed Nov 14, 2023
1 parent 77f6bd7 commit 233adb3
Showing 1 changed file with 84 additions and 35 deletions.
119 changes: 84 additions & 35 deletions .github/workflows/validate-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,55 +20,104 @@ on:
branches:
- main
- release-*
- 1.0-fork
pull_request:

jobs:
check-signature:
runs-on: ubuntu-latest
container:
image: gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057

steps:
- name: Check Signature
run: |
cosign verify ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06
env:
TUF_ROOT: /tmp
COSIGN_EXPERIMENTAL: true

validate-release-job:
runs-on: ubuntu-latest
needs:
- check-signature

permissions:
actions: none
checks: none
contents: none
deployments: none
issues: none
packages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none
container:
image: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06

env:
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.13-0@sha256:06e3605b227948431d43f4a868b68d4a771c71c728099f37856e404f2d77cf06
COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.13.1@sha256:fd5b09be23ef1027e1bdd490ce78dcc65d2b15902e1f4ba8e04f3b4019cc1057
permissions: {}

steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Check Signature
# Error: fatal: detected dubious ownership in repository at '/__w/cosign/cosign'
# To add an exception for this directory, call:
# git config --system --add safe.directory /__w/cosign/cosign
# Reason: Recent versions of git require the .git folder to be owned
# by the same user (see https://github.blog/2022-04-12-git-security-vulnerability-announced/).
# Related
# - https://github.com/actions/runner/issues/2033
# - https://github.com/actions/checkout/issues/1048
# - https://github.com/actions/runner-images/issues/6775
- run: git config --system --add safe.directory /__w/cosign/cosign

# Related to https://github.com/sigstore/cosign/issues/3149
- name: free up disk space for the release
run: |
docker run --rm \
-e COSIGN_EXPERIMENTAL=true \
-e TUF_ROOT=/tmp \
$COSIGN_IMAGE \
verify \
$CROSS_BUILDER_IMAGE
rm -rf /usr/share/dotnet/
rm -rf "$AGENT_TOOLSDIRECTORY"
rm -rf "/usr/local/share/boost"
rm -rf /opt/ghc
docker rmi $(docker image ls -aq) || true
swapoff /swapfile || true
rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc || true
apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
apt-get remove -y 'php.*' || true
apt-get autoremove -y >/dev/null 2>&1 || true
apt-get autoclean -y >/dev/null 2>&1 || true
- name: check disk space
run: df -h

- name: goreleaser snapshot
run: |
docker run --rm --privileged \
-e PROJECT_ID=honk-fake-project \
-e CI=$CI \
-e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \
-v ${PWD}:/go/src/sigstore/cosign \
-v /var/run/docker.sock:/var/run/docker.sock \
-w /go/src/sigstore/cosign \
--entrypoint="" \
$CROSS_BUILDER_IMAGE \
make snapshot
run: make snapshot
env:
PROJECT_ID: honk-fake-project
RUNTIME_IMAGE: gcr.io/distroless/static:debug-nonroot

- name: check binaries
run: |
./dist/cosign-linux-amd64 version
./dist/sget-linux-amd64 version

0 comments on commit 233adb3

Please sign in to comment.