From 03047f828b4cebd8422f046e608973c174de71f6 Mon Sep 17 00:00:00 2001 From: cpanato Date: Sun, 19 Nov 2023 13:27:57 +0100 Subject: [PATCH 1/3] bump builder image to use go1.21.4 Signed-off-by: cpanato --- .github/workflows/validate-release.yml | 8 ++++---- release/cloudbuild.yaml | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 52a54444f86..8da781b0555 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -26,12 +26,12 @@ jobs: check-signature: runs-on: ubuntu-latest container: - image: gcr.io/projectsigstore/cosign:v2.2.0@sha256:280b47054876d415f66a279e666e35157cae6881f3538599710290c70bb75369 + image: gcr.io/projectsigstore/cosign:v2.2.1@sha256:88498ed17e61605cd68a5fc9d1fcd756ae0ef2d5515417881d739654accf818f steps: - name: Check Signature run: | - cosign verify ghcr.io/gythialy/golang-cross:v1.21.3-0@sha256:6e2c885532ad276195d3e3f269055fb2742c8963b231d097c467758dd425a632 \ + cosign verify ghcr.io/gythialy/golang-cross:v1.21.4-0@sha256:d18679c199db258cac9876a80abf9aff69485cf8a324bf547521f3de4cf3a366 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.3-0" env: @@ -43,7 +43,7 @@ jobs: - check-signature container: - image: ghcr.io/gythialy/golang-cross:v1.21.3-0@sha256:6e2c885532ad276195d3e3f269055fb2742c8963b231d097c467758dd425a632 + image: ghcr.io/gythialy/golang-cross:v1.21.4-0@sha256:d18679c199db258cac9876a80abf9aff69485cf8a324bf547521f3de4cf3a366 permissions: {} @@ -117,7 +117,7 @@ jobs: run: make snapshot env: PROJECT_ID: honk-fake-project - RUNTIME_IMAGE: gcr.io/distroless/static:debug-nonroot + RUNTIME_IMAGE: gcr.io/distroless/static-debian12:nonroot - name: check binaries run: | 
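Review bot: The `--certificate-identity` argument in the check-signature step still names `refs/tags/v1.21.3-0` while the image being verified on the preceding added line is now `v1.21.4-0`, so `cosign verify` in this commit fails against the new image (the cloudbuild.yaml hunk in the same patch does update the identity to `v1.21.4-0`). The correction only arrives in PATCH 3/3; it belongs in this commit so each step of the series verifies on its own. Change the context line to `--certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.4-0"`. The same `v1.21.4-0` image and digest are also introduced in the `@@ -43,7` hunk, which is a plain bump and needs nothing further.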
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 83754794cda..4d042225dbb 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml @@ -32,20 +32,20 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} - - name: 'gcr.io/projectsigstore/cosign:v2.2.0@sha256:280b47054876d415f66a279e666e35157cae6881f3538599710290c70bb75369' + - name: 'gcr.io/projectsigstore/cosign:v2.2.1@sha256:88498ed17e61605cd68a5fc9d1fcd756ae0ef2d5515417881d739654accf818f' dir: "go/src/sigstore/cosign" env: - TUF_ROOT=/tmp args: - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.21.3-0@sha256:6e2c885532ad276195d3e3f269055fb2742c8963b231d097c467758dd425a632' + - 'ghcr.io/gythialy/golang-cross:v1.21.4-0@sha256:d18679c199db258cac9876a80abf9aff69485cf8a324bf547521f3de4cf3a366' - '--certificate-oidc-issuer' - "https://token.actions.githubusercontent.com" - '--certificate-identity' - - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.3-0" + - "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.4-0" # maybe we can build our own image and use that to be more in a safe side - - name: ghcr.io/gythialy/golang-cross:v1.21.3-0@sha256:6e2c885532ad276195d3e3f269055fb2742c8963b231d097c467758dd425a632 + - name: ghcr.io/gythialy/golang-cross:v1.21.4-0@sha256:d18679c199db258cac9876a80abf9aff69485cf8a324bf547521f3de4cf3a366 entrypoint: /bin/sh dir: "go/src/sigstore/cosign" env: @@ -68,7 +68,7 @@ steps: gcloud auth configure-docker \ && make release - - name: ghcr.io/gythialy/golang-cross:v1.21.3-0@sha256:6e2c885532ad276195d3e3f269055fb2742c8963b231d097c467758dd425a632 + - name: ghcr.io/gythialy/golang-cross:v1.21.4-0@sha256:d18679c199db258cac9876a80abf9aff69485cf8a324bf547521f3de4cf3a366 entrypoint: 'bash' dir: "go/src/sigstore/cosign" env: From 383861ad286f05cc60e45bba5a52dcd3db1aeded Mon Sep 17 00:00:00 2001 
From: cpanato Date: Sun, 19 Nov 2023 13:28:37 +0100 Subject: [PATCH 2/3] build -dev tag images that have a shell Signed-off-by: cpanato --- .goreleaser.yml | 4 ---- Makefile | 22 ++++++++++++++++++++-- release/cloudbuild.yaml | 2 +- release/ko-sign-release-images.sh | 11 +++++++++++ release/release.mk | 3 ++- 5 files changed, 34 insertions(+), 8 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 01da07202bc..f0da7efa543 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -12,10 +12,6 @@ before: hooks: - go mod tidy - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' - # if running a release we will generate the images in this step - # if running in the CI the CI env va is set and we dont run the ko steps - # this is needed because we are generating files that goreleaser was not aware to push to GH project release - - /bin/bash -c 'if [ -z "$CI" ]; then make sign-release-images; fi' gomod: proxy: true diff --git a/Makefile b/Makefile index 91e9a4d9380..76671f60936 100644 --- a/Makefile +++ b/Makefile @@ -98,7 +98,7 @@ cross: golangci-lint: rm -f $(GOLANGCI_LINT_BIN) || : set -e ;\ - GOBIN=$(GOLANGCI_LINT_DIR) $(GOEXE) install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.2 ;\ + GOBIN=$(GOLANGCI_LINT_DIR) $(GOEXE) install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.55.2 ;\ lint: golangci-lint ## Run golangci-lint linter $(GOLANGCI_LINT_BIN) run -n @@ -128,7 +128,7 @@ endef # ko build ########## .PHONY: ko -ko: ko-cosign +ko: ko-cosign ko-cosign-dev .PHONY: ko-cosign ko-cosign: 
@@ -139,6 +139,15 @@ ko-cosign: $(ARTIFACT_HUB_LABELS) --image-refs cosignImagerefs \ github.com/sigstore/cosign/v2/cmd/cosign +.PHONY: ko-cosign-dev +ko-cosign-dev: + $(create_kocache_path) + LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ + KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \ + --platform=all --tags $(GIT_VERSION)-dev --tags $(GIT_HASH)-dev \ + $(ARTIFACT_HUB_LABELS) --image-refs cosignDevImagerefs \ + github.com/sigstore/cosign/v2/cmd/cosign + .PHONY: ko-local ko-local: $(create_kocache_path) @@ -148,6 +157,15 @@ ko-local: $(ARTIFACT_HUB_LABELS) \ github.com/sigstore/cosign/v2/cmd/cosign +.PHONY: ko-local-dev +ko-local-dev: + $(create_kocache_path) + KO_DOCKER_REPO=ko.local/cosign-dev LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \ + KOCACHE=$(KOCACHE_PATH) KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot ko build --base-import-paths \ + --tags $(GIT_VERSION) --tags $(GIT_HASH) \ + $(ARTIFACT_HUB_LABELS) \ + github.com/sigstore/cosign/v2/cmd/cosign + ################## # help ################## diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 4d042225dbb..0fe1bae4fee 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml @@ -90,7 +90,7 @@ steps: - '-c' - | echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \ - && make copy-signed-release-to-ghcr || true + && make sign-release-images && make copy-signed-release-to-ghcr || true availableSecrets: secretManager: diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh index c9cd94c12b9..e2e9ea081e5 100755 --- a/release/ko-sign-release-images.sh +++ b/release/ko-sign-release-images.sh 
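Review bot: The new `ko-cosign-dev` target sets `KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot` by floating tag only, whereas every other image touched in this series (cosign, golang-cross) is pinned by digest; the `ko-local-dev` target in the `@@ -148,6 +157,15` hunk has the same unpinned reference. Because this base image is what ships with a shell in the released `-dev` image, a tag re-point upstream would silently change the signed artifact. Pin it, e.g. `KO_DEFAULTBASEIMAGE=gcr.io/distroless/static-debian12:debug-nonroot@sha256:<digest-placeholder>`, or document why a floating tag is acceptable here in a comment above the target; I cannot see whether the existing `ko-cosign` target pins its base, so match whatever it does.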
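Review bot: Inserting `make sign-release-images` into the existing `docker login … && make copy-signed-release-to-ghcr || true` chain puts the signing step under the trailing `|| true`, so a failed KMS or keyless signing (or a failed docker login, which signing does not need) no longer fails the build; before this commit signing ran from the goreleaser hook removed in the .goreleaser.yml hunk, where a failure aborted the release. Only the GHCR copy should stay best-effort. Restructure the step so that signing failure is fatal, e.g. `make sign-release-images \`, `&& (echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \`, `&& make copy-signed-release-to-ghcr || true)`. The rest of the step's `args:` list lies outside the hunk.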
@@ -32,8 +32,19 @@ if [[ ! -f cosignImagerefs ]]; then exit 1 fi +if [[ ! -f cosignDevImagerefs ]]; then + echo "cosignDevImagerefs not found" + exit 1 +fi + echo "Signing cosign images with GCP KMS Key..." cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) echo "Signing images with Keyless..." cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignImagerefs) + +echo "Signing cosign images with GCP KMS Key..." +cosign sign --yes --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignDevImagerefs) + +echo "Signing images with Keyless..." +cosign sign --yes -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" $(cat cosignDevImagerefs) diff --git a/release/release.mk b/release/release.mk index e30117180d6..cd84c3c224d 100644 --- a/release/release.mk +++ b/release/release.mk @@ -18,7 +18,7 @@ sign-release-images: ko # used when need to validate the goreleaser .PHONY: snapshot snapshot: - LDFLAGS="$(LDFLAGS)" goreleaser release --skip-sign --skip-publish --snapshot --clean --timeout 120m --parallelism 1 + LDFLAGS="$(LDFLAGS)" goreleaser release --skip=sign,publish --snapshot --clean --timeout 120m --parallelism 1 #################### # copy image to GHCR @@ -27,3 +27,4 @@ snapshot: .PHONY: copy-signed-release-to-ghcr copy-signed-release-to-ghcr: cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION) + cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION)-dev $(GHCR_PREFIX)/cosign:$(GIT_VERSION)-dev From 0585df2303549561a1b8621e327e81286d107fbe Mon Sep 17 00:00:00 2001 
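Review bot: The two new `cosign sign` invocations for `cosignDevImagerefs` use exactly the same key, identity and annotations (`GIT_HASH`, `GIT_VERSION`) as the release images, so a verifier checking the KMS key or keyless identity cannot tell the shell-bearing `-dev` image from the hardened one except by its tag. Add a distinguishing annotation on the dev invocations, e.g. `-a IMAGE_VARIANT=dev` after the existing `-a GIT_VERSION="$GIT_VERSION"`, so a `cosign verify -a` policy can refuse debug images where they are not wanted. The copied log lines are also identical; change them to `echo "Signing cosign dev images with GCP KMS Key..."` and `echo "Signing dev images with Keyless..."` so CI output shows which set is being signed.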
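Review bot: The switch from `--skip-sign --skip-publish` to `--skip=sign,publish` in the `snapshot` target depends on a goreleaser release that accepts the combined `--skip` flag, and nothing in this series pins goreleaser explicitly; presumably it comes from the `golang-cross:v1.21.4-0` image bumped in PATCH 1/3, but that is not visible here. A comment above `snapshot:` recording the minimum goreleaser version the flag syntax needs would keep the two bumps from drifting apart, e.g. `# --skip=sign,publish needs the goreleaser shipped in golang-cross >= v1.21.4-0 (older builds only know --skip-sign/--skip-publish)`.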
From: cpanato Date: Sun, 19 Nov 2023 13:35:19 +0100 Subject: [PATCH 3/3] use previous cosign image, the new one does not have shell and break the current workflows Signed-off-by: cpanato --- .github/workflows/validate-release.yml | 4 ++-- release/cloudbuild.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 8da781b0555..041c60e6c99 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -26,14 +26,14 @@ jobs: check-signature: runs-on: ubuntu-latest container: - image: gcr.io/projectsigstore/cosign:v2.2.1@sha256:88498ed17e61605cd68a5fc9d1fcd756ae0ef2d5515417881d739654accf818f + image: gcr.io/projectsigstore/cosign:v2.2.0@sha256:280b47054876d415f66a279e666e35157cae6881f3538599710290c70bb75369 steps: - name: Check Signature run: | cosign verify ghcr.io/gythialy/golang-cross:v1.21.4-0@sha256:d18679c199db258cac9876a80abf9aff69485cf8a324bf547521f3de4cf3a366 \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.3-0" + --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.4-0" env: TUF_ROOT: /tmp diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 0fe1bae4fee..22f3ffcae67 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml @@ -32,7 +32,7 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} - - name: 'gcr.io/projectsigstore/cosign:v2.2.1@sha256:88498ed17e61605cd68a5fc9d1fcd756ae0ef2d5515417881d739654accf818f' + - name: 'gcr.io/projectsigstore/cosign:v2.2.0@sha256:280b47054876d415f66a279e666e35157cae6881f3538599710290c70bb75369' dir: "go/src/sigstore/cosign" env: - TUF_ROOT=/tmp
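Review bot: Pinning the check-signature container back to `cosign:v2.2.0` leaves no trace in the file of why the newer release is avoided, so the next routine bump will reintroduce the breakage the subject line describes; the same applies to the cloudbuild.yaml hunk below. Add a comment above the `image:` line, e.g. `# pinned to v2.2.0: later cosign images ship without a shell, which this job's run: step requires`. The cloudbuild.yaml step invokes cosign through `args:` with the image entrypoint and so may not need a shell at all — confirm before reverting it too, since staying on an older cosign forfeits whatever fixes v2.2.1 carries.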