From 6b724ae7b436a3c080aa0155da6c9f13416fc0aa Mon Sep 17 00:00:00 2001
From: Christian Rebischke <chris@shibumi.dev>
Date: Tue, 16 Nov 2021 18:51:41 +0100
Subject: [PATCH] feat: keyless realeases with goreleaser and cosign

This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance
---
 .github/workflows/build.yml | 35 ----------------------------
 .github/workflows/goreleaser.yaml | 38 +++++++++++++++++--------------
 .goreleaser.yaml | 10 ++++++--
 .goreleaser_client.yaml | 6 +++--
 4 files changed, 33 insertions(+), 56 deletions(-)
 delete mode 100644 .github/workflows/build.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index fcaf6775..00000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
- test:
- strategy:
- matrix:
- go-version: [1.15.x, 1.16.x, 1.17.x]
- os: [ubuntu-latest, macos-latest]
- runs-on: ${{ matrix.os }}
- steps:
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Setup Python
- uses: actions/setup-python@v2
- with:
- python-version: 3.6
- - name: Checkout code
- uses: actions/checkout@v2
- - name: Install Python dependencies
- run: |
- python -m pip install --upgrade iso8601 requests securesystemslib six tuf
- - name: Format Unix
- if: runner.os == 'Linux'
- run: test -z $(go fmt ./...)
- - name: Test
- run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
- - name: Send coverage
- if: runner.os == 'Linux'
- env:
- COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- GO111MODULE=off go get github.com/mattn/goveralls
- $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 9ae8401d..a00555a3 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -4,7 +4,7 @@ jobs:
 test:
 strategy:
 matrix:
- go-version: [1.13.x, 1.14.x, 1.15.x]
+ go-version: [1.16.x, 1.17.x]
 os: [ubuntu-latest, macos-latest]
 runs-on: ${{ matrix.os }}
 steps:
@@ -33,7 +33,16 @@ jobs:
 run: |
 GO111MODULE=off go get github.com/mattn/goveralls
 $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+ - name: Vet
+ run: go vet ./...
+ - name: Install staticcheck
+ run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
+ - name: Run staticcheck
+ run: staticcheck ./...
 release-server:
+ permissions:
+ id-token: write
+ contents: write
 runs-on: ubuntu-latest
 needs: test
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
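Review bot: The new `permissions:` block scopes `id-token: write` and `contents: write` to `release-server` only, which is the right shape, but the `test` job that runs ahead of it (its `test:` header is the first context line of the earlier hunk in this file) gets no `permissions:` of its own, so it keeps whatever scope the workflow-level setting or the repository default gives the `GITHUB_TOKEN` — the top of the workflow is outside this hunk, so this is inferred. That job executes fetched tooling (`go get github.com/mattn/goveralls`, and now `go install honnef.co/go/tools/cmd/staticcheck@v0.2.2`) and only needs to read the repository, so pin it down explicitly with `permissions:` / `  contents: read` on `test` (or at workflow level, letting the release jobs override), so a compromised dependency in the test matrix cannot use the token to write to the repo. Since `release-server` has `needs: test`, a failing or over-privileged `test` job is also the gate in front of every signed release.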
@@ -46,25 +55,24 @@ jobs:
 uses: actions/setup-go@v2
 with:
 go-version: 1.17
- - name: write cosign.key to environment
- run: 'echo "$COSIGN_KEY" > .github/cosign.key'
- shell: bash
- env:
- COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
 - name: install cosign
 uses: sigstore/cosign-installer@main
 with:
- cosign-release: 'v1.2.1'
+ cosign-release: 'v1.4.1'
+ - uses: anchore/sbom-action/download-syft@v0.6.0
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
 distribution: goreleaser
- version: 'v0.180.2'
+ version: 'v1.2.5'
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ COSIGN_EXPERIMENTAL: 1
 release-cli:
+ permissions:
+ id-token: write
+ contents: write
 runs-on: ubuntu-latest
 needs: test
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -77,21 +85,17 @@ jobs:
 uses: actions/setup-go@v2
 with:
 go-version: 1.17
- - name: write cosign.key to environment
- run: 'echo "$COSIGN_KEY" > .github/cosign.key'
- shell: bash
- env:
- COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
 - name: install cosign
 uses: sigstore/cosign-installer@main
 with:
- cosign-release: 'v1.2.1'
+ cosign-release: 'v1.4.1'
+ - uses: anchore/sbom-action/download-syft@v0.6.0
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
 distribution: goreleaser
- version: 'v0.180.2'
+ version: 'v1.2.5'
 args: release --config ./.goreleaser_client.yaml --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 297984de..ee4e3257 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
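Review bot: `uses: sigstore/cosign-installer@main` (a context line this hunk keeps) now runs inside a job that holds `id-token: write`, which is a stronger grant than the removed `COSIGN_KEY` secret ever was: any code that executes in `release-server` can request an OIDC token and obtain a short-lived Fulcio certificate for this repository's workflow identity, so a compromised or force-pushed `main` of the installer repository could sign arbitrary artifacts that verify as genuine releases, and the ephemeral-key design offers no way to revoke them afterwards. Pin the action to an immutable ref, preferably the full commit SHA of a tagged release with the tag in a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # <release tag>`; the same applies to `anchore/sbom-action/download-syft@v0.6.0` and `goreleaser/goreleaser-action@v2`, which are pinned to mutable tags. The `release-server` job header sits above this hunk.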
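Review bot: The `release-cli` job now emits a `.sig` and a `.pem` per artifact, but nothing in the workflow records the identity a verifier must check, and a keyless signature is only meaningful if the consumer confirms the certificate was issued for this workflow — issuer `https://token.actions.githubusercontent.com` and a subject naming this repository's `goreleaser.yaml` at the tag ref — rather than merely that the signature matches whatever certificate sits next to it; I am not certain the cosign release pinned here enforces such an identity check in `verify-blob` by itself, so it should be spelled out. Add a comment above `COSIGN_EXPERIMENTAL: 1` along the lines of `# Keyless signing: the .pem is a short-lived Fulcio cert bound to this workflow's OIDC identity; verifiers must check its issuer and subject, not just the signature`, and document the matching `cosign verify-blob` invocation in the README. This hunk starts below the `release-cli` job header.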
@@ -15,9 +15,15 @@ builds:
 goarch:
 - amd64
 main: ./cmd/tuf/
+sboms:
+ - artifacts: archive
+ - id: source
+ artifacts: source
+source:
+ enabled: true
 signs:
 - cmd: cosign
 signature: "${artifact}.sig"
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
 artifacts: all
\ No newline at end of file
diff --git a/.goreleaser_client.yaml b/.goreleaser_client.yaml
index 9701e072..cab0b342 100644
--- a/.goreleaser_client.yaml
+++ b/.goreleaser_client.yaml
@@ -15,9 +15,11 @@ builds:
 goarch:
 - amd64
 main: ./cmd/tuf-client/
+sboms:
+ - artifacts: archive
 signs:
 - cmd: cosign
 signature: "${artifact}.sig"
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
 artifacts: all
\ No newline at end of file
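Review bot: The rewritten `signs` entry only works because the workflow exports `COSIGN_EXPERIMENTAL=1` into the GoReleaser step, but that dependency is invisible in this config, so `goreleaser release` run anywhere else — a maintainer's machine, a fork, or after a future workflow edit — would invoke `cosign sign-blob` with no key and no experimental flag and fail in a way that is hard to trace back here. Declaring it on the sign step keeps the config self-describing, e.g. `env:` / `  - COSIGN_EXPERIMENTAL=1` next to `cmd: cosign` (assuming the goreleaser version pinned in the workflow supports `signs[].env`, which I believe it does). Since `artifacts: all` now also covers the new `sboms` and `source` outputs, a short comment would help the next maintainer, e.g. `# Keyless (Fulcio/Rekor) signing: every artifact, including SBOMs and the source tarball, gets a .sig plus the .pem it must be verified against`.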