From 6b724ae7b436a3c080aa0155da6c9f13416fc0aa Mon Sep 17 00:00:00 2001
From: Christian Rebischke <chris@shibumi.dev>
Date: Tue, 16 Nov 2021 18:51:41 +0100
Subject: [PATCH] feat: keyless realeases with goreleaser and cosign

This commit enables keyless signatures via the GitHub Actions workload identity. The pipeline runs on a new tag and generates a compiled CLI and server version of TUF and a signed source tarball. The keys are ephemeral, valid for 30 min, and strictly coupled to the workload identity of the GitHub Actions workflow. Transparency log entries will be automatically uploaded to the public Rekor instance.
---
 .github/workflows/build.yml       | 35 ----------------------------
 .github/workflows/goreleaser.yaml | 38 +++++++++++++++++--------------
 .goreleaser.yaml                  | 10 ++++++--
 .goreleaser_client.yaml           |  6 +++--
 4 files changed, 33 insertions(+), 56 deletions(-)
 delete mode 100644 .github/workflows/build.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index fcaf6775..00000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
-  test:
-    strategy:
-      matrix:
-        go-version: [1.15.x, 1.16.x, 1.17.x]
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-    - name: Install Go
-      uses: actions/setup-go@v2
-      with:
-        go-version: ${{ matrix.go-version }}
-    - name: Setup Python
-      uses: actions/setup-python@v2
-      with:
-        python-version: 3.6
-    - name: Checkout code
-      uses: actions/checkout@v2
-    - name: Install Python dependencies
-      run: |
-        python -m pip install --upgrade iso8601 requests securesystemslib six tuf
-    - name: Format Unix
-      if: runner.os == 'Linux'
-      run: test -z $(go fmt ./...)
-    - name: Test
-      run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
-    - name: Send coverage
-      if: runner.os == 'Linux'
-      env:
-        COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      run: |
-        GO111MODULE=off go get github.com/mattn/goveralls
-        $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 9ae8401d..a00555a3 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.13.x, 1.14.x, 1.15.x]
+        go-version: [1.16.x, 1.17.x]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -33,7 +33,16 @@ jobs:
       run: |
         GO111MODULE=off go get github.com/mattn/goveralls
         $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+    - name: Vet
+      run: go vet ./...
+    - name: Install staticcheck
+      run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
+    - name: Run staticcheck
+      run: staticcheck ./...
   release-server:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
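Review bot: The `test` job still carries no `permissions` block, so it keeps whatever token scope the workflow or repository default grants, while `release-server` is now scoped explicitly by the added `permissions:` mapping. For consistency with that least-privilege intent, add `permissions:` / `  contents: read` under `test:` (its header sits in the preceding hunk and its earlier steps run outside this one); the goveralls step's `COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}` appears to need only read access, but confirm that against the Coveralls service before narrowing it. The newly added `Vet` and `staticcheck` steps run inside `test` and would inherit the same reduced scope without any change.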
@@ -46,25 +55,24 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name: write cosign.key to environment
-        run: 'echo "$COSIGN_KEY" > .github/cosign.key'
-        shell: bash
-        env:
-          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
       - name: install cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.2.1'
+          cosign-release: 'v1.4.1'
+      - uses: anchore/sbom-action/download-syft@v0.6.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
-          version: 'v0.180.2'
+          version: 'v1.2.5'
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          COSIGN_EXPERIMENTAL: 1
   release-cli:
+    permissions:
+      id-token: write
+      contents: write
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
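Review bot: With `id-token: write` now granted to `release-server`, every step in the job can request an OIDC token and so obtain a signing certificate bound to this workflow's identity, yet the actions it runs are referenced by mutable refs: `sigstore/cosign-installer@main` (a branch), the new `anchore/sbom-action/download-syft@v0.6.0` and `goreleaser/goreleaser-action@v2`. Pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # v1.4.1` (placeholder SHA), so that a moved branch or tag cannot silently change the code that runs with the identity token. The `release-cli` hunk below has the same three references and needs the same pins. Separately, `COSIGN_EXPERIMENTAL: 1` is an unquoted integer; `COSIGN_EXPERIMENTAL: "1"` states the string intent explicitly, since env values reach cosign as strings anyway.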
@@ -77,21 +85,17 @@ jobs:
         uses: actions/setup-go@v2
         with:
           go-version: 1.17
-      - name: write cosign.key to environment
-        run: 'echo "$COSIGN_KEY" > .github/cosign.key'
-        shell: bash
-        env:
-          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
       - name: install cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.2.1'
+          cosign-release: 'v1.4.1'
+      - uses: anchore/sbom-action/download-syft@v0.6.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           distribution: goreleaser
-          version: 'v0.180.2'
+          version: 'v1.2.5'
           args: release --config ./.goreleaser_client.yaml --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+          COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 297984de..ee4e3257 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -15,9 +15,15 @@ builds:
     goarch:
       - amd64
     main: ./cmd/tuf/
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+source:
+  enabled: true
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    stdin: '{{ .Env.COSIGN_PWD }}'
-    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    certificate: "${artifact}.pem"
+    args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
     artifacts: all
\ No newline at end of file
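Review bot: Nothing in the `signs` entry records what a verifier must check: a keyless signature is only as strong as the identity check on the accompanying `${artifact}.pem`, and per the commit message the certificate identity here is the GitHub Actions workflow, not a long-lived project key. Add a comment above `signs:` such as `# Keyless (Fulcio/Rekor) signing via GitHub OIDC: verify each .sig with the matching .pem and check that the certificate identity is this repository's release workflow, not merely any Fulcio-issued certificate` so downstream users know which identity to pin. The `.goreleaser_client.yaml` hunk has the same gap and should carry the same comment. Both files also still end without a trailing newline (`\ No newline at end of file`).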
diff --git a/.goreleaser_client.yaml b/.goreleaser_client.yaml
index 9701e072..cab0b342 100644
--- a/.goreleaser_client.yaml
+++ b/.goreleaser_client.yaml
@@ -15,9 +15,11 @@ builds:
     goarch:
       - amd64
     main: ./cmd/tuf-client/
+sboms:
+  - artifacts: archive
 signs:
   - cmd: cosign
     signature: "${artifact}.sig"
-    stdin: '{{ .Env.COSIGN_PWD }}'
-    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    certificate: "${artifact}.pem"
+    args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
     artifacts: all
\ No newline at end of file