Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[action] keyless cosign for all release artifacts

Browse Source
pull/1142/head
max furman 2 years ago
parent 0af15a0538
commit c43d59a69a
No known key found for this signature in database
3 changed files with 25 additions and 24 deletions
Show Stats Download Patch File Download Diff File

38
.github/workflows/release.yml vendored
Unescape Escape View File

@ -13,8 +13,8 @@ jobs:
create_release: create_release:
name: Create Release name: Create Release
#needs: ci needs: ci
runs-on: ubuntu-20.04 runs-on: ubuntu-latest
outputs: outputs:
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
steps: steps:
@ -25,7 +25,7 @@ jobs:
echo ${{ github.ref }} | grep "\-rc.*" echo ${{ github.ref }} | grep "\-rc.*"
OUT=$? OUT=$?
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}" echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
- name: Create Release - name: Create Release
id: create_release id: create_release
uses: actions/create-release@v1 uses: actions/create-release@v1
@ -39,8 +39,11 @@ jobs:
goreleaser: goreleaser:
name: Upload Assets To Github w/ goreleaser name: Upload Assets To Github w/ goreleaser
runs-on: ubuntu-20.04 runs-on: ubuntu-latest
needs: create_release needs: create_release
permissions:
id-token: write
contents: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
@ -50,17 +53,14 @@ jobs:
go-version: 1.19 go-version: 1.19
check-latest: true check-latest: true
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@v2.7.0 uses: sigstore/cosign-installer@v2
with: with:
cosign-release: 'v1.12.1' cosign-release: 'v1.13.1'
- name: Write cosign key to disk
id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
- name: Get Release Date - name: Get Release Date
id: release_date id: release_date
run: | run: |
RELEASE_DATE=$(date +"%y-%m-%d") RELEASE_DATE=$(date +"%y-%m-%d")
echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}" echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
- name: Run GoReleaser - name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3 uses: goreleaser/goreleaser-action@v3
with: with:
@ -68,13 +68,16 @@ jobs:
args: release --rm-dist args: release --rm-dist
env: env:
GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }} GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
COSIGN_PWD: ${{ secrets.COSIGN_PWD }} RELEASE_DATE: ${RELEASE_DATE}
RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }} COSIGN_EXPERIMENTAL: 1
build_upload_docker: build_upload_docker:
name: Build & Upload Docker Images name: Build & Upload Docker Images
runs-on: ubuntu-20.04 runs-on: ubuntu-latest
needs: ci needs: ci
permissions:
id-token: write
contents: write
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@v3
@ -84,12 +87,9 @@ jobs:
go-version: '1.19' go-version: '1.19'
check-latest: true check-latest: true
- name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@v1.1.0 uses: sigstore/cosign-installer@v2
with: with:
cosign-release: 'v1.1.0' cosign-release: 'v1.13.1'
- name: Write cosign key to disk
id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
- name: Build - name: Build
id: build id: build
run: | run: |
@ -98,4 +98,4 @@ jobs:
env: env:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
COSIGN_PWD: ${{ secrets.COSIGN_PWD }} COSIGN_EXPERIMENTAL: 1

9
.goreleaser.yml
Unescape Escape View File

@ -87,8 +87,9 @@ checksum:
signs: signs:
- cmd: cosign - cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}' signature: "${artifact}.sig"
args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"] certificate: "${artifact}.pem"
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
artifacts: all artifacts: all
snapshot: snapshot:
@ -154,8 +155,8 @@ release:
``` ```
cosign verify-blob \ cosign verify-blob \
-key https://raw.githubusercontent.com/smallstep/certificates/master/cosign.pub \ --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
-signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
``` ```

2
make/docker.mk
Unescape Escape View File

@ -54,7 +54,7 @@ define DOCKER_BUILDX
# $(1) -- Image Tag # $(1) -- Image Tag
# $(2) -- Push (empty is no push | --push will push to dockerhub) # $(2) -- Push (empty is no push | --push will push to dockerhub)
docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2) docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2)
echo -n "$(COSIGN_PWD)" | cosign sign -key /tmp/cosign.key -r $(DOCKER_IMAGE_NAME):$(1) cosign sign -r $(DOCKER_IMAGE_NAME):$(1)
endef endef

Write Preview
Loading…
Cancel
Save