
Commit 5c40aa0

[action] keyless cosign for all release artifacts
1 parent dbec771 commit 5c40aa0

3 files changed

Lines changed: 29 additions & 22 deletions


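--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,16 +25,16 @@ jobs:
 run: |
 VVERSION=${GITHUB_REF#refs/tags/}
 VERSION=${GITHUB_REF#refs/tags/v}
-echo "::set-output name=VVERSION::${VVERSION}"
-echo "::set-output name=VERSION::${VERSION}"
+echo "VVERSION=${VVERSION}" >> ${GITHUB_OUTPUT}
+echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT}
 - name: Is Pre-release
 id: is_prerelease
 run: |
 set +e
 echo ${{ github.ref }} | grep "\-rc.*"
 OUT=$?
 if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
-echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
+echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT}
 - name: Create Release
 id: create_release
 uses: actions/create-release@v1
@@ -50,6 +50,9 @@ jobs:
 name: Upload Assets to Github w/ goreleaser
 runs-on: ubuntu-latest
 needs: create_release
+permissions:
+id-token: write
+contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -63,31 +66,31 @@ jobs:
 run: |
 PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
 - name: Install cosign
-uses: sigstore/cosign-installer@v2.7.0
+uses: sigstore/cosign-installer@v2
 with:
-cosign-release: 'v1.12.1'
-- name: Write cosign key to disk
-id: write_key
-run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+cosign-release: 'v1.13.1'
 - name: Get Release Date
 id: release_date
 run: |
 RELEASE_DATE=$(date +"%y-%m-%d")
-echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
+echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v3
 with:
 version: 'latest'
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
-COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
-RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
+COSIGN_EXPERIMENTAL: 1
+RELEASE_DATE: ${RELEASE_DATE}
 
 build_upload_docker:
 name: Build & Upload Docker Images
 runs-on: ubuntu-latest
 needs: ci
+permissions:
+id-token: write
+contents: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -97,12 +100,9 @@ jobs:
 go-version: 1.19
 check-latest: true
 - name: Install cosign
-uses: sigstore/cosign-installer@v2.7.0
+uses: sigstore/cosign-installer@v2
 with:
-cosign-release: 'v1.12.1'
-- name: Write cosign key to disk
-id: write_key
-run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
+cosign-release: 'v1.13.1'
 - name: Build
 id: build
 run: |
@@ -111,4 +111,4 @@ jobs:
 env:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
-COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+COSIGN_EXPERIMENTAL: 1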
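Review bot: `RELEASE_DATE: ${RELEASE_DATE}` in the GoReleaser step's `env:` (the `@@ -63,31` hunk) is not expanded by Actions — workflow YAML only evaluates `${{ }}` expressions — so the step receives the literal string `${RELEASE_DATE}`, and a step-level `env` entry shadows the real value the previous step wrote to `GITHUB_ENV`. Because the value is already exported through `GITHUB_ENV`, the line can simply be dropped, or written as `RELEASE_DATE: ${{ env.RELEASE_DATE }}`. The same hunk and the `@@ -97,12` hunk loosen the installer pin from `sigstore/cosign-installer@v2.7.0` to the floating `@v2` tag; for the action that fetches the signing tool itself, pin to a full-length commit SHA (with the version as a comment) so a moved tag cannot swap the binary under a release. With `contents: write` now granted to the job, `GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}` could presumably be replaced by the job's own `${{ secrets.GITHUB_TOKEN }}` and the long-lived PAT retired — worth confirming goreleaser does not need the PAT for a cross-repo action.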

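--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -89,8 +89,9 @@ checksum:
 
 signs:
 - cmd: cosign
-stdin: '{{ .Env.COSIGN_PWD }}'
-args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
+signature: "${artifact}.sig"
+certificate: "${artifact}.pem"
+args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
 artifacts: all
 
 snapshot:
@@ -135,8 +136,8 @@ release:
 
 ```
 cosign verify-blob \
--key https://raw.githubusercontent.com/smallstep/step-sds/master/cosign.pub \
--signature ~/Downloads/step-sds_darwin_{{ .Version }}_amd64.tar.gz.sig
+--certificate ~/Downloads/step-sds_darwin_{{ .Version }}_amd64.tar.gz.pem \
+--signature ~/Downloads/step-sds_darwin_{{ .Version }}_amd64.tar.gz.sig \
 ~/Downloads/step-sds_darwin_{{ .Version }}_amd64.tar.gz
 ```
 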
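Review bot: The verify command added to the release notes (`--certificate … --signature …`, the `@@ -135,8` hunk) pins no signer identity, so as written a blob signed under any keyless identity whose certificate chains to the public Fulcio CA would verify, not only one produced by this repository's release workflow. Constrain it to this workflow: the signing side already passes `--oidc-issuer=https://token.actions.githubusercontent.com`, so add `--certificate-oidc-issuer https://token.actions.githubusercontent.com` to the verify command together with the identity flag this cosign release accepts (`--certificate-email` or `--certificate-identity` — confirm against v1.13.1's `verify-blob` flags) set to the workflow's identity. Readers on cosign 1.x presumably also need `COSIGN_EXPERIMENTAL=1` exported for `verify-blob` to consult the transparency log — worth stating directly above the command. Style: the new `args:` flow list in the first hunk runs well past 120 columns; a block sequence with one argument per line would read and diff better.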

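--- a/Makefile
+++ b/Makefile
@@ -198,7 +198,13 @@ docker-make:
 #################################################
 
 DOCKER_TAG=docker tag smallstep/$(1):latest smallstep/$(1):$(2)
-DOCKER_PUSH=docker push smallstep/$(1):$(2)
+
+define DOCKER_PUSH
+# $(1) -- App Name
+# $(2) -- Image Tag
+docker push smallstep/$(1):$(2)
+cosign sign -r smallstep/$(1):$(2)
+endef
 
 docker-tag:
 $(call DOCKER_TAG,step-sds,$(VERSION))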
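Review bot: `cosign sign -r smallstep/$(1):$(2)` signs by tag, so cosign resolves the tag to a digest itself at signing time; a tag is mutable, and what gets signed is whatever the registry returns for it at that moment, which is not guaranteed to be the image `docker push` just sent. Sign the digest instead: capture it after the push (e.g. from `docker inspect --format '{{index .RepoDigests 0}}' smallstep/$(1):$(2)` — confirm it is populated in this push flow) and pass `smallstep/$(1)@sha256:…` to `cosign sign`. The `$(call DOCKER_PUSH,…)` sites that expand this now multi-line define are outside the hunk; the two `#` comment lines inside `define` are part of the value and will be emitted into the recipe as shell lines, which is harmless but shows up in the recipe echo.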
