From 6ee714f4f7ef18fe446bd8c513e97db4945b1325 Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Tue, 2 Apr 2024 19:20:17 +0200 Subject: [PATCH] add gitsign image (#483) Signed-off-by: cpanato --- .github/workflows/release.yml | 21 +++++ .goreleaser.yaml | 166 +++++++++++++++++++--------------- 2 files changed, 113 insertions(+), 74 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d0eceac8..c722da52 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,6 +9,7 @@ on: permissions: contents: write # needed to write releases id-token: write # needed for keyless signing + packages: write # needed for push images jobs: release: @@ -23,13 +24,33 @@ jobs: go-version: '1.22' check-latest: true + - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 # v0.2 + - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 - uses: anchore/sbom-action/download-syft@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10 + - name: Set env + run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV" + + - name: Login to GitHub Containers + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + KO_DOCKER_REPO: ghcr.io/sigstore/gitsign + + - name: sign image + run: | + digest=$(crane digest ghcr.io/sigstore/gitsign:${{ env.RELEASE_VERSION }}) + cosign sign "ghcr.io/sigstore/gitsign@${digest}" + env: + COSIGN_YES: true diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 33f57a15..07cfd7f5 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -1,70 +1,88 @@ project_name: gitsign +gomod: + proxy: true + builds: -- id: gitsign - mod_timestamp: '{{ .CommitTimestamp }}' - env: - - CGO_ENABLED=0 - flags: - - -trimpath - goos: - - linux - - darwin - - freebsd - - windows - goarch: - - amd64 - - arm64 - ldflags: - - "-s -w" - - "-extldflags=-zrelro" - - "-extldflags=-znow" - - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}" + - id: gitsign + mod_timestamp: '{{ .CommitTimestamp }}' + env: + - CGO_ENABLED=0 + flags: + - -trimpath + goos: + - linux + - darwin + - freebsd + - windows + goarch: + - amd64 + - arm64 + ldflags: + - "-s -w" + - "-extldflags=-zrelro" + - "-extldflags=-znow" + - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}" -- id: gitsign-credential-cache - mod_timestamp: '{{ .CommitTimestamp }}' - main: ./cmd/gitsign-credential-cache - binary: gitsign-credential-cache - env: - - CGO_ENABLED=0 - flags: - - -trimpath - goos: - - linux - - darwin - - freebsd - # - windows # TODO: fix undefined: syscall.Umask for windows builds - goarch: - - amd64 - - arm64 - ldflags: - - "-s -w" - - "-extldflags=-zrelro" - - "-extldflags=-znow" - - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}" + - id: gitsign-credential-cache + mod_timestamp: '{{ .CommitTimestamp }}' + main: ./cmd/gitsign-credential-cache + binary: gitsign-credential-cache + env: + - CGO_ENABLED=0 + flags: + - -trimpath + goos: + - linux + - darwin + - freebsd + # - windows # TODO: fix undefined: syscall.Umask for windows builds + goarch: + - amd64 + - arm64 + ldflags: + - "-s -w" + - "-extldflags=-zrelro" + - "-extldflags=-znow" + - "-buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}" nfpms: -- id: default - package_name: gitsign - vendor: Sigstore - homepage: https://github.com/sigstore/gitsign - maintainer: Billy Lynch - description: Keyless git commit signing using OIDC identity - builds: - - gitsign - - gitsign-credential-cache - formats: - - apk - - deb - - rpm + - id: default + package_name: gitsign + vendor: Sigstore + homepage: https://github.com/sigstore/gitsign + maintainer: Billy Lynch + description: Keyless git commit signing using OIDC identity + builds: + - gitsign + - gitsign-credential-cache + formats: + - apk + - deb + - rpm archives: -- id: binary - format: binary - allow_different_binary_count: true + - id: binary + format: binary + allow_different_binary_count: true -gomod: - proxy: true +kos: + - id: gitsign + repository: github.com/sigstore/gitsign + tags: + - 'v{{ .Version }}' + ldflags: + - "-s -w -extldflags=-zrelro -extldflags=-znow -buildid= -X github.com/sigstore/gitsign/pkg/version.gitVersion={{ .Version }}" + main: . + bare: true + preserve_import_paths: false + base_import_paths: false + sbom: spdx + base_image: cgr.dev/chainguard/git:latest + platforms: + - linux/amd64 + - linux/arm64 + - linux/arm checksum: name_template: 'checksums.txt' @@ -73,24 +91,24 @@ source: enabled: true sboms: -- id: binaries - artifacts: binary -- id: packages - artifacts: package + - id: binaries + artifacts: binary + - id: packages + artifacts: package signs: -- cmd: cosign - env: - - COSIGN_YES=true - certificate: '${artifact}.pem' - signature: '${artifact}.sig' - args: - - sign-blob - - '--output-certificate=${certificate}' - - '--output-signature=${signature}' - - '${artifact}' - artifacts: binary - output: true + - cmd: cosign + env: + - COSIGN_YES=true + certificate: '${artifact}.pem' + signature: '${artifact}.sig' + args: + - sign-blob + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + artifacts: binary + output: true release: prerelease: allow