From 09ecf71dff57de24ec5e779b4077b187956edf0e Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Fri, 4 Feb 2022 13:25:24 +0100 Subject: [PATCH] update release job (#651) * update release job Signed-off-by: Carlos Panato * update changelog Signed-off-by: Carlos Panato --- .github/workflows/validate-release.yml | 13 +++++++++++++ .goreleaser.yml | 4 +++- CHANGELOG.md | 2 ++ release/cloudbuild.yaml | 10 ++++------ 4 files changed, 22 insertions(+), 7 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 9bb083bc6..feacc3cd8 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -38,6 +38,10 @@ jobs: security-events: none statuses: none + env: + CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0 + COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.5.1@sha256:6247b2e693b0e6a62dcfa75eb46b698c1f4cd1aca36aaefafd4bbb2f2b2af717 + steps: - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0 - name: Extract version of Go to use @@ -51,6 +55,15 @@ jobs: with: install-only: true + - name: Check Signature + run: | + docker run --rm \ + -e COSIGN_EXPERIMENTAL=true \ + -e TUF_ROOT=/tmp \ + $COSIGN_IMAGE \ + verify \ + $CROSS_BUILDER_IMAGE + - name: snaphot run: make snapshot env: diff --git a/.goreleaser.yml b/.goreleaser.yml index 57a510ec4..cd4e19a38 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -10,6 +10,7 @@ env: before: hooks: - go mod tidy + - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' gomod: proxy: true 
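Review bot: The `verify` call in the new Check Signature step passes no key and no expected signer identity, so with `COSIGN_EXPERIMENTAL=true` it appears to accept any keyless signature that chains to Fulcio and is logged in Rekor, not specifically one made by the golang-cross maintainers. The same applies to the `verify` step in release/cloudbuild.yaml, where this commit drops `--key`. Constrain the signer with cosign's certificate identity/issuer options if the pinned v1.5.1 image supports them; otherwise add a comment saying that the digest pin is the effective trust anchor. Also quote the expansions (`"$COSIGN_IMAGE"`, `"$CROSS_BUILDER_IMAGE"`), and note that the check only helps if `make snapshot` runs the same digest, which is not visible in this hunk.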
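Review bot: The added `before` hook in .goreleaser.yml captures the diff inside `$(...)` and exits 1 without printing anything, so a release that fails because `go mod tidy` changed go.mod or go.sum gives no hint why. `--exit-code` is also unused there, since only the captured text is tested. Running the command directly as the hook, `- git --no-pager diff --exit-code go.mod go.sum`, should fail in the same case and print the offending diff. A short comment above it, such as `# release must build from the committed go.mod/go.sum`, would document the intent.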
@@ -70,7 +71,8 @@ builds: - "{{ .Env.CLIENT_LDFLAGS }}" signs: - - signature: "${artifact}.sig" + - id: rekor + signature: "${artifact}.sig" cmd: cosign args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"] artifacts: binary diff --git a/CHANGELOG.md b/CHANGELOG.md index ff7264423..d2c592286 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Highlights +* Add Rekor logo to README (https://github.com/sigstore/rekor/pull/650) * update API calls to v5 (https://github.com/sigstore/rekor/pull/591) * Refactor helm type to remove intermediate state. (https://github.com/sigstore/rekor/pull/575) * Refactor the shard map parsing so we can pass it down into the API object. (https://github.com/sigstore/rekor/pull/564) @@ -70,6 +71,7 @@ * Jason Hall (@imjasonh) * Lily Sturmann (@lkatalin) * Morten Linderud (@Foxboron) +* Nathan Smith (@nsmith5) * Sylvestre Ledru (@sylvestre) * Trishank Karthik Kuppusamy (@trishankatdatadog) diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 226e7f461..55be413d1 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml 
@@ -32,18 +32,16 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} -- name: 'gcr.io/projectsigstore/cosign:v1.4.1@sha256:502d5130431e45f28c51d2c24a05ef5ccd3fd916bcc91db0c8bee3a81e09a0bb' +- name: 'gcr.io/projectsigstore/cosign:v1.5.1@sha256:6247b2e693b0e6a62dcfa75eb46b698c1f4cd1aca36aaefafd4bbb2f2b2af717' dir: "go/src/sigstore/rekor" env: - COSIGN_EXPERIMENTAL=true - TUF_ROOT=/tmp args: - 'verify' - - '--key' - - 'https://raw.githubusercontent.com/gythialy/golang-cross/main/cosign.pub' - - 'ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766' + - 'ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0' -- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766 +- name: ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0 entrypoint: /bin/sh dir: "go/src/sigstore/rekor" env: @@ -64,7 +62,7 @@ steps: - | make release -- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766 +- name: ghcr.io/gythialy/golang-cross:v1.17.6-3@sha256:312ac8449408302e5fdde452578607cff075bc80052f4526254cd25fa96ce9e0 entrypoint: 'bash' dir: "go/src/sigstore/rekor" env:
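Review bot: The golang-cross reference is now written out in full three times in release/cloudbuild.yaml (the `verify` argument and two step `name` fields, the second in the following hunk) and again as `CROSS_BUILDER_IMAGE` in validate-release.yml. A later bump that misses the `verify` argument would leave the build running an image that was never checked. Consider defining the reference once, for example as a user substitution alongside `${_GIT_TAG}` if Cloud Build accepts substitutions in `name` here. At minimum, add a comment such as `# keep in sync with the verify step and .github/workflows/validate-release.yml`. The steps list continues outside this hunk.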