Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 #614
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Go CI | |
on: | |
push: | |
pull_request: | |
types: [ opened, reopened ] | |
workflow_dispatch: | |
permissions: | |
contents: write | |
packages: write | |
jobs: | |
build: | |
runs-on: ubuntu-20.04 | |
name: Continuous Integration | |
steps: | |
- name: Set up Go | |
uses: actions/[email protected] | |
with: | |
go-version: 1.18 | |
check-latest: true | |
- name: Check out code | |
uses: actions/checkout@v3 | |
- name: Cache Go modules | |
uses: actions/[email protected] | |
id: go-mod-cache | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Get dependencies | |
run: go mod download | |
- name: Lint | |
run: | | |
result=$(make lint) | |
echo $result | |
[ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0 | |
- name: Build | |
run: make build | |
- name: Test | |
run: make test | |
- name: Coverage | |
run: make coverage-out | |
- name: Upload Code Coverage | |
uses: codecov/[email protected] | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: ./coverage.out | |
flags: unittests | |
name: codecov-umbrella | |
fail_ci_if_error: true | |
verbose: true | |
release: | |
name: release | |
needs: [build] | |
runs-on: ubuntu-20.04 | |
outputs: | |
container_digest: ${{ steps.container_info.outputs.container_digest }} | |
container_tags: ${{ steps.container_info.outputs.container_tags }} | |
container_repos: ${{ steps.container_info.outputs.container_repos }} | |
steps: | |
- name: Set up Go | |
uses: actions/[email protected] | |
with: | |
go-version: 1.18 | |
check-latest: true | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.1.1' | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Login to container registries | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | |
- name: Set release variables | |
id: release-vars | |
run: | | |
make release-vars > /tmp/spiffe-vault-release-vars.env | |
source /tmp/spiffe-vault-release-vars.env | |
if [[ -n "$LDFLAGS" ]]; then | |
echo "ldflags=$LDFLAGS" >> $GITHUB_OUTPUT | |
fi | |
if [[ -n "$GIT_HASH" ]]; then | |
echo "git_hash=$GIT_HASH" >> $GITHUB_OUTPUT | |
fi | |
rm -f /tmp/spiffe-vault-release-vars.env | |
- name: Install signing key | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
- name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }} | |
uses: goreleaser/goreleaser-action@v4 | |
with: | |
version: latest | |
args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} | |
env: | |
LDFLAGS: ${{ steps.release-vars.outputs.ldflags }} | |
GIT_HASH: ${{ steps.release-vars.outputs.git_hash }} | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Get container info | |
id: container_info | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }}) | |
echo "container_digest=$CONTAINER_DIGEST" >> $GITHUB_OUTPUT | |
echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >> $GITHUB_OUTPUT | |
echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" >> $GITHUB_OUTPUT | |
- name: Logout from container registries | |
if: ${{ always() }} | |
run: | | |
docker logout | |
docker logout ghcr.io | |
- name: Cleanup signing keys | |
if: ${{ always() }} | |
run: rm -f cosign.key | |
provenance: | |
name: Generate provenance | |
runs-on: ubuntu-20.04 | |
needs: [release] | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- name: Generate provenance for release | |
uses: philips-labs/[email protected] | |
with: | |
command: generate | |
subcommand: github-release | |
arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.1.1' | |
- name: Sign provenance | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att | |
cat "${SIGNATURE}" | |
curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}") | |
curl_args+=(-H "Accept: application/vnd.github.v3+json") | |
release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')" | |
echo "Upload ${SIGNATURE} to release with id ${release_id}…" | |
curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")") | |
curl "${curl_args[@]}" \ | |
--data-binary @"${SIGNATURE}" \ | |
"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
SIGNATURE: provenance.att.sig | |
container-provenance: | |
name: container-provenance | |
needs: [release] | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: | |
repo: ${{ fromJSON(needs.release.outputs.container_repos) }} | |
steps: | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.1.1' | |
- name: Generate provenance for ${{ matrix.repo }} | |
uses: philips-labs/[email protected] | |
with: | |
command: generate | |
subcommand: container | |
arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Get slsa-provenance predicate | |
run: | | |
cat provenance.att | jq .predicate > provenance-predicate.att | |
- name: Login to Container registries | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | |
- name: Attach provenance to image | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Verify attestation | |
run: | | |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | |
- name: Logout from Container registries | |
if: ${{ always() }} | |
run: | | |
docker logout | |
docker logout ghcr.io | |
rm -f cosign.key |