Skip to content

Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 #614

Bump sigstore/cosign-installer from 3.1.1 to 3.1.2

Bump sigstore/cosign-installer from 3.1.1 to 3.1.2 #614

Workflow file for this run

name: Go CI
on:
push:
pull_request:
types: [ opened, reopened ]
workflow_dispatch:
permissions:
contents: write
packages: write
jobs:
build:
runs-on: ubuntu-20.04
name: Continuous Integration
steps:
- name: Set up Go
uses: actions/[email protected]
with:
go-version: 1.18
check-latest: true
- name: Check out code
uses: actions/checkout@v3
- name: Cache Go modules
uses: actions/[email protected]
id: go-mod-cache
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Get dependencies
run: go mod download
- name: Lint
run: |
result=$(make lint)
echo $result
[ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0
- name: Build
run: make build
- name: Test
run: make test
- name: Coverage
run: make coverage-out
- name: Upload Code Coverage
uses: codecov/[email protected]
with:
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.out
flags: unittests
name: codecov-umbrella
fail_ci_if_error: true
verbose: true
release:
name: release
needs: [build]
runs-on: ubuntu-20.04
outputs:
container_digest: ${{ steps.container_info.outputs.container_digest }}
container_tags: ${{ steps.container_info.outputs.container_tags }}
container_repos: ${{ steps.container_info.outputs.container_repos }}
steps:
- name: Set up Go
uses: actions/[email protected]
with:
go-version: 1.18
check-latest: true
- name: Install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.1.1'
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Login to container registries
if: startsWith(github.ref, 'refs/tags/')
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io
- name: Set release variables
id: release-vars
run: |
make release-vars > /tmp/spiffe-vault-release-vars.env
source /tmp/spiffe-vault-release-vars.env
if [[ -n "$LDFLAGS" ]]; then
echo "ldflags=$LDFLAGS" >> $GITHUB_OUTPUT
fi
if [[ -n "$GIT_HASH" ]]; then
echo "git_hash=$GIT_HASH" >> $GITHUB_OUTPUT
fi
rm -f /tmp/spiffe-vault-release-vars.env
- name: Install signing key
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
- name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }}
uses: goreleaser/goreleaser-action@v4
with:
version: latest
args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }}
env:
LDFLAGS: ${{ steps.release-vars.outputs.ldflags }}
GIT_HASH: ${{ steps.release-vars.outputs.git_hash }}
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Get container info
id: container_info
if: startsWith(github.ref, 'refs/tags/')
run: |
export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }})
echo "container_digest=$CONTAINER_DIGEST" >> $GITHUB_OUTPUT
echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >> $GITHUB_OUTPUT
echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" >> $GITHUB_OUTPUT
- name: Logout from container registries
if: ${{ always() }}
run: |
docker logout
docker logout ghcr.io
- name: Cleanup signing keys
if: ${{ always() }}
run: rm -f cosign.key
provenance:
name: Generate provenance
runs-on: ubuntu-20.04
needs: [release]
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Generate provenance for release
uses: philips-labs/[email protected]
with:
command: generate
subcommand: github-release
arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.1.1'
- name: Sign provenance
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att
cat "${SIGNATURE}"
curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}")
curl_args+=(-H "Accept: application/vnd.github.v3+json")
release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')"
echo "Upload ${SIGNATURE} to release with id ${release_id}…"
curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")")
curl "${curl_args[@]}" \
--data-binary @"${SIGNATURE}" \
"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}"
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
SIGNATURE: provenance.att.sig
container-provenance:
name: container-provenance
needs: [release]
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-20.04
strategy:
matrix:
repo: ${{ fromJSON(needs.release.outputs.container_repos) }}
steps:
- name: Install cosign
uses: sigstore/[email protected]
with:
cosign-release: 'v2.1.1'
- name: Generate provenance for ${{ matrix.repo }}
uses: philips-labs/[email protected]
with:
command: generate
subcommand: container
arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Get slsa-provenance predicate
run: |
cat provenance.att | jq .predicate > provenance-predicate.att
- name: Login to Container registries
if: startsWith(github.ref, 'refs/tags/')
run: |
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u philipssoftware --password-stdin
echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io
- name: Attach provenance to image
run: |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Verify attestation
run: |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub
cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }}
- name: Logout from Container registries
if: ${{ always() }}
run: |
docker logout
docker logout ghcr.io
rm -f cosign.key