diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 35b9feb4f6..2b65ec1d26 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -121,6 +121,7 @@ jobs:
 - name: Generate release artifacts
 run: |
 make release-plugins
+ make checksums
 make manifests IMAGE_TAG=${{ github.event.inputs.tag }}
 - name: Generate SBOM (spdx)
@@ -188,8 +189,9 @@ jobs:
 - name: Sign checksums and create public key for release assets
 run: |
- cosign sign-blob --key env://COSIGN_PRIVATE_KEY dist/argo-rollouts-checksums.txt > dist/argo-rollouts-checksums.sig
+ cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-rollouts-checksums.txt > ./dist/argo-rollouts-checksums.sig
 cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub
+ cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
 # Displays the public key to share.
 cosign public-key --key env://COSIGN_PRIVATE_KEY
 env:
@@ -222,5 +224,6 @@ jobs:
 manifests/notifications-install.yaml
 docs/features/kustomize/rollout_cr_schema.json
 /tmp/sbom.tar.gz
+ /tmp/sbom.tar.gz.sig
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Makefile b/Makefile
index 5c566df257..3f5126d912 100644
--- a/Makefile
+++ b/Makefile
@@ -275,3 +275,7 @@ release: release-precheck precheckin image plugin-image release-plugins
 trivy:
 @trivy fs --clear-cache
 @trivy fs .
+
+.PHONY: checksums
+checksums:
+ shasum -a 256 ./dist/kubectl-argo-rollouts-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/argo-rollouts-checksums.txt
diff --git a/hack/build-release-plugins.sh b/hack/build-release-plugins.sh
index 390fbdadbc..49d57a3aaa 100755
--- a/hack/build-release-plugins.sh
+++ b/hack/build-release-plugins.sh
@@ -17,6 +17,3 @@ done
 docker rm -v ${container_id}
 rm -f ${rollout_iid_file}
-
-cd ${SRCROOT}/dist/
-shasum -a 256 kubectl-argo-rollouts-* > argo-rollouts-checksums.txt
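Review bot: The added `cosign sign-blob ... /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig` line captures the signature by redirecting stdout, so anything else cosign prints to stdout would end up in the published `.sig`, and the file is created even when the command fails. Writing it explicitly is safer: `cosign sign-blob --key env://COSIGN_PRIVATE_KEY --output-signature /tmp/sbom.tar.gz.sig /tmp/sbom.tar.gz`, and the same applies to the checksums signature two lines above. The public key is exported in this same step and appears to ship with the release assets, so the signature only shows that the SBOM matches the key found in that release. The release documentation should tell users to obtain `argo-rollouts-cosign.pub` from a source they already trust before verifying. The step's `env:` block continues outside the hunk.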
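Review bot: The `checksums` recipe pipes `shasum` into `awk`, and make's default shell reports only the last command's status, so if the glob matches nothing or `shasum` fails, `awk` still exits 0 and an empty or partial `argo-rollouts-checksums.txt` is written and then signed by the release workflow. Dropping the pipe keeps the failure visible and yields the same bare file names: `cd ./dist && shasum -a 256 kubectl-argo-rollouts-* > argo-rollouts-checksums.txt`. The target also declares no prerequisite, so it relies on the caller having run `release-plugins` first; a one-line comment above the target saying so (`# Requires the binaries from release-plugins to be present in ./dist`) would make that ordering explicit.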