chore: sign container images and checksum assets (argoproj#2334)
Signed-off-by: Justin Marquis <[email protected]>
1 parent
73ec80d
commit d161fc3
Showing
2 changed files
with
87 additions
and
1 deletion.
@@ -94,4 +94,54 @@ jobs: | |
target: kubectl-argo-rollouts | ||
platforms: ${{ steps.platform-matrix.outputs.platform-matrix }} | ||
push: ${{ github.event_name != 'pull_request' }} | ||
tags: ${{ steps.plugin-meta.outputs.tags }} | ||
tags: ${{ steps.plugin-meta.outputs.tags }} | ||
|
||
- name: Install cosign | ||
uses: sigstore/cosign-installer@main | ||
with: | ||
cosign-release: 'v1.13.1' | ||
|
||
- name: Install crane to get digest of image | ||
uses: imjasonh/[email protected] | ||
|
||
- name: Get digest of controller-image | ||
run: | | ||
if [[ "${{ github.ref == 'refs/heads/master' }}" ]] | ||
then | ||
echo "CONTROLLER_DIGEST=$(crane digest quay.io/argoproj/argo-rollouts:latest)" >> $GITHUB_ENV | ||
fi | ||
if [[ "${{ github.ref != 'refs/heads/master' }}" ]] | ||
then | ||
echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV | ||
fi | ||
if: github.event_name != 'pull_request' | ||
|
||
- name: Get digest of plugin-image | ||
run: | | ||
if [[ "${{ github.ref == 'refs/heads/master' }}" ]] | ||
then | ||
echo "PLUGIN_DIGEST=$(crane digest quay.io/argoproj/kubectl-argo-rollouts:latest)" >> $GITHUB_ENV | ||
fi | ||
if [[ "${{ github.ref != 'refs/heads/master' }}" ]] | ||
then | ||
echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV | ||
fi | ||
if: github.event_name != 'pull_request' | ||
|
||
- name: Sign Argo Rollouts Images | ||
run: | | ||
cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }} | ||
cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }} | ||
env: | ||
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | ||
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | ||
if: ${{ github.event_name == 'push' }} | ||
|
||
- name: Display the public key to share. | ||
run: | | ||
# Displays the public key to share | ||
cosign public-key --key env://COSIGN_PRIVATE_KEY | ||
env: | ||
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | ||
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | ||
if: ${{ github.event_name == 'push' }} |
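Review bot: The branch tests in the two "Get digest" steps never take the false branch: `${{ github.ref == 'refs/heads/master' }}` is expanded by Actions to the literal string `true` or `false`, and `[[ "false" ]]` is a non-empty-string test that succeeds, so both `echo ... >> $GITHUB_ENV` lines run on every ref and the second assignment (from `steps.*-meta.outputs.tags`) always wins. Compare the ref directly, `if [[ "${{ github.ref }}" == "refs/heads/master" ]]; then`, and turn the second test into `else`, in both the controller and plugin steps. Resolving the mutable `:latest` tag with `crane digest` is also racy against a concurrent push, so the signature may cover an image this run did not build; if the build step is docker/build-push-action, its `digest` output pins the exact image that was pushed. `sigstore/cosign-installer@main` (here and in the release workflow's first hunk) is an unpinned, mutable ref for the step that handles the signing key; pin it to a tagged release or a commit SHA.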
@@ -149,6 +149,40 @@ jobs: | |
cd /tmp && tar -zcf sbom.tar.gz *.spdx | ||
- name: Install cosign | ||
uses: sigstore/cosign-installer@main | ||
with: | ||
cosign-release: 'v1.13.1' | ||
|
||
- name: Install crane to get digest of image | ||
uses: imjasonh/[email protected] | ||
|
||
- name: Get digest of controller-image | ||
run: | | ||
echo "CONTROLLER_DIGEST=$(crane digest ${{ steps.controller-meta.outputs.tags }})" >> $GITHUB_ENV | ||
- name: Get digest of plugin-image | ||
run: | | ||
echo "PLUGIN_DIGEST=$(crane digest ${{ steps.plugin-meta.outputs.tags }})" >> $GITHUB_ENV | ||
- name: Sign Argo Rollouts Images | ||
run: | | ||
cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }} | ||
cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }} | ||
env: | ||
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | ||
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | ||
|
||
- name: Sign checksums and create public key for release assets | ||
run: | | ||
cosign sign-blob --key env://COSIGN_PRIVATE_KEY dist/argo-rollouts-checksums.txt > dist/argo-rollouts-checksums.sig | ||
cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub | ||
# Displays the public key to share. | ||
cosign public-key --key env://COSIGN_PRIVATE_KEY | ||
env: | ||
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}} | ||
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | ||
|
||
- name: Draft release | ||
uses: softprops/action-gh-release@v1 | ||
with: | ||
|
@@ -161,6 +195,8 @@ jobs: | |
dist/kubectl-argo-rollouts-darwin-arm64 | ||
dist/kubectl-argo-rollouts-windows-amd64 | ||
dist/argo-rollouts-checksums.txt | ||
dist/argo-rollouts-checksums.sig | ||
dist/argo-rollouts-cosign.pub | ||
manifests/dashboard-install.yaml | ||
manifests/install.yaml | ||
manifests/namespace-install.yaml | ||
|
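Review bot: The release publishes `dist/argo-rollouts-cosign.pub` next to the `dist/argo-rollouts-checksums.sig` it is meant to verify (the `Draft release` files list in the last hunk), so a consumer who downloads both from the release has no independent trust anchor: whoever can replace the assets can replace the key as well. Keep the key in the release for convenience, but also publish it out of band (in the repository or the docs) and document the verification step in a comment above the `sign-blob` line, e.g. `# verify: cosign verify-blob --key argo-rollouts-cosign.pub --signature argo-rollouts-checksums.sig argo-rollouts-checksums.txt`. As in the image workflow, `crane digest ${{ steps.controller-meta.outputs.tags }}` (and the plugin equivalent) is passed unquoted; if that output ever holds more than one tag the command receives several arguments and `CONTROLLER_DIGEST` is not a single digest, so select one tag explicitly or use the build step's digest output. The enclosing `steps:` list begins before the first hunk.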