From 4ffbfab435dd60cca6ac0ae723d22c2170645906 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 11:59:35 +0200 Subject: [PATCH 01/12] add docs in readme Signed-off-by: Miguel Martinez Trivino --- deployment/chainloop/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index a15c9000e..0d6a92c9f 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -13,11 +13,11 @@ This chart bootstraps a [Chainloop](https://github.com/chainloop-dev/chainloop) - PV provisioner support in the underlying infrastructure - ReadWriteMany volumes for deployment scaling -## TLDR; +## TL;DR Deploy Chainloop in [development mode](#development) by running -```sh +```console helm install [RELEASE_NAME] . \ --set development=true \ --set controlplane.auth.oidc.url=[OIDC URL] \ @@ -49,7 +49,7 @@ During installation, you'll need to provide You can generate the ECDSA key-pair by running -```sh +```console # Private Key (private.ec.key) openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key # Public Key (public.pem) @@ -60,7 +60,7 @@ openssl ec -in private.ec.key -pubout -out public.pem Deploy Chainloop configured to talk to the bundled PostgreSQL an external OIDC IDp and a Vault instance. -```sh +```console helm install [RELEASE_NAME] . \ # Open ID Connect (OIDC) --set controlplane.auth.oidc.url=[OIDC URL] \ @@ -76,7 +76,7 @@ helm install [RELEASE_NAME] . \ Deploy using AWS secret manager instead of Vault -```sh +```console helm install [RELEASE_NAME] . \ # Open ID Connect (OIDC) # ... @@ -90,7 +90,7 @@ helm install [RELEASE_NAME] . \ Connect to an external PostgreSQL database instead -```sh +```console helm install [RELEASE_NAME] . \ # Open ID Connect (OIDC) # ... @@ -131,7 +131,7 @@ During installation, you'll need to provide Deploy by leveraging built-in Vault and PostgreSQL instances -```sh +```console helm install [RELEASE_NAME] . \ --set development=true \ --set controlplane.auth.oidc.url=[OIDC URL] \ From 4f6a808803f16a4a64039f03a98fc97c90446cd8 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 13:27:43 +0200 Subject: [PATCH 02/12] add license Signed-off-by: Miguel Martinez Trivino --- deployment/chainloop/LICENSE.md | 201 ++++++++++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 deployment/chainloop/LICENSE.md diff --git a/deployment/chainloop/LICENSE.md b/deployment/chainloop/LICENSE.md new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/deployment/chainloop/LICENSE.md @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. From a23bfd2f3a8f9680af6ff1d16fce379bdbcaea65 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:37:23 +0200 Subject: [PATCH 03/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/test.yml | 75 ++++++++++++------- .github/workflows/utils/bump-chart-version.sh | 25 +++++++ 2 files changed, 73 insertions(+), 27 deletions(-) create mode 100755 .github/workflows/utils/bump-chart-version.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7bc074785..bfb233b0c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,37 +9,58 @@ on: workflow_call: jobs: - build_and_test: - name: Test + createPullRequest: runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - app: - - main-module - - cli - - controlplane - - artifact-cas + env: + VERSION: v1.1.0 steps: - uses: actions/checkout@v3 - - uses: actions/setup-go@v3 - with: - go-version-file: go.mod - cache: true - cache-dependency-path: go.sum - # Check that the generated ent code is up to date - # see https://entgo.io/docs/ci/ - - uses: ent/contrib/ci@master - name: "Check all generated code is checked in" - if: ${{ matrix.app != 'main-module' }} + - name: Bump Chart Version + run: .github/workflows/utils/bump-chart-version.sh deployment/chainloop/Chart.yaml ${VERSION} + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v5 with: - working-directory: app/${{ matrix.app }} + commit-message: Bump Chart Version ${VERSION} + signoff: true + delete-branch: true + title: 'Bump Chart Version' + body: | + New Chart Version ${VERSION} + labels: | + automated pr + # build_and_test: + # name: Test + # runs-on: ubuntu-latest + # strategy: + # fail-fast: false + # matrix: + # app: + # - main-module + # - cli + # - controlplane + # - artifact-cas + # steps: + # - uses: actions/checkout@v3 + # - uses: actions/setup-go@v3 + # with: + # go-version-file: go.mod + # cache: true + # cache-dependency-path: go.sum + + # # Check that the generated ent code is up to date + # # see https://entgo.io/docs/ci/ + # - uses: ent/contrib/ci@master + # name: "Check all generated code is checked in" + # if: ${{ matrix.app != 'main-module' }} + # with: + # working-directory: app/${{ matrix.app }} - - name: Test - if: ${{ matrix.app != 'main-module' }} - run: make -C app/${{ matrix.app }} test + # - name: Test + # if: ${{ matrix.app != 'main-module' }} + # run: make -C app/${{ matrix.app }} test - - name: Test top level modules - if: ${{ matrix.app == 'main-module' }} - run: make test + # - name: Test top level modules + # if: ${{ matrix.app == 'main-module' }} + # run: make test diff --git a/.github/workflows/utils/bump-chart-version.sh b/.github/workflows/utils/bump-chart-version.sh new file mode 100755 index 000000000..6a0069aef --- /dev/null +++ b/.github/workflows/utils/bump-chart-version.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +# Bump Helm Chart version, and appVersion to a given version number + +set -e + +die () { + echo >&2 "$@" + echo "usage: bump.sh [chartYamlFile] [version]" + exit 1 +} + +## debug if desired +if [[ -n "${DEBUG}" ]]; then + set -x +fi + +[ "$#" -eq 2 ] || die "2 arguments required, $# provided" + +chart_yaml="${1}" +version="${2}" + + +sed -i "s#^appVersion:.*#appVersion: ${version}#g" "${chart_yaml}" +sed -i "s#^version:.*#version: ${version}#g" "${chart_yaml}" From fcc4b40e5ee22b8be2a6a15572455a140d6a6d8e Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:43:34 +0200 Subject: [PATCH 04/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/test.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bfb233b0c..285e92566 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,10 +1,16 @@ name: Test on: - push: - branches: - - main - pull_request: + workflow_dispatch: + inputs: + version: + description: "Controlplane and Artifact CAS version to deploy i.e v0.0.1" + required: true + type: string + # push: + # branches: + # - main + # pull_request: # We want to call this workflow during release too workflow_call: @@ -12,7 +18,7 @@ jobs: createPullRequest: runs-on: ubuntu-latest env: - VERSION: v1.1.0 + VERSION: ${{ inputs.version }} steps: - uses: actions/checkout@v3 @@ -24,7 +30,7 @@ jobs: with: commit-message: Bump Chart Version ${VERSION} signoff: true - delete-branch: true + base: main title: 'Bump Chart Version' body: | New Chart Version ${VERSION} From c1187f913ec12f8e9d3a7f97eea30e7753285b50 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:44:46 +0200 Subject: [PATCH 05/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/test.yml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 285e92566..dbbc15bdc 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,15 +1,9 @@ name: Test on: - workflow_dispatch: - inputs: - version: - description: "Controlplane and Artifact CAS version to deploy i.e v0.0.1" - required: true - type: string - # push: - # branches: - # - main + push: + branches: + - main # pull_request: # We want to call this workflow during release too workflow_call: @@ -18,7 +12,7 @@ jobs: createPullRequest: runs-on: ubuntu-latest env: - VERSION: ${{ inputs.version }} + VERSION: v1.1.0 steps: - uses: actions/checkout@v3 @@ -30,7 +24,6 @@ jobs: with: commit-message: Bump Chart Version ${VERSION} signoff: true - base: main title: 'Bump Chart Version' body: | New Chart Version ${VERSION} From 5341ac3517afe1270a2941c89493486f516a77fa Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:45:17 +0200 Subject: [PATCH 06/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index dbbc15bdc..aac6bb82f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,8 +2,8 @@ name: Test on: push: - branches: - - main + # branches: + # - main # pull_request: # We want to call this workflow during release too workflow_call: From bdfecddf7ffbdabe8fe1c22a112dc60cad65a032 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:46:39 +0200 Subject: [PATCH 07/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index aac6bb82f..3a68cc8c1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,7 +4,7 @@ on: push: # branches: # - main - # pull_request: + pull_request: # We want to call this workflow during release too workflow_call: From 03d55921c509291f032aff68d6ede018e8ba63c5 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:48:20 +0200 Subject: [PATCH 08/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3a68cc8c1..6b7c48dfa 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,6 +24,7 @@ jobs: with: commit-message: Bump Chart Version ${VERSION} signoff: true + base: main title: 'Bump Chart Version' body: | New Chart Version ${VERSION} From b4d4c67980c515a1700551370df103301df761e4 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:53:48 +0200 Subject: [PATCH 09/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/release.yaml | 179 ++++++++++++++++++--------------- .github/workflows/test.yml | 79 ++++++--------- 2 files changed, 126 insertions(+), 132 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2102a1e86..897f1e040 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,12 +6,12 @@ on: - "v*.*.*" jobs: - test: - uses: chainloop-dev/chainloop/.github/workflows/test.yml@main + # test: + # uses: chainloop-dev/chainloop/.github/workflows/test.yml@main release: name: Release CLI and control-plane/artifact-cas container images - needs: test + # needs: test runs-on: ubuntu-latest if: github.ref_type == 'tag' # Guard to make sure we are releasing once permissions: @@ -40,84 +40,99 @@ jobs: with: fetch-depth: 0 - - name: Initialize Attestation - run: | - chainloop attestation init - - - name: Docker login to Github Packages - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Go - uses: actions/setup-go@v3 - with: - go-version: "1.20" + - name: Bump Chart Version + run: .github/workflows/utils/bump-chart-version.sh deployment/chainloop/Chart.yaml ${{ github.ref_name }} - - name: Run GoReleaser - id: release - uses: goreleaser/goreleaser-action@v3 + - name: Create Pull Request + uses: peter-evans/create-pull-request@v5 with: - distribution: goreleaser - version: latest - args: release --rm-dist - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - COSIGN_KEY: ${{ secrets.COSIGN_KEY }} - - - uses: anchore/sbom-action@v0 - with: - image: ${{ env.CONTAINER_IMAGE_CP }} - format: cyclonedx-json - artifact-name: controlplane.cyclonedx.json - output-file: /tmp/sbom.cp.cyclonedx.json - - - uses: anchore/sbom-action@v0 - with: - image: ${{ env.CONTAINER_IMAGE_CAS }} - format: cyclonedx-json - artifact-name: cas.cyclonedx.json - output-file: /tmp/sbom.cas.cyclonedx.json - - - name: Add Attestation Artifacts (SBOM) - run: | - chainloop attestation add --name sbom-control-plane --value /tmp/sbom.cp.cyclonedx.json - chainloop attestation add --name sbom-artifact-cas --value /tmp/sbom.cas.cyclonedx.json - - - name: Add Attestation Artifacts (container images) - run: | - # Control plane image - chainloop attestation add --name control-plane-image --value ${{ env.CONTAINER_IMAGE_CP }} - # CAS image - chainloop attestation add --name artifact-cas-image --value ${{ env.CONTAINER_IMAGE_CAS }} - - - name: Add Attestation Artifacts (binaries) - run: | - # Binaries x86_64 - # TODO: add the rest of binaries - echo -n '${{ steps.release.outputs.artifacts }}' | jq -r '.[] | select(.type=="Binary" and .goos=="linux" and .goarch=="amd64") | { "name": "\(.extra.ID)-\(.goos)-\(.goarch)", "path":"\(.path)"} | @base64' | while read i; do - BINARY_NAME=$(echo "${i}" | base64 --decode | jq -r ${1} .name) - BINARY_PATH=$(echo "${i}" | base64 --decode | jq -r ${1} .path) - chainloop attestation add --name ${BINARY_NAME} --value ${BINARY_PATH} - done - - - name: Finish and Record Attestation - if: ${{ success() }} - run: | - chainloop attestation status --full - chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY - env: - CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }} - - - name: Mark attestation as failed - if: ${{ failure() }} - run: | - chainloop attestation reset - - name: Mark attestation as cancelled - if: ${{ cancelled() }} - run: | - chainloop attestation reset --trigger cancellation + commit-message: Bump Chart Version ${{ github.ref_name }} + signoff: true + base: main + title: Bump Chart Version => ${{ github.ref_name }} + body: | + New Chart Version ${{ github.ref_name }} + labels: | + automated pr + + # - name: Initialize Attestation + # run: | + # chainloop attestation init + + # - name: Docker login to Github Packages + # uses: docker/login-action@v2 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} + + # - name: Set up Go + # uses: actions/setup-go@v3 + # with: + # go-version: "1.20" + + # - name: Run GoReleaser + # id: release + # uses: goreleaser/goreleaser-action@v3 + # with: + # distribution: goreleaser + # version: latest + # args: release --rm-dist + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + # COSIGN_KEY: ${{ secrets.COSIGN_KEY }} + + # - uses: anchore/sbom-action@v0 + # with: + # image: ${{ env.CONTAINER_IMAGE_CP }} + # format: cyclonedx-json + # artifact-name: controlplane.cyclonedx.json + # output-file: /tmp/sbom.cp.cyclonedx.json + + # - uses: anchore/sbom-action@v0 + # with: + # image: ${{ env.CONTAINER_IMAGE_CAS }} + # format: cyclonedx-json + # artifact-name: cas.cyclonedx.json + # output-file: /tmp/sbom.cas.cyclonedx.json + + # - name: Add Attestation Artifacts (SBOM) + # run: | + # chainloop attestation add --name sbom-control-plane --value /tmp/sbom.cp.cyclonedx.json + # chainloop attestation add --name sbom-artifact-cas --value /tmp/sbom.cas.cyclonedx.json + + # - name: Add Attestation Artifacts (container images) + # run: | + # # Control plane image + # chainloop attestation add --name control-plane-image --value ${{ env.CONTAINER_IMAGE_CP }} + # # CAS image + # chainloop attestation add --name artifact-cas-image --value ${{ env.CONTAINER_IMAGE_CAS }} + + # - name: Add Attestation Artifacts (binaries) + # run: | + # # Binaries x86_64 + # # TODO: add the rest of binaries + # echo -n '${{ steps.release.outputs.artifacts }}' | jq -r '.[] | select(.type=="Binary" and .goos=="linux" and .goarch=="amd64") | { "name": "\(.extra.ID)-\(.goos)-\(.goarch)", "path":"\(.path)"} | @base64' | while read i; do + # BINARY_NAME=$(echo "${i}" | base64 --decode | jq -r ${1} .name) + # BINARY_PATH=$(echo "${i}" | base64 --decode | jq -r ${1} .path) + # chainloop attestation add --name ${BINARY_NAME} --value ${BINARY_PATH} + # done + + # - name: Finish and Record Attestation + # if: ${{ success() }} + # run: | + # chainloop attestation status --full + # chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY + # env: + # CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + # CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }} + + # - name: Mark attestation as failed + # if: ${{ failure() }} + # run: | + # chainloop attestation reset + # - name: Mark attestation as cancelled + # if: ${{ cancelled() }} + # run: | + # chainloop attestation reset --trigger cancellation diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6b7c48dfa..7bc074785 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,65 +2,44 @@ name: Test on: push: - # branches: - # - main + branches: + - main pull_request: # We want to call this workflow during release too workflow_call: jobs: - createPullRequest: + build_and_test: + name: Test runs-on: ubuntu-latest - env: - VERSION: v1.1.0 + strategy: + fail-fast: false + matrix: + app: + - main-module + - cli + - controlplane + - artifact-cas steps: - uses: actions/checkout@v3 - - - name: Bump Chart Version - run: .github/workflows/utils/bump-chart-version.sh deployment/chainloop/Chart.yaml ${VERSION} - - - name: Create Pull Request - uses: peter-evans/create-pull-request@v5 + - uses: actions/setup-go@v3 with: - commit-message: Bump Chart Version ${VERSION} - signoff: true - base: main - title: 'Bump Chart Version' - body: | - New Chart Version ${VERSION} - labels: | - automated pr - # build_and_test: - # name: Test - # runs-on: ubuntu-latest - # strategy: - # fail-fast: false - # matrix: - # app: - # - main-module - # - cli - # - controlplane - # - artifact-cas - # steps: - # - uses: actions/checkout@v3 - # - uses: actions/setup-go@v3 - # with: - # go-version-file: go.mod - # cache: true - # cache-dependency-path: go.sum + go-version-file: go.mod + cache: true + cache-dependency-path: go.sum - # # Check that the generated ent code is up to date - # # see https://entgo.io/docs/ci/ - # - uses: ent/contrib/ci@master - # name: "Check all generated code is checked in" - # if: ${{ matrix.app != 'main-module' }} - # with: - # working-directory: app/${{ matrix.app }} + # Check that the generated ent code is up to date + # see https://entgo.io/docs/ci/ + - uses: ent/contrib/ci@master + name: "Check all generated code is checked in" + if: ${{ matrix.app != 'main-module' }} + with: + working-directory: app/${{ matrix.app }} - # - name: Test - # if: ${{ matrix.app != 'main-module' }} - # run: make -C app/${{ matrix.app }} test + - name: Test + if: ${{ matrix.app != 'main-module' }} + run: make -C app/${{ matrix.app }} test - # - name: Test top level modules - # if: ${{ matrix.app == 'main-module' }} - # run: make test + - name: Test top level modules + if: ${{ matrix.app == 'main-module' }} + run: make test From c86a51a0fa8667d12d8f67df55ef29247004f85d Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:56:22 +0200 Subject: [PATCH 10/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 897f1e040..f4803ec1f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,6 +17,7 @@ jobs: permissions: contents: write # required for goreleaser to upload the release assets packages: write # to push container images + pull-request: write env: CHAINLOOP_VERSION: 0.8.92 CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }} From 22bca9b6fde38c6feaca4d6b44ee673d95b110da Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 16:58:03 +0200 Subject: [PATCH 11/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f4803ec1f..307b2f1a1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,7 +17,7 @@ jobs: permissions: contents: write # required for goreleaser to upload the release assets packages: write # to push container images - pull-request: write + pull-requests: write env: CHAINLOOP_VERSION: 0.8.92 CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }} From 2fb449d26b5045507a1c2970ca106fd96667f88b Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Fri, 14 Apr 2023 17:04:22 +0200 Subject: [PATCH 12/12] ci: bump chart version test Signed-off-by: Miguel Martinez Trivino --- .github/workflows/release.yaml | 177 +++++++++++++++++---------------- 1 file changed, 89 insertions(+), 88 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 307b2f1a1..d182352d2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,12 +6,12 @@ on: - "v*.*.*" jobs: - # test: - # uses: chainloop-dev/chainloop/.github/workflows/test.yml@main + test: + uses: chainloop-dev/chainloop/.github/workflows/test.yml@main release: name: Release CLI and control-plane/artifact-cas container images - # needs: test + needs: test runs-on: ubuntu-latest if: github.ref_type == 'tag' # Guard to make sure we are releasing once permissions: @@ -41,6 +41,79 @@ jobs: with: fetch-depth: 0 + - name: Initialize Attestation + run: | + chainloop attestation init + + - name: Docker login to Github Packages + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Go + uses: actions/setup-go@v3 + with: + go-version: "1.20" + + - name: Run GoReleaser + id: release + uses: goreleaser/goreleaser-action@v3 + with: + distribution: goreleaser + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_KEY: ${{ secrets.COSIGN_KEY }} + + - uses: anchore/sbom-action@v0 + with: + image: ${{ env.CONTAINER_IMAGE_CP }} + format: cyclonedx-json + artifact-name: controlplane.cyclonedx.json + output-file: /tmp/sbom.cp.cyclonedx.json + + - uses: anchore/sbom-action@v0 + with: + image: ${{ env.CONTAINER_IMAGE_CAS }} + format: cyclonedx-json + artifact-name: cas.cyclonedx.json + output-file: /tmp/sbom.cas.cyclonedx.json + + - name: Add Attestation Artifacts (SBOM) + run: | + chainloop attestation add --name sbom-control-plane --value /tmp/sbom.cp.cyclonedx.json + chainloop attestation add --name sbom-artifact-cas --value /tmp/sbom.cas.cyclonedx.json + + - name: Add Attestation Artifacts (container images) + run: | + # Control plane image + chainloop attestation add --name control-plane-image --value ${{ env.CONTAINER_IMAGE_CP }} + # CAS image + chainloop attestation add --name artifact-cas-image --value ${{ env.CONTAINER_IMAGE_CAS }} + + - name: Add Attestation Artifacts (binaries) + run: | + # Binaries x86_64 + # TODO: add the rest of binaries + echo -n '${{ steps.release.outputs.artifacts }}' | jq -r '.[] | select(.type=="Binary" and .goos=="linux" and .goarch=="amd64") | { "name": "\(.extra.ID)-\(.goos)-\(.goarch)", "path":"\(.path)"} | @base64' | while read i; do + BINARY_NAME=$(echo "${i}" | base64 --decode | jq -r ${1} .name) + BINARY_PATH=$(echo "${i}" | base64 --decode | jq -r ${1} .path) + chainloop attestation add --name ${BINARY_NAME} --value ${BINARY_PATH} + done + + - name: Finish and Record Attestation + if: ${{ success() }} + run: | + chainloop attestation status --full + chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY + env: + CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }} + - name: Bump Chart Version run: .github/workflows/utils/bump-chart-version.sh deployment/chainloop/Chart.yaml ${{ github.ref_name }} @@ -50,90 +123,18 @@ jobs: commit-message: Bump Chart Version ${{ github.ref_name }} signoff: true base: main - title: Bump Chart Version => ${{ github.ref_name }} + title: Bump Helm Chart Version => ${{ github.ref_name }} body: | - New Chart Version ${{ github.ref_name }} + A new Chainloop release is available! Bumping Helm Chart reference to ${{ github.ref_name }} labels: | - automated pr - - # - name: Initialize Attestation - # run: | - # chainloop attestation init - - # - name: Docker login to Github Packages - # uses: docker/login-action@v2 - # with: - # registry: ghcr.io - # username: ${{ github.actor }} - # password: ${{ secrets.GITHUB_TOKEN }} - - # - name: Set up Go - # uses: actions/setup-go@v3 - # with: - # go-version: "1.20" - - # - name: Run GoReleaser - # id: release - # uses: goreleaser/goreleaser-action@v3 - # with: - # distribution: goreleaser - # version: latest - # args: release --rm-dist - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - # COSIGN_KEY: ${{ secrets.COSIGN_KEY }} - - # - uses: anchore/sbom-action@v0 - # with: - # image: ${{ env.CONTAINER_IMAGE_CP }} - # format: cyclonedx-json - # artifact-name: controlplane.cyclonedx.json - # output-file: /tmp/sbom.cp.cyclonedx.json - - # - uses: anchore/sbom-action@v0 - # with: - # image: ${{ env.CONTAINER_IMAGE_CAS }} - # format: cyclonedx-json - # artifact-name: cas.cyclonedx.json - # output-file: /tmp/sbom.cas.cyclonedx.json - - # - name: Add Attestation Artifacts (SBOM) - # run: | - # chainloop attestation add --name sbom-control-plane --value /tmp/sbom.cp.cyclonedx.json - # chainloop attestation add --name sbom-artifact-cas --value /tmp/sbom.cas.cyclonedx.json - - # - name: Add Attestation Artifacts (container images) - # run: | - # # Control plane image - # chainloop attestation add --name control-plane-image --value ${{ env.CONTAINER_IMAGE_CP }} - # # CAS image - # chainloop attestation add --name artifact-cas-image --value ${{ env.CONTAINER_IMAGE_CAS }} - - # - name: Add Attestation Artifacts (binaries) - # run: | - # # Binaries x86_64 - # # TODO: add the rest of binaries - # echo -n '${{ steps.release.outputs.artifacts }}' | jq -r '.[] | select(.type=="Binary" and .goos=="linux" and .goarch=="amd64") | { "name": "\(.extra.ID)-\(.goos)-\(.goarch)", "path":"\(.path)"} | @base64' | while read i; do - # BINARY_NAME=$(echo "${i}" | base64 --decode | jq -r ${1} .name) - # BINARY_PATH=$(echo "${i}" | base64 --decode | jq -r ${1} .path) - # chainloop attestation add --name ${BINARY_NAME} --value ${BINARY_PATH} - # done - - # - name: Finish and Record Attestation - # if: ${{ success() }} - # run: | - # chainloop attestation status --full - # chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY - # env: - # CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - # CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }} - - # - name: Mark attestation as failed - # if: ${{ failure() }} - # run: | - # chainloop attestation reset - # - name: Mark attestation as cancelled - # if: ${{ cancelled() }} - # run: | - # chainloop attestation reset --trigger cancellation + automated + helm + + - name: Mark attestation as failed + if: ${{ failure() }} + run: | + chainloop attestation reset + - name: Mark attestation as cancelled + if: ${{ cancelled() }} + run: | + chainloop attestation reset --trigger cancellation