add ability to opt in for gitsign verification (#224)
Signed-off-by: Sally O'Malley <somalley@redhat.com>

Signed-off-by: Sally O'Malley <somalley@redhat.com>
sallyom committed Aug 10, 2022
1 parent 496e79b commit 6fe8705
Showing 8 changed files with 2,094 additions and 116 deletions.
54 changes: 50 additions & 4 deletions .github/workflows/docker-image.yml
Expand Up @@ -52,7 +52,7 @@ jobs:

build-ansible-arm:
runs-on: ubuntu-latest
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, ansible-validate, loader-validate, disconnected-validate ]
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, gitsign-verify-validate, ansible-validate, loader-validate, disconnected-validate ]
if: >
(github.event_name == 'push' || github.event_name == 'schedule') &&
(github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
Expand Down Expand Up @@ -114,7 +114,7 @@ jobs:

build-systemd-arm:
runs-on: ubuntu-latest
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, ansible-validate, loader-validate, disconnected-validate ]
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, gitsign-verify-validate, ansible-validate, loader-validate, disconnected-validate ]
if: >
(github.event_name == 'push' || github.event_name == 'schedule') &&
(github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
Expand Down Expand Up @@ -366,6 +366,52 @@ jobs:
- name: ensure container is gone
run: sudo podman ps -a

gitsign-verify-validate:
runs-on: ubuntu-latest
needs: [ build , pull-and-archive ]
steps:
- uses: actions/checkout@v2

- name: Enable the podman socket
run: sudo systemctl enable --now podman.socket

- name: pull artifact
uses: actions/download-artifact@v1
with:
name: fetchit-image
path: /tmp

- name: Load the image
run: sudo podman load -i /tmp/fetchit.tar

- name: Create destination directory
run: sudo mkdir /tmp/ft

- name: tag the image
run: sudo podman tag quay.io/fetchit/fetchit-amd:latest quay.io/fetchit/fetchit:latest

- name: Start fetchit
run: sudo podman run -d --name fetchit -v fetchit-volume:/opt -v ./examples/gitsign-verify-config.yaml:/opt/mount/config.yaml -v /run/podman/podman.sock:/run/podman/podman.sock --security-opt label=disable quay.io/fetchit/fetchit-amd:latest

- name: Wait for fetchit to deploy
run: timeout 150 bash -c "until [ -f /tmp/ft/anotherfile.txt ]; do sleep 2; done"

- name: Wait for fetchit to deploy
run: timeout 150 bash -c "until [ -f /tmp/ft/hello.txt ]; do sleep 2; done"

- name: Ensure fetchit logs include Rekor entry
run: sudo podman logs fetchit 2>&1 | grep 'Validated Rekor entry'

- name: Ensure fetchit logs include git signature verification
run: sudo podman logs fetchit 2>&1 | grep 'Validated Git signature'

- name: Logs
if: always()
run: sudo podman logs fetchit

- name: ensure container is gone
run: sudo podman ps -a

systemd-validate:
runs-on: ubuntu-latest
needs: [ build, build-systemd-amd ]
Expand Down Expand Up @@ -1226,7 +1272,7 @@ jobs:

push-amd-image-to-registry:
runs-on: ubuntu-latest
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, ansible-validate, loader-validate, disconnected-validate ]
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, gitsign-verify-validate, ansible-validate, loader-validate, disconnected-validate ]
if: >
(github.event_name == 'push' || github.event_name == 'schedule') &&
(github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
Expand All @@ -1253,7 +1299,7 @@ jobs:

build-arm-and-manifest-list:
runs-on: ubuntu-latest
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, ansible-validate, loader-validate, disconnected-validate ]
needs: [ build, raw-validate, fetchit-config-target-no-config-validate, fetchit-config-reload-validate, clean-validate, kube-validate, systemd-validate, systemd-enable-validate, systemd-user-enable-validate, systemd-autoupdate-validate, systemd-restart-validate, systemd-validate-exact-file, multi-engine-validate, make-change-to-repo, filetransfer-validate, filetransfer-validate-exact-file, gitsign-verify-validate, ansible-validate, loader-validate, disconnected-validate ]
if: >
(github.event_name == 'push' || github.event_name == 'schedule') &&
(github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
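Review bot: The new gitsign-verify-validate job (hunk @@ -366,6 +366,52 @@) asserts only the happy path: the two grep steps "Ensure fetchit logs include Rekor entry" and "Ensure fetchit logs include git signature verification" confirm that a signed commit on the gitsign branch is accepted, but nothing checks that verification fails closed, so a regression that logged the success strings without rejecting an unsigned or tampered commit would still pass this gate and the four `needs:` lists that now depend on it. A negative case — a second config pointing at a branch whose head commit is unsigned, with a step asserting the file never lands in the destination directory and the logs carry the failure message — is what makes this job a real control; the exact failure string is not visible here, so it should be taken from the verifier's log output. Also, the two "Wait for fetchit to deploy" steps share a name, which hides which file timed out in the run view; renaming the first, e.g. `- name: Wait for anotherfile.txt to be transferred`, fixes that. The `needs: [ build , pull-and-archive ]` spacing differs from every other `needs:` list in the file.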
10 changes: 10 additions & 0 deletions examples/gitsign-verify-config.yaml
@@ -0,0 +1,10 @@
targetConfigs:
- url: https://github.com/sallyom/fetchit
verifyCommitsInfo:
GitsignVerify: true
filetransfer:
- name: ft-ex
targetPath: examples/filetransfer
destinationDirectory: /tmp/ft
schedule: "*/1 * * * *"
branch: gitsign
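Review bot: `GitsignVerify: true` under `verifyCommitsInfo` enables verification but the example pins nothing about whose signature is acceptable — no expected signer identity or OIDC issuer key appears — so if the loader accepts any gitsign signature with a Rekor entry (the implementation is outside this file, so this is inferred), the check establishes that a commit was signed by someone holding a Fulcio certificate, not by the repository's maintainers. Since this file is the example users will copy, a comment above `verifyCommitsInfo` stating what is and is not checked (signature validity and Rekor inclusion versus signer identity) would keep it from being read as an authorization control; its wording should match what the verifier actually does. Separately, `GitsignVerify` is the only PascalCase key among camelCase siblings (`verifyCommitsInfo`, `targetPath`, `destinationDirectory`); if the struct tag permits it, `gitsignVerify: true` would match the file's convention. The rendering has flattened indentation, so whether `branch: gitsign` sits at target level or inside the filetransfer entry cannot be confirmed from this page.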
