From f1b42f491ee30f828d1e3fcd07446398988cf03b Mon Sep 17 00:00:00 2001
From: Chris Suszynski
Date: Mon, 13 Feb 2023 14:01:50 +0100
Subject: [PATCH] Bumping knative.dev/hack to latest main (#269)

---
 go.mod | 4 +-
 go.sum | 8 +--
 vendor/knative.dev/hack/release.sh | 112 ++++++++++++++++++++---------
 vendor/modules.txt | 4 +-
 4 files changed, 87 insertions(+), 41 deletions(-)

diff --git a/go.mod b/go.mod
index e6c7cf4c7..a53ef05f9 100644
--- a/go.mod
+++ b/go.mod
@@ -22,8 +22,8 @@ require (
 k8s.io/apimachinery v0.25.4
 k8s.io/client-go v0.25.4
 knative.dev/client-pkg v0.0.0-20230120062501-d4ab4e492526
- knative.dev/eventing v0.36.1
- knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
+ knative.dev/eventing v0.36.4
+ knative.dev/hack v0.0.0-20230210215449-d71d569c4308
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d
 knative.dev/reconciler-test v0.0.0-20230123181139-476a442e3644
 knative.dev/serving v0.36.0
diff --git a/go.sum b/go.sum
index 216abfaf5..b7b6d07c8 100644
--- a/go.sum
+++ b/go.sum
@@ -1158,10 +1158,10 @@ k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJ
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 knative.dev/client-pkg v0.0.0-20230120062501-d4ab4e492526 h1:/3bTP61VARRn34cQ5e3P1KwRGxvuSsZmknt3akFpNvg=
 knative.dev/client-pkg v0.0.0-20230120062501-d4ab4e492526/go.mod h1:dpY2cjKD/xjGjLQf/esJ1jMYko0iuV15PqYOL+uCEXc=
-knative.dev/eventing v0.36.1 h1:QHLVpO8i7JWg0a3rSDjbH8WZk6YlPY2g5mPvWovh5aI=
-knative.dev/eventing v0.36.1/go.mod h1:Qka5Z6+LeMoHGL1QAznVdmq5LAu21b4F3rgxc2AMgRg=
-knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9 h1:CDa7s9KspEZqPhk7cN68ZypRLuAvSgr+knoOaXSsrHk=
-knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/eventing v0.36.4 h1:B9WAf1qFXP815RAEwLsBH3P5GpWJiwdVYGzlOBi/bKA=
+knative.dev/eventing v0.36.4/go.mod h1:Qka5Z6+LeMoHGL1QAznVdmq5LAu21b4F3rgxc2AMgRg=
+knative.dev/hack v0.0.0-20230210215449-d71d569c4308 h1:zH5OedRfo9SB22o25VNQ+vygceTvOujsnLYaALb8jos=
+knative.dev/hack v0.0.0-20230210215449-d71d569c4308/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/networking v0.0.0-20230123233838-db2bcbea2560 h1:iprdS5tKTXtgV9dGryuwJJJTTdl5LusCHOelKdezR3I=
 knative.dev/networking v0.0.0-20230123233838-db2bcbea2560/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d h1:pjKDcvHoMib8nRp56eISRmMj/pFMzJljnzvMvGCIReI=
diff --git a/vendor/knative.dev/hack/release.sh b/vendor/knative.dev/hack/release.sh
index bc8e26b5a..dfef9083b 100644
--- a/vendor/knative.dev/hack/release.sh
+++ b/vendor/knative.dev/hack/release.sh
@@ -111,6 +111,7 @@ export KO_DOCKER_REPO="gcr.io/knative-nightly"
 # Build stripped binary to reduce size
 export GOFLAGS="-ldflags=-s -ldflags=-w"
 export GITHUB_TOKEN=""
+readonly IMAGES_REFS_FILE="${IMAGES_REFS_FILE:-$(mktemp -d)/images_refs.txt}"
 
 # Convenience function to run the hub tool.
 # Parameters: $1..$n - arguments to hub.
@@ -313,40 +314,83 @@ function build_from_source() {
 }
 
 function get_images_in_yamls() {
- rm -rf imagerefs.txt
+ rm -rf "$IMAGES_REFS_FILE"
 echo "Assembling a list of image refences to sign"
- for file in $@; do
+ for file in "$@"; do
 [[ "${file##*.}" != "yaml" ]] && continue
 echo "Inspecting ${file}"
- for image in $(grep -oh "\S*${KO_DOCKER_REPO}\S*" "${file}"); do
- echo $image >> imagerefs.txt
- done
+ while read -r image; do
+ echo "$image" >> "$IMAGES_REFS_FILE"
+ done < <(grep -oh "\S*${KO_DOCKER_REPO}\S*" "${file}")
+ done
+ if [[ -f "$IMAGES_REFS_FILE" ]]; then
+ sort -uo "$IMAGES_REFS_FILE" "$IMAGES_REFS_FILE" # Remove duplicate entries
+ fi
+}
+
+function find_checksums_file() {
+ for file in "$@"; do
+ if [[ "${file}" == *"checksums.txt" ]]; then
+ echo "${file}"
+ return 0
+ fi
 done
- sort -uo imagerefs.txt imagerefs.txt # Remove duplicate entries
+ warning "cannot find checksums file"
 }
 
 # Build a release from source.
 function sign_release() {
- get_images_in_yamls "${ARTIFACTS_TO_PUBLISH}"
 if (( ! IS_PROW )); then
 # This function can't be run by devs on their laptops
 return 0
 fi
+ get_images_in_yamls "${ARTIFACTS_TO_PUBLISH}"
+ local checksums_file
+ checksums_file="$(find_checksums_file "${ARTIFACTS_TO_PUBLISH}")"
+
+ if ! [[ -f "${checksums_file}" ]]; then
+ echo '>> No checksums file found, generating one'
+ checksums_file="$(mktemp -d)/checksums.txt"
+ for file in ${ARTIFACTS_TO_PUBLISH}; do
+ pushd "$(dirname "$file")" >/dev/null
+ sha256sum "$(basename "$file")" >> "${checksums_file}"
+ popd >/dev/null
+ done
+ ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} ${checksums_file}"
+ fi
 # Notarizing mac binaries needs to be done before cosign as it changes the checksum values
 # of the darwin binaries
 if [ -n "${APPLE_CODESIGN_KEY}" ] && [ -n "${APPLE_CODESIGN_PASSWORD_FILE}" ] && [ -n "${APPLE_NOTARY_API_KEY}" ]; then
 banner "Notarizing macOS Binaries for the release"
- FILES=$(find -- * -type f -name "*darwin*")
- for file in $FILES; do
- rcodesign sign "${file}" --p12-file="${APPLE_CODESIGN_KEY}" \
- --code-signature-flags=runtime \
- --p12-password-file="${APPLE_CODESIGN_PASSWORD_FILE}"
- done
- zip files.zip ${FILES}
- rcodesign notary-submit files.zip --api-key-path="${APPLE_NOTARY_API_KEY}" --wait
- sha256sum ${ARTIFACTS_TO_PUBLISH//checksums.txt/} > checksums.txt
- echo "🧮 Post Notarization Checksum:"
- cat checksums.txt
+ local macos_artifacts
+ declare -a macos_artifacts=()
+ while read -r file; do
+ if echo "$file" | grep -q "darwin"; then
+ macos_artifacts+=("${file}")
+ rcodesign sign "${file}" --p12-file="${APPLE_CODESIGN_KEY}" \
+ --code-signature-flags=runtime \
+ --p12-password-file="${APPLE_CODESIGN_PASSWORD_FILE}"
+ fi
+ done < <(echo "${ARTIFACTS_TO_PUBLISH}" | tr ' ' '\n')
+ if [[ -z "${macos_artifacts[*]}" ]]; then
+ warning "No macOS binaries found, skipping notarization"
+ else
+ local zip_file
+ zip_file="$(mktemp -d)/files.zip"
+ zip "$zip_file" -@ < <(printf "%s\n" "${macos_artifacts[@]}")
+ rcodesign notary-submit "$zip_file" --api-key-path="${APPLE_NOTARY_API_KEY}" --wait
+ true > "${checksums_file}" # Clear the checksums file
+ for file in ${ARTIFACTS_TO_PUBLISH}; do
+ if echo "$file" | grep -q "checksums.txt"; then
+ continue # Don't checksum the checksums file
+ fi
+ pushd "$(dirname "$file")" >/dev/null
+ sha256sum "$(basename "$file")" >> "${checksums_file}"
+ popd >/dev/null
+ done
+ echo "🧮 Post Notarization Checksum:"
+ cat "$checksums_file"
+ fi
 fi
 
 ID_TOKEN=$(gcloud auth print-identity-token --audiences=sigstore \
@@ -354,23 +398,25 @@ function sign_release() {
 --impersonate-service-account="${SIGNING_IDENTITY}")
 echo "Signing Images with the identity ${SIGNING_IDENTITY}"
 ## Sign the images with cosign
- if [[ -f "imagerefs.txt" ]]; then
- COSIGN_EXPERIMENTAL=1 cosign sign $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}"
- if [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate
- provenance-generator --clone-log=/logs/clone.json \
- --image-refs=imagerefs.txt --output=attestation.json
- mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation
- COSIGN_EXPERIMENTAL=1 cosign attest $(cat imagerefs.txt) --recursive --identity-token="${ID_TOKEN}" \
- --predicate=attestation.json --type=slsaprovenance
- fi
+ if [[ -f "$IMAGES_REFS_FILE" ]]; then
+ COSIGN_EXPERIMENTAL=1 cosign sign $(cat "$IMAGES_REFS_FILE") \
+ --recursive --identity-token="${ID_TOKEN}"
+ if [ -n "${ATTEST_IMAGES:-}" ]; then # Temporary Feature Gate
+ provenance-generator --clone-log=/logs/clone.json \
+ --image-refs="$IMAGES_REFS_FILE" --output=attestation.json
+ mkdir -p "${ARTIFACTS}"/attestation && cp attestation.json "${ARTIFACTS}"/attestation
+ COSIGN_EXPERIMENTAL=1 cosign attest $(cat "$IMAGES_REFS_FILE") \
+ --recursive --identity-token="${ID_TOKEN}" \
+ --predicate=attestation.json --type=slsaprovenance
+ fi
 fi
- ## Check if there is checksums.txt file. If so, sign the checksum file
- if [[ -f "checksums.txt" ]]; then
- echo "Signing Images with the identity ${SIGNING_IDENTITY}"
- COSIGN_EXPERIMENTAL=1 cosign sign-blob checksums.txt --output-signature=checksums.txt.sig --output-certificate=checksums.txt.pem --identity-token="${ID_TOKEN}"
- ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} checksums.txt.sig checksums.txt.pem"
- fi
+ echo "Signing checksums with the identity ${SIGNING_IDENTITY}"
+ COSIGN_EXPERIMENTAL=1 cosign sign-blob "$checksums_file" \
+ --output-signature="${checksums_file}.sig" \
+ --output-certificate="${checksums_file}.pem" \
+ --identity-token="${ID_TOKEN}"
+ ARTIFACTS_TO_PUBLISH="${ARTIFACTS_TO_PUBLISH} ${checksums_file}.sig ${checksums_file}.pem"
 }
 
 # Copy tagged images from the nightly GCR to the release GCR, tagging them 'latest'.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8135b5b49..0ff20cf0b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1066,7 +1066,7 @@ knative.dev/client-pkg/pkg/util
 knative.dev/client-pkg/pkg/util/mock
 knative.dev/client-pkg/pkg/util/test
 knative.dev/client-pkg/pkg/wait
-# knative.dev/eventing v0.36.1
+# knative.dev/eventing v0.36.4
 ## explicit; go 1.18
 knative.dev/eventing/pkg/apis/config
 knative.dev/eventing/pkg/apis/duck
@@ -1105,7 +1105,7 @@ knative.dev/eventing/test/upgrade/prober/wathola/config
 knative.dev/eventing/test/upgrade/prober/wathola/event
 knative.dev/eventing/test/upgrade/prober/wathola/forwarder
 knative.dev/eventing/test/upgrade/prober/wathola/sender
-# knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
+# knative.dev/hack v0.0.0-20230210215449-d71d569c4308
 ## explicit; go 1.18
 knative.dev/hack
 # knative.dev/networking v0.0.0-20230123233838-db2bcbea2560