release: add cloudbuild to run the release for fulcio

.github/workflows/validate-release.yml

@@ -0,0 +1,62 @@
+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: CI-Validate-Release-Job
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+  pull_request:
+
+jobs:
+  validate-release-job:
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: none
+      pull-requests: none
+      repository-projects: none
+      security-events: none
+      statuses: none
+
+    steps:
+      - uses: actions/checkout@v2.4.0
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | sed -r 's/^.*://g'| uniq)" >> $GITHUB_ENV
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GOVERSION }}
+
+      - name: goreleaser snapshot
+        run: |
+          docker run --rm --privileged \
+            -e PROJECT_ID=honk-fake-project \
+            -v ${PWD}:/go/src/sigstore/fulcio \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -w /go/src/sigstore/fulcio \
+            --entrypoint="" \
+            ghcr.io/gythialy/golang-cross:v1.17.6-1@sha256:f9a94f9dcc1b1396e3b64725cd5333cf9d4e3e05487bf524ecf9e43989244743 \
+            make snapshot
+
+      - name: check binaries
+        run: |
+          ./dist/fulcio-linux-amd64 version

.github/workflows/verify-k8s.yml

@@ -53,7 +53,9 @@ jobs:
       # thus allowing us to test without bypassing tag-to-digest resolution.
       REGISTRY_NAME: registry.local
       REGISTRY_PORT: 5000
-      KO_DOCKER_REPO: registry.local:5000/fulcio
+      KO_PREFIX: registry.local:5000/fulcio
+      GIT_HASH: ${{ github.sha }}
+      GIT_VERSION: test
 
     steps:
       - uses: actions/checkout@v2.4.0
@@ -134,7 +136,7 @@ jobs:
       - name: Deploy fulcio-dev
         run: |
           # Reduce the resource requests of Fulcio
-          sed -i -e 's,memory: "1G",memory: "100m",g' ${{ github.workspace }}/config/deployment.yaml
+          sed -i -e 's,memory: "1G",memory: "100Mi",g' ${{ github.workspace }}/config/deployment.yaml
           sed -i -e 's,cpu: ".5",cpu: "50m",g' ${{ github.workspace }}/config/deployment.yaml
           # Switch to one replica to make it easier to test the scraping of
           # metrics since we know all the requests then go to the same server.
@@ -181,15 +183,15 @@ jobs:
 
           kubectl create ns fulcio-dev
 
-          ko apply -Bf config/
+          make ko-apply
 
           kubectl wait --for=condition=Available --timeout=5m -n fulcio-dev deployment/fulcio-server
 
           kubectl get po -n fulcio-dev
 
       - name: Run signing job
         run: |
-          DIGEST=$(ko publish .)
+          DIGEST=$(make ko-publish | sed '1d')
 
           cat <<EOF | kubectl apply -f -
           apiVersion: batch/v1
@@ -203,7 +205,7 @@ jobs:
                 automountServiceAccountToken: false
                 containers:
                 - name: check-oidc
-                  image: gcr.io/projectsigstore/cosign:v1.4.0
+                  image: gcr.io/projectsigstore/cosign:v1.4.1
                   args: [
                     "sign",
                     "--fulcio-url=http://fulcio-server.fulcio-dev.svc",
@@ -248,6 +250,8 @@ jobs:
           EOF
 
           kubectl wait --for=condition=Complete --timeout=90s job/check-prometheus-metrics
+        env:
+          KO_DOCKER_REPO: registry.local:5000/fulcio
 
       - name: Collect logs
         if: ${{ always() }}

.goreleaser.yml

@@ -0,0 +1,134 @@
+project_name: fulcio
+
+env:
+  - GO111MODULE=on
+  - CGO_ENABLED=1
+  - DOCKER_CLI_EXPERIMENTAL=enabled
+  - COSIGN_EXPERIMENTAL=true
+
+# Prevents parallel builds from stepping on eachothers toes downloading modules
+before:
+  hooks:
+    - go mod tidy
+
+gomod:
+  proxy: true
+
+sboms:
+- artifacts: binary
+
+builds:
+- id: fulcio-linux-amd64
+  binary: fulcio-linux-amd64
+  no_unique_dist_dir: true
+  main: .
+  goos:
+  - linux
+  goarch:
+  - amd64
+  flags:
+  - -trimpath
+  mod_timestamp: '{{ .CommitTimestamp }}'
+  ldflags:
+  - "{{ .Env.LDFLAGS }}"
+  env:
+  - PKG_CONFIG_PATH="/usr/lib/x86_64-linux-gnu/pkgconfig/"
+
+- id: fulcio-linux-arm64
+  binary: fulcio-linux-arm64
+  no_unique_dist_dir: true
+  main: .
+  goos:
+  - linux
+  goarch:
+  - arm64
+  flags:
+  - -trimpath
+  mod_timestamp: '{{ .CommitTimestamp }}'
+  ldflags:
+  - "{{ .Env.LDFLAGS }}"
+  env:
+    - CC=aarch64-linux-gnu-gcc
+
+- id: fulcio-linux-arm
+  binary: fulcio-linux-arm
+  no_unique_dist_dir: true
+  main: .
+  goos:
+  - linux
+  goarch:
+  - arm
+  goarm:
+  - 7
+  flags:
+  - -trimpath
+  mod_timestamp: '{{ .CommitTimestamp }}'
+  ldflags:
+  - "{{ .Env.LDFLAGS }}"
+  env:
+  - CC=arm-linux-gnueabihf-gcc
+
+- id: fulcio-linux-s390x
+  binary: fulcio-linux-s390x
+  no_unique_dist_dir: true
+  main: .
+  goos:
+  - linux
+  goarch:
+  - s390x
+  flags:
+  - -trimpath
+  mod_timestamp: '{{ .CommitTimestamp }}'
+  ldflags:
+  - "{{ .Env.LDFLAGS }}"
+  env:
+  - CC=s390x-linux-gnu-gcc
+
+- id: fulcio-linux-ppc64le
+  binary: fulcio-linux-ppc64le
+  no_unique_dist_dir: true
+  main: .
+  goos:
+  - linux
+  goarch:
+  - ppc64le
+  flags:
+  - -trimpath
+  mod_timestamp: '{{ .CommitTimestamp }}'
+  ldflags:
+  - "{{ .Env.LDFLAGS }}"
+  env:
+  - CC=powerpc64le-linux-gnu-gcc
+
+signs:
+  - signature: "${artifact}.sig"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    artifacts: binary
+  # Keyless
+  - id: fulcio-keyless
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
+    artifacts: binary
+
+archives:
+  - format: binary
+    name_template: "{{ .Binary }}"
+    allow_different_binary_count: true
+
+checksum:
+  name_template: "{{ .ProjectName }}_checksums.txt"
+
+snapshot:
+  name_template: SNAPSHOT-{{ .ShortCommit }}
+
+release:
+  prerelease: allow # remove this when we start publishing non-prerelease or set to auto
+  draft: true # allow for manual edits
+  github:
+    owner: sigstore
+    name: fulcio
+  footer: |
+    ### Thanks for all contributors!

.ko.yaml

@@ -7,3 +7,12 @@ builds:
 # comment out above), though it does remove the support for the "createca" command.
 # But at least you can deploy it from M1 using this.
 #  - CGO_ENABLED=0
+  flags:
+  - -trimpath
+  - -tags
+  - "{{ .Env.GIT_HASH }}"
+  - -tags
+  - "{{ .Env.GIT_VERSION }}"
+  ldflags:
+  - -extldflags "-static"
+  - "{{ .Env.LDFLAGS }}"

Makefile

@@ -38,34 +38,54 @@ ifeq ($(DIFF), 1)
     GIT_TREESTATE = "dirty"
 endif
 
-SERVER_PKG=github.com/sigstore/fulcio/cmd/app
-SERVER_LDFLAGS="-X $(SERVER_PKG).gitVersion=$(GIT_VERSION) -X $(SERVER_PKG).gitCommit=$(GIT_HASH) -X $(SERVER_PKG).gitTreeState=$(GIT_TREESTATE) -X $(SERVER_PKG).buildDate=$(BUILD_DATE)"
-
+FULCIO_PKG=github.com/sigstore/fulcio/cmd/app
+LDFLAGS=-X $(FULCIO_PKG).gitVersion=$(GIT_VERSION) -X $(FULCIO_PKG).gitCommit=$(GIT_HASH) -X $(FULCIO_PKG).gitTreeState=$(GIT_TREESTATE) -X $(FULCIO_PKG).buildDate=$(BUILD_DATE)
 
-lint:
+KO_PREFIX ?= gcr.io/projectsigstore
+export KO_DOCKER_REPO=$(KO_PREFIX)
+
+lint: ## Runs golangci-lint
 	$(GOBIN)/golangci-lint run -v ./...
 
-gosec:
+gosec: ## Runs gosec
 	$(GOBIN)/gosec ./...
 
-fulcio: $(SRCS)
-	go build -trimpath -ldflags $(SERVER_LDFLAGS)
+fulcio: $(SRCS) ## Build Fulcio for local tests
+	go build -trimpath -ldflags "$(LDFLAGS)"
 
-test:
+test: ## Runs go test
 	go test ./...
 
-clean:
+clean: ## Clean the workspace
 	rm -rf dist
 	rm -rf fulcio
 
-up:
+up: ## Start docker compose
 	docker-compose -f docker-compose.yml build
 	docker-compose -f docker-compose.yml up
 
-debug:
+debug: ## Start docker compose in debug mode
 	docker-compose -f docker-compose.yml -f docker-compose.debug.yml build fulcio-server-debug
 	docker-compose -f docker-compose.yml -f docker-compose.debug.yml up fulcio-server-debug
 
+## --------------------------------------
+## Images with ko
+## --------------------------------------
+
+.PHONY: ko-local
+ko-local:
+	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
+	ko publish --base-import-paths --bare \
+		--platform=linux/amd64 --tags $(GIT_VERSION) --tags $(GIT_HASH) --local \
+		github.com/sigstore/fulcio
+
+.PHONY: ko-apply
+ko-apply:
+	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/
+
+.PHONY: ko-publish
+ko-publish:
+	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko publish .
 
 ## --------------------------------------
 ## Modules
@@ -75,12 +95,14 @@ debug:
 modules: ## Runs go mod to ensure modules are up to date.
 	go mod tidy
 
-# --------------------------------------
-## Release
-## --------------------------------------
+##################
+# help
+##################
 
-.PHONY: dist
-dist:
-	mkdir -p dist
-	docker run -it -v $(PWD):/go/src/sigstore/fulcio -w /go/src/sigstore/fulcio golang:1.16.6 /bin/bash -c "GOOS=linux GOARCH=amd64 go build -trimpath -o dist/fulcio-server-linux-amd64"
+help: ## Display help
+	@awk -F ':|##' \
+		'/^[^\t].+?:.*?##/ {\
+			printf "\033[36m%-30s\033[0m %s\n", $$1, $$NF \
+		}' $(MAKEFILE_LIST) | sort
 
+include release/release.mk