New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automate release #407
Automate release #407
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we already have a release job similar we have for cosign/rekor https://github.com/sigstore/fulcio/tree/main/release do we want to switch that to github actions or keep it in the same way we do for others?
Thanks for the comment @cpanato |
I'm sorry @k4leung4 I did not see the last part of the job, that submits the cloudbuild job 🤦 , so sorry :( that looks great to me! |
.github/workflows/cut-release.yml
Outdated
working-directory: ./src/github.com/sigstore/fulcio | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
run: gh release create --repo github.com/sigstore/fulcio --draft ${{ env.GIT_TAG }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't need this, the goreleaser that will run in the cloudbuild job will create the gh release for us
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
then maybe we can remove the contents
permission
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for pointing that out.
removed.
@@ -0,0 +1,68 @@ | |||
#!/usr/bin/env bash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this script is needed? i did not see that being used in the release action
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
apologies for not referencing in the README.
it is needed to setup the oidc access for github actions to authenticate against GCP to kick off the gcloud builds command.
updated README.md to explain it is a one time setup.
|
||
- name: Authenticate to Google Cloud | ||
uses: google-github-actions/auth@v0 | ||
with: | ||
workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-fulcio' | ||
service_account: 'github-actions-fulcio@projectsigstore.iam.gserviceaccount.com' | ||
|
||
- name: Setup gcloud | ||
uses: 'google-github-actions/setup-gcloud@v0' | ||
with: | ||
project_id: ${{ env.PROJECT_ID }} | ||
|
||
- name: Start cloudbuild job | ||
working-directory: ./src/github.com/sigstore/fulcio | ||
run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }} --project=${{ env.PROJECT_ID }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need google cloud, is it not something we do in github?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we are building the release using GCP cloudbuild and GCP KMS and the oidc token there as well, this will help to send the job to cloudbuild and not need to run locally
however if we decide to run the release in GitHub actions we will need to refactor somethings, but is possible
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess a better way to frame the question is if there is a cost involved in running it on GCP. Right now that is OK as big G is footing the bill for us, but that might not always be the case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it costs $0.016 / build-minute
today, plus the costs of storing the secret manager and the KMS key for the cosign private key.
if we revamp this to run on GH actions we will just need to check if we will continue to use the KMS key or we will use another key or move completely to keyless signature.
the refactor to GH should be very straightforward. We just need to make a decision
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep it consistent for now. We had to use gcb initially for the auth to registries, but now that github supports OIDC we can reevaluate moving everything here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sounds good to me
also a commit squash / rebase (which every method you prefer) would be good (unless you have some more pending commits) |
Signed-off-by: Kenny Leung <kleung@chainguard.dev> update readme. Signed-off-by: Kenny Leung <kleung@chainguard.dev> add missing license header. Signed-off-by: Kenny Leung <kleung@chainguard.dev> remove step to draft release, update readme. Signed-off-by: Kenny Leung <kleung@chainguard.dev>
909c207
to
61dc0eb
Compare
thanks for all the feedback. commits squashed. |
Summary
Create a Github Actions Workflow that will mostly automate the cutting of a release
only inputs needed are
The last two parameter can be hardcoded or if it is sensitive, stored as a secret and referenced that way. Let me know if this is desirable and I can update the workflow.
To avoid just anyone starting the workflow to create a release, it is hardcoded to allow one of
"bobcallaway","cpanato","dlorenc","lukehinds" to start it.
Anyone else that starts it will result in an immediate failure.
if this approach makes sense, i plan to check in a reusable workflow into sigstore/sigstore and have fulcio|rekor|cosign all have release workflows using it.
Ticket Link
Fixes
https://github.com/sigstore/public-good-instance/issues/50
Release Note