Automate release #407
Automate release #407
Conversation
There was a problem hiding this comment.
we already have a release job similar we have for cosign/rekor https://github.com/sigstore/fulcio/tree/main/release do we want to switch that to github actions or keep it in the same way we do for others?
Thanks for the comment @cpanato |
I'm sorry @k4leung4 I did not see the last part of the job, that submits the cloudbuild job 🤦 , so sorry :( that looks great to me! |
.github/workflows/cut-release.yml
Outdated
| working-directory: ./src/github.com/sigstore/fulcio | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh release create --repo github.com/sigstore/fulcio --draft ${{ env.GIT_TAG }} |
There was a problem hiding this comment.
we don't need this, the goreleaser that will run in the cloudbuild job will create the gh release for us
There was a problem hiding this comment.
then maybe we can remove the contents permission
There was a problem hiding this comment.
thanks for pointing that out.
removed.
| @@ -0,0 +1,68 @@ | |||
| #!/usr/bin/env bash | |||
There was a problem hiding this comment.
this script is needed? i did not see that being used in the release action
There was a problem hiding this comment.
apologies for not referencing in the README.
it is needed to setup the oidc access for github actions to authenticate against GCP to kick off the gcloud builds command.
updated README.md to explain it is a one time setup.
|
|
||
| - name: Authenticate to Google Cloud | ||
| uses: google-github-actions/auth@v0 | ||
| with: | ||
| workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-fulcio' | ||
| service_account: 'github-actions-fulcio@projectsigstore.iam.gserviceaccount.com' | ||
|
|
||
| - name: Setup gcloud | ||
| uses: 'google-github-actions/setup-gcloud@v0' | ||
| with: | ||
| project_id: ${{ env.PROJECT_ID }} | ||
|
|
||
| - name: Start cloudbuild job | ||
| working-directory: ./src/github.com/sigstore/fulcio | ||
| run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }} --project=${{ env.PROJECT_ID }} |
There was a problem hiding this comment.
Do we need google cloud, is it not something we do in github?
There was a problem hiding this comment.
we are building the release using GCP cloudbuild and GCP KMS and the oidc token there as well, this will help to send the job to cloudbuild and not need to run locally
however if we decide to run the release in GitHub actions we will need to refactor somethings, but is possible
There was a problem hiding this comment.
I guess a better way to frame the question is if there is a cost involved in running it on GCP. Right now that is OK as big G is footing the bill for us, but that might not always be the case.
There was a problem hiding this comment.
it costs $0.016 / build-minute today, plus the costs of storing the secret manager and the KMS key for the cosign private key.
if we revamp this to run on GH actions we will just need to check if we will continue to use the KMS key or we will use another key or move completely to keyless signature.
the refactor to GH should be very straightforward. We just need to make a decision
There was a problem hiding this comment.
Let's keep it consistent for now. We had to use gcb initially for the auth to registries, but now that github supports OIDC we can reevaluate moving everything here.
|
also a commit squash / rebase (which every method you prefer) would be good (unless you have some more pending commits) |
Signed-off-by: Kenny Leung <kleung@chainguard.dev> update readme. Signed-off-by: Kenny Leung <kleung@chainguard.dev> add missing license header. Signed-off-by: Kenny Leung <kleung@chainguard.dev> remove step to draft release, update readme. Signed-off-by: Kenny Leung <kleung@chainguard.dev>
k4leung4
force-pushed
the
automate-release
branch
from
909c207
to
61dc0eb
Compare
|
thanks for all the feedback. commits squashed. |
Summary
Create a Github Actions Workflow that will mostly automate the cutting of a release
only inputs needed are
The last two parameter can be hardcoded or if it is sensitive, stored as a secret and referenced that way. Let me know if this is desirable and I can update the workflow.
To avoid just anyone starting the workflow to create a release, it is hardcoded to allow one of
"bobcallaway","cpanato","dlorenc","lukehinds" to start it.
Anyone else that starts it will result in an immediate failure.
if this approach makes sense, i plan to check in a reusable workflow into sigstore/sigstore and have fulcio|rekor|cosign all have release workflows using it.
Ticket Link
Fixes
https://github.com/sigstore/public-good-instance/issues/50
Release Note