Automate release #407
@@ -0,0 +1,54 @@ | ||
name: Cut Release | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
release_tag: | ||
required: true | ||
type: string | ||
description: 'Release tag' | ||
key_ring: | ||
required: true | ||
type: string | ||
description: 'Key ring for cosign key' | ||
key_name: | ||
required: true | ||
type: string | ||
description: 'Key name for cosign key' | ||
|
||
concurrency: cut-release | ||
|
||
jobs: | ||
cut-release: | ||
name: Cut release | ||
runs-on: ubuntu-latest | ||
permissions: | ||
id-token: write | ||
contents: read | ||
env: | ||
GIT_TAG: ${{ github.event.inputs.release_tag }} | ||
PROJECT_ID: 'projectsigstore' | ||
steps: | ||
- name: Check actor access | ||
if: ${{ !contains(fromJson('["bobcallaway","cpanato","dlorenc","lukehinds"]'), github.actor) }} | ||
run: exit 1 | ||
|
||
- name: Checkout out repo | ||
uses: actions/checkout@v2 | ||
with: | ||
path: ./src/github.com/sigstore/fulcio | ||
|
||
- name: Authenticate to Google Cloud | ||
uses: google-github-actions/auth@v0 | ||
with: | ||
workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-fulcio' | ||
service_account: 'github-actions-fulcio@projectsigstore.iam.gserviceaccount.com' | ||
|
||
- name: Setup gcloud | ||
uses: 'google-github-actions/setup-gcloud@v0' | ||
with: | ||
project_id: ${{ env.PROJECT_ID }} | ||
|
||
- name: Start cloudbuild job | ||
working-directory: ./src/github.com/sigstore/fulcio | ||
run: gcloud builds submit --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.GIT_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=fulcio,_STORAGE_LOCATION=fulcio-releases,_KEY_RING=${{ github.event.inputs.key_ring }},_KEY_NAME=${{ github.event.inputs.key_name }} --project=${{ env.PROJECT_ID }} | ||
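Review bot: the third-party actions at `uses: actions/checkout@v2`, `uses: google-github-actions/auth@v0` and `uses: 'google-github-actions/setup-gcloud@v0'` are referenced by mutable tags; for the workflow that mints the GCP credential used to cut and sign a release, pin each to a full commit SHA (keeping the tag in a trailing comment) so the action code cannot change underneath the workflow. Second, the final `run:` step expands `${{ github.event.inputs.key_ring }}`, `${{ github.event.inputs.key_name }}` and `${{ env.GIT_TAG }}` inline, which substitutes the raw input text into the shell command; the `Check actor access` allowlist limits who can supply those inputs, but passing them through the step's `env:` block and quoting them as `"$KEY_RING"`, `"$KEY_NAME"` and `"$GIT_TAG"` in the command removes the dependence on the allowlist alone. The `permissions:` block (`id-token: write`, `contents: read`) and the `concurrency: cut-release` group are the right shape for this job.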
@@ -0,0 +1,70 @@ | ||
#!/usr/bin/env bash | ||
Is this script needed? I did not see it being used in the release action.
Apologies for not referencing it in the README. Updated README.md to explain it is a one-time setup.
||
|
||
# Copyright 2022 The Sigstore Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Idempotent script. | ||
# | ||
# Commands based off of Google blog post | ||
# https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions | ||
# | ||
# One addition is the attribute.repository=assertion.repository mapping. | ||
# This allows it to be pinned to given repo. | ||
|
||
set -o errexit | ||
set -o nounset | ||
set -o pipefail | ||
set -o verbose | ||
set -o xtrace | ||
|
||
PROJECT_ID="projectsigstore" | ||
PROJECT_NUMBER="498091336538" | ||
POOL_NAME="githubactions" | ||
PROVIDER_NAME="sigstore-fulcio" | ||
LOCATION="global" | ||
REPO="sigstore/fulcio" | ||
SERVICE_ACCOUNT_ID="github-actions-fulcio" | ||
SERVICE_ACCOUNT="${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com" | ||
|
||
# Create workload identity pool if not present. | ||
if ! (gcloud iam workload-identity-pools describe "${POOL_NAME}" --location=${LOCATION}); then | ||
gcloud iam workload-identity-pools create "${POOL_NAME}" \ | ||
--project="${PROJECT_ID}" \ | ||
--location="${LOCATION}" \ | ||
--display-name="Github Actions Pool" | ||
fi | ||
|
||
# Create workload identity provider if not present. | ||
if ! (gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" --location="${LOCATION}" --workload-identity-pool="${POOL_NAME}"); then | ||
gcloud iam workload-identity-pools providers create-oidc "${PROVIDER_NAME}" \ | ||
--project="${PROJECT_ID}" \ | ||
--location="${LOCATION}" \ | ||
--workload-identity-pool="${POOL_NAME}" \ | ||
--display-name="Github Actions Provider Fulcio" \ | ||
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \ | ||
--issuer-uri="https://token.actions.githubusercontent.com" | ||
fi | ||
|
||
# Create service account if not present. | ||
if ! (gcloud iam service-accounts describe "${SERVICE_ACCOUNT}"); then | ||
gcloud iam service-accounts create ${SERVICE_ACCOUNT_ID} \ | ||
--description="Service account for Github Actions Fulcio" \ | ||
--display-name="Github Actions Fulcio" | ||
fi | ||
|
||
# Adding binding is idempotent. | ||
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}" \ | ||
--project="${PROJECT_ID}" \ | ||
--role="roles/iam.workloadIdentityUser" \ | ||
--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/${LOCATION}/workloadIdentityPools/${POOL_NAME}/attribute.repository/${REPO}" |
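Review bot: the idempotency checks at `gcloud iam workload-identity-pools describe "${POOL_NAME}"`, `gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}"` and `gcloud iam service-accounts describe "${SERVICE_ACCOUNT}"` omit `--project="${PROJECT_ID}"`, and so does `gcloud iam service-accounts create ${SERVICE_ACCOUNT_ID}`, so those commands run against whatever project the caller's active gcloud configuration selects. If that differs from `projectsigstore`, each `describe` fails, the pool and provider are then created in `projectsigstore` as intended, but the service account is created in the wrong project. Add `--project="${PROJECT_ID}"` to all four and quote `"${SERVICE_ACCOUNT_ID}"`. Since the header comment says the point of the `attribute.repository=assertion.repository` mapping is to pin the provider to one repo, consider also passing `--attribute-condition="assertion.repository == '${REPO}'"` to `providers create-oidc`, so the restriction is enforced at the provider itself and not only through the `principalSet://.../attribute.repository/${REPO}` member in the final binding.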
Do we need google cloud, is it not something we do in github?
We are building the release using GCP Cloud Build and GCP KMS and the OIDC token there as well; this will help to send the job to Cloud Build and not need to run locally.
However, if we decide to run the release in GitHub Actions we will need to refactor some things, but it is possible.
I guess a better way to frame the question is if there is a cost involved in running it on GCP. Right now that is OK as big G is footing the bill for us, but that might not always be the case.
It costs $0.016 / build-minute today, plus the costs of storing the Secret Manager secret and the KMS key for the cosign private key. If we revamp this to run on GH Actions we will just need to check whether we will continue to use the KMS key, use another key, or move completely to keyless signatures.
The refactor to GH should be very straightforward. We just need to make a decision.
Let's keep it consistent for now. We had to use gcb initially for the auth to registries, but now that github supports OIDC we can reevaluate moving everything here.
Sounds good to me.