From b7eecdfd630c6bb9931013c40e1addee8d5b6d45 Mon Sep 17 00:00:00 2001
From: Bence Csati
Date: Mon, 2 Sep 2024 09:20:36 +0200
Subject: [PATCH] fix(ci): trigger ci on beta release
Signed-off-by: Bence Csati
fix: image signing
---
 .github/workflows/artifacts.yaml | 21 ++-------------------
 .github/workflows/release.yaml | 3 ++-
 .gitignore | 28 ++--------------------------
 SECURITY.md | 27 +++++++++++++++++++++++++++
 4 files changed, 33 insertions(+), 46 deletions(-)
 create mode 100644 SECURITY.md
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
index 3d05438..939df3e 100644
--- a/.github/workflows/artifacts.yaml
+++ b/.github/workflows/artifacts.yaml
@@ -24,10 +24,6 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 
- - name: Set up Cosign
- if: ${{ inputs.publish }}
- uses: sigstore/cosign-installer@v3.6.0
-
 - name: Gather build metadata
 id: meta
 uses: docker/metadata-action@v5
@@ -73,19 +69,6 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 outputs: type=image, push=true
-
- - name: Sign image with GitHub OIDC Token
- if: ${{ inputs.publish && github.repository_owner == 'csatib02' }}
- env:
- DIGEST: ${{ inputs.publish && steps.build.outputs.digest }}
- TAGS: ${{ steps.meta.outputs.tags }}
- run: |
- images=""
- for tag in ${TAGS}; do
- images+="${tag}@${DIGEST} "
- done
-
- cosign sign --yes ${images}
 
 - name: Upload image artifact
 uses: actions/upload-artifact@v4
@@ -120,7 +103,7 @@ jobs:
 with:
 distribution: goreleaser
 version: '~> v2'
- args: goreleaser release
+ args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -128,4 +111,4 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: Kube-Pod-Autocomplete-Binary
- path: build/dist
+ path: build/dist/*
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e5a083e..fc184e6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
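Review bot: After the second hunk the publish path pushes images (`outputs: type=image, push=true`) and nothing afterwards signs them — both the `cosign sign` step and the Set up Cosign step are gone — while the SECURITY.md added in this same commit tells users to run `cosign verify --key cosign.pub`, a verification that can never succeed against what this workflow now produces. The removed step used keyless OIDC signing, which a static public key would not have verified either; if the intent is key-based signing, the installer step needs to come back together with a signing step like the one below, with the private key and passphrase supplied from repository secrets (the secret names are placeholders) and `DIGEST` read from the build step, whose definition lies outside the hunk. Keep the `if: ${{ inputs.publish }}` gate from the old step so non-publish builds do not attempt to sign. The `jobs:` steps list these hunks edit starts outside the hunk.
```yaml
      - name: Set up Cosign
        if: ${{ inputs.publish }}
        uses: sigstore/cosign-installer@v3.6.0

      # … unchanged: build-and-push step (outputs: type=image, push=true) …

      - name: Sign image with cosign key
        if: ${{ inputs.publish }}
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}  # placeholder secret name
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}  # placeholder secret name
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          for tag in ${TAGS}; do
            cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${tag}@${DIGEST}"
          done
```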
@@ -5,6 +5,7 @@ on:
 tags:
 - "v[0-9]+.[0-9]+.[0-9]+"
 - "v[0-9]+.[0-9]+.[0-9]+-dev.[0-9]+"
+ - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+"
 
 jobs:
 artifacts:
@@ -13,5 +14,5 @@ jobs:
 with:
 publish: true
 permissions:
- contents: read
+ contents: write
 packages: write
diff --git a/.gitignore b/.gitignore
index d54d1f2..e5e7fd4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,29 +1,5 @@
-# If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
-#
-# Binaries for programs and plugins
-*.exe
-*.exe~
-*.dll
-*.so
-*.dylib
-
-# Test binary, built with `go test -c`
-*.test
-
-# Output of the go coverage tool, specifically when used with LiteIDE
-*.out
-
-# Dependency directories (remove the comment below to include it)
-# vendor/
-
-# Go workspace file
-go.work
-go.work.sum
-
-# env file
-.env
-
 /bin/
 /build/
 .envrc
+coverage.out
+coverage.html
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..d3b0a21
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security
+
+## Verifying container images
+
+To verify KPA container-images you can use the following public key:
+
+```key
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk3vpOBc1zsCdQ+vU56tETv64F5RW
+ISazzb8sOyUqrkKV/JRe7Xb0OnaqGY7KopsIIxbrX+CbyCdQDtN73qf5EA==
+-----END PUBLIC KEY-----
+```
+
+Save the key to a file:
+
+```bash
+echo '-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk3vpOBc1zsCdQ+vU56tETv64F5RW
+ISazzb8sOyUqrkKV/JRe7Xb0OnaqGY7KopsIIxbrX+CbyCdQDtN73qf5EA==
+-----END PUBLIC KEY-----' > cosign.pub
+```
+
+Verify an image:
+
+```bash
+cosign verify --key cosign.pub
+```
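Review bot: Raising `contents: read` to `contents: write` in the second hunk hands a repository-writing `GITHUB_TOKEN` to every job of the called artifacts workflow, not only the goreleaser job that needs it to create the release; the container build job, which only needs `packages: write`, gets it too. A caller's `permissions` block is the ceiling for a reusable workflow, so the narrowing belongs in artifacts.yaml: give the container job its own `permissions:` block with `contents: read` and `packages: write`, and keep `contents: write` only on the goreleaser job. Note also that no `id-token: write` is granted here, so keyless cosign signing cannot be reintroduced in the called workflow without widening this block again. Both the `on.push` block and the `jobs.artifacts` definition extend outside these hunks.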