From 53f1bfc534f222a091600e2acaf6d9938b8681f2 Mon Sep 17 00:00:00 2001
From: Jacob Payne
Date: Wed, 10 Aug 2022 08:30:16 -0700
Subject: [PATCH] fixed cosign on publish

---
 .github/workflows/publish.yaml | 11 ++++++++--
 Earthfile | 39 +++++++++++++++++++++++-----------
 2 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index c62d2de..92bd80c 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -20,12 +20,19 @@ jobs:
- v1.23.9+k3s1
- v1.22.11+k3s2
- v1.21.14+k3s1
+ env:
+ REGISTRY: quay.io
+ REGISTRY_USER: ${{ secrets.QUAY_USERNAME }}
+ REGISTRY_PASSWORD: ${{ secrets.QUAY_PASSWORD }}
steps:
- uses: actions/checkout@v2
- uses: docker-practice/actions-setup-docker@master
- uses: earthly/actions-setup@v1
with:
version: "latest"
- - run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+ - run: echo $REGISTRY_PASSWORD | docker login -u $REGISTRY_USER --password-stdin $REGISTRY
+ - run: env | grep ACTIONS_ID_TOKEN_REQUEST > .env
+ - run: env | grep REGISTRY >> .env
- run: earthly --ci --push +docker --K3S_VERSION=${{ matrix.k3s-version }} --BASE_IMAGE=${{ matrix.base-image }}
- - run: earthly --ci +cosign --K3S_VERSION=${{ matrix.k3s-version }} --BASE_IMAGE=${{ matrix.base-image }}
\ No newline at end of file
+ - run: earthly --ci +cosign --K3S_VERSION=${{ matrix.k3s-version }} --BASE_IMAGE=${{ matrix.base-image }}
+
diff --git a/Earthfile b/Earthfile
index 57562c7..c5aa5cc 100644
--- a/Earthfile
+++ b/Earthfile
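Review bot: `env | grep REGISTRY >> .env` writes the Quay password (REGISTRY_PASSWORD from the new job env) together with the OIDC request token into a plaintext `.env` file in the checked-out workspace, where it outlives the step and is readable by every later step and by anything that archives or uploads the workspace. If the intent is to hand the values to Earthly, pass them explicitly and keep the password out of a file — e.g. `earthly --ci --secret REGISTRY_PASSWORD +cosign ...` with the value supplied from the step env — and narrow the pattern so it does not sweep up unrelated variables (`grep '^REGISTRY_'`). The ACTIONS_ID_TOKEN_REQUEST_* variables are only present when the job grants `permissions: id-token: write`; that block is outside the hunk, so confirm it is set or the `ARG --required` in the Earthfile will fail at build time.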
@@ -8,6 +8,11 @@ ARG LUET_VERSION=0.32.4
ARG GOLINT_VERSION=v1.46.2
ARG GOLANG_VERSION=1.18
+ARG K3S_VERSION=latest
+ARG BASE_IMAGE_NAME=$(echo $BASE_IMAGE | grep -o [^/]*: | rev | cut -c2- | rev)
+ARG BASE_IMAGE_TAG=$(echo $BASE_IMAGE | grep -o :.* | cut -c2-)
+ARG K3S_VERSION_TAG=$(echo $K3S_VERSION | sed s/+/-/)
+
build-cosign:
FROM gcr.io/projectsigstore/cosign:v1.9.0
SAVE ARTIFACT /ko-app/cosign cosign
@@ -54,11 +59,6 @@ lint:
RUN golangci-lint run
docker:
- ARG K3S_VERSION=latest
- ARG BASE_IMAGE_NAME=$(echo $BASE_IMAGE | grep -o [^/]*: | rev | cut -c2- | rev)
- ARG BASE_IMAGE_TAG=$(echo $BASE_IMAGE | grep -o :.* | cut -c2-)
- ARG K3S_VERSION_TAG=$(echo $K3S_VERSION | sed s/+/-/)
- DO +VERSION
ARG VERSION=$(cat VERSION)
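Review bot: `grep -o [^/]*:` in the now-global `ARG BASE_IMAGE_NAME` is an unquoted glob; if any file in the Earthfile's directory matches `[^/]*:` the shell expands the pattern before grep sees it and the derived image name — and therefore every tag that is pushed and signed — is silently wrong. Quote both patterns, `grep -o '[^/]*:'` and `grep -o ':.*'` on the following line. Hoisting these ARGs to global scope also makes them depend on `$BASE_IMAGE` being declared globally above line 8, which is outside the hunk, so confirm that `ARG BASE_IMAGE` precedes them.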
@@ -89,15 +89,30 @@ docker:
SAVE IMAGE --push $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}_${VERSION}
cosign:
- ARG GITHUB_TOKEN
+ ARG --required ACTIONS_ID_TOKEN_REQUEST_TOKEN
+ ARG --required ACTIONS_ID_TOKEN_REQUEST_URL
- FROM alpine
+ ARG --required REGISTRY
+ ARG --required REGISTRY_USER
+ ARG --required REGISTRY_PASSWORD
+ DO +VERSION
+ ARG VERSION=$(cat VERSION)
+
+ FROM docker
+
+ ENV ACTIONS_ID_TOKEN_REQUEST_TOKEN=${ACTIONS_ID_TOKEN_REQUEST_TOKEN}
+ ENV ACTIONS_ID_TOKEN_REQUEST_URL=${ACTIONS_ID_TOKEN_REQUEST_URL}
+
+ ENV REGISTRY=${REGISTRY}
+ ENV REGISTRY_USER=${REGISTRY_USER}
+ ENV REGISTRY_PASSWORD=${REGISTRY_PASSWORD}
+
+ ENV COSIGN_EXPERIMENTAL=1
COPY +build-cosign/cosign /usr/local/bin/
- ENV GITHUB_TOKEN=${GITHUB_TOKEN}
- ENV COSIGN_EXPERIMENTAL=true
+ RUN echo $REGISTRY_PASSWORD | docker login -u $REGISTRY_USER --password-stdin $REGISTRY
- RUN cosign sign +docker/$IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}
- RUN cosign sign +docker/$IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}
- RUN cosign sign +docker/$IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}_${VERSION}
+ RUN cosign sign $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}
+ RUN cosign sign $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}
+ RUN cosign sign $IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s:${BASE_IMAGE_TAG}_${K3S_VERSION_TAG}_${VERSION}
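Review bot: `ARG --required REGISTRY_PASSWORD` followed by `ENV REGISTRY_PASSWORD=${REGISTRY_PASSWORD}` puts the Quay password into the target's build args and image environment, so it lands in the build cache and, after the `docker login` RUN, in the layer's `~/.docker/config.json` as well; the ACTIONS_ID_TOKEN_REQUEST_* pair is handled the same way. Earthly's secret mount keeps it out of every layer: drop the ARG/ENV for the password and write `RUN --secret REGISTRY_PASSWORD=+secrets/REGISTRY_PASSWORD echo "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USER" --password-stdin "$REGISTRY"`, supplying the value with `earthly --secret REGISTRY_PASSWORD`. The three `cosign sign` lines sign mutable tags, and a tag can be moved between the `+docker` push and this target; signing the pushed digest instead (`cosign sign "$IMAGE_REPOSITORY/${BASE_IMAGE_NAME}-k3s@sha256:<digest-from-push>"`) ties the signature to the exact bits. `FROM docker` is an unpinned latest tag; pin it (`FROM docker:<pinned-tag>`) so the signing environment is reproducible.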