update cross builder image - the image is now signed using keyless method (#1348)

Signed-off-by: Carlos Panato <[email protected]>
cpanato authored Jan 22, 2022
1 parent 03a2778 commit 4c23b55
Showing 2 changed files with 24 additions and 13 deletions.
29 changes: 21 additions & 8 deletions .github/workflows/validate-release.yml
@@ -38,20 +38,33 @@ jobs:
security-events: none
statuses: none

env:
CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.4.1@sha256:502d5130431e45f28c51d2c24a05ef5ccd3fd916bcc91db0c8bee3a81e09a0bb

steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0

- name: Check Signature
run: |
docker run --rm \
-e COSIGN_EXPERIMENTAL=true \
-e TUF_ROOT=/tmp \
$COSIGN_IMAGE \
verify \
$CROSS_BUILDER_IMAGE
- name: goreleaser snapshot
run: |
docker run --rm --privileged \
-e PROJECT_ID=honk-fake-project \
-e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \
-v ${PWD}:/go/src/sigstore/cosign \
-v /var/run/docker.sock:/var/run/docker.sock \
-w /go/src/sigstore/cosign \
--entrypoint="" \
ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766 \
make snapshot
-e PROJECT_ID=honk-fake-project \
-e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \
-v ${PWD}:/go/src/sigstore/cosign \
-v /var/run/docker.sock:/var/run/docker.sock \
-w /go/src/sigstore/cosign \
--entrypoint="" \
$CROSS_BUILDER_IMAGE \
make snapshot
- name: check binaries
run: |
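Review bot: The `verify` call in the new Check Signature step runs in keyless mode (`COSIGN_EXPERIMENTAL=true`) with no constraint on who signed. As written it appears to accept a signature on `$CROSS_BUILDER_IMAGE` from any identity able to obtain a signing certificate, not only the golang-cross publisher. If the pinned cosign release supports it, pin the expected signer with `--cert-email <EXPECTED_SIGNER_EMAIL> \` ahead of the image argument. Otherwise add a comment such as `# keyless verify does not pin the signer; the sha256 digest is what fixes the image content` so the step is not over-trusted. The same applies to the `verify` args in release/cloudbuild.yaml, where the `--key` pin is dropped without an identity check replacing it.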
8 changes: 3 additions & 5 deletions release/cloudbuild.yaml
@@ -39,12 +39,10 @@ steps:
- TUF_ROOT=/tmp
args:
- 'verify'
- '--key'
- 'https://raw.githubusercontent.com/gythialy/golang-cross/main/cosign.pub'
- 'ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766'
- 'ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9'

# maybe we can build our own image and use that to be more in a safe side
- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766
- name: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
entrypoint: /bin/sh
dir: "go/src/sigstore/cosign"
env:
Expand All @@ -65,7 +63,7 @@ steps:
- |
make release
- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766
- name: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
entrypoint: 'bash'
dir: "go/src/sigstore/cosign"
env:
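Review bot: The pinned golang-cross reference is still written out three times in this file (the `verify` argument and two step `name:` fields), so a later bump that misses one would leave a build step running a digest the verify step never checked. validate-release.yml in this same commit moves the reference into a single `CROSS_BUILDER_IMAGE` variable; consider the equivalent here, for instance a user-defined substitution such as `_CROSS_BUILDER_IMAGE` referenced from all three places, provided Cloud Build expands substitutions in `name:` for this build. Failing that, a comment like `# keep in sync with the digest passed to cosign verify above` on each `name:` line would make the coupling explicit. Both build steps continue outside the visible hunks.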