From 4c23b55c49b0bd935778ada484c288dfc97f73f3 Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior
Date: Sat, 22 Jan 2022 17:34:08 +0100
Subject: [PATCH] update cross builder image - the image is now signed using keyless method (#1348)

Signed-off-by: Carlos Panato
---
 .github/workflows/validate-release.yml | 29 +++++++++++++++++++-------
 release/cloudbuild.yaml | 8 +++----
 2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
index c18a21fb158..486e069ed4a 100644
--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
@@ -38,20 +38,33 @@ jobs:
 security-events: none
 statuses: none
 
+ env:
+ CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
+ COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.4.1@sha256:502d5130431e45f28c51d2c24a05ef5ccd3fd916bcc91db0c8bee3a81e09a0bb
+
 steps:
 - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
 
+ - name: Check Signature
+ run: |
+ docker run --rm \
+ -e COSIGN_EXPERIMENTAL=true \
+ -e TUF_ROOT=/tmp \
+ $COSIGN_IMAGE \
+ verify \
+ $CROSS_BUILDER_IMAGE
+
 - name: goreleaser snapshot
 run: |
 docker run --rm --privileged \
- -e PROJECT_ID=honk-fake-project \
- -e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \
- -v ${PWD}:/go/src/sigstore/cosign \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -w /go/src/sigstore/cosign \
- --entrypoint="" \
- ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766 \
- make snapshot
+ -e PROJECT_ID=honk-fake-project \
+ -e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \
+ -v ${PWD}:/go/src/sigstore/cosign \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -w /go/src/sigstore/cosign \
+ --entrypoint="" \
+ $CROSS_BUILDER_IMAGE \
+ make snapshot
 
 - name: check binaries
 run: |
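Review bot: The new `Check Signature` step verifies the cross-builder image keyless but does not constrain who signed it: with `COSIGN_EXPERIMENTAL=true` and no identity option on `verify`, any keyless signature chained to the public Fulcio root and recorded in the transparency log satisfies the check, so it proves a signing event exists, not that the upstream maintainer produced it. The removed `--key` line in the `release/cloudbuild.yaml` hunk previously pinned the signer to the upstream `cosign.pub`, and that hunk loses the same guarantee. If the cosign release pinned in `COSIGN_IMAGE` supports a certificate identity constraint (the cert e-mail / issuer options), pass the expected upstream identity to `verify` in both places; if it does not, add a comment next to `CROSS_BUILDER_IMAGE` stating that the digest pin is the effective control and the signature check is advisory. The digest in `CROSS_BUILDER_IMAGE` must also stay identical to the one in `release/cloudbuild.yaml`, which is now a manual duty; `# keep in sync with the image digest in release/cloudbuild.yaml` on the env entry would make that visible.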
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
index deb3eae57d6..450e8b63331 100644
--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -39,12 +39,10 @@ steps:
 - TUF_ROOT=/tmp
 args:
 - 'verify'
- - '--key'
- - 'https://raw.githubusercontent.com/gythialy/golang-cross/main/cosign.pub'
- - 'ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766'
+ - 'ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9'
 
 # maybe we can build our own image and use that to be more in a safe side
-- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766
+- name: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
 entrypoint: /bin/sh
 dir: "go/src/sigstore/cosign"
 env:
@@ -65,7 +63,7 @@ steps:
 - |
 make release
 
-- name: ghcr.io/gythialy/golang-cross:v1.17.6-0@sha256:d22430bb9b3b2ba21adae7f9774a68e9891a0458c8e487edf86311cefb32c766
+- name: ghcr.io/gythialy/golang-cross:v1.17.6-2@sha256:c03303287982360025dda196af6006fc5d1870955115efa8990d7278d8bfb7e9
 entrypoint: 'bash'
 dir: "go/src/sigstore/cosign"
 env:
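Review bot: The context comment `# maybe we can build our own image and use that to be more in a safe side` no longer describes the trust decision made in the first hunk, where the `--key` and `cosign.pub` arguments are dropped and the builder image is accepted on a digest pin plus an unconstrained keyless `verify`. Rewording it to say what is actually relied on — the `sha256` digest, checked by the preceding `verify` step, which no longer ties the signature to a specific signer — and that this digest must match `CROSS_BUILDER_IMAGE` in `.github/workflows/validate-release.yml`, would stop the two pins from drifting apart silently. The second hunk in this file is the same digest bump and needs no separate change.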