diff --git a/.github/build.yaml.gomplate b/.github/build.yaml.gomplate
index 033702d5b1c..c934a90fbd3 100644
--- a/.github/build.yaml.gomplate
+++ b/.github/build.yaml.gomplate
@@ -156,7 +156,7 @@ export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build
@@ -556,7 +556,7 @@ run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build
diff --git a/.github/resign.go b/.github/resign.go
new file mode 100644
index 00000000000..a5d68a0b95d
--- /dev/null
+++ b/.github/resign.go
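Review bot: Naming `build.go` explicitly papers over the fact that `.github/` now holds two `package main` files (`build.go` and the new `resign.go`), so `go build` or `go vet` on the directory will report duplicate `main` declarations, and any helper file later placed next to `build.go` is silently left out of this single-file build. Consider giving each tool its own directory (e.g. `.github/cmd/build`, `.github/cmd/resign`) or using the standalone-script convention of a `//go:build ignore` constraint in each file, which still works with an explicit `go build build.go`. The `sudo -E ./.github/build` line that follows is unchanged by this hunk, and the same edit is replicated into every generated workflow below.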
@@ -0,0 +1,95 @@
+package main
+
+import (
+ "fmt"
+ "github.com/mudler/luet/pkg/api/client"
+ "github.com/mudler/luet/pkg/api/core/types"
+ "github.com/mudler/luet/pkg/installer"
+ "io/ioutil"
+ "os"
+ "os/exec"
+)
+
+func getRepositoryPackages(repo string, ctx *types.Context) (searchResult client.SearchResult) {
+ tmpdir, err := ioutil.TempDir(os.TempDir(), "ci")
+ if err != nil {
+ panic(err)
+ }
+ defer os.RemoveAll(tmpdir)
+ referenceID := os.Getenv("REFERENCEID")
+ if referenceID == "" {
+ referenceID = "repository.yaml"
+ }
+ d := installer.NewSystemRepository(types.LuetRepository{
+ Name: "cOS",
+ Type: "docker",
+ Cached: true,
+ Urls: []string{repo},
+ ReferenceID: referenceID,
+ })
+ ctx.Config.GetSystem().Rootfs = "/"
+ ctx.Config.GetSystem().TmpDirBase = tmpdir
+ re, err := d.Sync(ctx, false)
+ if err != nil {
+ panic(err)
+ } else {
+ for _, p := range re.GetTree().GetDatabase().World() {
+ searchResult.Packages = append(searchResult.Packages, client.Package{
+ Name: p.GetName(),
+ Category: p.GetCategory(),
+ Version: p.GetVersion(),
+ })
+ }
+ return
+ }
+}
+
+func main() {
+ // We want to be cool and keep the same format as luet, so we create the context here to pass around and use the logging functions
+ ctx := types.NewContext()
+ finalRepo := os.Getenv("FINAL_REPO")
+ if finalRepo == "" {
+ ctx.Error("A container repository must be specified with FINAL_REPO")
+ os.Exit(1)
+ }
+ cosignRepo := os.Getenv("COSIGN_REPOSITORY")
+ if cosignRepo == "" {
+ ctx.Error("A signature repository must be specified with COSIGN_REPOSITORY")
+ os.Exit(1)
+ }
+ packages := getRepositoryPackages(finalRepo, ctx)
+ for _, val := range packages.Packages {
+ imageTag := fmt.Sprintf("%s:%s", finalRepo, val.ImageTag())
+ checkAndSign(imageTag, ctx)
+ }
+ return
+}
+
+func checkAndSign(tag string, ctx *types.Context) {
+ var fulcioFlag string
+
+ ctx.Info("Checking artifact", tag)
+ tmpDir, _ := os.MkdirTemp("", "sign-*")
+ defer os.RemoveAll(tmpDir)
+
+ _ = os.Setenv("TUF_ROOT", tmpDir) // TUF_DIR per run, we dont want to access the same files as another process
+ _ = os.Setenv("COSIGN_EXPERIMENTAL", "1") // Set keyless verify/sign
+
+ fulcioURL := os.Getenv("FULCIO_URL") // Allow to set a fulcio url
+ if fulcioURL != "" {
+ fulcioFlag = fmt.Sprintf("--fulcio-url=%s", fulcioURL)
+ }
+
+ _, err := exec.Command("cosign", "verify", tag).CombinedOutput()
+ if err != nil {
+ ctx.Warning("Artifact", tag, "has no signature, signing it")
+ out, err := exec.Command("cosign", fulcioFlag, "sign", tag).CombinedOutput()
+ if err != nil {
+ ctx.Error("Error signing", tag, ":", string(out))
+ } else {
+ ctx.Success("Artifact", tag, "signed")
+ }
+ } else {
+ ctx.Success("Artifact", tag, "has signature")
+ }
+}
diff --git a/.github/workflows/build-master-blue-arm64.yaml b/.github/workflows/build-master-blue-arm64.yaml
index cf61c87e126..4984f165579 100644
--- a/.github/workflows/build-master-blue-arm64.yaml
+++ b/.github/workflows/build-master-blue-arm64.yaml
@@ -56,7 +56,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build
@@ -164,7 +164,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build
diff --git a/.github/workflows/build-master-blue-x86_64.yaml b/.github/workflows/build-master-blue-x86_64.yaml
index 5dd9ef2bcfd..98eb205f292 100644
--- a/.github/workflows/build-master-blue-x86_64.yaml
+++ b/.github/workflows/build-master-blue-x86_64.yaml
@@ -46,7 +46,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build
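Review bot: In `checkAndSign`, when `FULCIO_URL` is unset `fulcioFlag` stays `""` and `exec.Command("cosign", fulcioFlag, "sign", tag)` passes an empty argv entry ahead of `sign`, which cosign's CLI parser will almost certainly reject as an unknown command — and since the workflow's `fulcio-url` input defaults to empty, the default path never signs anything. The surrounding error handling hides that: any `cosign verify` failure (registry auth, network, missing image) is logged as "has no signature" with its output discarded, a failed `cosign sign` is only logged, and `main` returns 0, so the job goes green regardless. Note also that `cosign verify tag` under `COSIGN_EXPERIMENTAL=1` with no key or identity constraint accepts, as far as I can tell, a keyless signature from any Fulcio identity, so "has signature" does not mean "signed by this project"; pinning the expected identity/issuer once the installed cosign supports it would close that. Building the arg list conditionally, returning the sign error, and exiting non-zero from `main` fixes the first two points:

```go
func checkAndSign(tag string, ctx *types.Context) error {
	// … unchanged: TUF_ROOT / COSIGN_EXPERIMENTAL setup …
	signArgs := []string{"sign"}
	if fulcioURL := os.Getenv("FULCIO_URL"); fulcioURL != "" {
		// Only add the flag when set: an empty "" argv entry is not a valid cosign argument.
		signArgs = append(signArgs, "--fulcio-url="+fulcioURL)
	}
	signArgs = append(signArgs, tag)

	out, err := exec.Command("cosign", "verify", tag).CombinedOutput()
	if err == nil {
		ctx.Success("Artifact", tag, "has signature")
		return nil
	}
	ctx.Warning("Artifact", tag, "verification failed, signing it:", string(out))
	if out, err = exec.Command("cosign", signArgs...).CombinedOutput(); err != nil {
		return fmt.Errorf("signing %s: %w: %s", tag, err, out)
	}
	ctx.Success("Artifact", tag, "signed")
	return nil
}

// in main: surface failures instead of silently returning 0
failed := 0
for _, val := range packages.Packages {
	if err := checkAndSign(fmt.Sprintf("%s:%s", finalRepo, val.ImageTag()), ctx); err != nil {
		ctx.Error(err.Error())
		failed++
	}
}
if failed > 0 {
	os.Exit(1)
}
```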
@@ -147,7 +147,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-master-green-arm64.yaml b/.github/workflows/build-master-green-arm64.yaml index 07317d59916..2c9162db825 100644 --- a/.github/workflows/build-master-green-arm64.yaml +++ b/.github/workflows/build-master-green-arm64.yaml @@ -56,7 +56,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build @@ -471,7 +471,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-master-green-x86_64.yaml b/.github/workflows/build-master-green-x86_64.yaml index be50118b417..48d657de3bf 100644 --- a/.github/workflows/build-master-green-x86_64.yaml +++ b/.github/workflows/build-master-green-x86_64.yaml @@ -46,7 +46,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build @@ -688,7 +688,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-master-orange-arm64.yaml b/.github/workflows/build-master-orange-arm64.yaml index 7dd0c7f4db3..f1ba6eb6824 100644 --- a/.github/workflows/build-master-orange-arm64.yaml +++ b/.github/workflows/build-master-orange-arm64.yaml @@ -58,7 +58,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build 
@@ -166,7 +166,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-master-orange-x86_64.yaml b/.github/workflows/build-master-orange-x86_64.yaml index c1f8f539d3c..7f5ac6b5443 100644 --- a/.github/workflows/build-master-orange-x86_64.yaml +++ b/.github/workflows/build-master-orange-x86_64.yaml @@ -46,7 +46,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build @@ -147,7 +147,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-nightly-blue-x86_64.yaml b/.github/workflows/build-nightly-blue-x86_64.yaml index 027a0ce24a9..9fff74021ef 100644 --- a/.github/workflows/build-nightly-blue-x86_64.yaml +++ b/.github/workflows/build-nightly-blue-x86_64.yaml @@ -64,7 +64,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-nightly-green-x86_64.yaml b/.github/workflows/build-nightly-green-x86_64.yaml index 5c356d3a3d7..cdba5f9a2e6 100644 --- a/.github/workflows/build-nightly-green-x86_64.yaml +++ b/.github/workflows/build-nightly-green-x86_64.yaml @@ -64,7 +64,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-nightly-orange-x86_64.yaml b/.github/workflows/build-nightly-orange-x86_64.yaml index 77bede0a59d..8d18b04c11a 100644 --- a/.github/workflows/build-nightly-orange-x86_64.yaml 
+++ b/.github/workflows/build-nightly-orange-x86_64.yaml @@ -64,7 +64,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-pr-blue-arm64.yaml b/.github/workflows/build-pr-blue-arm64.yaml index ef082ce20f9..ec772a1d13b 100644 --- a/.github/workflows/build-pr-blue-arm64.yaml +++ b/.github/workflows/build-pr-blue-arm64.yaml @@ -55,7 +55,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-pr-blue-x86_64.yaml b/.github/workflows/build-pr-blue-x86_64.yaml index 8f871d74ea9..eb73e3accc3 100644 --- a/.github/workflows/build-pr-blue-x86_64.yaml +++ b/.github/workflows/build-pr-blue-x86_64.yaml @@ -49,7 +49,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-pr-green-arm64.yaml b/.github/workflows/build-pr-green-arm64.yaml index a4b18203d66..a3a4120f806 100644 --- a/.github/workflows/build-pr-green-arm64.yaml +++ b/.github/workflows/build-pr-green-arm64.yaml @@ -55,7 +55,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-pr-green-x86_64.yaml b/.github/workflows/build-pr-green-x86_64.yaml index c491c8deef3..37ffba1dbfc 100644 --- a/.github/workflows/build-pr-green-x86_64.yaml +++ b/.github/workflows/build-pr-green-x86_64.yaml @@ -49,7 +49,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build 
diff --git a/.github/workflows/build-pr-orange-arm64.yaml b/.github/workflows/build-pr-orange-arm64.yaml index 9c1cc1e1d70..db6ba120318 100644 --- a/.github/workflows/build-pr-orange-arm64.yaml +++ b/.github/workflows/build-pr-orange-arm64.yaml @@ -57,7 +57,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-pr-orange-x86_64.yaml b/.github/workflows/build-pr-orange-x86_64.yaml index 2186f4e7969..4efcae25ab1 100644 --- a/.github/workflows/build-pr-orange-x86_64.yaml +++ b/.github/workflows/build-pr-orange-x86_64.yaml @@ -49,7 +49,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-releases-blue-arm64.yaml b/.github/workflows/build-releases-blue-arm64.yaml index 7f399328bdc..6b38a880f9d 100644 --- a/.github/workflows/build-releases-blue-arm64.yaml +++ b/.github/workflows/build-releases-blue-arm64.yaml @@ -56,7 +56,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build @@ -164,7 +164,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-releases-blue-x86_64.yaml b/.github/workflows/build-releases-blue-x86_64.yaml index a153db588b4..c5f9df00d0c 100644 --- a/.github/workflows/build-releases-blue-x86_64.yaml +++ b/.github/workflows/build-releases-blue-x86_64.yaml @@ -46,7 +46,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build 
@@ -147,7 +147,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-releases-green-arm64.yaml b/.github/workflows/build-releases-green-arm64.yaml index c44d5f76f3b..9fb7025027c 100644 --- a/.github/workflows/build-releases-green-arm64.yaml +++ b/.github/workflows/build-releases-green-arm64.yaml @@ -56,7 +56,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build @@ -471,7 +471,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-releases-green-x86_64.yaml b/.github/workflows/build-releases-green-x86_64.yaml index 3ee0fc4a2b0..7f57696a624 100644 --- a/.github/workflows/build-releases-green-x86_64.yaml +++ b/.github/workflows/build-releases-green-x86_64.yaml @@ -46,7 +46,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build @@ -688,7 +688,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-releases-orange-arm64.yaml b/.github/workflows/build-releases-orange-arm64.yaml index 7153a9e0dcd..bc41232f312 100644 --- a/.github/workflows/build-releases-orange-arm64.yaml +++ b/.github/workflows/build-releases-orange-arm64.yaml @@ -58,7 +58,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build 
@@ -166,7 +166,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/build-releases-orange-x86_64.yaml b/.github/workflows/build-releases-orange-x86_64.yaml index f4d5a82417d..e27b2821dd3 100644 --- a/.github/workflows/build-releases-orange-x86_64.yaml +++ b/.github/workflows/build-releases-orange-x86_64.yaml @@ -46,7 +46,7 @@ jobs: export PATH=$PATH:/usr/local/go/bin mkdir build || true pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build @@ -147,7 +147,7 @@ jobs: run: | export PATH=$PATH:/usr/local/go/bin pushd ./.github - go build -o build + go build -o build build.go popd sudo -E ./.github/build ls -liah $PWD/build diff --git a/.github/workflows/resigner.yaml b/.github/workflows/resigner.yaml new file mode 100644 index 00000000000..07268e7bf0f --- /dev/null +++ b/.github/workflows/resigner.yaml 
@@ -0,0 +1,72 @@
+name: resigner
+on:
+ workflow_dispatch:
+ inputs:
+ final-repo:
+ required: false
+ default: quay.io/costoolkit/releases-green
+ type: string
+ description: Repo to check artifacts for signatures
+ cosign-repository:
+ required: false
+ default: raccos/releases-green
+ type: string
+ description: Repo that contains the signatures for the final_repo
+ fulcio-url:
+ required: false
+ default: ""
+ type: string
+ description: Set a fulcio url for the signing part. LEave empty to use cosign default url..
+ reference-id:
+ required: false
+ default: "repository.yaml"
+ type: string
+ description: Name of the repository.yaml that will be downloaded.
+ cosign-version:
+ required: false
+ default: "v1.4.1"
+ type: string
+ description: Cosign version to install and use
+concurrency:
+ group: ci-sign-${{ github.head_ref || github.ref }}-${{ github.repository }}
+ cancel-in-progress: true
+jobs:
+ resign:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # OIDC support
+ env:
+ FINAL_REPO: ${{ github.event.inputs.final-repo }}
+ COSIGN_REPOSITORY: ${{ github.event.inputs.cosign-repository }}
+ FULCIO_URL: ${{ github.event.inputs.fulcio-url }}
+ REFERENCEID: ${{ github.event.inputs.reference-id }}
+ steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: ${{ github.event.inputs.cosign-version }}
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.16'
+ - uses: actions/checkout@v2
+ - run: |
+ git fetch --prune --unshallow
+ - name: Login to Docker Hub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ - name: Login to Quay.io
+ uses: docker/login-action@v1
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_PASSWORD }}
+ - name: Resign
+ run: |
+ export PATH=$PATH:/usr/local/go/bin
+ pushd ./.github
+ go build -o resign resign.go
+ popd
+ sudo -E ./.github/resign
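Review bot: `uses: sigstore/cosign-installer@main` pulls an unpinned, mutable branch for the very tool that produces this project's release signatures, so anyone who can push to that branch can swap the cosign binary that signs with this repository's OIDC identity; pin it to a release tag or, better, a commit SHA, e.g. `uses: sigstore/cosign-installer@<release-tag-or-sha>`, as the other actions here are at least pinned to a major version. Separately, `final-repo` and `cosign-repository` are free-form `string` inputs, so anyone allowed to dispatch this workflow can have the project's keyless identity sign every image in an arbitrary registry repo; a `type: choice` list of the known release repos (or an allow-list check in `resign.go`) would bound that. The `fulcio-url` default of `""` is what `resign.go` turns into an empty argv entry, so the default dispatch is likely to fail at signing time. The final `sudo -E ./.github/resign` runs the tool as root with the registry logins and the OIDC request variables inherited; it is not obvious from this diff that verifying and signing images needs root, so it is worth confirming before keeping it. The input description also has a typo, `LEave empty to use cosign default url..`.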