From 4777b62e04071d1b5192dd01d01c215660c7bbd2 Mon Sep 17 00:00:00 2001
From: Christian Rebischke
Date: Mon, 27 Sep 2021 00:01:53 +0200
Subject: [PATCH 1/2] task: add goreleaser + cosign releases
---
 .github/workflows/build.yml | 8 +-
 .github/workflows/goreleaser.yaml | 97 +++++++++++++++++++++++++++++++
 .goreleaser.yaml | 23 ++++++++
 .goreleaser_client.yaml | 23 ++++++++
 4 files changed, 144 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/goreleaser.yaml
 create mode 100644 .goreleaser.yaml
 create mode 100644 .goreleaser_client.yaml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d1a2160c..fcaf6775 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,7 @@ jobs:
 test:
 strategy:
 matrix:
- go-version: [1.16.x, 1.17.x]
+ go-version: [1.15.x, 1.16.x, 1.17.x]
 os: [ubuntu-latest, macos-latest]
 runs-on: ${{ matrix.os }}
 steps:
@@ -33,9 +33,3 @@ jobs:
 run: |
 GO111MODULE=off go get github.com/mattn/goveralls
 $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
- - name: Vet
- run: go vet ./...
- - name: Install staticcheck
- run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
- - name: Run staticcheck
- run: staticcheck ./...
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
new file mode 100644
index 00000000..9ae8401d
--- /dev/null
+++ b/.github/workflows/goreleaser.yaml
@@ -0,0 +1,97 @@
+on: [push, pull_request]
+name: goreleaser
+jobs:
+ test:
+ strategy:
+ matrix:
+ go-version: [1.13.x, 1.14.x, 1.15.x]
+ os: [ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ matrix.go-version }}
+ - name: Setup Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.6
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Install Python dependencies
+ run: |
+ python -m pip install --upgrade iso8601 requests securesystemslib six tuf
+ - name: Format Unix
+ if: runner.os == 'Linux'
+ run: test -z $(go fmt ./...)
+ - name: Test
+ run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
+ - name: Send coverage
+ if: runner.os == 'Linux'
+ env:
+ COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ GO111MODULE=off go get github.com/mattn/goveralls
+ $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+ release-server:
+ runs-on: ubuntu-latest
+ needs: test
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.17
+ - name: write cosign.key to environment
+ run: 'echo "$COSIGN_KEY" > .github/cosign.key'
+ shell: bash
+ env:
+ COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+ - name: install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.2.1'
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ distribution: goreleaser
+ version: 'v0.180.2'
+ args: release --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ release-cli:
+ runs-on: ubuntu-latest
+ needs: test
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.17
+ - name: write cosign.key to environment
+ run: 'echo "$COSIGN_KEY" > .github/cosign.key'
+ shell: bash
+ env:
+ COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+ - name: install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.2.1'
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ distribution: goreleaser
+ version: 'v0.180.2'
+ args: release --config ./.goreleaser_client.yaml --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 00000000..297984de
--- /dev/null
+++ b/.goreleaser.yaml
@@ -0,0 +1,23 @@
+project_name: tuf
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ - "GOFLAGS=-mod=readonly -trimpath"
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ main: ./cmd/tuf/
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sig"
+ stdin: '{{ .Env.COSIGN_PWD }}'
+ args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ artifacts: all
\ No newline at end of file
diff --git a/.goreleaser_client.yaml b/.goreleaser_client.yaml
new file mode 100644
index 00000000..9701e072
--- /dev/null
+++ b/.goreleaser_client.yaml
@@ -0,0 +1,23 @@
+project_name: tuf-client
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ - "GOFLAGS=-mod=readonly -trimpath"
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ main: ./cmd/tuf-client/
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sig"
+ stdin: '{{ .Env.COSIGN_PWD }}'
+ args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ artifacts: all
\ No newline at end of file
From 6b724ae7b436a3c080aa0155da6c9f13416fc0aa Mon Sep 17 00:00:00 2001
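Review bot: `uses: sigstore/cosign-installer@main` in both release jobs fetches the tool that performs the signing from a moving branch, while `cosign-release: 'v1.2.1'` pins only the cosign binary it downloads; the installer action itself should be pinned to a release tag or, better, a full commit SHA so a change on `main` cannot alter what runs with `COSIGN_KEY` in scope (the same unchanged line is kept in both goreleaser.yaml hunks of PATCH 2/2). The new `test` job duplicates the one in build.yml but with a different matrix, `go-version: [1.13.x, 1.14.x, 1.15.x]` here against `[1.15.x, 1.16.x, 1.17.x]` in build.yml in this same patch, so the two workflows disagree on which Go versions are supported. The step named `write cosign.key to environment` actually writes the private key to `.github/cosign.key` inside the checkout; a name such as `- name: write cosign.key into the workspace` would describe what it does, and nothing removes the file once signing is done.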
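Review bot: `ldflags` passes `-extldflags` twice (`"-extldflags=-zrelro"` and `"-extldflags=-znow"`); the Go linker takes `-extldflags` as a single string, so the later entry most likely replaces the earlier one, and because `env` sets `CGO_ENABLED=0` the external linker is not invoked at all, so neither flag affects the produced binaries. If hardening of cgo builds is the intent, merge them into one entry, `- "-extldflags=-zrelro -znow"`, and build with cgo enabled; otherwise drop both so the config does not suggest a hardening that is not applied. The same `ldflags` block is repeated in .goreleaser_client.yaml, and both files end without a trailing newline (`\ No newline at end of file`).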
From: Christian Rebischke
Date: Tue, 16 Nov 2021 18:51:41 +0100
Subject: [PATCH 2/2] feat: keyless realeases with goreleaser and cosign
This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance
---
 .github/workflows/build.yml | 35 ----------------------------
 .github/workflows/goreleaser.yaml | 38 +++++++++++++++++--------------
 .goreleaser.yaml | 10 ++++++--
 .goreleaser_client.yaml | 6 +++--
 4 files changed, 33 insertions(+), 56 deletions(-)
 delete mode 100644 .github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index fcaf6775..00000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
- test:
- strategy:
- matrix:
- go-version: [1.15.x, 1.16.x, 1.17.x]
- os: [ubuntu-latest, macos-latest]
- runs-on: ${{ matrix.os }}
- steps:
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Setup Python
- uses: actions/setup-python@v2
- with:
- python-version: 3.6
- - name: Checkout code
- uses: actions/checkout@v2
- - name: Install Python dependencies
- run: |
- python -m pip install --upgrade iso8601 requests securesystemslib six tuf
- - name: Format Unix
- if: runner.os == 'Linux'
- run: test -z $(go fmt ./...)
- - name: Test
- run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
- - name: Send coverage
- if: runner.os == 'Linux'
- env:
- COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- GO111MODULE=off go get github.com/mattn/goveralls
- $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 9ae8401d..a00555a3 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -4,7 +4,7 @@ jobs:
 test:
 strategy:
 matrix:
- go-version: [1.13.x, 1.14.x, 1.15.x]
+ go-version: [1.16.x, 1.17.x]
 os: [ubuntu-latest, macos-latest]
 runs-on: ${{ matrix.os }}
 steps:
@@ -33,7 +33,16 @@ jobs:
 run: |
 GO111MODULE=off go get github.com/mattn/goveralls
 $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+ - name: Vet
+ run: go vet ./...
+ - name: Install staticcheck
+ run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
+ - name: Run staticcheck
+ run: staticcheck ./...
 release-server:
+ permissions:
+ id-token: write
+ contents: write
 runs-on: ubuntu-latest
 needs: test
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -46,25 +55,24 @@ jobs:
 uses: actions/setup-go@v2
 with:
 go-version: 1.17
- - name: write cosign.key to environment
- run: 'echo "$COSIGN_KEY" > .github/cosign.key'
- shell: bash
- env:
- COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
 - name: install cosign
 uses: sigstore/cosign-installer@main
 with:
- cosign-release: 'v1.2.1'
+ cosign-release: 'v1.4.1'
+ - uses: anchore/sbom-action/download-syft@v0.6.0
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
 distribution: goreleaser
- version: 'v0.180.2'
+ version: 'v1.2.5'
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ COSIGN_EXPERIMENTAL: 1
 release-cli:
+ permissions:
+ id-token: write
+ contents: write
 runs-on: ubuntu-latest
 needs: test
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
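Review bot: The `permissions:` block added under `release-server` (and under `release-cli` in the same hunk) grants `id-token: write` and `contents: write` per job, but the workflow still has no top-level `permissions:`, so the `test` job, which also runs on `pull_request` per the unchanged `on: [push, pull_request]`, keeps whatever default `GITHUB_TOKEN` scopes the repository is configured with. Adding a workflow-level `permissions: contents: read` next to `on:` (outside this hunk) confines write access to the two release jobs that actually need it and documents that intent in the file. A one-line comment above each job-level block, e.g. `# id-token: keyless cosign via OIDC; contents: upload release assets`, would save the next reader from having to infer why both scopes are required.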
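Review bot: `- uses: anchore/sbom-action/download-syft@v0.6.0` is the only step in the job without a `name:`, so it shows up in run logs as a bare action path between `install cosign` and `Run GoReleaser`; give it one, e.g. `- name: install syft`. `COSIGN_EXPERIMENTAL: 1` is an integer scalar that GitHub coerces to the string `"1"` for the environment; writing `COSIGN_EXPERIMENTAL: "1"` keeps the intent explicit and avoids relying on that coercion. Both points apply equally to the `release-cli` hunk that follows (`@@ -77,21 +85,17 @@`).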
@@ -77,21 +85,17 @@ jobs:
 uses: actions/setup-go@v2
 with:
 go-version: 1.17
- - name: write cosign.key to environment
- run: 'echo "$COSIGN_KEY" > .github/cosign.key'
- shell: bash
- env:
- COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
 - name: install cosign
 uses: sigstore/cosign-installer@main
 with:
- cosign-release: 'v1.2.1'
+ cosign-release: 'v1.4.1'
+ - uses: anchore/sbom-action/download-syft@v0.6.0
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
 distribution: goreleaser
- version: 'v0.180.2'
+ version: 'v1.2.5'
 args: release --config ./.goreleaser_client.yaml --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 297984de..ee4e3257 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -15,9 +15,15 @@ builds:
 goarch:
 - amd64
 main: ./cmd/tuf/
+sboms:
+ - artifacts: archive
+ - id: source
+ artifacts: source
+source:
+ enabled: true
 signs:
 - cmd: cosign
 signature: "${artifact}.sig"
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
 artifacts: all
\ No newline at end of file
diff --git a/.goreleaser_client.yaml b/.goreleaser_client.yaml
index 9701e072..cab0b342 100644
--- a/.goreleaser_client.yaml
+++ b/.goreleaser_client.yaml
@@ -15,9 +15,11 @@ builds:
 goarch:
 - amd64
 main: ./cmd/tuf-client/
+sboms:
+ - artifacts: archive
 signs:
 - cmd: cosign
 signature: "${artifact}.sig"
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
 artifacts: all
\ No newline at end of file
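Review bot: The new `certificate: "${artifact}.pem"` and the `--output-certificate` argument publish the material a verifier needs, but nothing in the series says how to use it or which signer identity to expect, and the `signs:` entry carries no comment. Add a short comment above `signs:` stating that signing is keyless through the Actions OIDC identity when `COSIGN_EXPERIMENTAL=1` is set in the workflow, that the `.pem` next to each `.sig` must be supplied at verification time (`cosign verify-blob --cert <artifact>.pem --signature <artifact>.sig <artifact>`), and that the certificate's subject is this repository's release workflow; the README, which this series does not touch, should carry the same guidance. `artifacts: all` presumably also covers the files produced by the new `sboms:` section, so the SBOMs get signed too — confirm that is intended. The .goreleaser_client.yaml hunk gets `sboms:` for archives only and no `source:`; if that omission is deliberate because both releases come from the same tag, a one-line comment there would spare the next reader the question. Both files still end without a trailing newline (`\ No newline at end of file`).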