
Commit 186c5d0

chore: update workflow to use new key (#2920)
Signed-off-by: Austin Abro <[email protected]>
1 parent 15fa119 commit 186c5d0


6 files changed

+33
-44
lines changed


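--- a/.github/workflows/publish-application-packages.yml
+++ b/.github/workflows/publish-application-packages.yml
@@ -1,6 +1,7 @@
 name: Zarf Application Package Publishing
 
 permissions:
+id-token: write
 contents: read
 
 on:
@@ -22,6 +23,14 @@ jobs:
 with:
 ref: ${{ github.event.inputs.branchName }}
 
+- name: Auth with AWS
+uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+with:
+role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
+role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+aws-region: us-east-2
+role-duration-seconds: 3600
+
 - name: Install The Latest Release Version of Zarf
 uses: defenseunicorns/setup-zarf@10e539efed02f75ec39eb8823e22a5c795f492ae #v1.0.1
 
@@ -44,7 +53,3 @@ jobs:
 
 # Publish a skeleton of the dos-games package
 zarf package publish examples/dos-games oci://ghcr.io/zarf-dev/packages
-env:
-AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
-AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}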
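Review bot: The `id-token: write` added to the workflow-level `permissions:` block lets every job in this workflow mint an OIDC token, although only the job that assumes `AWS_KMS_ROLE` needs one; if the file defines more than the one job visible here, move `id-token: write` into that job's own `permissions:` block and keep the top-level block at `contents: read` (the same applies to the top of release.yml in this commit). The `Auth with AWS` step is also placed before `Install The Latest Release Version of Zarf` rather than immediately before the step that uses the KMS key, so the credentials the action exports to the job environment are presumably available to every intervening step; release.yml puts the step directly before `Zarf Agent: Sign the Image`, which is the tighter arrangement. Finally, `github.job` is always set inside a job, so the `||` fallbacks in `role-session-name` never take effect and the resulting session name carries no run identity; a value such as `role-session-name: ${{ github.repository_owner }}-${{ github.run_id }}` would be traceable in CloudTrail and stays within the allowed session-name character set (the same expression is used in release.yml). The enclosing job starts outside the hunk.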

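--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,7 @@
 name: Release CLI and Packages on Tag
 
 permissions:
+id-token: write
 contents: read
 
 on:
@@ -53,13 +54,18 @@ jobs:
 rm build/zarf-linux-arm64
 echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
 
+- name: Auth with AWS
+uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+with:
+role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
+role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+aws-region: us-east-2
+role-duration-seconds: 3600
+
 - name: "Zarf Agent: Sign the Image"
 run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
 env:
 COSIGN_EXPERIMENTAL: 1
-AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
-AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
 
 # Builds init packages since GoReleaser won't handle this for us
 - name: Build init-packages For Release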

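--- a/cosign.pub
+++ b/cosign.pub
@@ -1,14 +1,14 @@
 -----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9u472y/wY0tjIiR2T6rY
-zOG1q4qwx5ZdmnoGsiG0Zc3rYo2DMiuKciG0MI4opCf4IID7kfYOD4aWILymwFID
-xW0L6pEbxknHRQacWZSf/qfA+aAcjbKOY3ZWU8/uLJJeq37Y4OLc17ThJ7ZOj1Yf
-Uvj81Uz9ZWVW7kYY31vWCruJh4VxZLsUAmFc6CsQUtzSGordLhh1b1rDP6ZRAaIP
-mQnniULogwIBqnUTkIVwxiRYG+V2a3IC5vqlBLQRQ3UOWQ9mgZcfcXuTA6Fh8bwO
-2lG768UfI1RBYioXAgXbPwXK+kM3Idvjcr+X2F3VpYWhHTscMIQF0ERzK7BkRqRI
-x9l/RRm5lP+9a1kt6giYtvX2OqEsWaG3lTen3ocwblaHRlmqnaiVBtAnVny6QDHX
-9p1HPMD/NjWjZucxWMjtdL5FZxBywbJVlxhe7sFByMoBZYhea9vGGSn2M2Q9kPiq
-Bgl6bKZdeYIhaKQ7wrNkS6YVHMIqqpCIUI6/YGYwnu0hodbjR0yA2LFx4TgFZAuY
-uGEiRP4Oi7WEOPkjRjP7kPXGpEBB7ulZ/Wohq1B6pB1Odo8WlfJRAek319F2aqqh
-J1c3YdZ/w3EvCLKd+Inp1UNbamb79UN6jtwhqwKw72YbZh/yP0rim49lQ++umwPX
-JWqG8iY/UzGB/3ch4/Wb09UCAwEAAQ==
------END PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr6pqXju3qrkVae35GIuG
+F58+zMd5XGMVgPkxFrdrJZ/3Ag65y7j4QsrcCFkXYAYNIy9iZliXypsxrr3oajJv
+EgLDAc0CqtWYa0tuT2kAP4YHzxVkLC8MZLhQ1fuj9QKylm3OIMf18ZAnp12upmK8
+SBvrYxtWfTOv4KBgRGdIO0U9M/dwNnodGosY0znyHD9dp1G7qRA7BNpOsuXoaLa/
+aSQ2X0icoq5N8BLLOl3/23w6nCV+G32HFD0/AurDZVMC8o6N91AkX3smfWINkNk+
+QUrCkjhlAMxtBPi2TCYB4PimOKLpO/q/hwfixkHJcx8zPY/UZCCJGrsOcdFdvN/M
+FkxqVZ2vBv+8LaElSAmbzsjVpg4w3QMk/6fVuU2rBtwog7DekuV/J5SwGCyTfC/4
+R8SetTsEpYgtDWp8+vugcfZTg5+7rPnMfNG16HdwJoC+LnWbeot6X2ZepTu4CrkV
+qCAfFlu9G9sy2ZrwT5gnFT9JoKPVRTgkYmADgSfF0njKjuFKfk+aEVIrKRCVbExe
+VtfmM1A9OfP4vCtCKw7tE5fFhmAa5v2D6LS/rG2m99fbZjDdeK9y22OZZyUCZaUN
+TM+VQTuY1bwXY0/XEhUHxP0Fzk2VGQVslwXgW305SzR8Yh/bTbE4pkNGpOta+4s2
+E5ZMlZgQX8x4gSfbxmBHgP0CAwEAAQ==
+-----END PUBLIC KEY-----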

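--- a/src/pkg/utils/cosign.go
+++ b/src/pkg/utils/cosign.go
@@ -8,15 +8,13 @@ import (
 "context"
 "fmt"
 "io"
-"os"
 "strings"
 
 "github.com/defenseunicorns/pkg/helpers/v2"
 "github.com/google/go-containerregistry/pkg/authn"
 "github.com/google/go-containerregistry/pkg/name"
 "github.com/google/go-containerregistry/pkg/v1/remote"
 "github.com/pkg/errors"
-"github.com/zarf-dev/zarf/src/config"
 "github.com/zarf-dev/zarf/src/config/lang"
 "github.com/zarf-dev/zarf/src/pkg/message"
 
@@ -41,12 +39,6 @@ import (
 func Sget(ctx context.Context, image, key string, out io.Writer) error {
 message.Warnf(lang.WarnSGetDeprecation)
 
-// If this is a DefenseUnicorns package, use an internal sget public key
-if strings.HasPrefix(image, fmt.Sprintf("%s://defenseunicorns", helpers.SGETURLScheme)) {
-os.Setenv("DU_SGET_KEY", config.CosignPublicKey)
-key = "env://DU_SGET_KEY"
-}
-
 // Remove the custom protocol header from the url
 image = strings.TrimPrefix(image, helpers.SGETURLPrefix)
 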
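Review bot: With the implicit DefenseUnicorns key lookup removed from `Sget`, an `sget://defenseunicorns/...` reference that previously verified against the built-in `config.CosignPublicKey` now verifies against whatever `key` the caller supplies, and nothing in the hunk rejects an empty `key` before the pull continues; unless the code further down already does so, a guard right after the deprecation warning such as `if key == "" { return fmt.Errorf("sget: a public key is required to verify %q", image) }` would make the new contract explicit instead of failing later in verification. The doc comment on `Sget` (above the hunk) should also be updated to say that callers must now pass the key for every sget URL. Sget's body continues past the hunk, so the verification path that consumes `key` is not visible here.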

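--- a/src/test/e2e/11_oci_pull_inspect_test.go
+++ b/src/test/e2e/11_oci_pull_inspect_test.go
@@ -55,7 +55,7 @@ func (suite *PullInspectTestSuite) Test_0_Pull() {
 
 // Verify the package was pulled correctly.
 suite.FileExists(out)
-stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://zarf.dev/cosign.pub", "--sbom-out", sbomTmp)
+stdOut, stdErr, err = e2e.Zarf(suite.T(), "package", "inspect", out, "--key", "https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--sbom-out", sbomTmp)
 suite.NoError(err, stdOut, stdErr)
 suite.Contains(stdErr, "Validating SBOM checksums")
 suite.Contains(stdErr, "Package signature validated!")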
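Review bot: The replacement `--key` URL points at the `v0.38.2` tag of the repository, and a tag is a mutable git ref, so the key this test verifies against can change without any edit to the test; pinning the raw URL to the commit SHA that carries the old key, or checking the old `cosign.pub` into the e2e fixtures and passing a local path, keeps the test deterministic and removes a live GitHub fetch from the verification path. The same tag-pinned URL is introduced in 27_deploy_regression_test.go in this commit. Test_0_Pull's body starts outside the hunk.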

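--- a/src/test/e2e/27_deploy_regression_test.go
+++ b/src/test/e2e/27_deploy_regression_test.go
@@ -9,7 +9,6 @@ import (
 "testing"
 
 "github.com/stretchr/testify/require"
-"github.com/zarf-dev/zarf/src/pkg/utils/exec"
 )
 
 func TestGHCRDeploy(t *testing.T) {
@@ -25,20 +24,7 @@ func TestGHCRDeploy(t *testing.T) {
 }
 
 // Test with command from https://docs.zarf.dev/getting-started/install/
-stdOut, stdErr, err := e2e.Zarf(t, "package", "deploy", fmt.Sprintf("oci://🦄/dos-games:1.0.0-%s@sha256:%s", e2e.Arch, sha), "--key=https://zarf.dev/cosign.pub", "--confirm")
-require.NoError(t, err, stdOut, stdErr)
-
-stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm")
-require.NoError(t, err, stdOut, stdErr)
-}
-
-func TestCosignDeploy(t *testing.T) {
-t.Log("E2E: Cosign deploy")
-
-// Test with command from https://docs.zarf.dev/getting-started/install/
-command := fmt.Sprintf("%s package deploy sget://defenseunicorns/zarf-hello-world:$(uname -m) --confirm", e2e.ZarfBinPath)
-
-stdOut, stdErr, err := exec.CmdWithTesting(t, exec.PrintCfg(), "sh", "-c", command)
+stdOut, stdErr, err := e2e.Zarf(t, "package", "deploy", fmt.Sprintf("oci://🦄/dos-games:1.0.0-%s@sha256:%s", e2e.Arch, sha), "--key=https://raw.githubusercontent.com/zarf-dev/zarf/v0.38.2/cosign.pub", "--confirm")
 require.NoError(t, err, stdOut, stdErr)
 
 stdOut, stdErr, err = e2e.Zarf(t, "package", "remove", "dos-games", "--confirm")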
