diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ce19509..9ed2255 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -57,12 +57,12 @@ jobs:
with:
registry: ghcr.io
username: kclbot
- password: ${{ secrets.GHCR_TOKEN }}
+ password: ${{ secrets.DEPLOY_ACCESS_TOKEN }}
- name: Docker login docker.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: kclbot
- password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
- name: Docker meta
id: meta
uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
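Review bot: Switching the two login steps to `secrets.DEPLOY_ACCESS_TOKEN` and `secrets.DOCKER_PASSWORD` only changes which repository secret is read; the previously referenced `GHCR_TOKEN` and `DOCKER_FLUXCD_PASSWORD` credentials remain valid at the registries until they are revoked there and deleted from the repository's secret store, so this rename should be paired with a rotation of the old values. For the ghcr.io login a long-lived personal access token is not needed at all: the workflow-scoped token can push packages, e.g. `username: ${{ github.actor }}` and `password: ${{ secrets.GITHUB_TOKEN }}`, provided the job's `permissions` block (outside this hunk) grants `packages: write` — please confirm that. The name `DEPLOY_ACCESS_TOKEN` suggests a broader-scoped PAT than the registry write it is used for here; if so, scope it down or replace it as above. For docker.io, prefer a Docker Hub access token limited to read/write on the target repositories over the account password the secret name implies.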
@@ -85,71 +85,4 @@ jobs:
platforms: linux/amd64,linux/arm/v7,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- - name: Sign images
- env:
- COSIGN_EXPERIMENTAL: 1
- run: |
- cosign sign --yes kcllang/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
- cosign sign --yes ghcr.io/kcl-lang/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
- - name: GoReleaser publish signed SBOM
- id: run-goreleaser
- if: startsWith(github.ref, 'refs/tags/v')
- uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
- with:
- version: latest
- args: release --clean --skip-validate
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Generate SLSA hashes
- id: hash
- env:
- ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
- run: |
- set -euo pipefail
-
- hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
- echo "hashes=$hashes" >> $GITHUB_OUTPUT
-
- image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
- image_digest=${{ steps.build-push.outputs.digest }}
- echo "image_url=$image_url" >> $GITHUB_OUTPUT
- echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
-
- release-provenance:
- needs: [release]
- permissions:
- actions: read # To read the workflow path.
- id-token: write # To sign the provenance.
- contents: write # To add assets to the release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
- with:
- base64-subjects: "${{ needs.release.outputs.hashes }}"
- upload-assets: true
-
- dockerhub-provenance:
- needs: [release]
- permissions:
- actions: read # for detecting the Github Actions environment.
- id-token: write # for creating OIDC tokens for signing.
- packages: write # for uploading attestations.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
- with:
- image: ${{ needs.release.outputs.image_url }}
- digest: ${{ needs.release.outputs.image_digest }}
- registry-username: fluxcdbot
- secrets:
- registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-
- ghcr-provenance:
- needs: [release]
- permissions:
- actions: read # for detecting the Github Actions environment.
- id-token: write # for creating OIDC tokens for signing.
- packages: write # for uploading attestations.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
- with:
- image: ghcr.io/${{ needs.release.outputs.image_url }}
- digest: ${{ needs.release.outputs.image_digest }}
- registry-username: fluxcdbot
- secrets:
- registry-password: ${{ secrets.GHCR_TOKEN }}
\ No newline at end of file
+
\ No newline at end of file
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index c9aa416..9047bf9 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -28,20 +28,3 @@ sboms:
- artifacts: archive
- id: source
artifacts: source
-
-# signs the checksum file
-# all files (including the sboms) are included in the checksum, so we don't need to sign each one if we don't want to
-# https://goreleaser.com/customization/sign
-signs:
- - cmd: cosign
- env:
- - COSIGN_EXPERIMENTAL=1
- certificate: '${artifact}.pem'
- args:
- - sign-blob
- - "--yes"
- - '--output-certificate=${certificate}'
- - '--output-signature=${signature}'
- - '${artifact}'
- artifacts: checksum
- output: true
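Review bot: Removing the `Sign images` step together with the `release-provenance`, `dockerhub-provenance` and `ghcr-provenance` jobs leaves the images pushed by the preceding build step (and, with the parallel `.goreleaser.yaml` change, the release checksum file) with no cosign signature and no SLSA provenance, and the new side adds nothing in their place; any consumer that gates on `cosign verify` or `slsa-verifier` against `kcllang/`/`ghcr.io/kcl-lang/` tags will start rejecting releases, so this needs a replacement or an explicit, announced downgrade of the supply-chain posture. If the motivation was that the removed jobs were broken rather than unwanted, the visible defect is in the deleted `Generate SLSA hashes` step and the container provenance jobs, which emitted `image_url=fluxcd/...` and authenticated as `registry-username: fluxcdbot` while the images are actually pushed as `kcllang/...` by `kclbot`; fixing those to `image_url=kcllang/${{ env.CONTROLLER }}:...` and the same bot user/secret as the login steps would keep attestation working. With the provenance jobs gone, `id-token: write` is no longer granted anywhere in this diff, so keyless signing cannot be re-added later without restoring that permission on the release job. The `GoReleaser publish signed SBOM` step was dropped as well, so unless goreleaser is invoked from a job outside this hunk the `sboms:` section left in `.goreleaser.yaml` is now dead configuration and no SBOM is published — please confirm that is intended.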