Skip to content
release

Fix CVEs and bump go version to 1.22 (#537) #78

Sign in to view logs

Fix CVEs and bump go version to 1.22 (#537)

Fix CVEs and bump go version to 1.22 (#537) #78

Workflow file for this run

.github/workflows/release.yml at 72a4273
name: release
on:
push:
tags:
- 'v*'
jobs:
draft-release:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.22.5
- name: Set up Cosign
uses: sigstore/cosign-installer@v3
- name: Install Carvel Tools
uses: carvel-dev/setup-action@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
only: ytt, kapp, kbld, imgpkg, kctrl, vendir
ytt: v0.45.4
kapp: v0.58.0
kbld: v0.37.5
imgpkg: v0.37.3
kctrl: v0.50.2
vendir: v0.34.4
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run release script
run: |
set -e -x
minikube start --driver=docker --wait=all
docker buildx create --name minikube --use --driver=kubernetes --bootstrap
./hack/build-and-publish-release.sh
mkdir release
cp ./tmp/release.yml release/
- name: Sign secretgen-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml`
cosign sign --yes "$image_url"
- name: Verify signature on secretgen-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Run Package build
run: |
constraintVersion="${{ github.ref_name }}"
kctrl pkg release -y -v ${constraintVersion:1} --debug
mv carvel-artifacts/packages/secretgen-controller.carvel.dev/metadata.yml carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml
cp carvel-artifacts/packages/secretgen-controller.carvel.dev/* release/
- name: Sign secretgen-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign sign --yes "$image_url"
- name: Verify signature on secretgen-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Updating release notes
run: |
RELEASE_TAG=$(git describe --tags --abbrev=0)
SGC_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml)
SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
RELEASE_NOTES="
<details>
<summary><h2>Installation and signature verification</h2></summary>
## Verify checksums file signature
Install cosign on your system https://docs.sigstore.dev/system_config/installation/
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:
\`\`\`shell
# Download the checksums file, certificate, and signature
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig
### Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
\`\`\`
## Installation of secretgen-controller
secretgen-controller can be installed by using kapp
\`\`\`shell
kapp deploy -a sg -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
\`\`\`
or by using kubectl
\`\`\`shell
kubectl deploy -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
\`\`\`
### Container Images
secretgen-controller and secretgen-controller-package-bundle images are available in Github Container Registry.
### OCI Image URLs
- $SGC_CONTROLLER_IMAGE
- $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE
### Verify container image signature
The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
\`\`\`shell
# Verifying secretgen-controller image
cosign verify $SGC_CONTROLLER_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
# Verifying secretgen-controller-package-bundle image
cosign verify $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
\`\`\`
</summary>
</details>
"
echo "$RELEASE_NOTES" > ./tmp/release_notes.txt
- name: Create checksum and add it to release notes
run: |
pushd release
shasum -a 256 ./release.yml ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
popd
cat ./tmp/checksums.txt | tee -a ./tmp/release_notes.txt
cp ./tmp/checksums.txt release/checksums.txt
- name: Sign checksums.txt
run: |
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert release/checksums.txt.pem \
--signature release/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
- name: Create release draft and upload release yaml
uses: softprops/action-gh-release@17cd0d34deddf848fc0e7d9be5202c148c270a0a
with:
name: ${{ github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
body_path: ./tmp/release_notes.txt
files: |
./release/*
draft: true
- name: Get uploaded release YAML checksum
uses: actions/github-script@v6
id: get-checksums-from-draft-release
if: startsWith(github.ref, 'refs/tags/')
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
result-encoding: string
script: |
var crypto = require('crypto');
const { owner, repo } = context.repo;
// https://docs.github.com/en/rest/reference/repos#list-releases
// https://octokit.github.io/rest.js/v18#repos-list-releases
var releases = await github.rest.repos.listReleases({
owner: owner,
repo: repo
});
var crypto = require('crypto')
var fs = require('fs')
const url = require('url');
const https = require('https');
checksums = {}
var releaseMatched = false;
var assetsFound = false;
for (const r of releases["data"]) {
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
releaseMatched = true;
for (const asset of r.assets) {
assetsFound = true;
var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
const hash = crypto.createHash('sha256');
let http_promise = new Promise((resolve, reject) => {
https.get(release_asset.url, (stream) => {
stream.on('data', function (data) {
hash.update(data);
});
stream.on('end', function () {
checksums[asset.name]= hash.digest('hex');
resolve(`${asset.name}`);
});
});
});
await http_promise;
http_promise.then(
(result) => {
console.log(checksums);
},
(error) => {
console.log("Encountered an Error for " + asset.name + " asset: " + error); // Log an error
});
}
}
}
if (!releaseMatched) {
console.log("No release matched")
}
if (!assetsFound) {
console.log("No assets found for " + "${{ github.ref }}" + " release")
}
return `${checksums['release.yml']} ./release.yml
${checksums['package.yml']} ./package.yml
${checksums['package-metadata.yml']} ./package-metadata.yml`
- name: Verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
set -e -x
cat ./tmp/checksums.txt
diff ./tmp/checksums.txt <(cat <<EOF
${{steps.get-checksums-from-draft-release.outputs.result}}
EOF
)
- name: Run PackageCR Validation Tests
run: |
set -e -x
# deploy admin sa for secretgen-controller - enough permissions for SGC to be deployed properly
kapp deploy -a rbac -f https://raw.githubusercontent.com/carvel-dev/kapp-controller/develop/examples/rbac/cluster-admin.yml -y
# Kapp-controller is needed for our PackageInstall
kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml -y
constraintVersion="${{ github.ref_name }}"
kubectl create ns sg
kapp deploy -a sg -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package.yml -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml -n sg -y
# installing pkg with kctrl
kctrl pkg install -p secretgen-controller.carvel.dev -i scg --version ${constraintVersion:1} -n sg
export SECRETGEN_E2E_NAMESPACE=secretgen-test
./hack/test-e2e.sh