Skip to content

Commit

Permalink
Signing artifacts and updated release notes to have steps to be follo…
Browse files Browse the repository at this point in the history
…wed for installaton and verification

Signed-off-by: kumari tanushree <[email protected]>
  • Loading branch information
kumari tanushree committed Jan 25, 2024
1 parent cd0467f commit ac3da8d
Showing 1 changed file with 151 additions and 3 deletions.
154 changes: 151 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ on:
jobs:
draft-release:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@v2
Expand All @@ -17,6 +21,8 @@ jobs:
uses: actions/setup-go@v2
with:
go-version: 1.21.3
- name: Set up Cosign
uses: sigstore/cosign-installer@v3
- name: Install Carvel Tools
uses: carvel-dev/setup-action@v1
with:
Expand All @@ -42,23 +48,165 @@ jobs:
./hack/build-and-publish-release.sh
mkdir release
cp ./tmp/release.yml release/
- name: Sign secretgen-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml`
cosign sign --yes "$image_url"
- name: Verify signature on secretgen-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Run Package build
run: |
constraintVersion="${{ github.ref_name }}"
kctrl pkg release -y -v ${constraintVersion:1} --debug
mv carvel-artifacts/packages/secretgen-controller.carvel.dev/metadata.yml carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml
cp carvel-artifacts/packages/secretgen-controller.carvel.dev/* release/
- name: Checksum
- name: Sign secretgen-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign sign --yes "$image_url"
- name: Verify signature on secretgen-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Updating release notes
run: |
RELEASE_TAG=$(git describe --tags --abbrev=0)
KAPP_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml)
KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
RELEASE_NOTES="
<details>
<summary><h2>Installation and signature verification</h2></summary>
## Installation of kctrl
#### By downloading binary from the release
For instance, if you are using Linux on an AMD64 architecture:
\`\`\`shell
# Download the binary
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/kctrl-linux-amd64
# Move the binary in to your PATH
mv kctrl-linux-amd64 /usr/local/bin/kctrl
# Make the binary executable
chmod +x /usr/local/bin/kctrl
\`\`\`
#### Via Homebrew (macOS or Linux)
\`\`\`shell
$ brew tap carvel-dev/carvel
$ brew install kctrl
$ kctrl version
\`\`\`
## Verify checksums file signature
Install cosign on your system https://docs.sigstore.dev/system_config/installation/
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:
\`\`\`shell
# Download the checksums file, certificate, and signature
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig
### Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
\`\`\`
### Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:
\`\`\`shell
# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
\`\`\`
## Installation of secretgen-controller
secretgen-controller can be installed by using kapp
\`\`\`shell
kapp deploy -a kc -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
\`\`\`
or by using kubectl
\`\`\`shell
kubectl deploy -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml
\`\`\`
### Container Images
secretgen-controller and secretgen-controller-package-bundle images are available in Github Container Registry.
### OCI Image URLs
- $KAPP_CONTROLLER_IMAGE
- $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE
### Verify container image signature
The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
\`\`\`shell
# Verifying secretgen-controller image
cosign verify $KAPP_CONTROLLER_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
# Verifying secretgen-controller-package-bundle image
cosign verify $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
\`\`\`
</summary>
</details>
"
echo "$RELEASE_NOTES" > ./tmp/release_notes.txt
- name: Create checksum and add it to release notes
run: |
pushd release
shasum -a 256 ./release.yml ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
popd
cat ./tmp/checksums.txt | tee -a ./tmp/release_notes.txt
- name: Sign checksums.txt
run: |
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert release/checksums.txt.pem \
--signature release/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
- name: Create release draft and upload release yaml
uses: softprops/action-gh-release@17cd0d34deddf848fc0e7d9be5202c148c270a0a
with:
name: ${{ github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
body_path: ./tmp/checksums.txt
body_path: ./tmp/release_notes.txt
files: |
./release/*
draft: true
Expand Down Expand Up @@ -135,7 +283,7 @@ jobs:
${{steps.get-checksums-from-draft-release.outputs.result}}
EOF
)
- name: Run PackageCR Validation Tests
run: |
set -e -x
Expand Down

0 comments on commit ac3da8d

Please sign in to comment.