When pushing a tag ti github, github actions automatically creates release for it, with signing of release assets using github workflow identity (see this and this for more info)
So then binary files can be validated using cosign (with checksums.txt and checksubs.txt.sig upload from github release assets):
COSIGN_EXPERIMENTAL=1 cosign verify-blob -signature ~/Downloads/checksums.txt.sig ~/Downloads/checksums.txt
- Set following secrets in your repo:
- DOCKER_USERNAME
- DOCKER_PASSWORD
- COSIGN_KEY
- COSIGN_PASSWORD
- CODECOV_TOKEN
In order to generate cosign token:
# in case cosign not installed
go install github.com/sigstore/cosign/cmd/[email protected]
cosign generate-key-pair
, then copy generated key and password to github secrets
-
In
.github/workflows/github-actions-demo.yml
replaceskifdh/test
with your own docker image path. -
Codecov step is standalone, impact only build step, and can be easily commented
Install core:
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
Check storage classes:
kubectl get storageclasses
for Minikube:
kubectl create configmap config-artifact-pvc \
--from-literal=size=10Gi \
--from-literal=storageClassName=standard \
-o yaml -n tekton-pipelines \
--dry-run=client | kubectl replace -f -
Install triggers:
kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
Dashboard (optional):
kubectl apply --filename https://github.com/tektoncd/dashboard/releases/latest/download/tekton-dashboard-release.yaml
kubectl proxy --port=8080
./install.sh
Docker registry access:
kubectl -n sscs create secret docker-registry regcred \
--docker-server=<your-registry-server> \
--docker-username=<your-name> \
--docker-password=<your-pword> \
--docker-email=<your-email>
kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/latest/release.yaml
Prepare chains:
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.storage": "oci"}}'
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"transparency.enabled": "true"}}'