Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add keyless Cosign Image Signing, backport changes from argoproj/argo-workflows #299

Open
wants to merge 17 commits into
base: release-3.4
Choose a base branch
from
Open

feat: Add keyless Cosign Image Signing, backport changes from argoproj/argo-workflows #299

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
023d21c
WIP: comment out repo restriction.
korenyoni Jul 26, 2023
0e5ca1e
Empty commit.
korenyoni Jul 26, 2023
12303eb
Fix QUAYIO_ORG substitution.
korenyoni Jul 26, 2023
6b7f813
Clean up release workflow.
korenyoni Jul 30, 2023
3fbbd77
Fix var reference.
korenyoni Jul 30, 2023
aa2c942
Fix windows build.
korenyoni Jul 30, 2023
7dc287d
Bump windows version.
korenyoni Jul 30, 2023
95d827a
Revert windows runner bump.
korenyoni Jul 30, 2023
64cf26d
Sync windows container image build with upstream.
korenyoni Jul 30, 2023
4dc8ebf
Fix windows image push.
korenyoni Jul 30, 2023
8380468
Fix push multiarch.
korenyoni Jul 30, 2023
b731119
Fix tag interpolation in final push.
korenyoni Jul 30, 2023
2bc3fad
Add cosign.
korenyoni Jul 30, 2023
ffd98f7
Fix signing.
korenyoni Jul 30, 2023
4565dfc
Fix checksums.
korenyoni Jul 31, 2023
38c8b6b
Fix cosign interactive prompt.
korenyoni Jul 31, 2023
bb17f04
Uncomment-out job conditions.
korenyoni Jul 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
217 changes: 88 additions & 129 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,12 @@ defaults:
permissions:
contents: read

env:
OCI_REGISTRY: quay.io
OCI_REGISTRY_REPO: ${{ vars.QUAYIO_ORG }}
OCI_REGISTRY_USERNAME: ${{ secrets.QUAYIO_USERNAME }}
OCI_REGISTRY_PASSWORD: ${{ secrets.QUAYIO_PASSWORD }}

jobs:
build-linux-amd64:
name: Build & push linux/amd64
Expand All @@ -46,23 +52,15 @@ jobs:
restore-keys: |
${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-

## Codefresh - remove dockerhub
# - name: Docker Login
# uses: docker/login-action@v1
# with:
# username: ${{ secrets.DOCKERIO_USERNAME }}
# password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Docker Login
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
registry: ${{ env.OCI_REGISTRY }}
username: ${{ env.OCI_REGISTRY_USERNAME }}
password: ${{ env.OCI_REGISTRY_PASSWORD }}

- name: Docker Buildx
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
PLATFORM: ${{ matrix.platform }}
TARGET: ${{ matrix.target }}
run: |
Expand All @@ -72,24 +70,16 @@ jobs:
fi

tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g")
image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}"

## Codefresh - remove dockerhub
# docker buildx build \
# --cache-from "type=local,src=/tmp/.buildx-cache" \
# --cache-to "type=local,dest=/tmp/.buildx-cache" \
# --output "type=image,push=true" \
# --platform="${PLATFORM}" \
# --target $TARGET \
# --tag $image_name .
image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}-${tag_suffix}"
image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty

docker buildx build \
--cache-from "type=local,src=/tmp/.buildx-cache" \
--cache-to "type=local,dest=/tmp/.buildx-cache" \
--output "type=image,push=true" \
--platform="${PLATFORM}" \
--target $TARGET \
--tag quay.io/$image_name .
--tag $image_name .

build-linux-arm64:
name: Build & push linux/arm64
Expand Down Expand Up @@ -121,23 +111,15 @@ jobs:
restore-keys: |
${{ runner.os }}-${{ matrix.platform }}-${{ matrix.target }}-buildx-

## Codefresh - remove dockerhub
# - name: Docker Login
# uses: docker/login-action@v1
# with:
# username: ${{ secrets.DOCKERIO_USERNAME }}
# password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Docker Login
uses: docker/login-action@v2
with:
registry: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
registry: ${{ env.OCI_REGISTRY }}
username: ${{ env.OCI_REGISTRY_USERNAME }}
password: ${{ env.OCI_REGISTRY_PASSWORD }}

- name: Docker Buildx
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
PLATFORM: ${{ matrix.platform }}
TARGET: ${{ matrix.target }}
run: |
Expand All @@ -147,95 +129,73 @@ jobs:
fi

tag_suffix=$(echo $PLATFORM | sed -r "s/\//-/g")
image_name="${DOCKERIO_ORG}/${TARGET}:${tag}-${tag_suffix}"

## Codefresh - remove dockerhub
# docker buildx build \
# --cache-from "type=local,src=/tmp/.buildx-cache" \
# --cache-to "type=local,dest=/tmp/.buildx-cache" \
# --output "type=image,push=true" \
# --platform="${PLATFORM}" \
# --target $TARGET \
# --tag $image_name .
image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}-${tag_suffix}"
image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty

docker buildx build \
--cache-from "type=local,src=/tmp/.buildx-cache" \
--cache-to "type=local,dest=/tmp/.buildx-cache" \
--output "type=image,push=true" \
--platform="${PLATFORM}" \
--target $TARGET \
--tag quay.io/$image_name .
--tag $image_name .

build-windows:
name: Build & push windows
if: github.repository == 'codefresh-io/argo-workflows'
runs-on: windows-2019
runs-on: windows-2022
steps:
- uses: actions/checkout@v2
## Codefresh - remove dockerhub
# - name: Docker Login
# uses: Azure/docker-login@v1
# with:
# username: ${{ secrets.DOCKERIO_USERNAME }}
# password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1

- name: Docker Login
uses: docker/login-action@v2
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
registry: ${{ env.OCI_REGISTRY }}
username: ${{ env.OCI_REGISTRY_USERNAME }}
password: ${{ env.OCI_REGISTRY_PASSWORD }}

- name: Build & Push Windows Docker Images
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
run: |
docker_org=$DOCKERIO_ORG

tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
tag="latest"
fi

targets="argoexec"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}-windows"
docker build --target $target -t $image_name -f Dockerfile.windows .
## Codefresh - remove dockerhub
# docker push $image_name
image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${target}:${tag}-windows"
image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty

docker tag $image_name quay.io/$image_name
docker push quay.io/$image_name
docker build --target $target -t $image_name -f Dockerfile.windows .
docker push $image_name
done

push-images:
name: Push manifest with all images
if: github.repository == 'codefresh-io/argo-workflows'
runs-on: ubuntu-latest
needs: [ build-linux-amd64, build-linux-arm64, build-windows ]
permissions:
contents: read
id-token: write # Needed to create an OIDC token for keyless signing
steps:
- uses: actions/checkout@v2
## Codefresh - remove dockerhub
# - name: Docker Login
# uses: Azure/docker-login@v1
# with:
# username: ${{ secrets.DOCKERIO_USERNAME }}
# password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1

- name: Docker Login
uses: docker/login-action@v2
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
registry: ${{ env.OCI_REGISTRY }}
username: ${{ env.OCI_REGISTRY_USERNAME }}
password: ${{ env.OCI_REGISTRY_PASSWORD }}

- name: Install cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
with:
cosign-release: 'v2.1.1'

- name: Push Multiarch Image
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
run: |
echo $(jq -c '. + { "experimental": "enabled" }' ${DOCKER_CONFIG}/config.json) > ${DOCKER_CONFIG}/config.json

docker_org=$DOCKERIO_ORG
echo $(jq -c '. + { "experimental": "enabled" }' ${HOME}/.docker/config.json) > ${HOME}/.docker/config.json

tag=$(basename $GITHUB_REF)
if [ $tag = "master" ]; then
Expand All @@ -244,21 +204,26 @@ jobs:

targets="workflow-controller argoexec argocli"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}"
image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${target}:${tag}"
image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty

if [ $target = "argoexec" ]; then
## Codefresh - remove dockerhub
# docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows
docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64 quay.io/${image_name}-windows
docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64 ${image_name}-windows
else
## Codefresh - remove dockerhub
# docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64
docker manifest create quay.io/$image_name quay.io/${image_name}-linux-arm64 quay.io/${image_name}-linux-amd64
docker manifest create $image_name ${image_name}-linux-arm64 ${image_name}-linux-amd64
fi

## Codefresh - remove dockerhub
# docker manifest push $image_name
docker manifest push quay.io/$image_name
docker manifest push $image_name

repo="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}"
repo="${repo#/}" # remove leading slash if OCI_REGISTRY is empty
digest=$(skopeo inspect docker://$image_name | jq -r '.Digest')
cosign sign \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "sha=${{ github.sha }}" \
-y \
"${repo}/${target}@${digest}"
done

test-images-linux-amd64:
Expand All @@ -271,23 +236,15 @@ jobs:
platform: [ linux/amd64 ]
target: [ workflow-controller, argocli, argoexec ]
steps:
## Codefresh - remove dockerhub
# - name: Docker Login
# uses: Azure/docker-login@v1
# with:
# username: ${{ secrets.DOCKERIO_USERNAME }}
# password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1
- name: Docker Login
uses: docker/login-action@v2
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
registry: ${{ env.OCI_REGISTRY }}
username: ${{ env.OCI_REGISTRY_USERNAME }}
password: ${{ env.OCI_REGISTRY_PASSWORD }}

- name: Docker Buildx
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
PLATFORM: ${{ matrix.platform }}
TARGET: ${{ matrix.target }}
run: |
Expand All @@ -296,30 +253,24 @@ jobs:
tag="latest"
fi

image_name="${DOCKERIO_ORG}/${TARGET}:${tag}"
## Codefresh - remove dockerhub
# docker pull $image_name
docker pull quay.io/$image_name
image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${TARGET}:${tag}"
image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty
docker pull $image_name

test-images-windows:
name: Try pulling windows
if: github.repository == 'codefresh-io/argo-workflows'
runs-on: windows-2019
runs-on: windows-2022
needs: [ push-images ]
steps:
## Codefresh - remove dockerhub
# - name: Docker Login
# uses: Azure/docker-login@v1
# with:
# username: ${{ secrets.DOCKERIO_USERNAME }}
# password: ${{ secrets.DOCKERIO_PASSWORD }}

- name: Login to Quay
uses: Azure/docker-login@v1

- name: Docker Login
uses: docker/login-action@v2
with:
login-server: quay.io
username: ${{ secrets.QUAYIO_USERNAME }}
password: ${{ secrets.QUAYIO_PASSWORD }}
registry: ${{ env.OCI_REGISTRY }}
username: ${{ env.OCI_REGISTRY_USERNAME }}
password: ${{ env.OCI_REGISTRY_PASSWORD }}

- name: Try pulling
env:
DOCKERIO_ORG: ${{ secrets.DOCKERIO_ORG }}
Expand All @@ -332,15 +283,15 @@ jobs:

targets="argoexec"
for target in $targets; do
image_name="${docker_org}/${target}:${tag}"
## Codefresh - remove dockerhub
# docker pull $image_name
docker pull quay.io/$image_name
image_name="${{ env.OCI_REGISTRY }}/${{ env.OCI_REGISTRY_REPO }}/${target}:${tag}"
image_name="${image_name#/}" # remove leading slash if OCI_REGISTRY is empty
docker pull $image_name
done

publish-release:
permissions:
contents: write # for softprops/action-gh-release to create GitHub release
id-token: write # Needed to create an OIDC token for keyless signing
runs-on: ubuntu-latest
if: github.repository == 'codefresh-io/argo-workflows'
needs: [ push-images, test-images-linux-amd64, test-images-windows ]
Expand All @@ -366,6 +317,10 @@ jobs:
with:
path: /home/runner/go/pkg/mod
key: GOMODCACHE-v2-${{ hashFiles('**/go.mod') }}
- name: Install cosign
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
with:
cosign-release: 'v2.1.1'
# https://stackoverflow.com/questions/58033366/how-to-get-current-branch-within-github-actions
- run: make release-notes VERSION=${GITHUB_REF##*/}
- run: cat release-notes
Expand All @@ -378,6 +333,9 @@ jobs:
- name: Print version (please check it is not dirty)
run: dist/argo-linux-amd64 version
- run: make checksums
- name: Sign checksums and create public key for release assets
run: |
cosign sign-blob -y ./dist/argo-workflows-cli-checksums.txt > ./dist/argo-workflows-cli-checksums.sig
# https://github.com/softprops/action-gh-release
# This will publish the release and upload assets.
# If a conflict occurs (because you are not on a tag), the release will not be updated. This is a short coming
Expand All @@ -390,7 +348,8 @@ jobs:
body_path: release-notes
files: |
dist/argo-*.gz
dist/argo-*.gz.sha256
dist/argo-workflows-cli-checksums.txt
dist/argo-workflows-cli-checksums.sig
dist/manifests/*.yaml
dist/sbom.tar.gz
env:
Expand Down
Loading
Loading