feat(ci): add cosign to sign the released binaries #459

Merged: 4 commits, Feb 5, 2024

@Mossaka (Member) commented Jan 24, 2024

This draft PR adds cosign signing for the released binaries. It is WIP.

I am testing releases in my own forked repo: https://github.com/Mossaka/runwasi/actions/runs/7634841458

Related to #417

@Mossaka marked this pull request as draft January 24, 2024 02:48
@Mossaka closed this Jan 24, 2024
@Mossaka reopened this Jan 24, 2024
@Mossaka marked this pull request as ready for review January 29, 2024 23:54

@jsturtevant (Contributor) left a comment

I am not super familiar with cosign but did a bit of reading and this seems like it is using the approach suggested in the docs.

Could we add a doc on how to run the verification after downloading the files?

.github/workflows/release.yml (outdated)
Comment on lines +79 to +81
make dist-${{ needs.parse.outputs.runtime }}
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
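
Review bot: the `if stat dist/bin/* >/dev/null 2>&1; then` guard discards both stdout and stderr, so an unexpectedly empty dist/bin after `make dist-${{ needs.parse.outputs.runtime }}` looks the same in the job log as the expected no-binaries case, and nothing in these lines records that archiving was skipped. Consider echoing a message when the check fails, or failing the step for runtimes that are expected to ship binaries, so a broken build cannot quietly yield a release with nothing archived.
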
Contributor

What's the scenario where there are no files after running make dist-*?

Member Author

You meant after make build-*?

If we release containerd-shim-wasm-test-modules, I think there will be no files in disk/bin.

@Mossaka (Member Author) commented Jan 31, 2024

> Could we add a doc on how to run the verification after downloading the files?

Sure, I also intend to add the verification doc on the release page.

@Mossaka requested a review from jsturtevant January 31, 2024 23:22

@Mossaka (Member Author) commented Feb 2, 2024

@jeremyrickard could you please take a look?

@jsturtevant (Contributor) left a comment

LGTM, it would be nice to have one more set of eyes on this PR since I am fairly new to cosign.

@jeremyrickard left a comment

LGTM

@Mossaka merged commit 71f8df9 into containerd:main Feb 5, 2024
43 checks passed
@Mossaka deleted the signing branch February 5, 2024 22:52