1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
timeout: 3600s
steps:
- name: gcr.io/cloud-builders/git
dir: "go/src/sigstore"
args:
- "clone"
- "https://github.com/${_TOOL_ORG}/${_TOOL_REPO}"
- name: gcr.io/cloud-builders/git
entrypoint: "bash"
dir: "go/src/sigstore/cosign"
args:
- '-c'
- |
git fetch
echo "Checking out ${_GIT_TAG}"
git checkout ${_GIT_TAG}
- name: 'ghcr.io/sigstore/cosign/cosign:v2.4.3-dev@sha256:ed76c008e733aa64d257f754a02eb07b251525ea8dc08f40974baec317dea8c9'
dir: "go/src/sigstore/cosign"
env:
- TUF_ROOT=/tmp
args:
- 'verify'
- 'ghcr.io/gythialy/golang-cross:v1.24.1-0@sha256:dcc12fa4a35c7cda162cfbaa3f612b4209d5e2e78093e7c3fd7168d258432706'
- '--certificate-oidc-issuer'
- "https://token.actions.githubusercontent.com"
- '--certificate-identity'
- "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.24.1-0"
# maybe we can build our own image and use that to be more in a safe side
- name: ghcr.io/gythialy/golang-cross:v1.24.1-0@sha256:dcc12fa4a35c7cda162cfbaa3f612b4209d5e2e78093e7c3fd7168d258432706
entrypoint: /bin/sh
dir: "go/src/sigstore/cosign"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- COSIGN_YES=true
- KO_PREFIX=gcr.io/${PROJECT_ID}
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
gcloud auth configure-docker \
&& make release
- name: ghcr.io/gythialy/golang-cross:v1.24.1-0@sha256:dcc12fa4a35c7cda162cfbaa3f612b4209d5e2e78093e7c3fd7168d258432706
entrypoint: 'bash'
dir: "go/src/sigstore/cosign"
env:
- "GOPATH=/workspace/go"
- "GOBIN=/workspace/bin"
- PROJECT_ID=${PROJECT_ID}
- KEY_LOCATION=${_KEY_LOCATION}
- KEY_RING=${_KEY_RING}
- KEY_NAME=${_KEY_NAME}
- KEY_VERSION=${_KEY_VERSION}
- GIT_TAG=${_GIT_TAG}
- KO_PREFIX=gcr.io/${PROJECT_ID}
- COSIGN_YES=true
- GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
- GITHUB_USER=${_GITHUB_USER}
- LATEST_TAG=",latest"
secretEnv:
- GITHUB_TOKEN
args:
- '-c'
- |
echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
&& make sign-release-images && make copy-signed-release-to-ghcr || true
availableSecrets:
secretManager:
- versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
env: GITHUB_TOKEN
artifacts:
objects:
location: 'gs://${_STORAGE_LOCATION}/${_GIT_TAG}'
paths:
- "go/src/sigstore/cosign/dist/*"
- "go/src/sigstore/cosign/release/release-cosign.pub"
options:
machineType: E2_HIGHCPU_32
tags:
- cosign-release
- ${_GIT_TAG}
- ${_TOOL_ORG}
- ${_TOOL_REPO}
substitutions:
_GIT_TAG: 'v1.23.45'
_TOOL_ORG: 'honk'
_TOOL_REPO: 'honk-repo'
_STORAGE_LOCATION: 'honk'
_KEY_RING: 'honk-ring'
_KEY_NAME: 'honk-crypto'
_KEY_VERSION: '1'
_KEY_LOCATION: 'global'
_GITHUB_USER: 'placeholder'
|
