draft: prototyping binary and image signing with cosign #4

Closed
wants to merge 1 commit into from
59 changes: 59 additions & 0 deletions .github/workflows/signing-proto.yaml
@@ -0,0 +1,59 @@
name: Signing Prototype

on:
push:
branches:
- signed-binaries

permissions:
# required for OIDC token used as the signing identity
id-token: write

# required to publish the release
contents: write

jobs:
goreleaser:
# deploy with the correct environment to allow DockerHub access
environment: "Publish"

runs-on: ubuntu-latest
steps:

- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Configure Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod

- name: Install Cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v2.4.0'

# we're not releasing to Dockerhub on this branch
# - name: Login to Docker Hub
# uses: docker/login-action@v3
# with:
# username: ${{ secrets.DOCKERHUB_USER }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Release
uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser
version: v2.3.2
args: build --snapshot --config .goreleaser-prototype.yaml --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Archive build
uses: actions/upload-artifact@v4
with:
name: snapshot
path: dist
retention-days: 5
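Review bot: the `permissions` block grants `contents: write` (the comment says it is for publishing the release), but the only steps in this hunk run `goreleaser build --snapshot` and upload the `dist` directory as a workflow artifact, so nothing on this branch publishes a release; until the release step is enabled this should be `contents: read`, keeping `id-token: write` as the only elevated grant the signing actually needs. In the same spirit, the job selects `environment: "Publish"` while the Docker Hub login that motivates it is commented out, which exposes that environment's secrets to a build-only job for no benefit, and the `GITHUB_TOKEN` passed to the Release step is not used by `build --snapshot`. Finally, since this workflow mints the signing identity, consider pinning `actions/checkout`, `actions/setup-go`, `sigstore/cosign-installer`, `goreleaser/goreleaser-action` and `actions/upload-artifact` to commit SHAs rather than the floating `@v4`/`@v5`/`@v3` tags, so a moved tag cannot change what runs with the OIDC token.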
87 changes: 87 additions & 0 deletions .goreleaser-prototype.yaml
@@ -0,0 +1,87 @@
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
version: 2

builds:
- id: release
binary: chinmina-bridge
env:
- CGO_ENABLED=0
goos:
- darwin
- linux
goarch:
- amd64
- arm64

checksum:
name_template: "checksums.txt"

archives:
- format: tar.gz
name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"

changelog:
use: github-native
sort: asc

# Sign with cosign -- this picks up the OIDC token from the environment in GHA.
# If you do this locally, sign with an OAuth identity you don't mind being permanently
# published to a transparency log.
binary_signs:
- cmd: cosign
args:
- "sign-blob"
- "${artifact}"
- "--yes" # needed on cosign 2.0.0+

# release:
# disable: true
# prerelease: auto
# header: |
# Distributions for this release are published as binaries and a Docker image.

# The preferred way to consume a release is via its [Docker image](https://hub.docker.com/r/chinmina/chinmina-bridge):

# ```text
# chinmina/chinmina-bridge:{{ .Tag }}
# ```

# The multi-platform image is published for Linux x86-64 and Linux ARM-64.

# If needed, binaries of this build (including Mac) can be found below.

# kos:
# -
# id: chinmina-bridge
# build: release
# working_dir: .
# base_image: cgr.dev/chainguard/static

# repository: chinmina

# # Platforms to build and publish.
# #
# # Default: 'linux/amd64'
# platforms:
# - linux/amd64
# - linux/arm64

# # Tag to build and push.
# # Empty tags are ignored.
# #
# # Default: 'latest'
# # Templates: allowed
# tags:
# - "{{if not .Prerelease}}latest{{end}}"
# - "{{.Tag}}"

# sbom: spdx

# # Bare uses a tag on the $KO_DOCKER_REPO without anything additional.
# bare: true

# # Whether to preserve the full import path after the repository name.
# preserve_import_paths: false

# # Whether to use the base path without the MD5 hash after the repository name.
# base_import_paths: true
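Review bot: the `binary_signs` entry passes only `sign-blob ${artifact} --yes`, so cosign writes the signature to stdout and discards the short-lived certificate, leaving nothing a consumer can feed to `cosign verify-blob`; add `certificate: '${artifact}.pem'` to the entry and extend `args` with `"--output-signature=${signature}"` and `"--output-certificate=${certificate}"` so both files land in `dist` next to the binary (goreleaser expects the signature at `${signature}`, which defaults to `${artifact}.sig`). It is also worth stating in the header comment which identity verifiers should pin with `--certificate-identity` and `--certificate-oidc-issuer`, since with keyless signing that pair, not the binary itself, is what a verifier trusts. Minor: the `--yes` comment in the list item is fine YAML, but the `release:` and `kos:` sections are commented out with inconsistent indentation, which will bite when they are re-enabled; worth normalising now.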