#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

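# Cloud Build pipeline for a cosign release: clone the repository, check out
# the release tag, verify the third-party cross-compile image with cosign,
# then build, sign and publish the release artifacts.
timeout: 3600s

steps:
  # Clone the source repository named by the _TOOL_ORG/_TOOL_REPO substitutions.
  # NOTE(review): this builder image is referenced without a tag or digest,
  # unlike the cosign and golang-cross images below; consider pinning it too.
  - name: 'gcr.io/cloud-builders/git'
    dir: 'go/src/sigstore'
    args:
      - 'clone'
      - 'https://github.com/${_TOOL_ORG}/${_TOOL_REPO}'

  # Check out the release tag.
  # NOTE(review): the checkout is by tag name only; nothing in this file checks
  # that the tag is signed or resolves to an expected commit.
  # ${_GIT_TAG} is quoted in the shell so a value containing whitespace or glob
  # characters is passed to git as a single argument.
  - name: 'gcr.io/cloud-builders/git'
    entrypoint: 'bash'
    dir: 'go/src/sigstore/cosign'
    args:
      - '-c'
      - |
        git fetch
        echo "Checking out ${_GIT_TAG}"
        git checkout "${_GIT_TAG}"

  # Verify the keyless signature on the third-party golang-cross image before
  # any later step runs it. The check pins the expected OIDC issuer (GitHub
  # Actions) and the exact release workflow identity at tag v1.21.8-0.
  # When the builder image is bumped, the tag, the digest and the
  # --certificate-identity value must change together, here and in both
  # steps below that run the image.
  - name: 'gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967'
    dir: 'go/src/sigstore/cosign'
    env:
      # Keep cosign's local TUF metadata under /tmp inside the build container.
      - 'TUF_ROOT=/tmp'
    args:
      - 'verify'
      - 'ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405'
      - '--certificate-oidc-issuer'
      - 'https://token.actions.githubusercontent.com'
      - '--certificate-identity'
      - 'https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0'

  # Build the release with the verified golang-cross image (same digest as the
  # reference verified above).
  # TODO: consider building our own cross-compile image to be on the safer
  # side; this third-party image runs with GITHUB_TOKEN in its environment and
  # with the KMS key coordinates below.
  - name: 'ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405'
    entrypoint: '/bin/sh'
    dir: 'go/src/sigstore/cosign'
    env:
      - 'GOPATH=/workspace/go'
      - 'GOBIN=/workspace/bin'
      - 'PROJECT_ID=${PROJECT_ID}'
      - 'KEY_LOCATION=${_KEY_LOCATION}'
      - 'KEY_RING=${_KEY_RING}'
      - 'KEY_NAME=${_KEY_NAME}'
      - 'KEY_VERSION=${_KEY_VERSION}'
      - 'GIT_TAG=${_GIT_TAG}'
      - 'GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com'
      # Answer cosign's interactive confirmation prompts automatically.
      - 'COSIGN_YES=true'
      - 'KO_PREFIX=gcr.io/${PROJECT_ID}'
    secretEnv:
      - 'GITHUB_TOKEN'
    args:
      - '-c'
      - |
        gcloud auth configure-docker \
        && make release

  # Sign the release images and copy the signed release to GHCR.
  # `$$` is Cloud Build's escape for a literal `$`, so GITHUB_TOKEN and
  # GITHUB_USER are expanded by bash at run time, not by substitution. Both
  # are quoted so they reach echo / docker login as single arguments; the
  # token is passed on stdin rather than on the docker command line.
  # NOTE(review): shell precedence makes the trailing `|| true` apply to the
  # whole `login && sign-release-images && copy-signed-release-to-ghcr` chain,
  # so this step reports success even when the login or the signing fails.
  # If only the GHCR copy is meant to be best-effort, scope `|| true` to that
  # command alone; confirm the intent before changing it.
  - name: 'ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405'
    entrypoint: 'bash'
    dir: 'go/src/sigstore/cosign'
    env:
      - 'GOPATH=/workspace/go'
      - 'GOBIN=/workspace/bin'
      - 'PROJECT_ID=${PROJECT_ID}'
      - 'KEY_LOCATION=${_KEY_LOCATION}'
      - 'KEY_RING=${_KEY_RING}'
      - 'KEY_NAME=${_KEY_NAME}'
      - 'KEY_VERSION=${_KEY_VERSION}'
      - 'GIT_TAG=${_GIT_TAG}'
      - 'KO_PREFIX=gcr.io/${PROJECT_ID}'
      - 'COSIGN_YES=true'
      - 'GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com'
      - 'GITHUB_USER=${_GITHUB_USER}'
    secretEnv:
      - 'GITHUB_TOKEN'
    args:
      - '-c'
      - |
        echo "$$GITHUB_TOKEN" | docker login ghcr.io -u "$$GITHUB_USER" --password-stdin \
        && make sign-release-images && make copy-signed-release-to-ghcr || true

# GITHUB_TOKEN is read from Secret Manager and exposed only to the steps that
# list it under secretEnv.
# NOTE(review): `versions/latest` resolves to whichever secret version is
# newest when the build runs; pin a numbered version if a release must be
# traceable to one specific credential.
availableSecrets:
  secretManager:
    - versionName: 'projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest'
      env: 'GITHUB_TOKEN'

# Upload the built binaries and the release public key to the bucket path for
# this tag.
artifacts:
  objects:
    location: 'gs://${_STORAGE_LOCATION}/${_GIT_TAG}'
    paths:
      - 'go/src/sigstore/cosign/dist/*'
      - 'go/src/sigstore/cosign/release/release-cosign.pub'

options:
  machineType: 'E2_HIGHCPU_32'

tags:
  - 'cosign-release'
  - '${_GIT_TAG}'
  - '${_TOOL_ORG}'
  - '${_TOOL_REPO}'

# Default substitution values. These look like placeholders that the caller is
# expected to override when submitting a release build; confirm against the
# release process.
substitutions:
  _GIT_TAG: 'v1.23.45'
  _TOOL_ORG: 'honk'
  _TOOL_REPO: 'honk-repo'
  _STORAGE_LOCATION: 'honk'
  _KEY_RING: 'honk-ring'
  _KEY_NAME: 'honk-crypto'
  _KEY_VERSION: '1'
  _KEY_LOCATION: 'global'
  _GITHUB_USER: 'placeholder'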