fluxcd
/
helm-controller
mirror of https://github.com/fluxcd/helm-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Publish SBOM and sign release artifacts 

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan 2022-01-21 17:31:38 +02:00
parent ab9e4f8c95
commit 413d60f8ba
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF
6 changed files with 87 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/cifuzz.yaml vendored
View File

@ -3,6 +3,10 @@ on:
pull_request: pull_request:
branches: branches:
- main - main
permissions:
contents: read # for actions/checkout to fetch code
jobs: jobs:
Fuzzing: Fuzzing:
runs-on: ubuntu-latest runs-on: ubuntu-latest

5
.github/workflows/e2e.yaml vendored
View File

@ -1,5 +1,4 @@
name: e2e name: e2e
on: on:
workflow_dispatch: workflow_dispatch:
pull_request: pull_request:
@ -7,6 +6,10 @@ on:
branches: branches:
- main - main
- "feature/**" - "feature/**"
permissions:
contents: read # for actions/checkout to fetch code
jobs: jobs:
kind: kind:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/nightly.yaml vendored
View File

@ -4,6 +4,9 @@ on:
- cron: '0 0 * * *' - cron: '0 0 * * *'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read # for actions/checkout to fetch code
env: env:
REPOSITORY: ${{ github.repository }} REPOSITORY: ${{ github.repository }}

57
.github/workflows/release.yml vendored
View File

@ -10,6 +10,11 @@ on:
default: 'rc' default: 'rc'
required: true required: true
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
env: env:
CONTROLLER: ${{ github.event.repository.name }} CONTROLLER: ${{ github.event.repository.name }}
@ -31,13 +36,9 @@ jobs:
echo ::set-output name=VERSION::${VERSION} echo ::set-output name=VERSION::${VERSION}
- name: Setup QEMU - name: Setup QEMU
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@v1
with:
platforms: all
- name: Setup Docker Buildx - name: Setup Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
with:
buildkitd-flags: "--debug"
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v1 uses: docker/login-action@v1
with: with:
@ -49,7 +50,16 @@ jobs:
with: with:
username: fluxcdbot username: fluxcdbot
password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }} password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
- name: Publish multi-arch container image - name: Generate images meta
id: meta
uses: docker/metadata-action@v3
with:
images: |
fluxcd/${{ env.CONTROLLER }}
ghcr.io/fluxcd/${{ env.CONTROLLER }}
tags: |
type=raw,value=${{ steps.prep.outputs.VERSION }}
- name: Publish images
uses: docker/build-push-action@v2 uses: docker/build-push-action@v2
with: with:
push: true push: true
@ -57,35 +67,34 @@ jobs:
context: . context: .
file: ./Dockerfile file: ./Dockerfile
platforms: linux/amd64,linux/arm/v7,linux/arm64 platforms: linux/amd64,linux/arm/v7,linux/arm64
tags: | tags: ${{ steps.meta.outputs.tags }}
ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} labels: ${{ steps.meta.outputs.labels }}
docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
labels: |
org.opencontainers.image.title=${{ github.event.repository.name }}
org.opencontainers.image.description=${{ github.event.repository.description }}
org.opencontainers.image.url=${{ github.event.repository.html_url }}
org.opencontainers.image.revision=${{ github.sha }}
org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
- name: Check images - name: Check images
run: | run: |
docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }} docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
- name: Generate release manifests - uses: sigstore/cosign-installer@main
- name: Sign images
env:
COSIGN_EXPERIMENTAL: 1
run: |
cosign sign fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
- name: Generate release artifacts
if: startsWith(github.ref, 'refs/tags/v') if: startsWith(github.ref, 'refs/tags/v')
run: | run: |
mkdir -p config/release mkdir -p config/release
kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
- name: Create release echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
- uses: anchore/sbom-action/download-syft@v0
- name: Create release and SBOM
if: startsWith(github.ref, 'refs/tags/v') if: startsWith(github.ref, 'refs/tags/v')
uses: ncipollo/release-action@v1 uses: goreleaser/goreleaser-action@v2
with: with:
prerelease: true version: latest
artifacts: "config/release/*.yaml" args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
artifactContentType: "text/plain" env:
body: | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)
token: ${{ secrets.GITHUB_TOKEN }}

5
.github/workflows/scan.yaml vendored
View File

@ -1,5 +1,4 @@
name: Scan name: Scan
on: on:
push: push:
branches: [ main ] branches: [ main ]
@ -8,6 +7,10 @@ on:
schedule: schedule:
- cron: '18 10 * * 3' - cron: '18 10 * * 3'
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for codeQL to write security events
jobs: jobs:
fossa: fossa:
name: FOSSA name: FOSSA

39
.goreleaser.yaml Normal file
View File

@ -0,0 +1,39 @@
project_name: helm-controller
builds:
- skip: true
release:
prerelease: "true"
extra_files:
- glob: config/release/*.yaml
checksum:
extra_files:
- glob: config/release/*.yaml
source:
enabled: true
name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"
sboms:
- id: source
artifacts: source
documents:
- "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
# signs the checksum file
# all files (including the sboms) are included in the checksum
# https://goreleaser.com/customization/sign
signs:
- cmd: cosign
env:
- COSIGN_EXPERIMENTAL=1
certificate: "${artifact}.pem"
args:
- sign-blob
- "--output-certificate=${certificate}"
- "--output-signature=${signature}"
- "${artifact}"
artifacts: checksum
output: true