diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a5f37f1f8e..86c8fb550d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -111,6 +111,7 @@ jobs:
 - name: Generate release artifacts
 run: |
 make release-plugins
+ make checksums
 make manifests IMAGE_TAG=${{ github.event.inputs.tag }}
 - name: Generate SBOM (spdx)
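Review bot: `make checksums` is invoked before `make manifests`, and per the Makefile target added in this same diff it only hashes `dist/kubectl-argo-rollouts-*`, so the manifests generated on the very next line — which are published as release assets in the later hunk — end up with neither a checksum nor a signature. If every downloadable asset is meant to be verifiable, move `make checksums` after `make manifests` and widen the target's file list; otherwise state the scope in a comment above the call, e.g. `# checksums cover only the kubectl plugin binaries; manifests are unsigned`.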
@@ -144,6 +145,54 @@ jobs:
 cd /tmp && tar -zcf sbom.tar.gz *.spdx
+ - name: Login to Quay.io
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.13.1'
+
+ - name: Install crane to get digest of image
+ uses: imjasonh/setup-crane@v0.2
+
+ - name: Get digest of controller-image
+ run: |
+ echo "CONTROLLER_DIGEST=$(crane digest quay.io/argoproj/argo-rollouts:${{ github.event.inputs.tag }})" >> $GITHUB_ENV
+
+ - name: Get digest of plugin-image
+ run: |
+ echo "PLUGIN_DIGEST=$(crane digest quay.io/argoproj/kubectl-argo-rollouts:${{ github.event.inputs.tag }})" >> $GITHUB_ENV
+
+ - name: Sign Argo Rollouts Images
+ run: |
+ cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }}
+ cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }}
+ env:
+ COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
+ - name: Sign checksums and create public key for release assets
+ run: |
+ cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-rollouts-checksums.txt > ./dist/argo-rollouts-checksums.sig
+ cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub
+ cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
+ # Displays the public key to share.
+ cosign public-key --key env://COSIGN_PRIVATE_KEY
+ env:
+ COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+ COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
+ - name: update stable tag for docs
+ run: |
+ git tag -f stable ${{ github.event.inputs.tag }}
+ git push -f origin stable
+
 - name: Draft release
 uses: softprops/action-gh-release@v1
 with:
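Review bot: `uses: sigstore/cosign-installer@main` pulls a mutable branch into the same job that is handed `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD`, so any change to that branch — malicious or merely careless — executes with the release signing key in its environment; pin it to a full commit SHA (`uses: sigstore/cosign-installer@<sha> # v1.13.1`) and do the same for `imjasonh/setup-crane@v0.2` and `docker/login-action@v2`, since tags can be moved as well. `${{ github.event.inputs.tag }}` is also spliced verbatim into three `run:` scripts (both `crane digest` lines and `git tag -f stable ...`), which is the classic expression-injection pattern; declare it once as `env: TAG: ${{ github.event.inputs.tag }}` on the step and reference `"$TAG"` so the input is never evaluated as shell. In the two digest steps a failing `crane digest` leaves the variable empty while `echo ... >> $GITHUB_ENV` still exits 0, so the error only surfaces later, cryptically, at `cosign sign ...@`; capture and check it first, e.g. `digest="$(crane digest "quay.io/argoproj/argo-rollouts:$TAG")"`, `test -n "$digest"`, `echo "CONTROLLER_DIGEST=$digest" >> "$GITHUB_ENV"`. Note also that the digest is resolved from the tag at signing time rather than taken from the push step's output (not visible here), so what gets signed is whatever the tag points at when this job runs.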
@@ -160,5 +209,6 @@ jobs:
 manifests/notifications-install.yaml
 docs/features/kustomize/rollout_cr_schema.json
 /tmp/sbom.tar.gz
+ /tmp/sbom.tar.gz.sig
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Makefile b/Makefile
index df2542169b..8e218d36ac 100644
--- a/Makefile
+++ b/Makefile
@@ -271,3 +271,7 @@ release: release-precheck precheckin image plugin-image release-plugins
 trivy:
 @trivy fs --clear-cache
 @trivy fs .
+
+.PHONY: checksums
+checksums:
+ shasum -a 256 ./dist/kubectl-argo-rollouts-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/argo-rollouts-checksums.txt
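Review bot: only `/tmp/sbom.tar.gz.sig` is added to the release asset list here, while the earlier hunk also writes `./dist/argo-rollouts-checksums.txt`, `./dist/argo-rollouts-checksums.sig` and `./dist/argo-rollouts-cosign.pub`; unless a `dist/` glob above this hunk (not visible) already matches them, none of those verification artifacts is ever attached to the release, which defeats the point of signing the checksums. Add them explicitly to the `files:` list — `dist/argo-rollouts-checksums.txt`, `dist/argo-rollouts-checksums.sig`, `dist/argo-rollouts-cosign.pub` — and consider stating the verification command in the release body, e.g. `cosign verify-blob --key argo-rollouts-cosign.pub --signature argo-rollouts-checksums.sig argo-rollouts-checksums.txt`. The `files:` list begins above this hunk.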
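Review bot: the `checksums` recipe masks a failed `shasum`: the recipe's exit status is that of the last pipeline stage (`awk`), so when `./dist` holds no `kubectl-argo-rollouts-*` files the unexpanded glob makes `shasum` fail, `awk` still exits 0, and the target succeeds with an empty `argo-rollouts-checksums.txt` that the workflow then signs and publishes. Hashing from inside the directory removes both the pipe and the prefix-stripping `awk`: `cd ./dist && shasum -a 256 kubectl-argo-rollouts-* > argo-rollouts-checksums.txt` fails the build on a missing glob and produces the bare-filename lines that `shasum -c` expects. Declaring the prerequisite (`checksums: release-plugins`) would additionally stop stale or missing binaries from being hashed when the target is run on its own.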