This repository has been archived by the owner on Dec 16, 2022. It is now read-only.

Improve supply chain security #21

Closed
3 tasks done
pjbgf opened this issue Mar 4, 2022 · 3 comments · Fixed by #28 or #29
Labels
area/security Security related issues and PRs

pjbgf commented Mar 4, 2022

This project should align its supply chain security measures with the rest of the flux2 ecosystem:

  • Sign container images
  • Provide ways for users to verify artefact integrity
  • Generate project SBOM
@pjbgf pjbgf added the area/security Security related issues and PRs label Mar 4, 2022
@pjbgf pjbgf added this to the GA milestone Mar 29, 2022

pjbgf commented Jun 16, 2022

@pjbgf pjbgf moved this to In Progress in Maintainers' Focus Jun 28, 2022
@pjbgf pjbgf closed this as completed in #28 Jul 6, 2022
Repository owner moved this from In Progress to Done in Maintainers' Focus Jul 6, 2022
@pjbgf pjbgf reopened this Jul 6, 2022
Repository owner moved this from Done to In Progress in Maintainers' Focus Jul 6, 2022

pjbgf commented Jul 6, 2022

Reopened as goreleaser is failing:

Run goreleaser/goreleaser-action@v2
Downloading https://github.com/goreleaser/goreleaser/releases/download/v1.10.1/goreleaser_Linux_x86_64.tar.gz
Extracting GoReleaser
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/8317cc04-a4dd-4d84-9117-8c4b8318c663 -f /home/runner/work/_temp/5d2b5d48-08b6-4593-8426-39f231cc14a4
GoReleaser latest installed successfully
libgit2-1.3.1-2 tag found for commit '842e24f'
/opt/hostedtoolcache/goreleaser-action/1.10.1/x64/goreleaser release --rm-dist
  •starting release...
  • loading config file                              file=.goreleaser.yml
  •loading environment variables
  •getting and validating git state
    • building...                                    commit=842e24fcb1bf6407bcdeda71066938ea79a319af latest tag=libgit2-1.3.1-2
  •parsing tag
  ⨯release failed after 0serror=failed to parse tag 'libgit2-1.3.1-2' as semver: Invalid Semantic Version
Error: The process '/opt/hostedtoolcache/goreleaser-action/1.10.1/x64/goreleaser' failed with exit code 1

https://github.com/fluxcd/golang-with-libgit2/runs/7219690733?check_suite_focus=true


pjbgf commented Jul 7, 2022

The issue above was fixed by changing the current tag naming convention to be semver compatible.

@pjbgf pjbgf closed this as completed in #29 Jul 7, 2022
Repository owner moved this from In Progress to Done in Maintainers' Focus Jul 7, 2022
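
The release failure discussed in this thread can be caught before the signing and SBOM steps run by validating the tag up front. The following is an added example, not code from this repository or from GoReleaser: `CheckTag` is a hypothetical helper that applies the strict SemVer 2.0.0 pattern published on semver.org, and tolerating a leading `v` is an assumption, so the check may be stricter than GoReleaser's own parser.

```go
package main

import (
	"fmt"
	"regexp"
)

// semverRe is the pattern suggested by semver.org for SemVer 2.0.0.
var semverRe = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// coreRe locates a MAJOR.MINOR.PATCH triple anywhere in a tag, for diagnostics only.
var coreRe = regexp.MustCompile(`\d+\.\d+\.\d+`)

// CheckTag (hypothetical name) reports whether tag is strict SemVer and, if
// not, why. A leading "v" directly before a digit is tolerated (assumption).
func CheckTag(tag string) (bool, string) {
	v := tag
	if len(v) > 1 && v[0] == 'v' && v[1] >= '0' && v[1] <= '9' {
		v = v[1:]
	}
	if semverRe.MatchString(v) {
		return true, ""
	}
	loc := coreRe.FindStringIndex(v)
	switch {
	case loc == nil:
		return false, "no MAJOR.MINOR.PATCH triple found"
	case loc[0] > 0:
		return false, fmt.Sprintf("unexpected prefix %q before the version", v[:loc[0]])
	default:
		return false, "invalid numeric field, pre-release or build metadata"
	}
}

func main() {
	// The first tag is the one from the failing run; the others are constructed samples.
	for _, t := range []string{"libgit2-1.3.1-2", "v1.3.1-2", "1.3.1+build.2", "v1.03.1"} {
		ok, why := CheckTag(t)
		fmt.Printf("%-18s ok=%-5v %s\n", t, ok, why)
	}
}
```
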