Update cosign installer to fix download error #681
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Test Publish | |
| on: | |
| push: | |
| branches: | |
| - "*" # run for branches | |
| tags: | |
| - "*" # run for tags | |
| jobs: | |
| build-test-artifacts: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: 'Checkout' | |
| uses: actions/checkout@v3 | |
| - name: 'Setup buildx' | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| install: true | |
| - name: 'Docker login' | |
| uses: docker/login-action@v2 | |
| with: | |
| username: kbstci | |
| password: ${{ secrets.DOCKER_AUTH }} | |
| - name: 'Build artifacts' | |
| env: | |
| DOCKER_PUSH: true | |
| GIT_SHA: ${{ github.sha }} | |
| GIT_REF: ${{ github.ref }} | |
| run: make dist | |
| - name: 'Upload artifacts' | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: test-artifacts | |
| path: ./quickstart/_dist | |
| build-image: | |
| runs-on: ubuntu-latest | |
| needs: [build-test-artifacts] | |
| strategy: | |
| matrix: | |
| starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"] | |
| permissions: | |
| id-token: write # needed for keyless signing | |
| steps: | |
| - name: 'Free disk space' | |
| # https://github.com/actions/runner-images/issues/2840#issuecomment-790492173 | |
| run: | | |
| sudo rm -rf /usr/share/dotnet | |
| sudo rm -rf /opt/ghc | |
| sudo rm -rf /usr/local/share/boost | |
| sudo rm -rf $AGENT_TOOLSDIRECTORY | |
| - name: 'Checkout' | |
| uses: actions/checkout@v3 | |
| - name: 'Download test-artifacts' | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: test-artifacts | |
| path: ./quickstart/_dist | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0 | |
| - name: 'Setup buildx' | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| install: true | |
| - name: 'Docker login' | |
| uses: docker/login-action@v2 | |
| with: | |
| username: kbstci | |
| password: ${{ secrets.DOCKER_AUTH }} | |
| - name: Build ${{ matrix.starter }} image | |
| env: | |
| DOCKER_PUSH: true | |
| DOCKER_TARGET: ${{ matrix.starter }} | |
| run: make build | |
| - name: 'Sign Images' | |
| env: | |
| COSIGN_EXPERIMENTAL: true | |
| run: | | |
| cosign sign --yes -a GIT_HASH=${{ github.sha }} -a GIT_REF=${{ github.ref }} kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }} | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: [build-test-artifacts, build-image] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"] | |
| steps: | |
| - name: 'Download test-artifacts' | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: test-artifacts | |
| path: ./quickstart/_dist | |
| - name: 'Unzip ${{ matrix.starter }} quickstart' | |
| run: | | |
| unzip quickstart/_dist/kubestack-starter-${{ matrix.starter }}-*.zip | |
| - name: 'Docker login' | |
| uses: docker/login-action@v2 | |
| with: | |
| username: kbstci | |
| password: ${{ secrets.DOCKER_AUTH }} | |
| - name: 'Docker build' | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| working-directory: ./kubestack-starter-${{ matrix.starter }} | |
| # retagging here is necessary because we only push images | |
| # to kubestack/framework after they have been tested | |
| # but the Dockerfiles in the artifact have the target image name | |
| run: | | |
| SOURCE_IMAGE=kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }} | |
| docker pull $SOURCE_IMAGE | |
| TARGET_IMAGE=$(cat Dockerfile | sed 's/FROM //') | |
| docker tag $SOURCE_IMAGE $TARGET_IMAGE | |
| docker build -t test-image:${{ github.sha }} . | |
| - name: 'Configure Kubestack for ${{ matrix.starter }}' | |
| working-directory: ./kubestack-starter-${{ matrix.starter }} | |
| run: | | |
| # ALL: set name_prefix | |
| sed -i 's/name_prefix = ""/name_prefix = "test"/g' *_cluster.tf | |
| # ALL: set base_domain | |
| sed -i 's/base_domain = ""/base_domain = "infra.serverwolken.de"/g' *_cluster.tf | |
| # AKS: set resource_group | |
| sed -i 's/resource_group = ""/resource_group = "terraform-kubestack-testing"/g' aks_zero_cluster.tf || true | |
| # EKS: set region | |
| sed -i 's/region = ""/region = "eu-west-1"/g' eks_zero_providers.tf || true | |
| # EKS: set cluster_availability_zones | |
| sed -i 's/cluster_availability_zones = ""/cluster_availability_zones = "eu-west-1a,eu-west-1b"/g' eks_zero_cluster.tf || true | |
| # GKE: set project_id | |
| sed -i 's/project_id = ""/project_id = "terraform-kubestack-testing"/g' gke_zero_cluster.tf || true | |
| # GKE: set region | |
| sed -i 's/region = ""/region = "europe-west1"/g' gke_zero_cluster.tf || true | |
| # GKE: set cluster_node_locations | |
| sed -i 's/cluster_node_locations = ""/cluster_node_locations = "europe-west1-b,europe-west1-c,europe-west1-d"/g' gke_zero_cluster.tf || true | |
| - name: 'Terraform init' | |
| working-directory: ./kubestack-starter-${{ matrix.starter }} | |
| run: | | |
| docker run --rm \ | |
| -v `pwd`:/infra \ | |
| test-image:${{ github.sha }} \ | |
| terraform init | |
| - name: 'Terraform workspace new ops' | |
| working-directory: ./kubestack-starter-${{ matrix.starter }} | |
| run: | | |
| docker run --rm \ | |
| -v `pwd`:/infra \ | |
| test-image:${{ github.sha }} \ | |
| terraform workspace new ops | |
| - name: 'Terraform validate' | |
| working-directory: ./kubestack-starter-${{ matrix.starter }} | |
| run: | | |
| docker run --rm \ | |
| -v `pwd`:/infra \ | |
| test-image:${{ github.sha }} \ | |
| terraform validate | |
| - name: 'Terraform plan' | |
| working-directory: ./kubestack-starter-${{ matrix.starter }} | |
| env: | |
| KBST_AUTH_AWS: ${{ secrets.KBST_AUTH_AWS }} | |
| KBST_AUTH_AZ: ${{ secrets.KBST_AUTH_AZ }} | |
| KBST_AUTH_GCLOUD: ${{ secrets.KBST_AUTH_GCLOUD }} | |
| run: | | |
| docker run --rm \ | |
| -e KBST_AUTH_AWS \ | |
| -e KBST_AUTH_AZ \ | |
| -e KBST_AUTH_GCLOUD \ | |
| -v `pwd`:/infra \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| test-image:${{ github.sha }} \ | |
| terraform plan --target module.aks_zero --target module.eks_zero --target module.gke_zero | |
| publish-image: | |
| runs-on: ubuntu-latest | |
| needs: [test] | |
| strategy: | |
| matrix: | |
| starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"] | |
| steps: | |
| - name: 'Download test-artifacts' | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: test-artifacts | |
| path: ./quickstart/_dist | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0 | |
| - name: 'Docker login' | |
| uses: docker/login-action@v2 | |
| with: | |
| username: kbstci | |
| password: ${{ secrets.DOCKER_AUTH }} | |
| - name: 'Docker push' | |
| # cosign copy copies the images and the signature from one place to another | |
| # then we dont need to sign again the same image | |
| env: | |
| COSIGN_EXPERIMENTAL: true | |
| run: | | |
| SOURCE_IMAGE=kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }} | |
| TARGET_IMAGE=$(cat quickstart/_dist/kubestack-starter-${{ matrix.starter }}/Dockerfile | sed 's/FROM //') | |
| echo "Source image $SOURCE_IMAGE will be pushed to $TARGET_IMAGE" | |
| cosign copy $SOURCE_IMAGE $TARGET_IMAGE | |
| publish-starter: | |
| runs-on: ubuntu-latest | |
| # only publish the artifacts when tests passed and images are pushed | |
| # because publishing the starter is what makes a release public | |
| needs: [test, publish-image] | |
| permissions: | |
| id-token: write # needed for keyless signing | |
| strategy: | |
| matrix: | |
| starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"] | |
| steps: | |
| - name: 'Download test-artifacts' | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: test-artifacts | |
| path: ./quickstart/_dist | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0 | |
| - id: 'auth' | |
| uses: 'google-github-actions/auth@v1' | |
| with: | |
| credentials_json: ${{ secrets.GCLOUD_AUTH }} | |
| - name: 'Setup gcloud' | |
| uses: google-github-actions/setup-gcloud@v1 | |
| - name: 'Publish ${{ matrix.starter }} starter' | |
| env: | |
| COSIGN_EXPERIMENTAL: true | |
| run: | | |
| SOURCE_FILE=quickstart/_dist/kubestack-starter-${{ matrix.starter }}-${{ github.sha }}.zip | |
| COSIGN_OUTPUT=kubestack-starter-${{ matrix.starter }}-${{ github.sha }} | |
| TARGET_BUCKET=dev.quickstart.kubestack.com | |
| if [[ $GITHUB_REF = refs/tags/v* ]] | |
| then | |
| VERSION=$(echo $GITHUB_REF | sed -e "s#^refs/tags/##") | |
| SOURCE_FILE=quickstart/_dist/kubestack-starter-${{ matrix.starter }}-${VERSION}.zip | |
| COSIGN_OUTPUT=kubestack-starter-${{ matrix.starter }}-${VERSION} | |
| TARGET_BUCKET=quickstart.kubestack.com | |
| fi | |
| cosign sign-blob --yes --output-certificate $COSIGN_OUTPUT.pem --output-signature $COSIGN_OUTPUT.sig $SOURCE_FILE | |
| gsutil -m cp $SOURCE_FILE gs://$TARGET_BUCKET | |
| gsutil -m cp $COSIGN_OUTPUT.pem gs://$TARGET_BUCKET | |
| gsutil -m cp $COSIGN_OUTPUT.sig gs://$TARGET_BUCKET |