From a32c7500b98f3981ccfc2ddde6a0decafba9ecd0 Mon Sep 17 00:00:00 2001 From: Kenny Leung Date: Fri, 11 Mar 2022 13:43:03 -0800 Subject: [PATCH] Use reusuable release workflow in sigstore/sigstore Signed-off-by: Kenny Leung --- .github/workflows/cut-release.yml | 34 +++++++++++++ hack/github-oidc-setup.sh | 85 +++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+) create mode 100644 .github/workflows/cut-release.yml create mode 100755 hack/github-oidc-setup.sh diff --git a/.github/workflows/cut-release.yml b/.github/workflows/cut-release.yml new file mode 100644 index 000000000..e74b68492 --- /dev/null +++ b/.github/workflows/cut-release.yml @@ -0,0 +1,34 @@ +name: Cut Release + +on: + workflow_dispatch: + inputs: + release_tag: + required: true + type: string + description: 'Release tag' + key_ring: + required: true + type: string + description: 'Key ring for cosign key' + key_name: + required: true + type: string + description: 'Key name for cosign key' + +concurrency: cut-release + +jobs: + cut-release: + name: Cut release + uses: sigstore/sigstore/.github/workflows/reusable-release.yml@main + permissions: + id-token: write + contents: read + with: + release_tag: ${{ github.event.inputs.release_tag }} + key_ring: ${{ github.event.inputs.key_ring }} + key_name: ${{ github.event.inputs.key_name }} + workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-rekor' + service_account: 'github-actions-rekor@projectsigstore.iam.gserviceaccount.com' + repo: 'rekor' diff --git a/hack/github-oidc-setup.sh b/hack/github-oidc-setup.sh new file mode 100755 index 000000000..b3ae734f7 --- /dev/null +++ b/hack/github-oidc-setup.sh @@ -0,0 +1,85 @@ +#!/usr/bin/env bash + +# Copyright 2022 The Sigstore Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Idempotent script. +# +# Commands based off of Google blog post +# https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions +# +# One addition is the attribute.repository=assertion.repository mapping. +# This allows it to be pinned to given repo. + +set -o errexit +set -o nounset +set -o pipefail +set -o verbose +set -o xtrace + +PROJECT_ID="projectsigstore" +PROJECT_NUMBER="498091336538" +POOL_NAME="githubactions" +PROVIDER_NAME="sigstore-rekor" +LOCATION="global" +REPO="sigstore/rekor" +SERVICE_ACCOUNT_ID="github-actions-rekor" +SERVICE_ACCOUNT="${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com" + +# Create workload identity pool if not present. +if ! (gcloud iam workload-identity-pools describe "${POOL_NAME}" --location=${LOCATION}); then + gcloud iam workload-identity-pools create "${POOL_NAME}" \ + --project="${PROJECT_ID}" \ + --location="${LOCATION}" \ + --display-name="Github Actions Pool" +fi + +# Create workload identity provider if not present. +if ! (gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" --location="${LOCATION}" --workload-identity-pool="${POOL_NAME}"); then + gcloud iam workload-identity-pools providers create-oidc "${PROVIDER_NAME}" \ + --project="${PROJECT_ID}" \ + --location="${LOCATION}" \ + --workload-identity-pool="${POOL_NAME}" \ + --display-name="Github Actions Provider Rekor" \ + --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \ + --issuer-uri="https://token.actions.githubusercontent.com" +fi + +# Create service account if not present. +if ! (gcloud iam service-accounts describe "${SERVICE_ACCOUNT}"); then +gcloud iam service-accounts create ${SERVICE_ACCOUNT_ID} \ + --description="Service account for Github Actions Rekor" \ + --display-name="Github Actions Rekor" +fi + +# Adding binding is idempotent. +gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}" \ + --project="${PROJECT_ID}" \ + --role="roles/iam.workloadIdentityUser" \ + --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/${LOCATION}/workloadIdentityPools/${POOL_NAME}/attribute.repository/${REPO}" + +# Adding binding is idempotent. +# Used for kicking off cloud build. +gcloud projects add-iam-policy-binding "${PROJECT_ID}" \ + --project="${PROJECT_ID}" \ + --role="roles/cloudbuild.builds.editor" \ + --member="serviceAccount:${SERVICE_ACCOUNT}" + +# Adding binding is idempotent. +# Permission needed to run `gcloud builds` +# https://cloud.google.com/build/docs/securing-builds/configure-access-to-resources#granting_permissions_to_run_gcloud_commands +gcloud projects add-iam-policy-binding "${PROJECT_ID}" \ + --project="${PROJECT_ID}" \ + --role="roles/serviceusage.serviceUsageConsumer" \ + --member="serviceAccount:${SERVICE_ACCOUNT}"