Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use reusuable release workflow in sigstore/sigstore #729

Merged
merged 1 commit into from
Mar 11, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions .github/workflows/cut-release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: Cut Release

on:
workflow_dispatch:
inputs:
release_tag:
required: true
type: string
description: 'Release tag'
key_ring:
required: true
type: string
description: 'Key ring for cosign key'
key_name:
required: true
type: string
description: 'Key name for cosign key'

concurrency: cut-release

jobs:
cut-release:
name: Cut release
uses: sigstore/sigstore/.github/workflows/reusable-release.yml@main
permissions:
id-token: write
contents: read
with:
release_tag: ${{ github.event.inputs.release_tag }}
key_ring: ${{ github.event.inputs.key_ring }}
key_name: ${{ github.event.inputs.key_name }}
workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-rekor'
service_account: 'github-actions-rekor@projectsigstore.iam.gserviceaccount.com'
repo: 'rekor'
85 changes: 85 additions & 0 deletions hack/github-oidc-setup.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
#!/usr/bin/env bash

# Copyright 2022 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Idempotent script.
#
# Commands based off of Google blog post
# https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
#
# One addition is the attribute.repository=assertion.repository mapping.
# This allows it to be pinned to given repo.

set -o errexit
set -o nounset
set -o pipefail
set -o verbose
set -o xtrace

PROJECT_ID="projectsigstore"
PROJECT_NUMBER="498091336538"
POOL_NAME="githubactions"
PROVIDER_NAME="sigstore-rekor"
LOCATION="global"
REPO="sigstore/rekor"
SERVICE_ACCOUNT_ID="github-actions-rekor"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com"

# Create workload identity pool if not present.
if ! (gcloud iam workload-identity-pools describe "${POOL_NAME}" --location=${LOCATION}); then
gcloud iam workload-identity-pools create "${POOL_NAME}" \
--project="${PROJECT_ID}" \
--location="${LOCATION}" \
--display-name="Github Actions Pool"
fi

# Create workload identity provider if not present.
if ! (gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" --location="${LOCATION}" --workload-identity-pool="${POOL_NAME}"); then
gcloud iam workload-identity-pools providers create-oidc "${PROVIDER_NAME}" \
--project="${PROJECT_ID}" \
--location="${LOCATION}" \
--workload-identity-pool="${POOL_NAME}" \
--display-name="Github Actions Provider Rekor" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
--issuer-uri="https://token.actions.githubusercontent.com"
fi

# Create service account if not present.
if ! (gcloud iam service-accounts describe "${SERVICE_ACCOUNT}"); then
gcloud iam service-accounts create ${SERVICE_ACCOUNT_ID} \
--description="Service account for Github Actions Rekor" \
--display-name="Github Actions Rekor"
fi

# Adding binding is idempotent.
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/${LOCATION}/workloadIdentityPools/${POOL_NAME}/attribute.repository/${REPO}"

# Adding binding is idempotent.
# Used for kicking off cloud build.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
--project="${PROJECT_ID}" \
--role="roles/cloudbuild.builds.editor" \
--member="serviceAccount:${SERVICE_ACCOUNT}"

# Adding binding is idempotent.
# Permission needed to run `gcloud builds`
# https://cloud.google.com/build/docs/securing-builds/configure-access-to-resources#granting_permissions_to_run_gcloud_commands
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
--project="${PROJECT_ID}" \
--role="roles/serviceusage.serviceUsageConsumer" \
--member="serviceAccount:${SERVICE_ACCOUNT}"