From 1d759dd09e795ca36fb2977e5513503b3b23bf88 Mon Sep 17 00:00:00 2001
From: Tim Hardeck
Date: Mon, 3 Feb 2025 14:53:25 +0100
Subject: [PATCH] WIP

---
 .github/workflows/release.yml | 73 +++++++++++++----------------------
 .goreleaser.yaml | 30 +++++++-------
 2 files changed, 43 insertions(+), 60 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3360fb5988..d3350ebd9a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,37 +44,6 @@ jobs:
           secrets: |
             secret/data/github/repo/${{ github.repository }}/fossa/credential token | FOSSA_API_KEY
-      - name: Run FOSSA scan
-        uses: fossas/fossa-action@v1.5.0
-        with:
-          api-key: ${{ env.FOSSA_API_KEY }}
-      - name: Run FOSSA tests
-        uses: fossas/fossa-action@v1.5.0
-        with:
-          api-key: ${{ env.FOSSA_API_KEY }}
-          run-tests: false
-      - name: Check for code changes
-        continue-on-error: ${{ contains(github.ref, 'rc') }}
-        run: |
-          ./.github/scripts/check-for-auto-generated-changes.sh
-          go mod verify
-      - name: Run unit tests
-        continue-on-error: ${{ contains(github.ref, 'rc') }}
-        run: go test -cover -tags=test $(go list ./... | grep -v -e /e2e -e /integrationtests -e /benchmarks)
-      - name: Install Ginkgo CLI
-        run: go install github.com/onsi/ginkgo/v2/ginkgo
-      - name: Run integration tests
-        continue-on-error: ${{ contains(github.ref, 'rc') }}
-        env:
-          SETUP_ENVTEST_VER: v0.0.0-20240115093953-9e6e3b144a69
-          ENVTEST_K8S_VERSION: 1.28
-        run: ./.github/scripts/run-integration-tests.sh
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -133,36 +102,46 @@ jobs:
           args: release --clean --verbose
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
+          GORELEASER_CURRENT_TAG: v0.12.0-alpha.8
           PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
+      # Workaround until `docker manifest create` supports provenance meta data
+      - name: Create Docker manifest for Prime and sign it
+        shell: bash
+        run: |
+          for IMAGE in fleet fleet-agent; do
+            URL="${{ env.PRIME_REGISTRY }}/rancher/${IMAGE}:v0.12.0-alpha.8"
+            docker buildx imagetools create -t "${URL}" \
+              "${URL}-linux-amd64" \
+              "${URL}-linux-arm64"
+
+            cosign sign --oidc-provider=github-actions --yes "${URL}"
+          done
+
       - name: Attest provenance
         shell: bash
-        env:
-          PRIME_REGISTRY: ${{ env.PRIME_REGISTRY }}
-          CURRENT_TAG: ${{ github.ref_name }}
         run: |
-          for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep PRIME_REGISTRY | sed "s/{{ .Env.PRIME_REGISTRY }}/${PRIME_REGISTRY}/g" | sed "s/{{ .Tag }}/${CURRENT_TAG}/g"); do
+          for IMG_NAME in $(yq e '.dockers[].image_templates[0]' .goreleaser.yaml | grep PRIME_REGISTRY | sed "s/{{ .Env.PRIME_REGISTRY }}/${{ env.PRIME_REGISTRY }}/g" | sed "s/{{ .Tag }}/v0.12.0-alpha.8/g"); do
             # Extract Docker image reference plus digest from local image
-            IMAGE=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMG_NAME})
+            URL=$(docker inspect --format='{{index .RepoDigests 0}}' ${IMG_NAME})
             max_retries=3
             retry_delay=5
             i=0
             while [ "${i}" -lt "${max_retries}" ]; do
-              if slsactl download provenance --format=slsav1 "${IMAGE}" > provenance-slsav1.json; then
-                break
-              fi
-              if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
-                echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
-                exit 1
-              fi
-              i=$(( i + 1 ))
-              sleep "${retry_delay}"
+              if slsactl download provenance --format=slsav1 "${URL}" > provenance-slsav1.json; then
+                break
+              fi
+              if [ "${i}" -eq "$(( max_retries - 1 ))" ]; then
+                echo "ERROR: Failed to generate slsav1 provenance. Check whether the image is present in the Prime registry."
+                exit 1
+              fi
+              i=$(( i + 1 ))
+              sleep "${retry_delay}"
             done
-            cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${IMAGE}"
+            cosign attest --yes --predicate provenance-slsav1.json --type slsaprovenance1 "${URL}"
           done
       - name: Upload charts to release
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 73a8dd539b..3a2ed8698b 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
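Review bot: The Prime manifest list is signed by its mutable tag in `cosign sign --oidc-provider=github-actions --yes "${URL}"`, whereas the attest step right below pins the per-arch images to their digest via `RepoDigests`; the tag can be re-pointed between `imagetools create` and the signing call, so the signature should be bound to the digest, e.g. `DIGEST=$(docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "${URL}")` followed by `cosign sign --oidc-provider=github-actions --yes "${URL}@${DIGEST}"`. The tag `v0.12.0-alpha.8` is now hard-coded in three places (the `GORELEASER_CURRENT_TAG` env, the `URL=` line and the `sed` in the attest loop), so any other release run would overwrite and re-sign that one tag; restoring a single `CURRENT_TAG: ${{ github.ref_name }}` under `env:` and using `${CURRENT_TAG}` in both scripts keeps the steps in sync. The rewrite also drops the `env:` passthrough and interpolates `${{ env.PRIME_REGISTRY }}` straight into the `run:` bodies; passing it through `env:` as the removed lines did keeps GitHub expressions out of the shell text, which is the recommended pattern against script injection even when the value is trusted. Note as well that the new manifest list receives a signature but no provenance attestation, since the attest loop only iterates `.dockers[].image_templates[0]`, i.e. the per-arch images. The enclosing job starts before this hunk.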
@@ -310,17 +310,20 @@ docker_manifests:
       - "{{ .Env.REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
       - "{{ .Env.REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"
-
-  - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}"
-    id: fleet-manifest-private
-    image_templates:
-      - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-amd64"
-      - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-arm64"
-
-  - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}"
-    id: fleet-agent-manifest-private
-    image_templates:
-      - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
-      - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"
+  # docker manifest create has issues with provenance which results in the error:
+  # ... is a manifest list
+  # we need to use buildx in a separate step instead
+  # - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}"
+  #   id: fleet-manifest-private
+  #   image_templates:
+  #     - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-amd64"
+  #     - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet:{{ .Tag }}-linux-arm64"
+  #
+  # - name_template: "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}"
+  #   id: fleet-agent-manifest-private
+  #   image_templates:
+  #     - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-amd64"
+  #     - "{{ .Env.PRIME_REGISTRY }}/rancher/fleet-agent:{{ .Tag }}-linux-arm64"
 docker_signs:
   - # ID of the sign config, must be unique.
@@ -360,5 +363,6 @@ docker_signs:
       - fleet-arm64-private
       - fleet-agent-amd64-private
       - fleet-agent-arm64-private
-      - fleet-manifest-private
-      - fleet-agent-manifest-private
\ No newline at end of file
+      # docker manifest create has issues with provenance that's why we can not create them here
+      # - fleet-manifest-private
+      # - fleet-agent-manifest-private
\ No newline at end of file
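Review bot: The commented-out `docker_manifests` entries say why they were disabled but not where the Prime manifest lists now come from, so a reader of this file sees the `PRIME_REGISTRY` manifests (and their `docker_signs` coverage) simply disappear. A comment such as `# Prime manifest lists are built with docker buildx imagetools and signed in .github/workflows/release.yml ("Create Docker manifest for Prime and sign it") until goreleaser's docker manifest create handles images that carry provenance.` would keep the two files traceable to each other. Since git history preserves the old entries, the twelve commented lines could be dropped in favour of that comment alone; if they are kept as a template, a TODO naming the tracking issue makes the "temporary" intent explicit. The surrounding `docker_manifests` list begins before this hunk.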