From 054ac27e3096f7e92c89602d90f87785b72ddcb7 Mon Sep 17 00:00:00 2001 From: Carlos Tadeu Panato Junior Date: Thu, 17 Feb 2022 18:55:22 +0100 Subject: [PATCH] refactor release cloudbuild job (#1476) Signed-off-by: Carlos Panato --- .github/workflows/validate-release.yml | 1 + .goreleaser.yml | 5 +++++ release/cloudbuild.yaml | 30 ++++---------------------- release/release.mk | 2 +- 4 files changed, 11 insertions(+), 27 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index 04bd3afb350..724c72caf18 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -58,6 +58,7 @@ jobs: run: | docker run --rm --privileged \ -e PROJECT_ID=honk-fake-project \ + -e CI=$CI \ -e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \ -v ${PWD}:/go/src/sigstore/cosign \ -v /var/run/docker.sock:/var/run/docker.sock \ diff --git a/.goreleaser.yml b/.goreleaser.yml index ef7680dbff7..ecf559f4b80 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -11,6 +11,10 @@ before: hooks: - go mod tidy - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' +# if running a release we will generate the images in this step +# if running in the CI the CI env va is set and we dont run the ko steps +# this is needed because we are generating files that goreleaser was not aware to push to GH project release + - /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release && make sign-keyless-release; fi' gomod: proxy: true @@ -250,6 +254,7 @@ release: extra_files: - glob: "./release/release-cosign.pub" + - glob: "./cosign*.yaml" rigs: - rig: diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index 4cf4f3e83fc..f3c0dc376dc 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml 
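Review bot: The added `-e CI=$CI` in `.github/workflows/validate-release.yml` forwards the runner's value unquoted and unpinned, while the hook added to `.goreleaser.yml` in this same commit treats an empty `CI` as a real release. If the variable were ever empty in this job, the validation run would take the `make sign-container-release && make sign-keyless-release` path inside a `--privileged` container that has the Docker socket mounted. This job is always a validation run, so pinning the value is safer: `-e CI=true \`. The `docker run` command continues past the end of the hunk.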
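Review bot: The new `before` hook in `.goreleaser.yml` gates image generation and signing on the generic `CI` variable being empty, so signing is the default and any environment that does not set `CI` (for example a local `goreleaser release`) takes the signing path. The opposite failure is quieter: if the release builder ever exports `CI`, the hook is skipped and the release would presumably go ahead without the signed images and without the `./cosign*.yaml` files that the second hunk adds to `extra_files`. An explicit opt-in makes a clearer gate, e.g. `if [ "$SIGN_RELEASE" = "true" ]; then make sign-container-release && make sign-keyless-release; fi`, where the variable name is illustrative and would be set only in `release/cloudbuild.yaml`. The explanatory comment could be reworded as `# On a real release (CI unset) generate and sign the images here, so the cosign*.yaml files exist before goreleaser collects extra_files.`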
@@ -56,36 +56,14 @@ steps: - GIT_TAG=${_GIT_TAG} - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com - COSIGN_EXPERIMENTAL=true + - KO_PREFIX=gcr.io/${PROJECT_ID} secretEnv: - GITHUB_TOKEN args: - '-c' - | - make release - -- name: ghcr.io/gythialy/golang-cross:v1.17.7-0@sha256:949325ffc52c16867d78412ce70f5ce531812c20e7528ae70dc9e718d72223e8 - entrypoint: 'bash' - dir: "go/src/sigstore/cosign" - env: - - "GOPATH=/workspace/go" - - "GOBIN=/workspace/bin" - - PROJECT_ID=${PROJECT_ID} - - KEY_LOCATION=${_KEY_LOCATION} - - KEY_RING=${_KEY_RING} - - KEY_NAME=${_KEY_NAME} - - KEY_VERSION=${_KEY_VERSION} - - GIT_TAG=${_GIT_TAG} - - KO_PREFIX=gcr.io/${PROJECT_ID} - - COSIGN_EXPERIMENTAL=true - - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com - secretEnv: - - GITHUB_TOKEN - args: - - '-c' - - | - gcloud auth configure-docker \ - && make sign-container-release \ - && make sign-keyless-release + gcloud auth configure-docker \ + && make release availableSecrets: secretManager: @@ -98,7 +76,7 @@ artifacts: paths: - "go/src/sigstore/cosign/dist/*" - "go/src/sigstore/cosign/release/release-cosign.pub" - - "go/src/sigstore/cosign/cosign*.yaml + - "go/src/sigstore/cosign/cosign*.yaml" options: machineType: E2_HIGHCPU_8 diff --git a/release/release.mk b/release/release.mk index 2ab34090e44..65ae323403e 100644 --- a/release/release.mk +++ b/release/release.mk @@ -5,7 +5,7 @@ # used when releasing together with GCP CloudBuild .PHONY: release release: - LDFLAGS="$(LDFLAGS)" goreleaser release --timeout 60m + LDFLAGS="$(LDFLAGS)" goreleaser release --timeout 120m ########################### # sign with GCP KMS section
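Review bot: Folding the signing step into `make release` in the first `release/cloudbuild.yaml` hunk changes the order of publication, and nothing in the step records that. The signing targets now run from goreleaser's `before` hooks, so images are generated and signed under `KO_PREFIX=gcr.io/${PROJECT_ID}` before goreleaser has built or published anything; the removed step ran only after `make release` had succeeded. If the goreleaser run fails after the hook, signed images for the tag presumably remain in the registry with no matching GitHub release. I would add a comment above the step such as `# signing runs in goreleaser's before hooks; a failed release can leave signed images for this tag, so clean up or re-run before announcing`. The step definition starts above the hunk.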