sigstore · cpanato · Jun 9, 2022 · Jun 9, 2022 · Jun 9, 2022 · Jun 9, 2022
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -45,8 +45,7 @@ jobs:
       # will use the latest release available for ko
       - uses: imjasonh/setup-ko@2c3450ca27f6e6f2b02e72a40f2163c281a1f675 # v0.4
 
-      - name: Install goimports
-        run: go get golang.org/x/tools/cmd/goimports
+      - uses: chainguard-dev/actions/goimports@84c993eaf02da1c325854fb272a4df9184bd80fc # main
 
       - name: Set up Cloud SDK
         uses: google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955 # v0.8.0
@@ -56,7 +55,6 @@ jobs:
 
       - name: creds
         run: gcloud auth configure-docker --quiet
-      - name: container
-        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-container
-      - name: sget
-        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-sget
+
+      - name: containers-cosign-sget
+        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-ci-containers
diff --git a/.github/workflows/github-oidc.yaml b/.github/workflows/github-oidc.yaml
@@ -49,7 +49,7 @@ jobs:
         run: |
           set -e
           # Build and publish an image.
-          make sign-keyless-container
+          make sign-ci-keyless-containers
 
       - name: Build and sign a blob
         run: |

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -245,4 +245,3 @@ release:
 
   extra_files:
     - glob: "./release/release-cosign.pub"
-    - glob: "./cosign*.yaml"
diff --git a/Makefile b/Makefile
@@ -57,7 +57,6 @@ GOLANGCI_LINT_BIN = $(GOLANGCI_LINT_DIR)/golangci-lint
 KO_PREFIX ?= gcr.io/projectsigstore
 export KO_DOCKER_REPO=$(KO_PREFIX)
 GHCR_PREFIX ?= ghcr.io/sigstore/cosign
-COSIGNED_YAML ?= cosign-$(GIT_TAG).yaml
 LATEST_TAG ?=
 
 .PHONY: all lint test clean cosign cross
@@ -170,10 +169,6 @@ ko-local:
 		$(ARTIFACT_HUB_LABELS) \
 		github.com/sigstore/cosign/cmd/cosign
 
-.PHONY: ko-apply
-ko-apply:
-	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/
-
 ##################
 # help
 ##################

diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
@@ -32,7 +32,7 @@ steps:
     echo "Checking out ${_GIT_TAG}"
     git checkout ${_GIT_TAG}
 
-- name: 'gcr.io/projectsigstore/cosign:v1.8.0@sha256:12b4d428529654c95a7550a936cbb5c6fe93a046ea7454676cb6fb0ce566d78c'
+- name: 'gcr.io/projectsigstore/cosign:v1.9.0@sha256:ef2d14e16dbb7786d8713e4898a8512e69ace4105f5b371a9c115ffcc3e85d84'
   dir: "go/src/sigstore/cosign"
   env:
   - COSIGN_EXPERIMENTAL=true
@@ -100,7 +100,6 @@ artifacts:
     paths:
     - "go/src/sigstore/cosign/dist/*"
     - "go/src/sigstore/cosign/release/release-cosign.pub"
-    - "go/src/sigstore/cosign/cosign*.yaml"
 
 options:
   machineType: E2_HIGHCPU_32

diff --git a/release/ko-sign-release-images.sh b/release/ko-sign-release-images.sh
@@ -37,25 +37,11 @@ if [[ ! -f sgetImagerefs ]]; then
     exit 1
 fi
 
-if [[ ! -f policyControllerImagerefs ]]; then
-    echo "policyControllerImagerefs not found"
-    exit 1
-fi
-
-if [[ ! -f policyImagerefs ]]; then
-    echo "policyImagerefs not found"
-    exit 1
-fi
-
 echo "Signing cosign images with GCP KMS Key..."
 
 cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignImagerefs)"
 cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat sgetImagerefs)"
-cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyControllerImagerefs)"
-cosign sign --force --key "gcpkms://projects/$PROJECT_ID/locations/$KEY_LOCATION/keyRings/$KEY_RING/cryptoKeys/$KEY_NAME/versions/$KEY_VERSION" -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyImagerefs)"
 
 echo "Signing images with Keyless..."
 cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat cosignImagerefs)"
 cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat sgetImagerefs)"
-cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyControllerImagerefs)"
-cosign sign --force -a GIT_HASH="$GIT_HASH" -a GIT_VERSION="$GIT_VERSION" "$(cat policyImagerefs)"
diff --git a/release/release.mk b/release/release.mk
@@ -28,17 +28,9 @@ snapshot:
 copy-cosign-signed-release-to-ghcr:
 	cosign copy $(KO_PREFIX)/cosign:$(GIT_VERSION) $(GHCR_PREFIX)/cosign:$(GIT_VERSION)
 
-.PHONY: copy-policy-controller-signed-release-to-ghcr
-copy-policy-controller-signed-release-to-ghcr:
-	cosign copy $(KO_PREFIX)/policy-controller:$(GIT_VERSION) $(GHCR_PREFIX)/policy-controller:$(GIT_VERSION)
-
-.PHONY: copy-policy-webhook-signed-release-to-ghcr
-copy-policy-webhook-signed-release-to-ghcr:
-	cosign copy $(KO_PREFIX)/policy-webhook:$(GIT_VERSION) $(GHCR_PREFIX)/policy-webhook:$(GIT_VERSION)
-
 .PHONY: copy-sget-signed-release-to-ghcr
 copy-sget-signed-release-to-ghcr:
 	cosign copy $(KO_PREFIX)/sget:$(GIT_VERSION) $(GHCR_PREFIX)/sget:$(GIT_VERSION)
 
 .PHONY: copy-signed-release-to-ghcr
-copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-policy-controller-signed-release-to-ghcr copy-sget-signed-release-to-ghcr copy-policy-webhook-signed-release-to-ghcr
+copy-signed-release-to-ghcr: copy-cosign-signed-release-to-ghcr copy-sget-signed-release-to-ghcr
diff --git a/test/ci.mk b/test/ci.mk
@@ -2,36 +2,18 @@
 # signing ci
 ############
 
-.PHONY: sign-container
-sign-container: ko
+.PHONY: sign-ci-containers
+sign-ci-container: ko
 	cosign sign --key .github/workflows/cosign-test.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosign:$(GIT_HASH)
-
-.PHONY: sign-policy-controller
-sign-policy-controller:
-	cosign sign --key .github/workflows/cosign-test.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/policy-controller:$(GIT_HASH)
-
-.PHONY: sign-sget
-sign-sget:
 	cosign sign --key .github/workflows/cosign-test.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/sget:$(GIT_HASH)
 
-.PHONY: sign-keyless-cosign
-sign-keyless-cosign:
+.PHONY: sign-ci-keyless-containers
+sign-ci-keyless-container: ko
 	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosign:$(GIT_HASH)
 	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/cosign:$(GIT_VERSION)
-
-.PHONY: sign-keyless-policy-controller
-sign-keyless-policy-controller:
-	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/policy-controller:$(GIT_HASH)
-	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/policy-controller:$(GIT_VERSION)
-
-.PHONY: sign-keyless-sget
-sign-keyless-sget:
 	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/sget:$(GIT_HASH)
 	cosign sign -a sha=$(GIT_HASH) -a run_id=${GITHUB_RUN_ID} -a run_attempt=${GITHUB_RUN_ATTEMPT} ${KO_PREFIX}/sget:$(GIT_VERSION)
 
-.PHONY: sign-keyless-container
-sign-keyless-container: ko sign-keyless-cosign sign-keyless-policy-controller sign-keyless-sget
-
 .PHONY: sign-blob-experimental
 sign-blob-experimental:
 	./test/sign_blob_test.sh
Original file line number	Diff line number	Diff line change
Expand Up		@@ -245,4 +245,3 @@ release:

		extra_files:
		- glob: "./release/release-cosign.pub"
		- glob: "./cosign*.yaml"