encrypt values to create the github action secret

[cpanato]

Summary

• Update go-github to v45
• fail fast if the GitHub token is not set
• encrypt values to create the github action secret

Running this patch in a repo

/~https://github.com/cpanato/testing-ci-providers/runs/6864530948?check_suite_focus=true

$ cosign verify --key cosign.pub ghcr.io/cpanato/testing-ci-providers/test:latest

Verification for ghcr.io/cpanato/testing-ci-providers/test:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"ghcr.io/cpanato/testing-ci-providers/test"},"image":{"docker-manifest-digest":"sha256:1954e3d3c624d07f1c743f9d987b9a04c0454f325fa24402993e79a1b00f0998"},"type":"cosign container image signature"},"optional":null}]

Ticket Link

Fixes #1431

[cpanato]

not sure if just this is enough or we should create something else

[znewman01]

Usually you want crypto/rand.Reader https://pkg.go.dev/crypto/rand#pkg-variables

[codecov-commenter]

Codecov Report

Merging #1990 (ac0e556) into main (655a681) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1990   +/-   ##
=======================================
  Coverage   26.16%   26.16%           
=======================================
  Files         127      127           
  Lines        7422     7422           
=======================================
  Hits         1942     1942           
  Misses       5225     5225           
  Partials      255      255           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 655a681...ac0e556. Read the comment docs.

[znewman01]

Looking good! Can I ask for you to test with env:

        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

in the CI test (instead of dumping to cosign.key)?

[znewman01]

Usually you want crypto/rand.Reader https://pkg.go.dev/crypto/rand#pkg-variables

[znewman01]

What's the advantage of this extra variable? Maybe a comment explaining why we can't just use decodedPubKey.

[cpanato]

i need to copy the 32 first and then pass that as a reference to the function, cannot use that straight

[cpanato]

Looking good! Can I ask for you to test with env:

        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

in the CI test (instead of dumping to cosign.key)?

thanks for the review and feedback

the job is not dumping the key, it actually using it, see /~https://github.com/cpanato/testing-ci-providers/blob/main/.github/workflows/cosign-key.yml

[developer-guy]

LGTM, thanks @cpanato for taking the responsibility 👍

[znewman01]

Looking good! Can I ask for you to test with env:

        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

in the CI test (instead of dumping to cosign.key)?

thanks for the review and feedback

the job is not dumping the key, it actually using it, see /~https://github.com/cpanato/testing-ci-providers/blob/main/.github/workflows/cosign-key.yml

Sorry, I was unclear. The motivation for pinging this bug was a workflow involving the $COSIGN_PRIVATE_KEY and $COSIGN_PASSWORD env vars. I was just wondering if we should test those as well, rather than a workflow that wrote $COSIGN_PRIVATE_KEY to disk and passed it through the --key flag. This is probably the workflow we'll recommend because it's 1 less step.

[cpanato]

ah, I see now

I think that does not work now, but i can test and if that does not work, propose a fix

UPDATE:
remember that we have the env:// prefix that can be used for that, then you can do the following

      - name: Build and sign a container image
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        run: |
          cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/cpanato/testing-ci-providers/test:latest

[cpanato]

Looking good! Can I ask for you to test with env:

        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

in the CI test (instead of dumping to cosign.key)?

thanks for the review and feedback
the job is not dumping the key, it actually using it, see /~https://github.com/cpanato/testing-ci-providers/blob/main/.github/workflows/cosign-key.yml

Sorry, I was unclear. The motivation for pinging this bug was a workflow involving the $COSIGN_PRIVATE_KEY and $COSIGN_PASSWORD env vars. I was just wondering if we should test those as well, rather than a workflow that wrote $COSIGN_PRIVATE_KEY to disk and passed it through the --key flag. This is probably the workflow we'll recommend because it's 1 less step.

@znewman01 to get back to you
today we cannot use the key as a environment variable, it expects a file, but i can propose a PR to add this change and get feedback

[cpanato]

gently ping to review @developer-guy @dlorenc

[znewman01]

Looking good! Can I ask for you to test with env:

        COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
        COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

in the CI test (instead of dumping to cosign.key)?

thanks for the review and feedback
the job is not dumping the key, it actually using it, see /~https://github.com/cpanato/testing-ci-providers/blob/main/.github/workflows/cosign-key.yml

Sorry, I was unclear. The motivation for pinging this bug was a workflow involving the $COSIGN_PRIVATE_KEY and $COSIGN_PASSWORD env vars. I was just wondering if we should test those as well, rather than a workflow that wrote $COSIGN_PRIVATE_KEY to disk and passed it through the --key flag. This is probably the workflow we'll recommend because it's 1 less step.

@znewman01 to get back to you today we cannot use the key as a environment variable, it expects a file, but i can propose a PR to add this change and get feedback

Whoops, I guess that was never expected to work! Sorry for the confusion.

And yes, such a PR would be great.

[znewman01]

Oh, actually @cpanato : the --key flag takes an env://ENV_VAR syntax. So this should work with env://COSIGN_PRIVATE_KEY. No need for a PR

[cpanato]

Oh, actually @cpanato : the --key flag takes an env://ENV_VAR syntax. So this should work with env://COSIGN_PRIVATE_KEY. No need for a PR

yep, i've made a comment in the PR for this exactly same thing :)

[dlorenc]

Is this one ready to go?