Sign image

AccumulateNetwork · Sep 23, 2023 · 9301c49 · 9301c49
1 parent 5bbfa7a
commit 9301c49
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 31 deletions.
diff --git a/.gitlab/all.gitlab-ci.yml b/.gitlab/all.gitlab-ci.yml
@@ -1,13 +1,3 @@
-.build validation image:
-  extends: .rules all
-  image: docker:20
-  services: [ docker:20-dind ]
-  needs: []
-  script:
-    - docker build --build-arg TAGS=production,testnet -t ${VALIDATION_IMAGE} .
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - docker push ${VALIDATION_IMAGE}
-
 go build:
   extends: [ .rules all, .go ]
   needs:
@@ -82,21 +72,3 @@ lint:
     - go run github.com/rinchsan/gosimports/cmd/gosimports -l */ | tee fmt.log
     - test -s fmt.log && die "Code is incorrectly formatted. Please run \`gosimports -w .\` (or \`./scripts/imports.sh\`)."
     - echo -e "${SECTION}section_end:`date +%s`:imports\r${SECTION}"
-
-.cleanup images:
-  # Once validation is done, delete the images
-  # Disabled because it doesn't appear to work, though it was copied from GitLab's docs
-  extends: .rules all
-  image: docker:20
-  services: [ docker:20-dind ]
-  needs: [ validate docker ]
-  variables:
-    REG_SHA256: ade837fc5224acd8c34732bf54a94f579b47851cc6a7fd5899a98386b782e228
-    REG_VERSION: 0.16.1
-  before_script:
-  - apk add --no-cache curl
-  - curl --fail --show-error --location "https://github.com/genuinetools/reg/releases/download/v$REG_VERSION/reg-linux-amd64" --output /usr/local/bin/reg
-  - echo "$REG_SHA256  /usr/local/bin/reg" | sha256sum -c -
-  - chmod a+x /usr/local/bin/reg
-  script:
-  - /usr/local/bin/reg rm -d --auth-url $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD ${VALIDATION_IMAGE}
diff --git a/.gitlab/common.gitlab-ci.yml b/.gitlab/common.gitlab-ci.yml
@@ -6,7 +6,6 @@ variables:
   NO_COLOR: '\e[0m'
   SECTION: '\e[0K'
   PRODUCTION_IMAGE: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}
-  VALIDATION_IMAGE: ${CI_REGISTRY_IMAGE}/validation:${CI_COMMIT_REF_SLUG}
   GO_CI_IMAGE: ${CI_REGISTRY_IMAGE}/ci-golang
 
 build-image:golang:

diff --git a/.gitlab/release.gitlab-ci.yml b/.gitlab/release.gitlab-ci.yml
@@ -1,6 +1,6 @@
 .rules release:
   rules:
-  - if: ($CI_COMMIT_BRANCH == 'release-1.0' || $CI_COMMIT_TAG != null) && $CI_PIPELINE_SOURCE != 'merge_request_event'
+  - if: (($CI_COMMIT_BRANCH == 'release-1.0' || $CI_COMMIT_TAG != null) && $CI_PIPELINE_SOURCE != 'merge_request_event') || $BUILD_BIN != null
 
 git describe:
   stage: test
@@ -39,14 +39,22 @@ build main image:
   services:
     - name: docker:20-dind
       command: [ --experimental ] # Do we need this?
+  variables:
+    COSIGN_YES: "true"
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
   before_script:
     - mkdir -p ~/.docker/cli-plugins
     - mv buildx ~/.docker/cli-plugins/docker-buildx
     - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+    - apk add --update cosign
   script:
     - docker buildx create --use
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - make docker-push IMAGE=${PRODUCTION_IMAGE}
+    - make docker-push IMAGE=$PRODUCTION_IMAGE
+    - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $PRODUCTION_IMAGE)
+    - cosign sign $IMAGE_DIGEST
 
 build binaries:
   stage: test