From c9da3d17849a0a7906b6ab423f4dd55f912e72b4 Mon Sep 17 00:00:00 2001
From: Ethan Reesor
Date: Sat, 23 Sep 2023 15:45:16 -0500
Subject: [PATCH] Sign image
---
 .gitlab/all.gitlab-ci.yml | 28 ------------------------
 .gitlab/common.gitlab-ci.yml | 1 -
 .gitlab/release.gitlab-ci.yml | 41 ++++++++++++----------------------
 3 files changed, 14 insertions(+), 56 deletions(-)
diff --git a/.gitlab/all.gitlab-ci.yml b/.gitlab/all.gitlab-ci.yml
index 4a114e533..24ad6c6d0 100644
--- a/.gitlab/all.gitlab-ci.yml
+++ b/.gitlab/all.gitlab-ci.yml
@@ -1,13 +1,3 @@
-.build validation image:
- extends: .rules all
- image: docker:20
- services: [ docker:20-dind ]
- needs: []
- script:
- - docker build --build-arg TAGS=production,testnet -t ${VALIDATION_IMAGE} .
- - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- - docker push ${VALIDATION_IMAGE}
-
 go build:
 extends: [ .rules all, .go ]
 needs:
@@ -82,21 +72,3 @@ lint:
 - go run github.com/rinchsan/gosimports/cmd/gosimports -l */ | tee fmt.log
 - test -s fmt.log && die "Code is incorrectly formatted. Please run \`gosimports -w .\` (or \`./scripts/imports.sh\`)."
 - echo -e "${SECTION}section_end:`date +%s`:imports\r${SECTION}"
-
-.cleanup images:
- # Once validation is done, delete the images
- # Disabled because it doesn't appear to work, though it was copied from GitLab's docs
- extends: .rules all
- image: docker:20
- services: [ docker:20-dind ]
- needs: [ validate docker ]
- variables:
- REG_SHA256: ade837fc5224acd8c34732bf54a94f579b47851cc6a7fd5899a98386b782e228
- REG_VERSION: 0.16.1
- before_script:
- - apk add --no-cache curl
- - curl --fail --show-error --location "https://github.com/genuinetools/reg/releases/download/v$REG_VERSION/reg-linux-amd64" --output /usr/local/bin/reg
- - echo "$REG_SHA256 /usr/local/bin/reg" | sha256sum -c -
- - chmod a+x /usr/local/bin/reg
- script:
- - /usr/local/bin/reg rm -d --auth-url $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD ${VALIDATION_IMAGE}
diff --git a/.gitlab/common.gitlab-ci.yml b/.gitlab/common.gitlab-ci.yml
index d110a3cce..4ed7a0a58 100644
--- a/.gitlab/common.gitlab-ci.yml
+++ b/.gitlab/common.gitlab-ci.yml
@@ -6,7 +6,6 @@ variables:
 NO_COLOR: '\e[0m'
 SECTION: '\e[0K'
 PRODUCTION_IMAGE: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}
- VALIDATION_IMAGE: ${CI_REGISTRY_IMAGE}/validation:${CI_COMMIT_REF_SLUG}
 GO_CI_IMAGE: ${CI_REGISTRY_IMAGE}/ci-golang

 build-image:golang:
diff --git a/.gitlab/release.gitlab-ci.yml b/.gitlab/release.gitlab-ci.yml
index d5f96200b..dd35309ae 100644
--- a/.gitlab/release.gitlab-ci.yml
+++ b/.gitlab/release.gitlab-ci.yml
@@ -1,6 +1,6 @@
 .rules release:
 rules:
- - if: ($CI_COMMIT_BRANCH == 'release-1.0' || $CI_COMMIT_TAG != null) && $CI_PIPELINE_SOURCE != 'merge_request_event'
+ - if: (($CI_COMMIT_BRANCH == 'release-1.0' || $CI_COMMIT_TAG != null) && $CI_PIPELINE_SOURCE != 'merge_request_event') || $BUILD_BIN != null

 git describe:
 stage: test
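Review bot: The added `|| $BUILD_BIN != null` in `.rules release` is ORed at the top level, so once `BUILD_BIN` is set the `$CI_PIPELINE_SOURCE != 'merge_request_event'` exclusion no longer applies and every job extending `.rules release` runs — including `build main image`, which after this patch pushes and keyless-signs `$PRODUCTION_IMAGE`, not only the binary builds the variable name suggests. If the intent is to allow ad-hoc release builds from other branches while still keeping them out of merge-request pipelines, move the clause inside the parenthesis: `- if: ($CI_COMMIT_BRANCH == 'release-1.0' || $CI_COMMIT_TAG != null || $BUILD_BIN != null) && $CI_PIPELINE_SOURCE != 'merge_request_event'`. Either way, a comment above the rule stating who is expected to set `BUILD_BIN` and that it also triggers image publication and signing would make the trust boundary explicit to the next editor.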
@@ -9,44 +9,31 @@ git describe:
 script:
 - git fetch --unshallow
 - echo "GIT_DESCRIBE=$(git describe --dirty)" >> git.env
+ - echo "GIT_COMMIT=$(git rev-parse HEAD)" >> git.env
 artifacts:
 reports:
 dotenv: git.env

-docker buildx:
- stage: test
- extends: .rules release
- image: docker:20-git
- needs: []
- variables:
- GIT_STRATEGY: none
- artifacts:
- paths:
- - buildx
- expire_in: 1 day
- services: [ docker:20-dind ]
- script:
- - export DOCKER_BUILDKIT=1
- - git clone https://github.com/docker/buildx ./docker-buildx
- - docker build --platform=local -o . ./docker-buildx
-
 build main image:
 stage: test
 extends: .rules release
- needs: [ docker buildx ]
- image: docker:20
+ needs: [git describe]
+ image: docker:24
 timeout: 2 hours
 services:
- - name: docker:20-dind
- command: [ --experimental ] # Do we need this?
+ - name: docker:24-dind
+ variables:
+ COSIGN_YES: "true"
+ id_tokens:
+ SIGSTORE_ID_TOKEN:
+ aud: sigstore
 before_script:
- - mkdir -p ~/.docker/cli-plugins
- - mv buildx ~/.docker/cli-plugins/docker-buildx
- - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+ - apk add --update cosign make
 script:
- - docker buildx create --use
 - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- - make docker-push IMAGE=${PRODUCTION_IMAGE}
+ - make docker-push IMAGE=$PRODUCTION_IMAGE GIT_DESCRIBE=$GIT_DESCRIBE GIT_COMMIT=$GIT_COMMIT
+ - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $PRODUCTION_IMAGE)
+ - cosign sign $IMAGE_DIGEST

 build binaries:
 stage: test
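Review bot: `IMAGE_DIGEST` in `build main image` is read back from the local daemon with `{{index .RepoDigests 0}}` rather than taken from the push itself, so the signature goes onto whichever repo digest happens to be listed first; if the image ID carries more than one repo digest, or `make docker-push` (the Makefile is not in this patch) builds with buildx and never loads the result locally, the step either signs the wrong reference or fails with an empty list. Prefer recording the digest from the push output, or at least select the entry for the target repository, e.g. `IMAGE_DIGEST=$(docker inspect --format='{{range .RepoDigests}}{{println .}}{{end}}' $PRODUCTION_IMAGE | grep "^${CI_REGISTRY_IMAGE}@" | head -n1)`. `apk add --update cosign make` installs whatever cosign the Alpine repository ships at run time and `docker:24` is a floating tag; for the tool that produces the release trust anchor, pinning (`cosign=<pinned-version>`) keeps the signing environment reproducible. The unchanged `docker login ... -p $CI_REGISTRY_PASSWORD` line predates this commit but now sits in a signing job, and `--password-stdin` would keep the registry credential out of the process list. A two-line comment above `id_tokens:` noting that signing is keyless via the `SIGSTORE_ID_TOKEN` OIDC token with `aud: sigstore`, and which certificate identity and issuer consumers should pass to `cosign verify`, would record the trust model that nothing in the hunk currently documents.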