From 612750c8aecd14d20ff265b8ec2d0209131c2c24 Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Tue, 8 Nov 2022 12:13:27 +0100 Subject: [PATCH] feat: sign pulumi binaries with cosign --- .github/workflows/ci-build-binaries.yml | 3 ++ .github/workflows/ci-prepare-release.yml | 39 +++++++------------ .github/workflows/ci.yml | 1 + .github/workflows/on-merge.yml | 4 ++ .github/workflows/on-pr.yml | 10 ++++- .../pr-test-acceptance-on-dispatch.yml | 4 ++ .goreleaser.yml | 11 ++++++ ...-ci--sign-pulumi-binaries-with-cosign.yaml | 4 ++ 8 files changed, 51 insertions(+), 25 deletions(-) create mode 100644 changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml diff --git a/.github/workflows/ci-build-binaries.yml b/.github/workflows/ci-build-binaries.yml index 4990d1627a18..861490348cac 100644 --- a/.github/workflows/ci-build-binaries.yml +++ b/.github/workflows/ci-build-binaries.yml @@ -48,6 +48,9 @@ jobs: env: PULUMI_VERSION: ${{ inputs.version }} + permissions: + id-token: write + steps: - name: "Windows cache workaround" # https://github.com/actions/cache/issues/752#issuecomment-1222415717 diff --git a/.github/workflows/ci-prepare-release.yml b/.github/workflows/ci-prepare-release.yml index e5cb4359a323..34f51f2f3f87 100644 --- a/.github/workflows/ci-prepare-release.yml +++ b/.github/workflows/ci-prepare-release.yml @@ -3,6 +3,8 @@ name: Prepare permissions: # To create a draft release contents: write + # To sign artifacts. + id-token: write on: workflow_call: @@ -63,11 +65,10 @@ jobs: uses: actions/download-artifact@v2 with: path: artifacts.tmp - + - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - name: Flatten artifact directories run: | mkdir -p ./artifacts - mkdir -p ./sums.tmp mv ./artifacts.tmp/artifacts-*/* ./artifacts # Each of these commands strips the ./ prefix to match existing (<=3.39) formatting. 
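Review bot: The job-level `permissions:` block added to the build job lists only `id-token: write`, and a job-level block sets every scope it does not mention to `none`, so this job loses the default `contents: read` that the other permission blocks in this patch keep (`contents: read` next to `id-token: write` in ci.yml and in the on-merge/on-pr callers). Unless the job is known to need no GITHUB_TOKEN read access at all — the step that actually consumes the OIDC token is not visible in this hunk, presumably goreleaser's new `signs:` entry — the block should read `contents: read` / `id-token: write` to match the sibling workflows. The enclosing job definition starts and ends outside the hunk.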
@@ -75,47 +76,37 @@ jobs: working-directory: artifacts env: version: ${{ inputs.version }} - run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt" + run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../artifacts/pulumi-${version}-checksums.txt" - name: Checksums with BLAKE3 working-directory: artifacts - run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS + run: b3sum ./* | sed 's/.\///' | tee ../artifacts/B3SUMS - name: Checksums with SHA512 working-directory: artifacts - run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS + run: sha512sum ./* | sed 's/.\///' | tee ../artifacts/SHA512SUMS - - name: Sign checksums - working-directory: sums.tmp - # Requires a signing key to be configured. - if: false + - name: Sign binaries and checksums + working-directory: artifacts shell: bash env: - # RELEASE_KEY: ${{ secrets.RELEASE_KEY }} version: ${{ inputs.version }} run: | - set -u - releaseKey="$(mktemp -d)/release.key" - echo "$RELEASE_KEY" > "${releaseKey}" - set -x + ls -la for file in *; do - echo | rsign sign \ - -p "${GITHUB_WORKSPACE}/.github/workflows/release.pub" \ - -s "${releaseKey}" \ - -t "${{ inputs.project }} v$version signed with automated key" \ - -c 'see website for signing information' \ - -x "${file}.auto.minisig" \ - "${file}" + echo "$file" + COSIGN_EXPERIMENTAL=1 cosign sign-blob \ + --output-signature="${file}".sig \ + --output-certificate="${file}".pem \ + "${file}" done - rm "${releaseKey}" - cat ./*.auto.minisig - uses: actions/upload-artifact@v2 with: name: artifacts-signatures retention-days: 1 path: | - sums.tmp/* + artifacts/*.sig if-no-files-found: error publish: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4914670397b7..4f6c4cf2cdf2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,7 @@ name: CI permissions: contents: read + id-token: write on: workflow_call: 
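Review bot: The upload step at the end of the hunk keeps only `artifacts/*.sig`, but keyless `cosign sign-blob` also writes the short-lived signing certificate to `${file}.pem` via `--output-certificate`, and `cosign verify-blob` on a keyless signature needs that certificate (`--certificate`) next to the `.sig`; as written the certificates are discarded and nobody downstream can verify the blobs without going back to Rekor. Change `path:` to list both `artifacts/*.sig` and `artifacts/*.pem` (and wherever the publish job, outside this hunk, copies signatures, carry the `.pem` along). Because the checksum files now land in `artifacts/` instead of `sums.tmp/`, `b3sum ./*` and `sha512sum ./*` also hash the sha256 checksum file (and SHA512SUMS covers B3SUMS) and the loop then signs every one of them — presumably intended, but worth a comment above the checksum steps such as `# Checksum files are written next to the archives so they are hashed and signed too.`. The `ls -la` and `echo "$file"` lines read as debugging leftovers and should go. Since a keyless signature is only as strong as the identity the verifier checks, the release documentation should state the expected certificate identity (this workflow's `job_workflow_ref`) and the issuer `https://token.actions.githubusercontent.com` to pass to `cosign verify-blob`.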
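Review bot: `id-token: write` is added at the top level of ci.yml, which hands an OIDC-minting token to every job in this reusable workflow rather than only to the job that calls ci-build-binaries.yml. Since that build job already carries its own `permissions:` block with `id-token: write` earlier in this patch, the narrower option is to grant it on the calling job inside ci.yml instead of workflow-wide; the job list is outside this hunk, so I cannot tell which unrelated jobs would otherwise inherit it. At minimum, record the intent with a comment like `# Only the build-binaries job should use this permission.`, mirroring the one pr-test-acceptance-on-dispatch.yml already uses for `pull-requests: write`.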
diff --git a/.github/workflows/on-merge.yml b/.github/workflows/on-merge.yml index ef50c79a980c..c193635afac0 100644 --- a/.github/workflows/on-merge.yml +++ b/.github/workflows/on-merge.yml @@ -3,6 +3,8 @@ name: Merge permissions: # To create a draft release. contents: write + # To sign artifacts. + id-token: write on: push: @@ -37,6 +39,8 @@ jobs: uses: ./.github/workflows/ci.yml permissions: contents: read + # To sign artifacts. + id-token: write with: ref: ${{ github.ref }} version: ${{ needs.info.outputs.version }} diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml index 7156c82b7200..da91a55c580a 100644 --- a/.github/workflows/on-pr.yml +++ b/.github/workflows/on-pr.yml @@ -1,8 +1,12 @@ name: Pull Request permissions: + # To create a draft release. contents: write + # To comment on PRs. pull-requests: write + # To sign artifacts. + id-token: write on: pull_request: @@ -42,6 +46,8 @@ jobs: uses: ./.github/workflows/ci.yml permissions: contents: read + # To sign artifacts. + id-token: write with: ref: ${{ github.ref }} version: ${{ needs.info.outputs.version }} @@ -65,11 +71,13 @@ jobs: prepare-release: name: prepare - if: ${{ contains(github.event.pull_request.labels.*.name, 'ci/test') }} + #if: ${{ contains(github.event.pull_request.labels.*.name, 'ci/test') }} needs: [info, ci] uses: ./.github/workflows/ci-prepare-release.yml permissions: contents: write + # To sign artifacts. + id-token: write with: ref: ${{ github.ref }} version: ${{ needs.info.outputs.version }} diff --git a/.github/workflows/pr-test-acceptance-on-dispatch.yml b/.github/workflows/pr-test-acceptance-on-dispatch.yml index 04f4b72c8828..c74a53592ba2 100644 --- a/.github/workflows/pr-test-acceptance-on-dispatch.yml +++ b/.github/workflows/pr-test-acceptance-on-dispatch.yml 
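Review bot: In on-merge.yml the `id-token: write` grant is added both workflow-wide and on the `ci` job, and the workflow-wide one makes every other job in the file (the `info` job and whatever follows, outside this hunk) able to mint OIDC tokens it has no use for. Job-level `permissions:` fully override the workflow default, so keeping the grant only on the jobs that call the signing workflows is enough; if the later prepare-release call job lacks its own block, add it there rather than at the top. Dropping the two top-level lines `# To sign artifacts.` / `id-token: write` is the least-privilege form.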
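Review bot: The `if:` gate on the prepare-release job in on-pr.yml is commented out rather than removed, which reads as a debugging leftover and is a real behaviour change: prepare-release (now holding `contents: write` and `id-token: write` and running the cosign loop) fires on every pull request instead of only those labelled `ci/test`, so every PR build mints keyless signatures — and public Rekor entries — under this repository's identity. Either restore `if: ${{ contains(github.event.pull_request.labels.*.name, 'ci/test') }}` or, if running it on all PRs is intended, delete the dead line and say so in a comment above the job. Note also that for `pull_request` events from forks the token is read-only and no OIDC token is issued, so the signing step would presumably just fail there unless the job is additionally guarded with something like `github.event.pull_request.head.repo.full_name == github.repository`.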
@@ -12,6 +12,8 @@ permissions: contents: read # Only the 'changelog-comment' job should use this permission. pull-requests: write + # To sign artifacts. + id-token: write concurrency: group: ${{ github.workflow }}-${{ github.event.client_payload.pull_request.number }} @@ -51,6 +53,8 @@ jobs: uses: pulumi/pulumi/.github/workflows/ci.yml@master permissions: contents: read + # To sign artifacts. + id-token: write with: ref: refs/pull/${{ github.event.client_payload.pull_request.number }}/merge version: ${{ needs.info.outputs.version }} diff --git a/.goreleaser.yml b/.goreleaser.yml index eb3031a9776d..7199c2fce7ec 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -58,6 +58,17 @@ archives: strip_parent: true name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}" +signs: +- cmd: cosign + certificate: '${artifact}.pem' + args: + - sign-blob + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + artifacts: binary + output: true + snapshot: name_template: "{{ .Version }}-SNAPSHOT" diff --git a/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml new file mode 100644 index 000000000000..8abd9f4b57f4 --- /dev/null +++ b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml @@ -0,0 +1,4 @@ +changes: +- type: feat + scope: ci + description: sign pulumi binaries with cosign
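Review bot: Granting `id-token: write` in pr-test-acceptance-on-dispatch.yml is the riskiest part of this patch: the workflow runs on `repository_dispatch` with a fully privileged token and checks out `refs/pull/N/merge`, i.e. code from the pull request, potentially from a fork, so any step that PR controls can request an OIDC token and, via Fulcio, obtain certificates and signatures carrying this repository's identity (and exercise any cloud trust policy keyed only on `repo:pulumi/pulumi`). The `ref`/`job_workflow_ref` claims in such a token would name the PR merge ref, which only helps if every verifier pins those claims. Unless acceptance runs genuinely need signed binaries, drop `id-token: write` from both the top-level block and the `ci` job here; if it must stay, document in a comment that the dispatch is only triggered by a maintainer after reviewing the PR. The file's existing `# Only the 'changelog-comment' job should use this permission.` shows the per-job scoping it already expects.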
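Review bot: The new `signs:` entry runs `cosign sign-blob` without the `COSIGN_EXPERIMENTAL=1` environment that the workflow's own sign step sets for the same command; with the cosign release installed by the pinned cosign-installer (a 2.8.x installer, i.e. a 1.x cosign), keyless signing presumably requires that variable, so goreleaser's invocation would likely prompt for a key or fail. goreleaser `signs` entries accept an `env` list, so add `env: ['COSIGN_EXPERIMENTAL=1']` to the entry. Also `artifacts: binary` signs only the bare binaries, not the archives produced by the `archives:` section just above nor a checksum file, so what is verifiable does not match what users download; consider `artifacts: all` (or at least `checksum`) and state the choice in a comment. `output: true` copies cosign's full output into the goreleaser log, which is harmless but noisy once the feature is stable.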