From 3757c7043d5c677fd2d642d69e3b44bea96fcd2e Mon Sep 17 00:00:00 2001
From: Daniel Areste Hernandez
Date: Wed, 25 Sep 2024 15:42:38 +0200
Subject: [PATCH 1/3] feat: improve github actions permissions for OpenSSF
---
 .github/workflows/go-builder.yml | 41 ---------------------------
 .github/workflows/release-builder.yml | 6 ++++
 .github/workflows/scorecards.yml | 2 +-
 3 files changed, 7 insertions(+), 42 deletions(-)
 delete mode 100644 .github/workflows/go-builder.yml
diff --git a/.github/workflows/go-builder.yml b/.github/workflows/go-builder.yml
deleted file mode 100644
index 6c69c54..0000000
--- a/.github/workflows/go-builder.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: Build and Release
-
-on:
- push:
- branches: [ "main" ]
-
-jobs:
-
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: '1.22.4'
-
- - name: Build
- run: |
- BUILD=$(git log --format='%H' -n 1)
- VERSION="dev"
- OSES="linux darwin windows"
- ARCHS="amd64 arm64"
- IFS=" "
-
- for OS in $OSES; do
- for ARCH in $ARCHS; do
- echo "OS: ${OS} and ARCH: ${ARCH}"
- CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
- -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
- -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
- cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
- tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
- done; done
-
- - name: Upload Artifacts
- uses: actions/upload-artifact@v4
- with:
- name: release-artifacts
- path: release/**/*.gz
diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml
index b066bc2..ffb29ad 100644
--- a/.github/workflows/release-builder.yml
+++ b/.github/workflows/release-builder.yml
@@ -1,5 +1,8 @@
 name: Build and upload release artifact
+permissions:
+ contents: read
+
 on:
 release:
 types: [created]
@@ -9,6 +12,9 @@ env:
 jobs:
 build:
+ permissions:
+ contents: write
+
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 2ff39cc..b2a9dd5 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -2,7 +2,7 @@ name: OpenSSF Scorecards
 on:
 branch_protection_rule: # yamllint disable-line rule:empty-values
 schedule:
- - cron: "28 14 * * 2" # Run every Tuesday at 14:28 UTC
+ - cron: "28 14 * * *" # Run daily at 14:28 UTC
 push:
 branches:
 - main
From 1b4bd1a72ab51c9113543c2c3097dc70dcb36752 Mon Sep 17 00:00:00 2001
From: Daniel Areste Hernandez
Date: Thu, 26 Sep 2024 12:36:03 +0200
Subject: [PATCH 2/3] feat: add asses signing
---
 .github/workflows/release-builder.yml | 86 +++++++++++++++------------
 1 file changed, 48 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml
index ffb29ad..d697230 100644
--- a/.github/workflows/release-builder.yml
+++ b/.github/workflows/release-builder.yml
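Review bot: The `permissions:` block added to the `build` job records no reason for `contents: write`, and because a job-level block replaces the workflow-level `contents: read` rather than extending it, every scope not listed here is `none` for the whole job; add a comment such as `# contents: write — needed to attach the built tarballs to the release that triggered this run (presumably the upload-assets step; confirm)` above the scope so the grant stays tied to the step that needs it. Any later step that needs the runner's OIDC token (keyless signing, provenance) must add `id-token: write` to this same job-level block, not to the workflow-level one. The `build` job's steps continue outside the hunk.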
@@ -18,41 +18,51 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Set Release Version
- run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
-
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: '1.22.4'
-
- - name: Build
- run: |
- BUILD=$(git log --format='%H' -n 1)
- VERSION=$RELEASE_VERSION
- OSES="linux darwin windows"
- ARCHS="amd64 arm64"
- IFS=" "
-
- for OS in $OSES; do
- for ARCH in $ARCHS; do
- echo "OS: ${OS} and ARCH: ${ARCH}"
- CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
- -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
- -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
- cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
- tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
- done; done
-
- - name: Upload release binaries
- uses: alexellis/upload-assets@0.4.0
- env:
- GITHUB_TOKEN: ${{ github.token }}
- with:
- asset_paths: '["./release/*.gz"]'
-
- - name: Update new version in krew-index
- uses: rajatjindal/krew-release-bot@v0.0.46
\ No newline at end of file
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set Release Version
+ run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.22.4'
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.6.0
+ with:
+ cosign-release: 'v2.4.0'
+
+ - name: Check cosign version
+ run: cosign version
+
+ - name: Build
+ run: |
+ set -e
+ BUILD=$(git log --format='%H' -n 1)
+ VERSION=$RELEASE_VERSION
+ OSES="linux darwin windows"
+ ARCHS="amd64 arm64"
+ IFS=" "
+
+ for OS in $OSES; do
+ for ARCH in $ARCHS; do
+ echo "OS: ${OS} and ARCH: ${ARCH}"
+ CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
+ -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
+ -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
+ cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
+ tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
+ sha256sum "release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz" >> "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt"
+ done; done
+ cosign sign-blob "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt" \
+ --output-signature="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.sig" \
+ --output-certificate="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.pem" -y
+
+ - name: Upload release binaries
+ uses: alexellis/upload-assets@0.4.1
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ with:
+ asset_paths: '["./release/*.gz", "./release/*.txt", "./release/*.sig", "./release/*.pem"]'
\ No newline at end of file
From fe9d905fb879bc4b4afd4075f0a62db299988154 Mon Sep 17 00:00:00 2001
From: Daniel Areste Hernandez
Date: Thu, 26 Sep 2024 13:47:45 +0200
Subject: [PATCH 3/3] fix: include back krew action
---
 .github/workflows/release-builder.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml
index d697230..a93d027 100644
--- a/.github/workflows/release-builder.yml
+++ b/.github/workflows/release-builder.yml
@@ -65,4 +65,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ github.token }}
 with:
- asset_paths: '["./release/*.gz", "./release/*.txt", "./release/*.sig", "./release/*.pem"]'
\ No newline at end of file
+ asset_paths: '["./release/*.gz", "./release/*.txt", "./release/*.sig", "./release/*.pem"]'
+
+ - name: Update new version in krew-index
+ uses: rajatjindal/krew-release-bot@v0.0.46
\ No newline at end of file
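Review bot: `cosign sign-blob` is run without `--key`, so it is keyless signing and needs the runner's OIDC token, but the `build` job's `permissions:` block (above the hunk, set earlier in this series) grants only `contents: write`; add `id-token: write` to that block, otherwise the step cannot obtain a Fulcio certificate in CI — `-y` only suppresses the transparency-log confirmation, it supplies no identity. The checksum file records each path with the `release/` prefix (`sha256sum "release/…tar.gz" >> …`), so a user who downloads the assets and runs `sha256sum -c` next to them will get "No such file"; write entries relative to the assets directory, e.g. `(cd release && sha256sum "kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz" >> "kubectl-nginx_supportpkg_${VERSION}_checksums.txt")`. `sigstore/cosign-installer@v3.6.0` and `alexellis/upload-assets@0.4.1` are pinned by mutable tags, which the Scorecard Pinned-Dependencies check this series is aimed at will flag; pin both to a commit SHA with the tag in a trailing comment. Consider also documenting the matching verification command (`cosign verify-blob` with `--certificate-identity` and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`) alongside the release, since the `.pem`/`.sig` pair is of little use to consumers without it.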
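Review bot: `rajatjindal/krew-release-bot@v0.0.46` is restored by a mutable tag, so the code that runs on every release can change without any commit to this repository; pin it to the commit SHA, `uses: rajatjindal/krew-release-bot@<sha> # v0.0.46`, which is also what the Scorecard Pinned-Dependencies check expects. The restored step runs inside the `build` job, whose `permissions:` block lies outside the hunk, so whether this action needs any grant beyond the default token should be confirmed against its documentation rather than assumed from the previous revision. The file still ends without a trailing newline (`\ No newline at end of file`); add one so yamllint's new-line-at-end-of-file check passes.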