From 4bbd263fed73f5f9bb0a3ca06f2eb3514cba6b21 Mon Sep 17 00:00:00 2001
From: Kenny Leung <kleung@chainguard.dev>
Date: Mon, 7 Mar 2022 04:57:27 -0800
Subject: [PATCH] Mirror signed release images from GCR to GHCR as part of
release (#701)
Signed-off-by: Kenny Leung <kleung@chainguard.dev>
---
Makefile | 1 +
release/README.md | 3 ++-
release/cloudbuild.yaml | 25 +++++++++++++++++++++++++
release/release.mk | 15 +++++++++++++++
4 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 7ef6c29..2230c26 100644
--- a/Makefile
+++ b/Makefile
@@ -46,6 +46,7 @@ endif
KO_PREFIX ?= gcr.io/projectsigstore
export KO_DOCKER_REPO=$(KO_PREFIX)
REKOR_YAML ?= rekor-$(GIT_TAG).yaml
+GHCR_PREFIX ?= ghcr.io/sigstore/rekor
# Binaries
SWAGGER := $(TOOLS_BIN_DIR)/swagger
diff --git a/release/README.md b/release/README.md
index f6a57bc..76ff1fc 100644
--- a/release/README.md
+++ b/release/README.md
@@ -31,7 +31,7 @@ $ git push origin ${RELEASE_TAG}
```shell
$ gcloud builds submit --config <PATH_TO_CLOUDBUILD> \
- --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=rekor,_STORAGE_LOCATION=rekor-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
+ --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=rekor,_STORAGE_LOCATION=rekor-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME>,_GITHUB_USER=<GITHUB_USER> \
--project <GCP_PROJECT>
```
@@ -47,6 +47,7 @@ Where:
- `_KEY_NAME` key name of your cosign key.
- `_KEY_VERSION` version of the key storaged in KMS. Default `1`.
- `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`.
+- `_GITHUB_USER` GitHub user to authenticate for pushing to GHCR.
4. When the job finish, whithout issues, you should be able to see in GitHub a draft release.
You now can review the release, make any changes if needed and then publish to make it an official release.
diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml
index 1402f98..2e099a5 100644
--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -86,6 +86,30 @@ steps:
&& make sign-container-release \
&& make sign-keyless-release
+- name: gcr.io/cloud-builders/docker
+ entrypoint: 'bash'
+ dir: "go/src/sigstore/fulcio"
+ env:
+ - "GOPATH=/workspace/go"
+ - "GOBIN=/workspace/bin"
+ - PROJECT_ID=${PROJECT_ID}
+ - KEY_LOCATION=${_KEY_LOCATION}
+ - KEY_RING=${_KEY_RING}
+ - KEY_NAME=${_KEY_NAME}
+ - KEY_VERSION=${_KEY_VERSION}
+ - GIT_TAG=${_GIT_TAG}
+ - KO_PREFIX=gcr.io/${PROJECT_ID}
+ - COSIGN_EXPERIMENTAL=true
+ - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
+ - GITHUB_USER=${_GITHUB_USER}
+ secretEnv:
+ - GITHUB_TOKEN
+ args:
+ - '-c'
+ - |
+ echo $$GITHUB_TOKEN | docker login ghcr.io -u $$GITHUB_USER --password-stdin \
+ && make copy-signed-release-to-ghcr
+
availableSecrets:
secretManager:
- versionName: projects/${PROJECT_NUMBER}/secrets/GITHUB_TOKEN/versions/latest
@@ -117,3 +141,4 @@ substitutions:
_KEY_NAME: 'honk-crypto'
_KEY_VERSION: '1'
_KEY_LOCATION: 'global'
+ _GITHUB_USER: 'placeholder'
diff --git a/release/release.mk b/release/release.mk
index 937afcc..201aaa7 100644
--- a/release/release.mk
+++ b/release/release.mk
@@ -42,6 +42,21 @@ sign-keyless-rekor-cli-release:
.PHONY: sign-keyless-release
sign-keyless-release: sign-keyless-rekor-server-release sign-keyless-rekor-cli-release
+####################
+# copy image to GHCR
+####################
+
+.PHONY: copy-rekor-server-signed-release-to-ghcr
+copy-cosign-signed-release-to-ghcr:
+ cosign copy $(KO_PREFIX)/rekor-server:$(GIT_VERSION) $(GHCR_PREFIX)/rekor-server:$(GIT_VERSION)
+
+.PHONY: copy-rekor-cli-signed-release-to-ghcr
+copy-cosigned-signed-release-to-ghcr:
+ cosign copy $(KO_PREFIX)/rekor-cli:$(GIT_VERSION) $(GHCR_PREFIX)/rekor-cli:$(GIT_VERSION)
+
+.PHONY: copy-signed-release-to-ghcr
+copy-signed-release-to-ghcr: copy-rekor-server-signed-release-to-ghcr copy-rekor-cli-signed-release-to-ghcr
+
## --------------------------------------
## Dist / maybe we can deprecate
## --------------------------------------
--
GitLab