add container builds for rekor (#330)

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

.github/workflows/build.yml

+#
+# Copyright 2021 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: CI-Container-Build
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    tags:
+      - '*'
+
+jobs:
+  build:
+    name: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2.3.4
+      - uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v0.5.0'
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(cat Dockerfile|grep golang | awk ' { print $2 } ' | sed -r 's/^.*://g'| uniq)" >> $GITHUB_ENV
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GOVERSION }}
+      - name: deps
+        run: sudo apt-get update && sudo apt-get install -yq libpcsclite-dev
+      - uses: imjasonh/setup-ko@v0.4
+        with:
+          version: v0.8.3
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@master
+        with:
+          project_id: projectsigstore
+          service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+          export_default_credentials: true
+      - name: creds
+        run: gcloud auth configure-docker --quiet
+      - name: container
+        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_DOCKER_REPO=gcr.io/projectsigstore/rekor/ci/rekor make sign-container

.github/workflows/cosign.key

+-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJxM1c0U29HL0JhNGY5YUZWbXZlYWNFelJjTmU4amRq
+Qlo5MXFZR0lGK2EwPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJEa2JGQ2hwUE84b0krRzVxQ01lRE5TaDhUOUJETGpZUSJ9LCJj
+aXBoZXJ0ZXh0IjoiYTl4YkdDUnJRUnVrTWNvZmh1QWFXOUo3UDEvazBzemgvUjJM
+QWNVTVdrT1B5QkVKQndMSEYzaEZLWlFxOHIwRVcyQ0d4VmJyd1FxaG1Zd0NXUmg2
+RlBuSUdBbVFZbmc3MmNSaUZmTEZZVUg3czl5bnFhcWYzOFQzc1dTUGhhcTlZRHJU
+d0k3Q2djR1Yyc0pzUUZRd2hFZVAwV2p1SGFXdWVyeDJRdDBKdEl2K2llbG0rb0gy
+UUI5L2NJb0w4T2grUE0xN3NzOXRCMUdwQkE9PSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----

.github/workflows/cosign.pub

+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm8IPMv4eqH6+t8T18QEtG3aziut1
+3QVroceRyBtKOFpFLhPLpFOwznV2rHaXPmYjVTmy0uwiRvBVTinrmyITfQ==
+-----END PUBLIC KEY-----

Makefile

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-.PHONY: all test clean clean-gen lint gosec
+.PHONY: all test clean clean-gen lint gosec ko sign-container
 
 all: rekor-cli rekor-server
 
@@ -79,3 +79,12 @@ up:
 debug:
 	docker-compose -f docker-compose.yml -f docker-compose.debug.yml build --build-arg SERVER_LDFLAGS=$(SERVER_LDFLAGS) rekor-server-debug
 	docker-compose -f docker-compose.yml -f docker-compose.debug.yml up rekor-server-debug
+
+ko:
+	# We can't pass more than one LDFLAG via GOFLAGS, you can't have spaces in there.
+	CGO_ENABLED=0 GOFLAGS="-tags=pivkeydisabled -ldflags=-X=$(SERVER_PKG).gitCommit=$(GIT_HASH)" ko publish --bare \
+                --tags $(GIT_VERSION) --tags $(GIT_HASH) \
+                github.com/sigstore/rekor/cmd/rekor-server
+
+sign-container: ko
+	cosign sign -key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_DOCKER_REPO}:$(GIT_HASH)