From a67bc434f07b19219fe672cf6efb7bf6bfc0c3a3 Mon Sep 17 00:00:00 2001
From: Jigar Joshi
Date: Fri, 24 Jan 2025 17:19:57 +0530
Subject: [PATCH] remove cosign
---
 .github/workflows/reuse.yaml | 118 -----------------------------------
 1 file changed, 118 deletions(-)
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
index e1cb1a3..6e88aed 100644
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@@ -37,17 +37,6 @@ jobs:
 with:
 fetch-depth: 0
- - name: Checkout image
- if: ${{ inputs.tag == 'image'}}
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- - name: Unshallow
- if: ${{ inputs.tag == 'image'}}
- run: git fetch --prune --unshallow --tags
- - name: Install Cosign
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
-
 - name: Log into ghcr.io
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
@@ -69,114 +58,7 @@ jobs:
 run: |
 echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV
- - name: Generate SBOM JSON
- if: ${{inputs.tag == 'release'}}
- uses: CycloneDX/gh-gomod-generate-sbom@c18e41a4e3defe6dbf69b594e4d831a89db82ead # v1.0.0
- with:
- version: v1
- args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}}
- - name: Upload SBOM JSON
- if: ${{inputs.tag == 'release'}}
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
- with:
- name: ${{inputs.image_name}}-bom-cdx
- path: ${{inputs.image_name}}-v*-bom.cdx.json
- - name: Extract branch name
- if: ${{inputs.tag == 'image'}}
- shell: bash
- run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
- id: extract_branch
- - name: Check branch
- if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}}
- id: check-branch
- run: |
- if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then
- echo ::set-output name=match::true
- fi
- - name: Debug Inputs
- run: |
- echo "Tag: ${{ inputs.tag }}"
- echo "publish_command : ${{ inputs.publish_command}}"
- echo "Digest Command: ${{ inputs.digest_command }}"
- echo "Image Name: ${{ inputs.image_name }}"
- echo "Repository: ${{ github.repository }}"
- echo "Workflow: ${{ github.workflow }}"
- echo "SHA: ${{ github.sha }}"
- echo "secrets.GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}"
- echo "github.actor: ${{ github.actor }}"
- echo "Branch: ${{ steps.extract_branch.outputs.branch }}"
- - name: Docker images publish
- if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
- run: make ${{inputs.publish_command}} FIPS_ENABLED=1
- - name: get image digest
- if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}}
- id: get-step-image
- run: |
- digest=$(make ${{inputs.digest_command}} 
FIPS_ENABLED=1)
- echo "digest=${digest}" >> $GITHUB_ENV
-
 - name: Docker release-images publish
 if: ${{inputs.tag == 'release' || inputs.tag == 'image' }}
 run: make ${{inputs.publish_command}} FIPS_ENABLED=1
- - name: Clear Sigstore TUF Cache
- run: |
- rm -rf ~/.sigstore
- - name: Get release-image digest
- if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
- id: get-step
- run: |
- digest=$(make ${{inputs.digest_command}} FIPS_ENABLED=1 2>/dev/null || true)
- if [[ -z "$digest" ]]; then
- echo "Error: Unable to generate digest. Ensure the repository exists and credentials are valid." >&2
- exit 1
- fi
- echo "digest=$digest" >> $GITHUB_ENV
- echo "Digest: $digest"
- - name: Debug Digest
- run: |
- echo "Digest: ${{ env.digest }}"
- if [[ -z "${{ env.digest }}" || "${{ env.digest }}" == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ]]; then
- echo "Error: Digest is empty or invalid." >&2
- exit 1
- fi
- - name: Sign image
- if: ${{ inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main' }}
- env:
- COSIGN_EXPERIMENTAL: "true"
- COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
- run: |
- cosign sign --yes \
- -a "repo=${{ github.repository }}" \
- -a "workflow=${{ github.workflow }}" \
- -a "ref=${{ github.sha }}" \
- ghcr.io/${{ github.repository_owner }}/${{ inputs.image_name }}@sha256:${digest}
- - name: Sign release-image
- if: ${{ inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true') }}
- env:
- COSIGN_EXPERIMENTAL: "true"
- COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/signatures"
- digest: ${{ env.digest }}
- run: |
- echo "Signing with digest: $digest"
- cosign sign --yes \
- -a "repo=${{ github.repository }}" \
- -a "workflow=${{ github.workflow }}" \
- -a "ref=${{ github.sha }}" \
- ghcr.io/${{ github.repository_owner }}/${{ 
inputs.image_name }}@sha256:$digest
-
- - name: Attach SBOM
- if: ${{inputs.tag == 'release'}}
- env:
- COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.repository }}/sbom"
- run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ghcr.io/${{ github.repository_owner }}/${{inputs.image_name}}@sha256:${{ env.digest }}
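Review bot: The retained `Docker release-images publish` step on the new side still pushes images for both the `release` and `image` tags, but nothing left in the job signs them, records their digest, or attaches an SBOM, so the `…/signatures` and `…/sbom` repositories under ghcr.io stop being populated and any consumer that verifies these images (`cosign verify`, or a Kyverno verifyImages policy pointing at them) will presumably start failing or, if the policy is permissive, silently accept unsigned images. If dropping signing is deliberate, the commit message should say what replaces it and the consumers' verification policies need a matching change; if the goal was only to remove the broken gating, the sign and attach-SBOM steps should stay. Separately, the surviving `run: make ${{inputs.publish_command}} FIPS_ENABLED=1` expands a workflow_call input straight into a shell line in a job that holds push credentials for ghcr.io, so a caller can inject arbitrary commands; pass it through the environment instead, `env:` / `PUBLISH_COMMAND: ${{ inputs.publish_command }}` and `run: make "$PUBLISH_COMMAND" FIPS_ENABLED=1`, and reject values outside a fixed list of make targets. The enclosing job definition starts before this hunk.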