Upgrade Golang to 1.23 to Fix CVEs (#538) #79
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- 'v*' | |
jobs: | |
draft-release: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
packages: write | |
id-token: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v2 | |
with: | |
go-version: 1.23.3 | |
- name: Set up Cosign | |
uses: sigstore/cosign-installer@v3 | |
- name: Install Carvel Tools | |
uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
only: ytt, kapp, kbld, imgpkg, kctrl, vendir | |
ytt: v0.45.4 | |
kapp: v0.58.0 | |
kbld: v0.37.5 | |
imgpkg: v0.37.3 | |
kctrl: v0.50.2 | |
vendir: v0.34.4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run release script | |
run: | | |
set -e -x | |
minikube start --driver=docker --wait=all | |
docker buildx create --name minikube --use --driver=kubernetes --bootstrap | |
./hack/build-and-publish-release.sh | |
mkdir release | |
cp ./tmp/release.yml release/ | |
- name: Sign secretgen-controller OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml` | |
cosign sign --yes "$image_url" | |
- name: Verify signature on secretgen-controller OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml` | |
cosign verify \ | |
$image_url \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
- name: Run Package build | |
run: | | |
constraintVersion="${{ github.ref_name }}" | |
kctrl pkg release -y -v ${constraintVersion:1} --debug | |
mv carvel-artifacts/packages/secretgen-controller.carvel.dev/metadata.yml carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml | |
cp carvel-artifacts/packages/secretgen-controller.carvel.dev/* release/ | |
- name: Sign secretgen-controller-package-bundle OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml` | |
cosign sign --yes "$image_url" | |
- name: Verify signature on secretgen-controller-package-bundle OCI image | |
run: | | |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml` | |
cosign verify \ | |
$image_url \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
- name: Updating release notes | |
run: | | |
RELEASE_TAG=$(git describe --tags --abbrev=0) | |
SGC_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "secretgen-controller") | .image' release/release.yml) | |
SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml) | |
RELEASE_NOTES=" | |
<details> | |
<summary><h2>Installation and signature verification</h2></summary> | |
## Verify checksums file signature | |
Install cosign on your system https://docs.sigstore.dev/system_config/installation/ | |
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands: | |
\`\`\`shell | |
# Download the checksums file, certificate, and signature | |
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt | |
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem | |
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig | |
### Verify the checksums file | |
cosign verify-blob checksums.txt \ | |
--certificate checksums.txt.pem \ | |
--signature checksums.txt.sig \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
\`\`\` | |
## Installation of secretgen-controller | |
secretgen-controller can be installed by using kapp | |
\`\`\`shell | |
kapp deploy -a sg -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml | |
\`\`\` | |
or by using kubectl | |
\`\`\`shell | |
kubectl deploy -f https://github.com/carvel-dev/secretgen-controller/releases/$RELEASE_TAG/download/release.yml | |
\`\`\` | |
### Container Images | |
secretgen-controller and secretgen-controller-package-bundle images are available in Github Container Registry. | |
### OCI Image URLs | |
- $SGC_CONTROLLER_IMAGE | |
- $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE | |
### Verify container image signature | |
The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands: | |
\`\`\`shell | |
# Verifying secretgen-controller image | |
cosign verify $SGC_CONTROLLER_IMAGE \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
-o text | |
# Verifying secretgen-controller-package-bundle image | |
cosign verify $SGC_CONTROLLER_PACKAGE_BUNDLE_IMAGE \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
-o text | |
\`\`\` | |
</summary> | |
</details> | |
" | |
echo "$RELEASE_NOTES" > ./tmp/release_notes.txt | |
- name: Create checksum and add it to release notes | |
run: | | |
pushd release | |
shasum -a 256 ./release.yml ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt | |
popd | |
cat ./tmp/checksums.txt | tee -a ./tmp/release_notes.txt | |
cp ./tmp/checksums.txt release/checksums.txt | |
- name: Sign checksums.txt | |
run: | | |
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig | |
- name: Verify checksums signature | |
run: | | |
cosign verify-blob \ | |
--cert release/checksums.txt.pem \ | |
--signature release/checksums.txt.sig \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt | |
- name: Create release draft and upload release yaml | |
uses: softprops/action-gh-release@17cd0d34deddf848fc0e7d9be5202c148c270a0a | |
with: | |
name: ${{ github.ref_name }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
body_path: ./tmp/release_notes.txt | |
files: | | |
./release/* | |
draft: true | |
- name: Get uploaded release YAML checksum | |
uses: actions/github-script@v6 | |
id: get-checksums-from-draft-release | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
result-encoding: string | |
script: | | |
var crypto = require('crypto'); | |
const { owner, repo } = context.repo; | |
// https://docs.github.com/en/rest/reference/repos#list-releases | |
// https://octokit.github.io/rest.js/v18#repos-list-releases | |
var releases = await github.rest.repos.listReleases({ | |
owner: owner, | |
repo: repo | |
}); | |
var crypto = require('crypto') | |
var fs = require('fs') | |
const url = require('url'); | |
const https = require('https'); | |
checksums = {} | |
var releaseMatched = false; | |
var assetsFound = false; | |
for (const r of releases["data"]) { | |
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") { | |
releaseMatched = true; | |
for (const asset of r.assets) { | |
assetsFound = true; | |
var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id }); | |
const hash = crypto.createHash('sha256'); | |
let http_promise = new Promise((resolve, reject) => { | |
https.get(release_asset.url, (stream) => { | |
stream.on('data', function (data) { | |
hash.update(data); | |
}); | |
stream.on('end', function () { | |
checksums[asset.name]= hash.digest('hex'); | |
resolve(`${asset.name}`); | |
}); | |
}); | |
}); | |
await http_promise; | |
http_promise.then( | |
(result) => { | |
console.log(checksums); | |
}, | |
(error) => { | |
console.log("Encountered an Error for " + asset.name + " asset: " + error); // Log an error | |
}); | |
} | |
} | |
} | |
if (!releaseMatched) { | |
console.log("No release matched") | |
} | |
if (!assetsFound) { | |
console.log("No assets found for " + "${{ github.ref }}" + " release") | |
} | |
return `${checksums['release.yml']} ./release.yml | |
${checksums['package.yml']} ./package.yml | |
${checksums['package-metadata.yml']} ./package-metadata.yml` | |
- name: Verify uploaded artifacts | |
if: startsWith(github.ref, 'refs/tags/') | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
set -e -x | |
cat ./tmp/checksums.txt | |
diff ./tmp/checksums.txt <(cat <<EOF | |
${{steps.get-checksums-from-draft-release.outputs.result}} | |
EOF | |
) | |
- name: Run PackageCR Validation Tests | |
run: | | |
set -e -x | |
# deploy admin sa for secretgen-controller - enough permissions for SGC to be deployed properly | |
kapp deploy -a rbac -f https://raw.githubusercontent.com/carvel-dev/kapp-controller/develop/examples/rbac/cluster-admin.yml -y | |
# Kapp-controller is needed for our PackageInstall | |
kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/latest/download/release.yml -y | |
constraintVersion="${{ github.ref_name }}" | |
kubectl create ns sg | |
kapp deploy -a sg -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package.yml -f carvel-artifacts/packages/secretgen-controller.carvel.dev/package-metadata.yml -n sg -y | |
# installing pkg with kctrl | |
kctrl pkg install -p secretgen-controller.carvel.dev -i scg --version ${constraintVersion:1} -n sg | |
export SECRETGEN_E2E_NAMESPACE=secretgen-test | |
./hack/test-e2e.sh |