Introduce OCI artifacts signatures #66

Merged
merged 3 commits into from
Jul 18, 2023

@maxgio92 maxgio92 commented May 25, 2023

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area registry
/area build

What this PR does / why we need it:

This PR introduces the signature of the rules' OCI artifact, using cosign.

Which issue(s) this PR fixes:

Fixes #65

Special notes for your reviewer:

This is part of the work for securing the Falco supply chain. For details on the signatures of Falco OCI artifacts, you can read here:

@maxgio92
Member Author

/cc @LucaGuerra

@maxgio92
Member Author

/hold

This is a work in progress and the publish-to-S3 steps are missing.

Comment on lines 50 to 57
run: >-
echo "::set-output name=ARTIFACT_DIGEST::$(
build/registry/rules-registry push-to-oci registry.yaml ${{ github.ref_name }}
)"
Contributor

I believe ::set-output is deprecated and we should use the GITHUB variables instead: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Member Author

Good catch @LucaGuerra thanks!

Member Author

@LucaGuerra fixed it, PTAL, thanks
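
As an added example (not code from this PR or from the Falco project), these POSIX shell helpers show the replacement the review comment points to: the digest is appended to the file named by `$GITHUB_OUTPUT` instead of being echoed through `::set-output`, and it is exported only if the captured stdout is a single digest. The helper names, the `REF_NAME` variable and the `sha256:<64 hex>` output format of the push command are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Helper names are hypothetical.
# Assumption: the push command prints one bare digest, "sha256:" + 64 hex chars.

# Succeed only if $1 is exactly one lower-case sha256 digest (no log noise).
is_sha256_digest() {
    case "$1" in
        sha256:*) hex=${1#sha256:} ;;
        *) return 1 ;;
    esac
    [ "${#hex}" -eq 64 ] || return 1
    case "$hex" in
        *[!0123456789abcdef]*) return 1 ;;
    esac
    return 0
}

# Append NAME=VALUE to the file named by $GITHUB_OUTPUT, which replaces the
# deprecated "::set-output" workflow command. Refuses anything but a digest.
set_digest_output() {
    name=$1
    value=$2
    [ -n "${GITHUB_OUTPUT:-}" ] || { echo "GITHUB_OUTPUT is not set" >&2; return 2; }
    is_sha256_digest "$value" || { echo "not a digest, nothing exported" >&2; return 1; }
    printf '%s=%s\n' "$name" "$value" >> "$GITHUB_OUTPUT"
}

# In the workflow step this would read (REF_NAME is an assumed env variable
# holding github.ref_name; the command is the one from the reviewed snippet):
#   digest=$(build/registry/rules-registry push-to-oci registry.yaml "$REF_NAME")
#   set_digest_output ARTIFACT_DIGEST "$digest"

# Constructed demo, run with: sh example.sh demo
demo() {
    GITHUB_OUTPUT=$(mktemp) || return 1
    clean="sha256:$(printf '%064d' 0)"                   # constructed digest
    noisy=$(printf 'INFO pushing artifact\n%s' "$clean") # constructed noisy stdout
    set_digest_output ARTIFACT_DIGEST "$clean"
    set_digest_output ARTIFACT_DIGEST "$noisy" 2>/dev/null || echo "noisy output rejected"
    cat "$GITHUB_OUTPUT"
    rm -f "$GITHUB_OUTPUT"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

A later signing step can then read the value as `steps.<step id>.outputs.ARTIFACT_DIGEST`, the same way it would have with `::set-output`.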

@LucaGuerra
Contributor

> This is a work in progress and the publish-to-S3 steps are missing.

Why? That step is embedded in the Go builder binary normally 💡 , was it disabled somewhere?

@maxgio92
Member Author

Just in the GitHub workflow @LucaGuerra for testing purposes. I'm going to re-establish the related steps :)

@maxgio92
Member Author

> > This is a work in progress and the publish-to-S3 steps are missing.
>
> Why? That step is embedded in the Go builder binary normally 💡 , was it disabled somewhere?

Just fixed it @LucaGuerra

@maxgio92 maxgio92 changed the title wip: ci(release): add oci artifact signature with cosign ci(release): add oci artifact signature with cosign May 31, 2023
@maxgio92 maxgio92 changed the title ci(release): add oci artifact signature with cosign Introduce OCI artifacts signatures Jun 30, 2023
@LucaGuerra
Contributor

@maxgio92 do we want to merge plugins first and adapt this? I guess the two will use the same mechanism we discussed in the other PR!

@maxgio92
Member Author

maxgio92 commented Jul 3, 2023

Totally agree @LucaGuerra

@maxgio92
Member Author

Rebased on main branch

Contributor

@LucaGuerra LucaGuerra left a comment

LGTM

@poiana

poiana commented Jul 17, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LucaGuerra, maxgio92


@LucaGuerra
Contributor

@maxgio92 if this is ready you can remove the hold :)

@maxgio92
Member Author

/unhold

@poiana poiana merged commit b165df9 into falcosecurity:main Jul 18, 2023
Successfully merging this pull request may close these issues.

Sign the OCI artifact with cosign