Sign image with github oidc #88
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - "v*.*.*" | |
| jobs: | |
| build-and-run-tests: | |
| name: Build & run tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| # https://github.com/actions/checkout/tree/v4.1.1 | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - name: Get GO version | |
| id: goversion | |
| run: echo "goversion=$(<.goversion)" > "${GITHUB_OUTPUT}" | |
| - name: Set up Go | |
| # https://github.com/actions/setup-go/tree/v5.0.0 | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
| with: | |
| go-version: ${{steps.goversion.outputs.goversion}} | |
| - name: Generate files | |
| run: go generate ./... | |
| - name: Build | |
| run: go build ./... | |
| - name: Run go vet | |
| run: go vet ./... | |
| - name: Run go tests | |
| run: go test -failfast ./... | |
| - name: Run go tests (noquic) | |
| run: go test -failfast -tags noquic ./... | |
| - name: Run go tests (-race) | |
| run: go test -race -timeout=5m -failfast ./... | |
| - name: Run govulncheck | |
| run: go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./... | |
| - name: Build test docker image | |
| run: | | |
| touch version.sh | |
| docker build -t c2fmzq/tlsproxy:test . | |
| docker run --rm --interactive c2fmzq/tlsproxy:test -v | |
| create-release: | |
| name: Create release | |
| needs: build-and-run-tests | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| # https://github.com/actions/checkout/tree/v4.1.1 | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - name: Get GO version | |
| id: goversion | |
| run: echo "goversion=$(<.goversion)" > "${GITHUB_OUTPUT}" | |
| - name: Set up Go | |
| # https://github.com/actions/setup-go/tree/v5.0.0 | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
| with: | |
| go-version: ${{steps.goversion.outputs.goversion}} | |
| - name: Extract release notes | |
| run: | | |
| ./scripts/release-notes.sh "${GITHUB_REF_NAME}" > release-notes.md | |
| if [[ $(stat -c %s release-notes.md) == 0 ]]; then | |
| echo "No release notes for ${GITHUB_REF_NAME}. Please update CHANGELOG.md" | |
| exit 1 | |
| fi | |
| - name: Build release binaries | |
| run: | | |
| export GNUPGHOME="$(mktemp -d)" | |
| chmod 700 "${GNUPGHOME}" | |
| cleanup() { | |
| rm -rf "${GNUPGHOME}" | |
| } | |
| trap cleanup EXIT | |
| # The key is generated with: | |
| # GPG_PASSPHRASE=$(dd if=/dev/random bs=32 count=1 | base64) | |
| # gpg --passphrase "${GPG_PASSPHRASE}" --quick-generate-key c2FmZQ-bot ed25519 sign never | |
| # gpg --local-user [email protected] --sign-key c2FmZQ-bot | |
| # gpg --armor --export c2FmZQ-bot > keys/c2FmZQ-bot.pub | |
| # gpg --passphrase "${GPG_PASSPHRASE}" --armor --export-secret-keys c2FmZQ-bot | base64 -w0 | |
| echo "${GPG_PRIVATE_KEY}" | base64 -d | gpg --batch --pinentry-mode loopback --passphrase "${GPG_PASSPHRASE}" --import | |
| ./scripts/build-release-binaries.sh | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Create release | |
| # https://github.com/softprops/action-gh-release/releases/tag/v2.0.4 | |
| uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 | |
| with: | |
| token: ${{ secrets.UPDATE_TOKEN }} | |
| draft: false | |
| prerelease: ${{ contains(github.ref, '-') }} | |
| body_path: release-notes.md | |
| fail_on_unmatched_files: true | |
| files: bin/* | |
| push-to-registry: | |
| name: Push image to docker hub | |
| needs: | |
| - build-and-run-tests | |
| - create-release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Check out the repo | |
| # https://github.com/actions/checkout/tree/v4.1.1 | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| - name: Install cosign | |
| # https://github.com/sigstore/cosign-installer/releases/tag/v3.4.0 | |
| uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 | |
| - name: Cosign version | |
| run: cosign version | |
| - name: Log in to docker hub | |
| # https://github.com/docker/login-action/tree/v3.0.0 | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Get release version | |
| run: | | |
| echo "VERSION=${GITHUB_REF_NAME}" > version.sh | |
| echo "BUILD_TAGS='$(echo ${GITHUB_REF_NAME} | sed -re 's/^v[^+]+[+]?//' -e 's/[.]/,/g')'" >> version.sh | |
| - name: Set up QEMU | |
| # https://github.com/docker/setup-qemu-action/releases/tag/v3.0.0 | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 | |
| - name: Set up Docker Buildx | |
| # https://github.com/docker/setup-buildx-action/releases/tag/v3.0.0 | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| # https://github.com/docker/metadata-action/releases/tag/v5.0.0 | |
| uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 | |
| with: | |
| images: c2fmzq/tlsproxy | |
| flavor: ${{ (contains(github.ref, '+') || contains(github.ref, '-')) && 'latest=false' || 'latest=auto' }} | |
| - name: Build and push docker image | |
| # https://github.com/docker/build-push-action/releases/tag/v5.1.0 | |
| uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 | |
| id: build-and-push | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: true | |
| platforms: linux/amd64,linux/arm64,linux/arm/v7 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Sign docker image | |
| run: | | |
| images="" | |
| for tag in ${TAGS}; do | |
| images+="${tag}@${DIGEST} " | |
| done | |
| # Sign with key | |
| cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY ${images} | |
| # Sign with oidc | |
| unset COSIGN_PRIVATE_KEY COSIGN_PASSWORD | |
| cosign sign --yes --recursive ${images} | |
| env: | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| DIGEST: ${{ steps.build-and-push.outputs.digest }} |