feat: Integrate GoReleaser, Cosign and Syft (#595)

* build: integrate goreleaser, syft and cosign Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: chmod for all binaries Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: version-env Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: remove prefix Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: remove prefix Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: schellcheck Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: shellcheck Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: several script updates Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: remove main-prefix Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
2026-02-14 17:39:49 +00:00 · 2022-10-02 15:25:17 +02:00
parent 8cabfb7d75
commit ba1328ca12
12 changed files with 237 additions and 75 deletions
--- a/.github/scripts/goreleaser-install.sh
+++ b/.github/scripts/goreleaser-install.sh
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+
+RELEASES_URL="https://github.com/goreleaser/goreleaser/releases"
+FILE_BASENAME="goreleaser"
+
+test -z "$VERSION" && {
+    echo "Unable to get goreleaser version." >&2
+    exit 1
+}
+
+test -z "$TMPDIR" && TMPDIR="$(mktemp -d)"
+TAR_FILE="$TMPDIR/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
+export TAR_FILE
+
+(
+    echo "Downloading GoReleaser $VERSION..."
+    curl -sfLo "$TAR_FILE" \
+        "$RELEASES_URL/download/$VERSION/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
+    cd "$TMPDIR"
+    curl -sfLo "checksums.txt" "$RELEASES_URL/download/$VERSION/checksums.txt"
+    curl -sfLo "checksums.txt.sig" "$RELEASES_URL/download/$VERSION/checksums.txt.sig"
+    echo "Verifying checksums..."
+    sha256sum --ignore-missing --quiet --check checksums.txt
+    if command -v cosign >/dev/null 2>&1; then
+        echo "Verifying signatures..."
+        COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+            --signature checksums.txt.sig \
+            checksums.txt
+    else
+        echo "Could not verify signatures, cosign is not installed."
+    fi
+)
+
+tar -xf "$TAR_FILE" -O goreleaser > "$TMPDIR/goreleaser"
+rm "$TMPDIR/checksums.txt" "$TMPDIR/checksums.txt.sig"
+rm "$TAR_FILE"
--- a/.github/workflows/on-main-push.yaml
+++ b/.github/workflows/on-main-push.yaml
@@ -14,6 +14,10 @@ jobs:
  tag-scan-and-push-final-image:
    name: "Build, scan, and publish tagged image"
    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
    steps:
      - uses: actions/checkout@v3

@@ -46,20 +50,42 @@ jobs:
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
-        id: buildx
        uses: docker/setup-buildx-action@v2

      - name: Find current tag version
        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
        id: tags

+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+
+      - name: Build binaries
+        run: make kured-release-snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: 1
+
      - name: Build image
        uses: docker/build-push-action@v3
        with:
          context: .
-          file: cmd/kured/Dockerfile.multi
          platforms: linux/arm64, linux/amd64, linux/arm/v7, linux/arm/v6, linux/386
          push: true
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main-${{ steps.tags.outputs.sha_short }}
          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+
+      - name: Generate SBOM
+        run: |
+          .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }} -o spdx | jq --compact-output > kured.sbom
+
+      - name: Sign and attest artifacts
+        run: |
+          .tmp/cosign sign -f -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+
+          .tmp/cosign sign-blob --output-signature kured.sbom.sig --output-certificate kured.sbom.pem kured.sbom
+
+          .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+          .tmp/cosign attach sbom --type syft --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.sha_short }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
--- a/.github/workflows/on-pr.yaml
+++ b/.github/workflows/on-pr.yaml
@@ -6,7 +6,7 @@ on:
 jobs:
  pr-gotest:
    name: Run go tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v3
@@ -91,13 +91,23 @@ jobs:
        with:
          go-version: "${{ steps.awk_gomod.outputs.version }}"
          check-latest: true
-      - run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Find current tag version
+        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        id: tags
+      - name: Build image
+        run: VERSION="${{ steps.tags.outputs.sha_short }}" make image
      - uses: Azure/container-scan@v0
        env:
          # See https://github.com/goodwithtech/dockle/issues/188
          DOCKLE_HOST: "unix:///var/run/docker.sock"
        with:
-          image-name: ghcr.io/${{ github.repository_owner }}/kured:${{ github.sha }}
+          image-name: ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}

  # This ensures the latest code works with the manifests built from tree.
  # It is useful for two things:
@@ -127,10 +137,19 @@ jobs:
        with:
          go-version: "${{ steps.awk_gomod.outputs.version }}"
          check-latest: true
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Find current tag version
+        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        id: tags
      - name: Build artifacts
        run: |
-          make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
-          make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" manifest
+          VERSION="${{ steps.tags.outputs.sha_short }}" make image
+          VERSION="${{ steps.tags.outputs.sha_short }}" make manifest

      - name: Workaround "Failed to attach 1 to compat systemd cgroup /actions_job/..." on gh actions
        run: |
@@ -149,7 +168,7 @@ jobs:
          version: v0.14.0

      - name: Preload previously built images onto kind cluster
-        run: kind load docker-image ghcr.io/${{ github.repository_owner }}/kured:${{ github.sha }} --name chart-testing
+        run: kind load docker-image ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }} --name chart-testing

      - name: Do not wait for an hour before detecting the rebootSentinel
        run: |
--- a/.github/workflows/on-tag.yaml
+++ b/.github/workflows/on-tag.yaml
@@ -16,6 +16,10 @@ jobs:
  tag-scan-and-push-final-image:
    name: "Build, scan, and publish tagged image"
    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
    steps:
      - uses: actions/checkout@v3
      - name: Find go version
@@ -31,14 +35,33 @@ jobs:
      - name: Find current tag version
        run: echo "::set-output name=version::${GITHUB_REF#refs/tags/}"
        id: tags
-      - run: |
-          make DH_ORG="${{ github.repository_owner }}" VERSION="${{ steps.tags.outputs.version }}" image
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Build binaries
+        run: make kured-release-tag
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: 1
+      - name: Build single image for scan
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+
      - uses: Azure/container-scan@v0
        env:
          # See https://github.com/goodwithtech/dockle/issues/188
          DOCKLE_HOST: "unix:///var/run/docker.sock"
        with:
-          image-name: ghcr.io/${{ github.repository_owner }}/kured:${{ steps.tags.outputs.version }}
+          image-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}

      - name: Login to ghcr.io
        uses: docker/login-action@v2
@@ -53,23 +76,27 @@ jobs:
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Build image
+      - name: Build release images
        uses: docker/build-push-action@v3
        with:
          context: .
-          file: cmd/kured/Dockerfile.multi
          platforms: linux/arm64, linux/amd64, linux/arm/v7, linux/arm/v6, linux/386
          push: true
-#          cache-from: type=registry,ref=user/app:buildcache
-#          cache-to: type=inline
+          labels: ${{ steps.meta.outputs.labels }}
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
-          labels: ${{ steps.meta.outputs.labels }}

+      - name: Generate SBOM
+        run: |
+          .tmp/syft ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }} -o spdx | jq --compact-output > kured.sbom
+
+      - name: Sign and attest artifacts
+        run: |
+          .tmp/cosign sign -f -r ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+
+          .tmp/cosign sign-blob --output-signature kured.sbom.sig kured.sbom
+
+          .tmp/cosign attest -f --type spdx --predicate kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+          .tmp/cosign attach sbom --type syft --sbom kured.sbom ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tags.outputs.version }}
+        env:
+          COSIGN_EXPERIMENTAL: 1
--- a/.github/workflows/periodics-daily.yaml
+++ b/.github/workflows/periodics-daily.yaml
@@ -7,7 +7,7 @@ on:
 jobs:
  periodics-gotest:
    name: Run go tests
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v3
@@ -63,10 +63,20 @@ jobs:
        with:
          go-version: "${{ steps.awk_gomod.outputs.version }}"
          check-latest: true
-      - run: make DH_ORG="${{ github.repository_owner }}" VERSION="${{ github.sha }}" image
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Setup GoReleaser
+        run: make bootstrap-tools
+      - name: Find current tag version
+        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        id: tags
+      - name: Build artifacts
+        run: VERSION="${{ steps.tags.outputs.sha_short }}" make image
      - uses: Azure/container-scan@v0
        env:
          # See https://github.com/goodwithtech/dockle/issues/188
          DOCKLE_HOST: "unix:///var/run/docker.sock"
        with:
-          image-name: ghcr.io/${{ github.repository_owner }}/kured:${{ github.sha }}
+          image-name: ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 cmd/kured/kured
 vendor
 build
+dist
+.tmp
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -0,0 +1,32 @@
+project_name: kured
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - main: ./cmd/kured
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+      - "386"
+    goarm:
+      - "6"
+      - "7"
+    ldflags:
+      - -s -w -X main.version={{ if .IsSnapshot }}{{ .ShortCommit }}{{ else }}{{ .Version }}{{ end }}
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    flags:
+      - -trimpath
+
+snapshot:
+  name_template: "{{ .ShortCommit }}"
+
+release:
+  disable: true
+
+changelog:
+  skip: true
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -33,6 +33,11 @@ you can sign your commit automatically with `git commit -s`.

 ## Regular development activities

+### Prepare environment
+
+Please run `make bootstrap-tools` once on a fresh repository clone to download several needed tools, e.g. GoReleaser.
+
+
 ### Updating k8s support

 Whenever we want to update e.g. the `kubectl` or `client-go` dependencies,
--- a/25
+++ b/25
@@ -0,0 +1,25 @@
+FROM --platform=$TARGETPLATFORM alpine:3.16.2 as bin
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+COPY dist/ /dist
+RUN set -ex \
+  && case "${TARGETARCH}" in \
+      amd64) \
+          SUFFIX="_v1" \
+          ;; \
+      arm) \
+          SUFFIX="_${TARGETVARIANT:1}" \
+          ;; \
+      *) \
+          SUFFIX="" \
+          ;; \
+    esac \
+  && cp /dist/kured_${TARGETOS}_${TARGETARCH}${SUFFIX}/kured /dist/kured;
+
+FROM --platform=$TARGETPLATFORM alpine:3.16.2
+RUN apk update --no-cache && apk upgrade --no-cache && apk add --no-cache ca-certificates tzdata
+COPY --from=bin /dist/kured /usr/bin/kured
+ENTRYPOINT ["/usr/bin/kured"]
--- a/49
+++ b/49
@@ -1,38 +1,41 @@
 .DEFAULT: all
-.PHONY: all clean image publish-image minikube-publish manifest test tests kured-multi
+.PHONY: all clean image minikube-publish manifest test kured-all

+TEMPDIR=./.tmp
+GORELEASER_CMD=$(TEMPDIR)/goreleaser
 DH_ORG=kubereboot
-VERSION=$(shell git symbolic-ref --short HEAD)-$(shell git rev-parse --short HEAD)
+VERSION=$(shell git rev-parse --short HEAD)
 SUDO=$(shell docker info >/dev/null 2>&1 || echo "sudo -E")

 all: image

+$(TEMPDIR):
+	mkdir -p $(TEMPDIR)
+
+.PHONY: bootstrap-tools
+bootstrap-tools: $(TEMPDIR)
+	VERSION=v1.11.4 TMPDIR=.tmp bash .github/scripts/goreleaser-install.sh
+	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b .tmp v0.58.0
+	curl -sSfL https://github.com/sigstore/cosign/releases/download/v1.12.1/cosign-linux-amd64 -o .tmp/cosign
+	chmod +x .tmp/goreleaser .tmp/cosign .tmp/syft
+
 clean:
-	rm -f cmd/kured/kured
-	rm -rf ./build
+	rm -rf ./dist

-godeps=$(shell go list -f '{{join .Deps "\n"}}' $1 | grep -v /vendor/ | xargs go list -f '{{if not .Standard}}{{ $$dep := . }}{{range .GoFiles}}{{$$dep.Dir}}/{{.}} {{end}}{{end}}')
+kured:
+	$(GORELEASER_CMD) build --rm-dist --single-target --snapshot

-DEPS=$(call godeps,./cmd/kured)
+kured-all:
+	$(GORELEASER_CMD) build --rm-dist --snapshot

-cmd/kured/kured: $(DEPS)
-cmd/kured/kured: cmd/kured/*.go
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X main.version=$(VERSION)" -o $@ cmd/kured/*.go
+kured-release-tag:
+	$(GORELEASER_CMD) release --rm-dist

-kured-multi: 
-	CGO_ENABLED=0 go build -ldflags "-X main.version=$(VERSION)" -o cmd/kured/kured cmd/kured/*.go
+kured-release-snapshot:
+	$(GORELEASER_CMD) release --rm-dist --snapshot

-build/.image.done: cmd/kured/Dockerfile cmd/kured/kured
-	mkdir -p build
-	cp $^ build
-	$(SUDO) docker build -t ghcr.io/$(DH_ORG)/kured -f build/Dockerfile ./build
-	$(SUDO) docker tag ghcr.io/$(DH_ORG)/kured ghcr.io/$(DH_ORG)/kured:$(VERSION)
-	touch $@
-
-image: build/.image.done
-
-publish-image: image
-	$(SUDO) docker push ghcr.io/$(DH_ORG)/kured:$(VERSION)
+image: kured
+	$(SUDO) docker buildx build --load -t ghcr.io/$(DH_ORG)/kured:$(VERSION) .

 minikube-publish: image
 	$(SUDO) docker save ghcr.io/$(DH_ORG)/kured | (eval $$(minikube docker-env) && docker load)
@@ -41,7 +44,7 @@ manifest:
 	sed -i "s#image: ghcr.io/.*kured.*#image: ghcr.io/$(DH_ORG)/kured:$(VERSION)#g" kured-ds.yaml
 	echo "Please generate combined manifest if necessary"

-test: tests
+test:
 	echo "Running go tests"
 	go test ./...
 	echo "Running golint on pkg"
--- a/cmd/kured/Dockerfile
+++ b/cmd/kured/Dockerfile
@@ -1,4 +0,0 @@
-FROM alpine:3.16.2
-RUN apk update --no-cache && apk upgrade --no-cache && apk add --no-cache ca-certificates tzdata
-COPY ./kured /usr/bin/kured
-ENTRYPOINT ["/usr/bin/kured"]
--- a/cmd/kured/Dockerfile.multi
+++ b/cmd/kured/Dockerfile.multi
@@ -1,20 +0,0 @@
-FROM --platform=$BUILDPLATFORM golang:bullseye AS build
-
-ARG TARGETOS
-ARG TARGETARCH
-ARG TARGETVARIANT
-
-ENV GOOS=$TARGETOS
-ENV GOARCH=$TARGETARCH
-ENV GOVARIANT=$TARGETVARIANT
-
-WORKDIR /src
-COPY go.mod go.sum .
-RUN go mod download
-COPY . .
-RUN make kured-multi
-
-FROM --platform=$TARGETPLATFORM alpine:3.16.2 as bin
-RUN apk update --no-cache && apk upgrade --no-cache && apk add --no-cache ca-certificates tzdata
-COPY --from=build /src/cmd/kured/kured /usr/bin/kured
-ENTRYPOINT ["/usr/bin/kured"]