From 525412fcf254a4251a47f3e32390e51066658f0c Mon Sep 17 00:00:00 2001 From: David Personette Date: Sun, 10 Dec 2023 01:24:26 -0500 Subject: [PATCH 1/7] Fix: release-iso.yml to not fail if no images are returned (#202) Builds started failing once #195 was merged. This fixed the release-iso workflow for me. --- .github/workflows/release-iso.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-iso.yml b/.github/workflows/release-iso.yml index 4b17e8d8fe..90afd21cf5 100644 --- a/.github/workflows/release-iso.yml +++ b/.github/workflows/release-iso.yml @@ -35,7 +35,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} run: | if gh release list -R ${{ github.repository_owner }}/${{ github.event.repository.name }} | grep "auto-iso"; then - gh release view auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --json assets -q .assets[].name | xargs -L 1 gh release delete-asset auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} + gh release view auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --json assets -q .assets[].name | xargs --no-run-if-empty -L 1 gh release delete-asset auto-iso -R ${{ github.repository_owner }}/${{ github.event.repository.name }} gh release upload auto-iso ${{ steps.isogenerator.outputs.iso-path }} -R ${{ github.repository_owner }}/${{ github.event.repository.name }} --clobber else gh release create auto-iso ${{ steps.isogenerator.outputs.iso-path }} -t ISO -n "This is an automatically generated ISO release." -R ${{ github.repository_owner }}/${{ github.event.repository.name }} From 9aa7bb27404d97e862eb6065096a23ad2b6ea7f7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 10 Dec 2023 15:58:59 +0000 Subject: [PATCH 2/7] build(deps): bump mikefarah/yq from 4.40.3 to 4.40.4 (#201) Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.3 to 4.40.4. - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/v4.40.3...v4.40.4) --- updated-dependencies: - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 33fd6933e1..61f22e97e3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -58,7 +58,7 @@ jobs: uses: ublue-os/just-action@v1 - name: Add yq (for reading recipe.yml) - uses: mikefarah/yq@v4.40.3 + uses: mikefarah/yq@v4.40.4 - name: Gather image data from recipe run: | From f432ff4accc5a30eea7b31912aaafa9942b62f7e Mon Sep 17 00:00:00 2001 From: plata Date: Wed, 13 Dec 2023 20:10:52 +0100 Subject: [PATCH 3/7] fix: do not format just files in CI (#205) --- .github/workflows/build.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 61f22e97e3..e35cdc0fae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -54,9 +54,6 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 - - name: Check just syntax - uses: ublue-os/just-action@v1 - - name: Add yq (for reading recipe.yml) uses: mikefarah/yq@v4.40.4 From d124a99d38549f8aaa0d4722f69f9a40dbd43ca5 Mon Sep 17 00:00:00 2001 From: Menno Finlay-Smits Date: Sun, 17 Dec 2023 23:31:35 +1300 Subject: [PATCH 4/7] feat: Check that cosign.pub matches private key (#193) This avoids images which can't be updated due to `invalid signature` errors because cosign.pub doesn't match the private key actually used for signing. The error is caught early in the build process as there's no point creating an image if cosign.pub is wrong. Co-authored-by: mjs --- .github/workflows/build.yml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e35cdc0fae..ec476cbe68 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -54,6 +54,28 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 + # Confirm that cosign.pub matches SIGNING_SECRET + - uses: sigstore/cosign-installer@v3.2.0 + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' + + - name: Check SIGNING_SECRET matches cosign.pub + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PASSWORD: "" + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} + shell: bash + run: | + echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub" + delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub) + if [ -z "$delta" ]; then + echo "cosign.pub matches SIGNING_SECRET" + else + echo "cosign.pub does not match SIGNING_SECRET" + echo "$delta" + exit 1 + fi + - name: Add yq (for reading recipe.yml) uses: mikefarah/yq@v4.40.4 @@ -180,9 +202,6 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} # Sign container - - uses: sigstore/cosign-installer@v3.2.0 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - - name: Sign container image if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' run: | From be8810523e2b8e0c2cc5ae46281014e9f910c9d0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 17:51:00 +0000 Subject: [PATCH 5/7] build(deps): bump mikefarah/yq from 4.40.4 to 4.40.5 (#207) Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.4 to 4.40.5. - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/v4.40.4...v4.40.5) --- updated-dependencies: - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec476cbe68..744920686a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: fi - name: Add yq (for reading recipe.yml) - uses: mikefarah/yq@v4.40.4 + uses: mikefarah/yq@v4.40.5 - name: Gather image data from recipe run: | From b597ecd833fb2a477fee8d6d1ca26ca9ec4ce795 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 17:59:24 +0000 Subject: [PATCH 6/7] build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#208) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.2.0...v3.3.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 744920686a..2f961cf1f4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -55,7 +55,7 @@ jobs: uses: actions/checkout@v4 # Confirm that cosign.pub matches SIGNING_SECRET - - uses: sigstore/cosign-installer@v3.2.0 + - uses: sigstore/cosign-installer@v3.3.0 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - name: Check SIGNING_SECRET matches cosign.pub From 52e6a456ad47d52ccd45b10a5164e8d6359b725a Mon Sep 17 00:00:00 2001 From: RJ Trujillo Date: Sun, 31 Dec 2023 03:41:45 -0700 Subject: [PATCH 7/7] feat(ci): Verify base image with cosign before building (#211) * feat(ci): Verify base image with cosign before building Validates the integrity of the base image being built from via cosign before continuing to build. Ensures we only build with signed images * fix(ci): Extract base image name from base image URL for verification --- .github/workflows/build.yml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2f961cf1f4..34638af9d7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -43,13 +43,6 @@ jobs: # !!! steps: - - name: Maximize build space - uses: AdityaGarg8/remove-unwanted-software@v1 - with: - remove-dotnet: 'true' - remove-android: 'true' - remove-haskell: 'true' - # Checkout push-to-registry action GitHub repository - name: Checkout Push to Registry action uses: actions/checkout@v4 @@ -84,7 +77,14 @@ jobs: echo "IMAGE_NAME=$(yq '.name' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_DESCRIPTION=$(yq '.description' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV echo "IMAGE_MAJOR_VERSION=$(yq '.image-version' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV - echo "BASE_IMAGE_URL=$(yq '.base-image' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV + BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }}) + echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV + echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV + + - name: Verify base image + uses: EyeCantCU/cosign-action/verify@v0.2.1 + with: + containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }} - name: Get current version id: labels @@ -158,6 +158,13 @@ jobs: with: string: ${{ env.IMAGE_NAME }} + - name: Maximize build space + uses: AdityaGarg8/remove-unwanted-software@v1 + with: + remove-dotnet: 'true' + remove-android: 'true' + remove-haskell: 'true' + # Build image using Buildah action - name: Build Image id: build_image