From f432ff4accc5a30eea7b31912aaafa9942b62f7e Mon Sep 17 00:00:00 2001 From: plata Date: Wed, 13 Dec 2023 20:10:52 +0100 Subject: [PATCH 1/4] fix: do not format just files in CI (#205) --- .github/workflows/build.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 61f22e97e3..e35cdc0fae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -54,9 +54,6 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 - - name: Check just syntax - uses: ublue-os/just-action@v1 - - name: Add yq (for reading recipe.yml) uses: mikefarah/yq@v4.40.4 From d124a99d38549f8aaa0d4722f69f9a40dbd43ca5 Mon Sep 17 00:00:00 2001 From: Menno Finlay-Smits Date: Sun, 17 Dec 2023 23:31:35 +1300 Subject: [PATCH 2/4] feat: Check that cosign.pub matches private key (#193) This avoids images which can't be updated due to `invalid signature` errors because cosign.pub doesn't match the private key actually used for signing. The error is caught early in the build process as there's no point creating an image if cosign.pub is wrong. Co-authored-by: mjs --- .github/workflows/build.yml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e35cdc0fae..ec476cbe68 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -54,6 +54,28 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 + # Confirm that cosign.pub matches SIGNING_SECRET + - uses: sigstore/cosign-installer@v3.2.0 + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' + + - name: Check SIGNING_SECRET matches cosign.pub + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PASSWORD: "" + COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }} + shell: bash + run: | + echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub" + delta=$(diff -u <(cosign public-key --key env://COSIGN_PRIVATE_KEY) cosign.pub) + if [ -z "$delta" ]; then + echo "cosign.pub matches SIGNING_SECRET" + else + echo "cosign.pub does not match SIGNING_SECRET" + echo "$delta" + exit 1 + fi + - name: Add yq (for reading recipe.yml) uses: mikefarah/yq@v4.40.4 @@ -180,9 +202,6 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} # Sign container - - uses: sigstore/cosign-installer@v3.2.0 - if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - - name: Sign container image if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' run: | From be8810523e2b8e0c2cc5ae46281014e9f910c9d0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 17:51:00 +0000 Subject: [PATCH 3/4] build(deps): bump mikefarah/yq from 4.40.4 to 4.40.5 (#207) Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.40.4 to 4.40.5. - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/v4.40.4...v4.40.5) --- updated-dependencies: - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-patch ... 
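Review bot: The mismatch branch of the new `Check SIGNING_SECRET matches cosign.pub` step is unreachable as written: because the step sets `shell: bash` explicitly, Actions runs the script with `-e -o pipefail`, and `delta=$(diff -u ...)` terminates the script with status 1 the moment `diff` reports a difference, before the `else` branch can echo the message and the delta. Capturing only stdout also conflates failure modes: if `cosign public-key` cannot read the secret, or `cosign.pub` is missing, the log would say "does not match" (and without `-e`, an empty `$delta` from a missing `cosign.pub` would silently pass the check) instead of surfacing the underlying error. Running the key derivation as its own command and placing `diff` directly in the `if` condition keeps the `-e` semantics intact, prints the unified diff on mismatch, and fails with cosign's own error when the key itself is unusable. In the same hunk, `COSIGN_EXPERIMENTAL: false` is a YAML boolean that Actions stringifies; `COSIGN_EXPERIMENTAL: "false"` states the intended string value explicitly.
```yaml
      - name: Check SIGNING_SECRET matches cosign.pub
        # … unchanged: if, env, shell …
        run: |
          echo "Checking for difference between public key from SIGNING_SECRET and cosign.pub"
          cosign public-key --key env://COSIGN_PRIVATE_KEY > "${RUNNER_TEMP}/derived.pub"
          if diff -u "${RUNNER_TEMP}/derived.pub" cosign.pub; then
            echo "cosign.pub matches SIGNING_SECRET"
          else
            echo "cosign.pub does not match SIGNING_SECRET"
            exit 1
          fi
```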
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ec476cbe68..744920686a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,7 +77,7 @@ jobs: fi - name: Add yq (for reading recipe.yml) - uses: mikefarah/yq@v4.40.4 + uses: mikefarah/yq@v4.40.5 - name: Gather image data from recipe run: | From b597ecd833fb2a477fee8d6d1ca26ca9ec4ce795 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Dec 2023 17:59:24 +0000 Subject: [PATCH 4/4] build(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#208) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/v3.2.0...v3.3.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 744920686a..2f961cf1f4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -55,7 +55,7 @@ jobs: uses: actions/checkout@v4 # Confirm that cosign.pub matches SIGNING_SECRET - - uses: sigstore/cosign-installer@v3.2.0 + - uses: sigstore/cosign-installer@v3.3.0 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/live' - name: Check SIGNING_SECRET matches cosign.pub