2022-07-13 08:04:46 -04:00
|
|
|
name: Build CLI
|
2022-07-04 06:16:11 -04:00
|
|
|
description: |
|
2023-03-20 11:05:08 -04:00
|
|
|
Builds CLI. Optionally, Sigstore tools
|
2022-07-13 08:04:46 -04:00
|
|
|
are used to sign CLI when inputs are provided. A draft release is published
|
|
|
|
when run on v* tag.
|
2022-07-04 06:16:11 -04:00
|
|
|
inputs:
|
2022-08-23 07:43:20 -04:00
|
|
|
targetOS:
|
2022-09-02 06:44:20 -04:00
|
|
|
description: "Build CLI for this OS. [linux, darwin]"
|
2022-08-23 07:43:20 -04:00
|
|
|
required: true
|
2022-09-02 06:44:20 -04:00
|
|
|
default: "linux"
|
2022-08-23 07:43:20 -04:00
|
|
|
targetArch:
|
2022-09-02 06:44:20 -04:00
|
|
|
description: "Build CLI for this architecture. [amd64, arm64]"
|
2022-08-23 07:43:20 -04:00
|
|
|
required: true
|
2022-09-02 06:44:20 -04:00
|
|
|
default: "amd64"
|
2022-09-13 08:27:38 -04:00
|
|
|
enterpriseCLI:
|
|
|
|
description: "Build CLI with enterprise flag."
|
|
|
|
required: false
|
|
|
|
default: "false"
|
2022-07-13 08:04:46 -04:00
|
|
|
cosignPublicKey:
|
2022-09-02 06:44:20 -04:00
|
|
|
description: "Cosign public key"
|
2022-07-07 06:18:41 -04:00
|
|
|
required: false
|
2022-09-02 06:44:20 -04:00
|
|
|
default: ""
|
2022-07-13 08:04:46 -04:00
|
|
|
cosignPrivateKey:
|
2022-09-02 06:44:20 -04:00
|
|
|
description: "Cosign private key"
|
2022-07-07 06:18:41 -04:00
|
|
|
required: false
|
2022-09-02 06:44:20 -04:00
|
|
|
default: ""
|
2022-07-13 08:04:46 -04:00
|
|
|
cosignPassword:
|
2022-09-02 06:44:20 -04:00
|
|
|
description: "Password for Cosign private key"
|
2022-07-07 06:18:41 -04:00
|
|
|
required: false
|
2022-09-02 06:44:20 -04:00
|
|
|
default: ""
|
2023-03-20 11:05:08 -04:00
|
|
|
outputPath:
|
|
|
|
description: "Output path of the binary"
|
|
|
|
required: false
|
2022-05-03 05:15:53 -04:00
|
|
|
runs:
|
2022-06-30 05:27:23 -04:00
|
|
|
using: "composite"
|
2022-05-03 05:15:53 -04:00
|
|
|
steps:
|
2022-06-30 05:27:23 -04:00
|
|
|
# https://github.blog/2022-04-12-git-security-vulnerability-announced/
|
|
|
|
- name: Mark repository safe
|
2023-01-18 04:15:58 -05:00
|
|
|
shell: bash
|
2022-06-30 05:27:23 -04:00
|
|
|
run: |
|
|
|
|
git config --global --add safe.directory /__w/constellation/constellation
|
2022-06-23 11:52:25 -04:00
|
|
|
|
2022-06-30 05:27:23 -04:00
|
|
|
- name: Build CLI
|
2023-01-18 04:15:58 -05:00
|
|
|
shell: bash
|
2023-03-20 11:05:08 -04:00
|
|
|
env:
|
|
|
|
GOOS: ${{ inputs.targetOS }}
|
|
|
|
GOARCH: ${{ inputs.targetArch }}
|
|
|
|
OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
|
2022-06-30 05:27:23 -04:00
|
|
|
run: |
|
2022-09-02 10:59:56 -04:00
|
|
|
echo "::group::Build CLI"
|
2023-03-20 11:05:08 -04:00
|
|
|
mkdir -p "$(dirname "${OUTPUT_PATH}")"
|
2022-09-13 08:27:38 -04:00
|
|
|
if [ ${{ inputs.enterpriseCLI }} == 'true' ]
|
|
|
|
then
|
2023-03-20 11:05:08 -04:00
|
|
|
cli_variant=enterprise
|
2022-09-13 08:27:38 -04:00
|
|
|
else
|
2023-03-20 11:05:08 -04:00
|
|
|
cli_variant=oss
|
2022-09-13 08:27:38 -04:00
|
|
|
fi
|
2023-03-20 11:05:08 -04:00
|
|
|
label="//cli:cli_${cli_variant}_${GOOS}_${GOARCH}"
|
|
|
|
bazel build "${label}"
|
|
|
|
repository_root=$(git rev-parse --show-toplevel)
|
|
|
|
out_rel=$(bazel cquery --output=files "${label}")
|
|
|
|
out_loc="$(realpath "${repository_root}/${out_rel}")"
|
|
|
|
cp "${out_loc}" "${OUTPUT_PATH}"
|
|
|
|
chmod +w "${OUTPUT_PATH}"
|
|
|
|
echo "$(dirname "${OUTPUT_PATH}")" >> $GITHUB_PATH
|
|
|
|
export PATH="$PATH:$(dirname "${OUTPUT_PATH}")"
|
2022-09-02 10:59:56 -04:00
|
|
|
echo "::endgroup::"
|
2022-07-04 06:16:11 -04:00
|
|
|
|
2022-08-23 07:43:20 -04:00
|
|
|
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
|
|
|
|
# once it has the functionality
|
|
|
|
- name: Install Cosign
|
2023-01-17 12:49:00 -05:00
|
|
|
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
2023-01-18 04:15:58 -05:00
|
|
|
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # tag=v2.8.1
|
2022-09-13 05:16:19 -04:00
|
|
|
|
2022-08-23 07:43:20 -04:00
|
|
|
- name: Install Rekor
|
2023-01-18 04:15:58 -05:00
|
|
|
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
|
|
|
shell: bash
|
|
|
|
working-directory: build
|
2022-08-23 07:43:20 -04:00
|
|
|
run: |
|
2022-09-14 10:30:13 -04:00
|
|
|
HOSTOS="$(go env GOOS)"
|
|
|
|
HOSTARCH="$(go env GOARCH)"
|
2023-01-19 05:22:31 -05:00
|
|
|
curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-${HOSTOS}-${HOSTARCH}
|
2022-09-14 10:30:13 -04:00
|
|
|
sudo install rekor-cli-${HOSTOS}-${HOSTARCH} /usr/local/bin/rekor-cli
|
|
|
|
rm rekor-cli-${HOSTOS}-${HOSTARCH}
|
2022-09-13 05:16:19 -04:00
|
|
|
|
2022-07-04 06:16:11 -04:00
|
|
|
- name: Sign CLI
|
2023-01-18 04:15:58 -05:00
|
|
|
if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
|
|
|
|
shell: bash
|
|
|
|
working-directory: build
|
|
|
|
env:
|
|
|
|
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
|
|
|
|
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
|
|
|
|
COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
|
2023-03-20 11:05:08 -04:00
|
|
|
OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
|
2022-06-30 05:27:23 -04:00
|
|
|
run: |
|
2022-07-04 06:16:11 -04:00
|
|
|
echo "$COSIGN_PUBLIC_KEY" > cosign.pub
|
|
|
|
# Enabling experimental mode also publishes signature to Rekor
|
2023-03-20 11:05:08 -04:00
|
|
|
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
|
2022-07-04 06:16:11 -04:00
|
|
|
# Verify - As documentation & check
|
|
|
|
# Local Signature (input: artifact, key, signature)
|
2023-03-20 11:05:08 -04:00
|
|
|
cosign verify-blob --key cosign.pub --signature "${OUTPUT_PATH}.sig" "${OUTPUT_PATH}"
|
2022-07-04 06:16:11 -04:00
|
|
|
# Transparency Log Signature (input: artifact, key)
|
2023-03-20 11:05:08 -04:00
|
|
|
uuid=$(rekor-cli search --artifact "${OUTPUT_PATH}" | tail -n 1)
|
2022-07-04 06:16:11 -04:00
|
|
|
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
|
2023-03-20 11:05:08 -04:00
|
|
|
cosign verify-blob --key cosign.pub --signature <(echo $sig) "${OUTPUT_PATH}"
|