Skip to content

Commit

Permalink
remove cosign user/pass env and uncomment other workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
@momentmaker
momentmaker committed Aug 16, 2024
1 parent 193f36b commit ec2dd8a
Show file tree
Hide file tree
Showing 3 changed files with 82 additions and 111 deletions.
13 changes: 0 additions & 13 deletions .github/actions/goreleaser-build-sign-publish/action.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,15 +62,6 @@ inputs:
description: Enable signing of docker images
default: "false"
required: false
cosign-private-key:
description: The private key to be used with cosign to sign the image
required: false
cosign-public-key:
description: The public key to be used with cosign for verification
required: false
cosign-password:
description: The password to decrypt the cosign private key needed to sign the image
required: false
runs:
using: composite
steps:
Expand Down Expand Up @@ -113,7 +104,6 @@ runs:
- name: Run goreleaser release
shell: bash
env:
# ENABLE_COSIGN: ${{ inputs.enable-cosign }}
ENABLE_GORELEASER_SNAPSHOT: ${{ inputs.enable-goreleaser-snapshot }}
ENABLE_GORELEASER_SPLIT: ${{ inputs.enable-goreleaser-split }}
ENABLE_DOCKER_PUBLISH: ${{ inputs.enable-docker-publish }}
Expand All @@ -124,9 +114,6 @@ runs:
GORELEASER_CONFIG: ${{ inputs.goreleaser-config }}
GORELEASER_KEY: ${{ inputs.goreleaser-key }}
GITHUB_TOKEN: ${{ github.token }}
# COSIGN_PASSWORD: ${{ inputs.cosign-password }}
# COSIGN_PUBLIC_KEY: ${{ inputs.cosign-public-key }}
# COSIGN_PRIVATE_KEY: ${{ inputs.cosign-private-key }}
MACOS_SDK_DIR: ${{ inputs.macos-sdk-dir }}
run: |
# https://github.com/orgs/community/discussions/24950
Expand Down
12 changes: 0 additions & 12 deletions .github/actions/goreleaser-build-sign-publish/action_utils
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,9 @@
set -x
set -euo pipefail

# ENABLE_COSIGN=${ENABLE_COSIGN:-false}
ENABLE_GORELEASER_SNAPSHOT=${ENABLE_GORELEASER_SNAPSHOT:-false}
ENABLE_GORELEASER_SPLIT=${ENABLE_GORELEASER_SPLIT:-false}
ENABLE_DOCKER_PUBLISH=${ENABLE_DOCKER_PUBLISH:-false}
# COSIGN_PASSWORD=${COSIGN_PASSWORD:-""}
GORELEASER_EXEC=${GORELEASER_EXEC:-goreleaser}
GORELEASER_CONFIG=${GORELEASER_CONFIG:-.goreleaser.yaml}
IMAGE_PREFIX=${IMAGE_PREFIX:-"localhost:5001"}
Expand Down Expand Up @@ -69,11 +67,6 @@ goreleaser_release() {
flags=$(printf "%s " "${goreleaser_flags[@]}")
flags=$(echo "$flags" | sed 's/ *$//')

# if [[ $ENABLE_COSIGN == "true" ]]; then
# echo "$COSIGN_PUBLIC_KEY" > cosign.pub
# echo "$COSIGN_PRIVATE_KEY" > cosign.key
# fi

if [[ -n $MACOS_SDK_DIR ]]; then
MACOS_SDK_DIR=$(echo "$(cd "$(dirname "$MACOS_SDK_DIR")" || exit; pwd)/$(basename "$MACOS_SDK_DIR")")
fi
Expand All @@ -84,11 +77,6 @@ goreleaser_release() {
_publish_snapshot_images
_publish_snapshot_manifests
fi

# if [[ $ENABLE_COSIGN == "true" ]]; then
# rm -rf cosign.pub
# rm -rf cosign.key
# fi
}

"$@"
168 changes: 82 additions & 86 deletions .github/workflows/build-publish.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ on:
- "v*"
branches:
- "release/**"
- "re-2756/build-sign-publish-gha-goreleaser"

env:
ECR_HOSTNAME: public.ecr.aws
Expand All @@ -27,51 +26,51 @@ jobs:
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

# build-sign-publish-chainlink:
# needs: [checks]
# if: ${{ ! startsWith(github.ref_name, 'release/') }}
# runs-on: ubuntu-20.04
# environment: build-publish
# permissions:
# id-token: write
# contents: read
# outputs:
# docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
# docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
# steps:
# - name: Checkout repository
# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
build-sign-publish-chainlink:
needs: [checks]
if: ${{ ! startsWith(github.ref_name, 'release/') }}
runs-on: ubuntu-20.04
environment: build-publish
permissions:
id-token: write
contents: read
outputs:
docker-image-tag: ${{ steps.build-sign-publish.outputs.docker-image-tag }}
docker-image-digest: ${{ steps.build-sign-publish.outputs.docker-image-digest }}
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2

# - name: Build, sign and publish chainlink image
# id: build-sign-publish
# uses: ./.github/actions/build-sign-publish-chainlink
# with:
# publish: true
# aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
# aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
# aws-region: ${{ secrets.AWS_REGION }}
# ecr-hostname: ${{ env.ECR_HOSTNAME }}
# ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
# sign-images: true
# sign-method: "keypair"
# cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
# cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
# cosign-password: ${{ secrets.COSIGN_PASSWORD }}
# dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
# dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
# verify-signature: true
- name: Build, sign and publish chainlink image
id: build-sign-publish
uses: ./.github/actions/build-sign-publish-chainlink
with:
publish: true
aws-role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE_ARN }}
aws-role-duration-seconds: ${{ secrets.AWS_ROLE_DURATION_SECONDS }}
aws-region: ${{ secrets.AWS_REGION }}
ecr-hostname: ${{ env.ECR_HOSTNAME }}
ecr-image-name: ${{ env.ECR_IMAGE_NAME }}
sign-images: true
sign-method: "keypair"
cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosign-password: ${{ secrets.COSIGN_PASSWORD }}
dockerhub_username: ${{ secrets.DOCKERHUB_READONLY_USERNAME }}
dockerhub_password: ${{ secrets.DOCKERHUB_READONLY_PASSWORD }}
verify-signature: true

# - name: Collect Metrics
# if: always()
# id: collect-gha-metrics
# uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
# with:
# id: build-chainlink-publish
# org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
# basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
# hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
# this-job-name: build-sign-publish-chainlink
# continue-on-error: true
- name: Collect Metrics
if: always()
id: collect-gha-metrics
uses: smartcontractkit/push-gha-metrics-action@d9da21a2747016b3e13de58c7d4115a3d5c97935 # v3.0.1
with:
id: build-chainlink-publish
org-id: ${{ secrets.GRAFANA_INTERNAL_TENANT_ID }}
basic-auth: ${{ secrets.GRAFANA_INTERNAL_BASIC_AUTH }}
hostname: ${{ secrets.GRAFANA_INTERNAL_HOST }}
this-job-name: build-sign-publish-chainlink
continue-on-error: true

goreleaser-build-sign-publish-chainlink:
needs: [checks]
Expand Down Expand Up @@ -107,9 +106,6 @@ jobs:
zig-version: 0.11.0
enable-cosign: "true"
cosign-version: "v2.4.0"
cosign-password: ${{ secrets.COSIGN_PASSWORD }}
cosign-public-key: ${{ secrets.COSIGN_PUBLIC_KEY }}
cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}

- name: Output image name and digest
shell: sh
Expand All @@ -135,42 +131,42 @@ jobs:
continue-on-error: true

# Notify Slack channel for new git tags.
# slack-notify:
# if: github.ref_type == 'tag'
# needs: [build-sign-publish-chainlink]
# runs-on: ubuntu-24.04
# environment: build-publish
# steps:
# - name: Checkout repository
# uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
# - name: Notify Slack
# uses: smartcontractkit/.github/actions/slack-notify-git-ref@7fa90bbeff35aa6ce3a9054f542bcf10b7d47cec # slack-notify-git-ref@0.1.0
# with:
# slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }}
# slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot
# git-ref: ${{ github.ref_name }}
# git-ref-type: ${{ github.ref_type }}
# changelog-url: >-
# ${{
# github.ref_type == 'tag' &&
# format(
# 'https://github.com/{0}/blob/{1}/CHANGELOG.md',
# github.repository,
# github.ref_name
# ) || ''
# }}
# docker-image-name: >-
# ${{
# github.ref_type == 'tag' &&
# format(
# '{0}/{1}:{2}',
# env.ECR_HOSTNAME,
# env.ECR_IMAGE_NAME,
# needs.build-sign-publish-chainlink.outputs.docker-image-tag
# ) || ''
# }}
# docker-image-digest: >-
# ${{
# github.ref_type == 'tag' &&
# needs.build-sign-publish-chainlink.outputs.docker-image-digest || ''
# }}
slack-notify:
if: github.ref_type == 'tag'
needs: [build-sign-publish-chainlink]
runs-on: ubuntu-24.04
environment: build-publish
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Notify Slack
uses: smartcontractkit/.github/actions/slack-notify-git-ref@7fa90bbeff35aa6ce3a9054f542bcf10b7d47cec # slack-notify-git-ref@0.1.0
with:
slack-channel-id: ${{ secrets.SLACK_CHANNEL_RELEASE_NOTIFICATIONS }}
slack-bot-token: ${{ secrets.SLACK_BOT_TOKEN_RELENG }} # Releng Bot
git-ref: ${{ github.ref_name }}
git-ref-type: ${{ github.ref_type }}
changelog-url: >-
${{
github.ref_type == 'tag' &&
format(
'https://github.com/{0}/blob/{1}/CHANGELOG.md',
github.repository,
github.ref_name
) || ''
}}
docker-image-name: >-
${{
github.ref_type == 'tag' &&
format(
'{0}/{1}:{2}',
env.ECR_HOSTNAME,
env.ECR_IMAGE_NAME,
needs.build-sign-publish-chainlink.outputs.docker-image-tag
) || ''
}}
docker-image-digest: >-
${{
github.ref_type == 'tag' &&
needs.build-sign-publish-chainlink.outputs.docker-image-digest || ''
}}

0 comments on commit ec2dd8a

Please sign in to comment.