From a3eba2baa9b13c24a549f9f7bd6d5d2f6be61e21 Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Tue, 8 Nov 2022 12:13:27 +0100 Subject: [PATCH] feat: sign pulumi binaries with cosign Co-authored-by: Aaron Friel --- .github/workflows/ci-build-binaries.yml | 3 + .github/workflows/ci-prepare-release.yml | 68 +++++++++++-------- .github/workflows/ci.yml | 1 + .github/workflows/on-merge.yml | 6 ++ .github/workflows/on-pr.yml | 8 +++ .../pr-test-acceptance-on-dispatch.yml | 4 ++ ...-ci--sign-pulumi-binaries-with-cosign.yaml | 4 ++ 7 files changed, 67 insertions(+), 27 deletions(-) create mode 100644 changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml diff --git a/.github/workflows/ci-build-binaries.yml b/.github/workflows/ci-build-binaries.yml index 4990d1627a18..861490348cac 100644 --- a/.github/workflows/ci-build-binaries.yml +++ b/.github/workflows/ci-build-binaries.yml @@ -48,6 +48,9 @@ jobs: env: PULUMI_VERSION: ${{ inputs.version }} + permissions: + id-token: write + steps: - name: "Windows cache workaround" # https://github.com/actions/cache/issues/752#issuecomment-1222415717 diff --git a/.github/workflows/ci-prepare-release.yml b/.github/workflows/ci-prepare-release.yml index e5cb4359a323..0775eee3d941 100644 --- a/.github/workflows/ci-prepare-release.yml +++ b/.github/workflows/ci-prepare-release.yml @@ -3,6 +3,8 @@ name: Prepare permissions: # To create a draft release contents: write + # To sign artifacts. + id-token: write on: workflow_call: 
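Review bot: The job-level `permissions:` block added to the build job in ci-build-binaries.yml grants `id-token: write`, yet no step in this hunk, or elsewhere in the patch for this workflow, invokes cosign; the signing loop lives in the sign job of ci-prepare-release.yml. If nothing in this job signs, drop the grant; if a later step does, say so next to it, e.g. `# To sign build artifacts with cosign (keyless OIDC).`. Note also that a job-level `permissions:` sets every scope it omits to `none`, so if this job relies on `contents: read` for checkout or the cache action it now has to be listed explicitly alongside `id-token: write`.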
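Review bot: In ci-prepare-release.yml the new `id-token: write` sits in the workflow-level `permissions:`, so every job in the file inherits it, including the publish job that the Rename SDKs comment refers to, although only the sign job runs `cosign sign-blob`. OIDC minting is not needed to publish; move the grant into the sign job's own `permissions:` and leave the workflow level at `contents: write`. The `# To sign artifacts.` comment then sits beside the job that actually signs.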
@@ -47,29 +49,47 @@ jobs: with: ref: ${{ inputs.ref }} - - name: Install rsign2 - uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0 - with: - crate: rsign2 - version: 0.6.1 - - name: Install b3sum uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0 with: crate: b3sum version: 1.3.0 + - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 + - name: Download all artifacts uses: actions/download-artifact@v2 with: path: artifacts.tmp - + - name: Rename SDKs + # This step must match the rename SDKs step in the "publish" job below. + run: | + ( + cd artifacts.tmp/artifacts-dotnet-sdk + for file in *.nupkg ; do + mv -vT "$file" "sdk-dotnet-$file" + done + ) + ( + cd artifacts.tmp/artifacts-python-sdk + for file in *.whl ; do + mv -vT "$file" "sdk-python-$file" + done + ) + ( + cd artifacts.tmp/artifacts-nodejs-sdk + for file in *.tgz ; do + mv -vT "$file" "sdk-nodejs-$file" + done + ) - name: Flatten artifact directories run: | mkdir -p ./artifacts - mkdir -p ./sums.tmp mv ./artifacts.tmp/artifacts-*/* ./artifacts + - name: Create sums.tmp + run: mkdir -p ./sums.tmp + # Each of these commands strips the ./ prefix to match existing (<=3.39) formatting. - name: Checksums with SHA256 working-directory: artifacts 
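Review bot: The new Rename SDKs step in the sign job duplicates the rename loops of the publish job and depends on the comment `# This step must match the rename SDKs step in the "publish" job below.` to keep them aligned; if the two drift, the `.sig` bundles are produced for file names that are never published and verification has nothing to match against. Extract the three loops into one script that both jobs call, or perform the rename once in the job that produces the artifacts before they are uploaded. A smaller consistency point: the adjacent `actions/download-artifact@v2` is a floating tag while the new `sigstore/cosign-installer` line is SHA-pinned; the inputs to the signing step deserve the same pinning.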
@@ -85,30 +105,23 @@ jobs: working-directory: artifacts run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS - - name: Sign checksums - working-directory: sums.tmp - # Requires a signing key to be configured. - if: false + - name: Sign binaries and checksums shell: bash env: - # RELEASE_KEY: ${{ secrets.RELEASE_KEY }} version: ${{ inputs.version }} run: | - set -u - releaseKey="$(mktemp -d)/release.key" - echo "$RELEASE_KEY" > "${releaseKey}" - set -x - for file in *; do - echo | rsign sign \ - -p "${GITHUB_WORKSPACE}/.github/workflows/release.pub" \ - -s "${releaseKey}" \ - -t "${{ inputs.project }} v$version signed with automated key" \ - -c 'see website for signing information' \ - -x "${file}.auto.minisig" \ - "${file}" + ls -la + # Sign all artifacts and checksums: + for dir in "artifacts" "sums.tmp"; do + pushd "$dir" + for file in ./{artifacts,sums.tmp}/*; do + echo "$file" + COSIGN_EXPERIMENTAL=1 cosign sign-blob \ + --bundle="../sums.tmp/${file}".sig \ + "${file}" + done + popd done - rm "${releaseKey}" - cat ./*.auto.minisig - uses: actions/upload-artifact@v2 with: @@ -136,6 +149,7 @@ jobs: with: path: artifacts.tmp - name: Rename SDKs + # This step must match the rename SDKs step in the "sign" job above. run: | ( cd artifacts.tmp/artifacts-dotnet-sdk diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 68530abe8e14..f95a79e13646 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,7 @@ name: CI permissions: contents: read + id-token: write on: workflow_call: diff --git a/.github/workflows/on-merge.yml b/.github/workflows/on-merge.yml index ef50c79a980c..55a267c909b3 100644 --- a/.github/workflows/on-merge.yml +++ b/.github/workflows/on-merge.yml @@ -3,6 +3,8 @@ name: Merge permissions: # To create a draft release. contents: write + # To sign artifacts. + id-token: write on: push: 
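Review bot: The loop in the new `Sign binaries and checksums` step does not find its inputs: after `pushd "$dir"` the inner glob `./{artifacts,sums.tmp}/*` is resolved relative to that directory, i.e. it looks for `artifacts/artifacts/*` and `artifacts/sums.tmp/*`, and an unmatched pattern is handed to cosign literally, which fails the step under the `-e` that Actions applies to `shell: bash`. The bundle path `--bundle="../sums.tmp/${file}".sig` likewise embeds the `./artifacts/` prefix. The second pass over `sums.tmp` also picks up the `.sig` bundles the first pass just wrote there and signs them again, and the `version` env var is no longer read by the script. Suggested loop:
```yaml
run: |
  # … unchanged: ls -la …
  for dir in artifacts sums.tmp; do
    pushd "$dir"
    for file in ./*; do
      # sums.tmp holds the bundles written for artifacts; do not sign signatures.
      case "$file" in *.sig) continue ;; esac
      COSIGN_EXPERIMENTAL=1 cosign sign-blob \
        --bundle="../sums.tmp/${file#./}.sig" \
        "$file"
    done
    popd
  done
```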
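Review bot: ci.yml is a reusable workflow (`on: workflow_call:`) and the hunk adds `id-token: write` to its workflow-level `permissions:`, so every job it defines, including test jobs that execute the checked-out code, can request an OIDC token from the runner and obtain a Fulcio certificate for the repository's workflow identity. Scope the grant to the job that actually signs and mark it there, e.g. `# To sign artifacts with cosign; keep job-scoped.`. Whether any ci.yml job runs cosign is not visible in this patch.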
@@ -37,6 +39,8 @@ jobs: uses: ./.github/workflows/ci.yml permissions: contents: read + # To sign artifacts. + id-token: write with: ref: ${{ github.ref }} version: ${{ needs.info.outputs.version }} @@ -49,6 +53,8 @@ jobs: uses: ./.github/workflows/ci-prepare-release.yml permissions: contents: write + # To sign artifacts. + id-token: write with: ref: ${{ github.ref }} version: ${{ needs.info.outputs.version }} diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml index 804c332fcb48..187f78e82b1f 100644 --- a/.github/workflows/on-pr.yml +++ b/.github/workflows/on-pr.yml @@ -1,8 +1,12 @@ name: Pull Request permissions: + # To create a draft release. contents: write + # To comment on PRs. pull-requests: write + # To sign artifacts. + id-token: write on: pull_request: @@ -48,6 +52,8 @@ jobs: uses: ./.github/workflows/ci.yml permissions: contents: read + # To sign artifacts. + id-token: write with: ref: ${{ github.ref }} version: ${{ needs.info.outputs.version }} @@ -80,6 +86,8 @@ jobs: uses: ./.github/workflows/ci-prepare-release.yml permissions: contents: write + # To sign artifacts. + id-token: write with: ref: ${{ github.ref }} version: ${{ needs.info.outputs.version }} diff --git a/.github/workflows/pr-test-acceptance-on-dispatch.yml b/.github/workflows/pr-test-acceptance-on-dispatch.yml index 04f4b72c8828..c74a53592ba2 100644 --- a/.github/workflows/pr-test-acceptance-on-dispatch.yml +++ b/.github/workflows/pr-test-acceptance-on-dispatch.yml @@ -12,6 +12,8 @@ permissions: contents: read # Only the 'changelog-comment' job should use this permission. pull-requests: write + # To sign artifacts. + id-token: write concurrency: group: ${{ github.workflow }}-${{ github.event.client_payload.pull_request.number }} 
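Review bot: on-pr.yml now declares `id-token: write` at workflow level under a `pull_request` trigger, but for pull requests from forks GitHub issues a read-only token and no OIDC token at all, so the `cosign sign-blob` step in the called ci-prepare-release.yml would fail rather than sign, while for same-repo branches it produces signatures whose certificate identity is a PR merge ref. If prepare-release is meant to run on PRs, gate the sign step, e.g. `if: github.event_name != 'pull_request'`, or add an input that skips signing, and keep the grant on the one job that signs. Whether prepare-release currently runs for fork PRs is not visible here.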
@@ -51,6 +53,8 @@ jobs: uses: pulumi/pulumi/.github/workflows/ci.yml@master permissions: contents: read + # To sign artifacts. + id-token: write with: ref: refs/pull/${{ github.event.client_payload.pull_request.number }}/merge version: ${{ needs.info.outputs.version }} diff --git a/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml new file mode 100644 index 000000000000..28e1ef1dab01 --- /dev/null +++ b/changelog/pending/20221109--ci--sign-pulumi-binaries-with-cosign.yaml @@ -0,0 +1,4 @@ +changes: +- type: feat + scope: ci + description: GitHub release artifacts are now signed using [cosign](https://github.com/sigstore/cosign) and signatures are uploaded to the [Rekor transparency log](https://rekor.tlog.dev/).
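Review bot: The dispatch job in pr-test-acceptance-on-dispatch.yml runs `pulumi/pulumi/.github/workflows/ci.yml@master` on `refs/pull/<n>/merge` and now holds `id-token: write`, so pull-request code, possibly from a fork depending on who can fire the dispatch, executes in jobs whose OIDC token names the trusted `ci.yml@refs/heads/master` as `job_workflow_ref`; a Sigstore certificate minted from it carries the same subject as one from a release build. A verifier that checks only certificate identity and issuer would accept artifacts signed from such a run. Unless acceptance testing needs signed artifacts, leave the grant off here; if it is needed, the verification instructions must tell consumers to also match the workflow trigger and source SHA recorded in the certificate. Whether the ci.yml jobs invoke cosign is not shown in this patch.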