
feat: sign pulumi binaries with cosign #11310

Merged
merged 1 commit into from Dec 16, 2022

Conversation

dirien
Contributor

@dirien dirien commented Nov 9, 2022

Description

This PR adds cosign to the build process of the Pulumi binaries. I changed the pipeline so cosign can sign without keys by authenticating with OIDC. GitHub supports this.

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • I have run make changelog and committed the changelog/pending/<file> documenting my change
  • Yes, there are changes in this PR that warrants bumping the Pulumi Service API version
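The description above says the pipeline signs without keys by authenticating to Sigstore with GitHub's OIDC token. The workflow below is an added illustration of that pattern and is not the PR's own workflow: the job name, the `make dist` target, the artifact filenames and the workflow filename used in the verification identity are assumptions, and the flags follow cosign v2 (at the time of this PR, cosign 1.x needed `COSIGN_EXPERIMENTAL=1` for keyless mode). The second job shows the check a consumer would run before trusting a downloaded binary: the signing certificate must chain to the Fulcio root, its identity must be this repository's release workflow, and its issuer must be GitHub's OIDC provider; otherwise a valid signature from any other identity would pass.

```yaml
# Added example, not pulumi/pulumi's release workflow. Assumes cosign v2 and
# sigstore/cosign-installer; build target and file names are placeholders.
name: release-sign
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  # id-token: write lets the job mint a GitHub OIDC token; cosign trades it for a
  # short-lived Fulcio certificate, so no long-lived signing key is stored in CI.
  id-token: write

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - name: Build release archives (hypothetical target)
        run: make dist   # assumed to produce dist/pulumi-<os>-<arch>.tar.gz
      - name: Keyless-sign every archive
        run: |
          set -euo pipefail
          for f in dist/*.tar.gz; do
            # --yes acknowledges that the certificate (with the workflow identity)
            # is written to the public Rekor transparency log.
            cosign sign-blob --yes \
              --output-signature "$f.sig" \
              --output-certificate "$f.pem" \
              "$f"
          done
      - uses: actions/upload-artifact@v4
        with:
          name: signed-dist
          path: dist/

  # Consumer-side check, run here so a broken signing step fails the release.
  verify:
    needs: sign
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: sigstore/cosign-installer@v3
      - uses: actions/download-artifact@v4
        with:
          name: signed-dist
          path: dist/
      - name: Verify signature, certificate identity and OIDC issuer
        run: |
          set -euo pipefail
          for f in dist/*.tar.gz; do
            # Identity is the workflow path that produced the cert (filename assumed);
            # pinning it and the issuer is what makes keyless verification meaningful.
            cosign verify-blob \
              --certificate "$f.pem" \
              --signature "$f.sig" \
              --certificate-identity-regexp '^https://github\.com/pulumi/pulumi/\.github/workflows/release-sign\.yml@refs/tags/v' \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              "$f"
          done
```

A downstream user runs the same `cosign verify-blob` invocation against the downloaded archive, `.sig` and `.pem`; the identity regexp should be tightened to the exact tag being installed where the installer knows it.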

@pulumi-bot
Contributor

pulumi-bot commented Nov 9, 2022

Changelog

[uncommitted] (2022-12-16)

Features

Member

@AaronFriel AaronFriel left a comment


bors merge

bors bot added a commit that referenced this pull request Nov 12, 2022
11310: feat: sign pulumi binaries with cosign r=AaronFriel a=dirien

<!--- 
Thanks so much for your contribution! If this is your first time contributing, please ensure that you have read the [CONTRIBUTING](https://github.com/pulumi/pulumi/blob/master/CONTRIBUTING.md) documentation.
-->

# Description

<!--- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. -->

This PR adds cosign to the build process of the Pulumi binaries. I changed the pipeline so cosign can sign without keys by authenticating with OIDC. GitHub supports this.

## Checklist

<!--- Please provide details if the checkbox below is to be left unchecked. -->
- [ ] I have added tests that prove my fix is effective or that my feature works
<!--- 
User-facing changes require a CHANGELOG entry.
-->
- [x] I have run `make changelog` and committed the `changelog/pending/<file>` documenting my change
<!--
If the change(s) in this PR is a modification of an existing call to the Pulumi Service,
then the service should honor older versions of the CLI where this change would not exist.
You must then bump the API version in /pkg/backend/httpstate/client/api.go, as well as add
it to the service.
-->
- [ ] Yes, there are changes in this PR that warrants bumping the Pulumi Service API version
  <!-- `@Pulumi` employees: If yes, you must submit corresponding changes in the service repo. -->


Co-authored-by: Engin Diri <engin.diri@ediri.de>
@bors
Contributor

bors bot commented Nov 12, 2022

Timed out.

@dirien
Contributor Author

dirien commented Nov 14, 2022

bors merge

bors bot added a commit that referenced this pull request Nov 14, 2022
11310: feat: sign pulumi binaries with cosign r=dirien a=dirien
@bors
Contributor

bors bot commented Nov 14, 2022

Timed out.

@AaronFriel
Member

bors merge

bors bot added a commit that referenced this pull request Nov 14, 2022
11310: feat: sign pulumi binaries with cosign r=AaronFriel a=dirien
11341: Add tfconvert to pulumi convert r=Frassle a=Frassle

<!--- 
Thanks so much for your contribution! If this is your first time contributing, please ensure that you have read the [CONTRIBUTING](https://github.com/pulumi/pulumi/blob/master/CONTRIBUTING.md) documentation.
-->

# Description

<!--- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. -->

This adds tfconvert to `pulumi convert`, inline with the intention that all conversions will be mediated by the CLI/engine.

There are two reasons for adding other conversion systems to pulumi convert:
1. It means only the engine needs to worry about calling into all the language code generators, tfconvert now just has to concern itself with returning PCL output.
2. It means only the engine needs to worry about plugin and schema loading, tfconvert now just gets an interface passed to it for accessing schemas.

The longer term intention is that we shouldn't have a direct build link to tfconvert here, but instead "pluginify" converters in some way. Hopefully yaml, terraform, arm, helm, etc could all be handled by individual plugins.

With that in mind, we should name this such that it fits into our plugin system. I've currently set the `--from` argument as "terraform" but we probably don't want to use that as a plugin name because that would map to github.com/pulumi/pulumi-terraform which already exists and is a provider for terraform state.

I think we _probably_ want to go with "hcl", but open to other suggestions.

## Checklist

<!--- Please provide details if the checkbox below is to be left unchecked. -->
- [ ] I have added tests that prove my fix is effective or that my feature works
<!--- 
User-facing changes require a CHANGELOG entry.
-->
- [x] I have run `make changelog` and committed the `changelog/pending/<file>` documenting my change
<!--
If the change(s) in this PR is a modification of an existing call to the Pulumi Service,
then the service should honor older versions of the CLI where this change would not exist.
You must then bump the API version in /pkg/backend/httpstate/client/api.go, as well as add
it to the service.
-->
- [ ] Yes, there are changes in this PR that warrants bumping the Pulumi Service API version
  <!-- `@Pulumi` employees: If yes, you must submit corresponding changes in the service repo. -->


11345: Do not reference Pulumi nuget if a project reference to Pulumi.csproj already exists r=Zaid-Ajaj a=Zaid-Ajaj

When generating dotnet SDKs, if a schema doesn't specify a package reference to Pulumi nuget, we add it automatically by default. However, when generating test dotnet sdks, we also use project references that refer to the local Pulumi SDK and it is not correct to have either (although usually it compiles if you don't use latest SDK changes) 

This PR makes it so that if we are already referencing a local Pulumi SDK via a project reference, then we don't add a package reference to Pulumi



Co-authored-by: Engin Diri <engin.diri@ediri.de>
Co-authored-by: Fraser Waters <fraser@pulumi.com>
Co-authored-by: Zaid Ajaj <zaid.naom@gmail.com>
@bors
Contributor

bors bot commented Nov 14, 2022

This PR was included in a batch that timed out, it will be automatically retried

@bors
Contributor

bors bot commented Nov 14, 2022

Canceled.

@AaronFriel
Member

bors merge

@bors
Contributor

bors bot commented Nov 14, 2022

🕐 Waiting for PR status (GitHub check) to be set, probably by CI. Bors will automatically try to run when all required PR statuses are set.

bors bot added a commit that referenced this pull request Nov 14, 2022
11310: feat: sign pulumi binaries with cosign r=AaronFriel a=dirien
@bors
Contributor

bors bot commented Nov 14, 2022

Build failed (retrying...):

bors bot added a commit that referenced this pull request Nov 14, 2022
11310: feat: sign pulumi binaries with cosign r=AaronFriel a=dirien
@bors
Contributor

bors bot commented Nov 14, 2022

Build failed:

@AaronFriel
Member

bors retry

bors bot added a commit that referenced this pull request Nov 14, 2022
11310: feat: sign pulumi binaries with cosign r=AaronFriel a=dirien
@bors
Contributor

bors bot commented Nov 14, 2022

Build failed:

@AaronFriel
Member

bors retry

@AaronFriel
Member

bors retry

bors bot added a commit that referenced this pull request Nov 15, 2022
11310: feat: sign pulumi binaries with cosign r=AaronFriel a=dirien
@bors
Contributor

bors bot commented Nov 15, 2022

Build failed:

@AaronFriel
Member

bors merge

bors bot added a commit that referenced this pull request Dec 16, 2022
11310: feat: sign pulumi binaries with cosign r=AaronFriel a=dirien
@bors
Contributor

bors bot commented Dec 16, 2022

Build failed:

Co-authored-by: Aaron Friel <mayreply@aaronfriel.com>
@AaronFriel
Member

bors merge

@bors
Contributor

bors bot commented Dec 16, 2022

Build succeeded:

@bors bors bot merged commit 184e579 into master Dec 16, 2022
@bors bors bot deleted the cosign branch December 16, 2022 19:04
Labels
ci/test Test CI pipelines on this PR

3 participants