refactor release cloudbuild job

.github/workflows/validate-release.yml

@@ -58,6 +58,7 @@ jobs:
         run: |
           docker run --rm --privileged \
           -e PROJECT_ID=honk-fake-project \
+          -e CI=$CI \
           -e RUNTIME_IMAGE=gcr.io/distroless/static:debug-nonroot \
           -v ${PWD}:/go/src/sigstore/cosign \
           -v /var/run/docker.sock:/var/run/docker.sock \

.goreleaser.yml

@@ -11,6 +11,10 @@ before:
   hooks:
   - go mod tidy
   - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+# if running a release we will generate the images in this step
+# if running in the CI the CI env va is set and we dont run the ko steps
+# this is needed because we are generating files that goreleaser was not aware to push to GH project release
+  - /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release && make sign-keyless-release; fi'
 
 gomod:
   proxy: true
@@ -250,6 +254,7 @@ release:
 
   extra_files:
     - glob: "./release/release-cosign.pub"
+    - glob: "./cosign*.yaml"
 
 rigs:
   - rig:

release/cloudbuild.yaml

@@ -56,36 +56,14 @@ steps:
   - GIT_TAG=${_GIT_TAG}
   - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
   - COSIGN_EXPERIMENTAL=true
+  - KO_PREFIX=gcr.io/${PROJECT_ID}
   secretEnv:
   - GITHUB_TOKEN
   args:
     - '-c'
     - |
-      make release
-
-- name: ghcr.io/gythialy/golang-cross:v1.17.7-0@sha256:949325ffc52c16867d78412ce70f5ce531812c20e7528ae70dc9e718d72223e8
-  entrypoint: 'bash'
-  dir: "go/src/sigstore/cosign"
-  env:
-  - "GOPATH=/workspace/go"
-  - "GOBIN=/workspace/bin"
-  - PROJECT_ID=${PROJECT_ID}
-  - KEY_LOCATION=${_KEY_LOCATION}
-  - KEY_RING=${_KEY_RING}
-  - KEY_NAME=${_KEY_NAME}
-  - KEY_VERSION=${_KEY_VERSION}
-  - GIT_TAG=${_GIT_TAG}
-  - KO_PREFIX=gcr.io/${PROJECT_ID}
-  - COSIGN_EXPERIMENTAL=true
-  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
-  secretEnv:
-  - GITHUB_TOKEN
-  args:
-  - '-c'
-  - |
-    gcloud auth configure-docker \
-    && make sign-container-release \
-    && make sign-keyless-release
+      gcloud auth configure-docker \
+      && make release
 
 availableSecrets:
   secretManager:
@@ -98,7 +76,7 @@ artifacts:
     paths:
     - "go/src/sigstore/cosign/dist/*"
     - "go/src/sigstore/cosign/release/release-cosign.pub"
-    - "go/src/sigstore/cosign/cosign*.yaml
+    - "go/src/sigstore/cosign/cosign*.yaml"
 
 options:
   machineType: E2_HIGHCPU_8

release/release.mk

@@ -5,7 +5,7 @@
 # used when releasing together with GCP CloudBuild
 .PHONY: release
 release:
-	LDFLAGS="$(LDFLAGS)" goreleaser release --timeout 60m
+	LDFLAGS="$(LDFLAGS)" goreleaser release --timeout 120m
 
 ###########################
 # sign with GCP KMS section