
Commit a91aa20

Jake Sanderscpanato
andauthored
Fix the release (#987)
* fix goreleaser
* add platform flag to Dockerfiles, explicitly state TARGETARCH for goreleaser
* specify architecture-specific images to prevent race conditions with runtime images

Signed-off-by: Jake Sanders <[email protected]>
Co-authored-by: Carlos Panato <[email protected]>
1 parent ae36ba5 commit a91aa20


7 files changed

+54
-34
lines changed


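--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
@@ -50,7 +50,7 @@ jobs:
 -v /var/run/docker.sock:/var/run/docker.sock \
 -w /go/src/sigstore/cosign \
 --entrypoint="" \
-ghcr.io/gythialy/golang-cross:v1.17.2@sha256:24bb133da23e0d21a8e8a54416f652d753c7cb2ad8efb3e6a3ef652f597ada8f \
+ghcr.io/gythialy/golang-cross:v1.17.2-1@sha256:51f3c71079f6e1d7d0732b33bcc54ebd310f6ea155ac7dbe244a8695334bd50a \
 make snapshot
 
 - name: check binaries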

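--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -3,6 +3,7 @@ project_name: cosign
 env:
 - GO111MODULE=on
 - CGO_ENABLED=1
+- DOCKER_CLI_EXPERIMENTAL=enabled
 
 # Prevents parallel builds from stepping on eachothers toes downloading modules
 before:
@@ -166,59 +167,68 @@ dockers:
 # cosign Image
 - image_templates:
 - "gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-amd64"
-use: buildx
 dockerfile: Dockerfile
+goos: linux
+goarch: amd64
 build_flag_templates:
 - "--platform=linux/amd64"
-- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-- "--build-arg=ARCH=amd64"
+# TODO(dekkagaijin): remove suffix when race condition fixed
+- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
+- "--build-arg=TARGETARCH=amd64"
 - image_templates:
 - "gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-arm64v8"
-use: buildx
+goos: linux
 goarch: arm64
 dockerfile: Dockerfile
 build_flag_templates:
 - "--platform=linux/arm64/v8"
-- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-- "--build-arg=ARCH=arm64"
+# TODO(dekkagaijin): remove suffix when race condition fixed
+- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
+- "--build-arg=TARGETARCH=arm64"
 
 # cosigned Image
 - image_templates:
 - "gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-amd64"
-use: buildx
 dockerfile: Dockerfile.cosigned
+goos: linux
+goarch: amd64
 build_flag_templates:
 - "--platform=linux/amd64"
-- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-- "--build-arg=ARCH=amd64"
+# TODO(dekkagaijin): remove suffix when race condition fixed
+- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
+- "--build-arg=TARGETARCH=amd64"
 - image_templates:
 - "gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-arm64v8"
-use: buildx
+goos: linux
 goarch: arm64
 dockerfile: Dockerfile.cosigned
 build_flag_templates:
 - "--platform=linux/arm64/v8"
-- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-- "--build-arg=ARCH=arm64"
+# TODO(dekkagaijin): remove suffix when race condition fixed
+- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
+- "--build-arg=TARGETARCH=arm64"
 
 # sget Image
 - image_templates:
 - "gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-amd64"
-use: buildx
 dockerfile: Dockerfile.sget
+goos: linux
+goarch: amd64
 build_flag_templates:
 - "--platform=linux/amd64"
-- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-- "--build-arg=ARCH=amd64"
+# TODO(dekkagaijin): remove suffix when race condition fixed
+- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
+- "--build-arg=TARGETARCH=amd64"
 - image_templates:
 - "gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-arm64v8"
-use: buildx
+goos: linux
 goarch: arm64
 dockerfile: Dockerfile.sget
 build_flag_templates:
 - "--platform=linux/arm64/v8"
-- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}"
-- "--build-arg=ARCH=arm64"
+# TODO(dekkagaijin): remove suffix when race condition fixed
+- "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
+- "--build-arg=TARGETARCH=arm64"
 
 docker_manifests:
 - name_template: gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}
@@ -236,6 +246,7 @@ docker_manifests:
 
 docker_signs:
 - artifacts: all
+cmd: ./dist/cosign-linux-amd64
 args: [ "sign", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}" ]
 
 archives: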
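Review bot: The base image that is signature-checked is no longer the base image these six builds use. Each `dockers` entry now passes `--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64` or `-arm64`, while the `dockerfile verify -base-image-only` steps in release/cloudbuild.yaml run with `RUNTIME_IMAGE=${_RUNTIME_IMAGE}` unsuffixed. Assuming goreleaser receives the same `RUNTIME_IMAGE` value (its step environment is not visible here), the per-arch tags are pulled without a signature check; appending a suffix also implies the value is a tag rather than a digest. Until the suffix is removed, the pipeline should verify `${_RUNTIME_IMAGE}-amd64` and `${_RUNTIME_IMAGE}-arm64` with the same key, and the TODO should record the gap: `# TODO(dekkagaijin): remove suffix when race condition fixed; the suffixed base tags are not covered by 'dockerfile verify'`.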

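--- a/Dockerfile
+++ b/Dockerfile
@@ -16,8 +16,8 @@ ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug
 
 FROM $RUNTIME_IMAGE
 
-ARG ARCH
-COPY cosign-linux-${ARCH} /bin/cosign
+ARG TARGETARCH
+COPY cosign-linux-${TARGETARCH} /bin/cosign
 
 USER nobody
 ENTRYPOINT [ "/bin/cosign" ]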

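--- a/Dockerfile.cosigned
+++ b/Dockerfile.cosigned
@@ -16,8 +16,8 @@ ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug
 
 FROM $RUNTIME_IMAGE
 
-ARG ARCH
-COPY cosigned-linux-${ARCH} /bin/cosigned
+ARG TARGETARCH
+COPY cosigned-linux-${TARGETARCH} /bin/cosigned
 
 USER nobody
 ENTRYPOINT [ "/bin/cosigned" ]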

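--- a/Dockerfile.sget
+++ b/Dockerfile.sget
@@ -16,8 +16,8 @@ ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug
 
 FROM $RUNTIME_IMAGE
 
-ARG ARCH
-COPY sget-linux-${ARCH} /bin/sget
+ARG TARGETARCH
+COPY sget-linux-${TARGETARCH} /bin/sget
 
 USER nobody
 ENTRYPOINT [ "/bin/sget" ]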

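--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,7 @@ ifeq ($(DIFF), 1)
 GIT_TREESTATE = "dirty"
 endif
 
-PKG=github.com/sigstore/cosign/cmd/cosign/cli
+PKG=github.com/sigstore/cosign/cmd/cosign/cli/options
 
 LDFLAGS="-X $(PKG).GitVersion=$(GIT_VERSION) -X $(PKG).gitCommit=$(GIT_HASH) -X $(PKG).gitTreeState=$(GIT_TREESTATE) -X $(PKG).buildDate=$(BUILD_DATE)"
 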
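Review bot: A stale `PKG` path fails silently, because the Go linker ignores `-X` for a symbol it cannot find and the binary is then built with empty version and commit fields. Nothing visible in this hunk would catch the next package move. A comment above the line, `# PKG must be the package that declares GitVersion, gitCommit, gitTreeState and buildDate`, would record the coupling, and release validation could assert that the built binary reports a non-empty version. Whether .goreleaser.yml carries its own copy of this path is not visible here, so it may need the same update.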

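--- a/release/cloudbuild.yaml
+++ b/release/cloudbuild.yaml
@@ -32,7 +32,7 @@ steps:
 echo "Checking out ${_TOOL_REF}"
 git checkout ${_TOOL_REF}
 
-- name: 'gcr.io/projectsigstore/cosign:v1.2.0@sha256:96ef6fb02c5a56901dc3c2e0ca34eec9ed926ab8d936ea30ec38f9ec9db017a5'
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
 dir: "go/src/sigstore/cosign"
 env:
 - RUNTIME_IMAGE=${_RUNTIME_IMAGE}
@@ -43,9 +43,8 @@ steps:
 - '-key'
 - 'https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub'
 - './Dockerfile'
-waitFor: ['-']
 
-- name: 'gcr.io/projectsigstore/cosign:v1.2.0@sha256:96ef6fb02c5a56901dc3c2e0ca34eec9ed926ab8d936ea30ec38f9ec9db017a5'
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
 dir: "go/src/sigstore/cosign"
 env:
 - RUNTIME_IMAGE=${_RUNTIME_IMAGE}
@@ -56,19 +55,29 @@ steps:
 - '-key'
 - 'https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub'
 - './Dockerfile.cosigned'
-waitFor: ['-']
 
-- name: 'gcr.io/projectsigstore/cosign:v1.2.0@sha256:96ef6fb02c5a56901dc3c2e0ca34eec9ed926ab8d936ea30ec38f9ec9db017a5'
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
+dir: "go/src/sigstore/cosign"
+env:
+- RUNTIME_IMAGE=${_RUNTIME_IMAGE}
+args:
+- 'dockerfile'
+- 'verify'
+- '-base-image-only'
+- '-key'
+- 'https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub'
+- './Dockerfile.sget'
+
+- name: 'gcr.io/projectsigstore/cosign:v1.2.1@sha256:68801416e6ae0a48820baa3f071146d18846d8cd26ca8ec3a1e87fca8a735498'
 dir: "go/src/sigstore/cosign"
 args:
 - 'verify'
 - '-key'
 - 'https://raw.githubusercontent.com/gythialy/golang-cross/master/cosign.pub'
-- 'ghcr.io/gythialy/golang-cross:v1.17.2@sha256:24bb133da23e0d21a8e8a54416f652d753c7cb2ad8efb3e6a3ef652f597ada8f'
-waitFor: ['-']
+- 'ghcr.io/gythialy/golang-cross:v1.17.2-1@sha256:51f3c71079f6e1d7d0732b33bcc54ebd310f6ea155ac7dbe244a8695334bd50a'
 
 # maybe we can build our own image and use that to be more in a safe side
-- name: ghcr.io/gythialy/golang-cross:v1.17.2@sha256:24bb133da23e0d21a8e8a54416f652d753c7cb2ad8efb3e6a3ef652f597ada8f
+- name: ghcr.io/gythialy/golang-cross:v1.17.2-1@sha256:51f3c71079f6e1d7d0732b33bcc54ebd310f6ea155ac7dbe244a8695334bd50a
 entrypoint: /bin/sh
 dir: "go/src/sigstore/cosign"
 env: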
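Review bot: The added `./Dockerfile.sget` verify step takes its trust root from `https://raw.githubusercontent.com/GoogleContainerTools/distroless/main/cosign.pub`, a branch URL, so the key is whatever `main` serves when the build runs. Pinning the path to a commit, `'https://raw.githubusercontent.com/GoogleContainerTools/distroless/<commit-sha>/cosign.pub'` (placeholder), or vendoring the key in this repository, would make a key change show up as a reviewed diff. The same holds for the existing Dockerfile and Dockerfile.cosigned steps and for the golang-cross key fetched from `master`. The tool and builder images in this file are pinned by digest, but the keys that vouch for them are not.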
