Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(ci): add cosign to sign the released binaries #459

Merged
merged 4 commits into from
Feb 5, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 44 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,10 @@ jobs:
shell: bash
run: ./scripts/parse_ref.sh ${{ github.ref }} >> ${GITHUB_OUTPUT}

build:
build-and-sign:
permissions:
# cosign uses the GitHub OIDC token
id-token: write
Mossaka marked this conversation as resolved.
Show resolved Hide resolved
needs:
- parse
strategy:
Expand All @@ -38,30 +41,67 @@ jobs:
runs-on: "ubuntu-22.04"
steps:
- uses: actions/checkout@v3

- name: Setup build env
run: ./scripts/setup-linux.sh
- uses: actions-rust-lang/setup-rust-toolchain@v1

- name: Setup rust toolchain
uses: actions-rust-lang/setup-rust-toolchain@v1
env:
RUST_CACHE_KEY_OS: rust-release-cache-${{ needs.parse.outputs.crate }}-${{ matrix.arch }}
with:
rustflags: '' #Disable. By default this action sets environment variable is set to -D warnings. We manage this in the Makefile

- name: Setup cross-rs
run: ./scripts/setup-cross.sh ${{ matrix.arch }}-unknown-linux-musl

- name: Setup build profile
shell: bash
run: echo "OPT_PROFILE=release" >> ${GITHUB_ENV}

- name: Setup cosign for signing
uses: sigstore/[email protected]
with:
cosign-release: 'v2.2.2'

- name: Build
timeout-minutes: 20
run: make build-${{ needs.parse.outputs.runtime }}

- name: Test
if: ${{ matrix.arch == 'x86_64' }}
timeout-minutes: 10
run: make test-${{ needs.parse.outputs.runtime }}

- name: Sign the binary
if: ${{ needs.parse.outputs.runtime != 'wasm' }}
run: |
make dist-${{ needs.parse.outputs.runtime }}
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
Comment on lines +79 to +81
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the scenario where there are no files after running make dist-*

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You meant afer make build-*?

If we release containerd-shim-wasm-test-modules, I think there will be no files in disk/bin.

cosign sign-blob --yes \
--bundle containerd-shim-${{ needs.parse.outputs.runtime }}-v1.bundle \
dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}-v1

cosign sign-blob --yes \
--bundle containerd-shim-${{ needs.parse.outputs.runtime }}d-v1.bundle \
dist/bin/containerd-shim-${{ needs.parse.outputs.runtime }}d-v1

cosign sign-blob --yes \
--bundle containerd-${{ needs.parse.outputs.runtime }}d.bundle \
dist/bin/containerd-${{ needs.parse.outputs.runtime }}d

# Copy the certs to the dist/bin folder
cp *.sig dist/bin/
cp *.pem dist/bin/
else
echo "No files to sign"
fi

- name: Package artifacts
if: ${{ needs.parse.outputs.runtime != 'wasm' }}
shell: bash
run: |
make dist-${{ needs.parse.outputs.runtime }}
# Check if there's any files to archive as tar fails otherwise
if stat dist/bin/* >/dev/null 2>&1; then
tar -czf dist/containerd-shim-${{ needs.parse.outputs.runtime }}-${{ matrix.arch }}.tar.gz -C dist/bin .
Expand All @@ -79,7 +119,7 @@ jobs:
permissions:
contents: write
needs:
- build
- build-and-sign
- parse
runs-on: ubuntu-latest
steps:
Expand Down
15 changes: 14 additions & 1 deletion RELEASE.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,13 +38,26 @@ containerd-shim-wasm = { path = "crates/containerd-shim-wasm", version = "0.4.0"
2. PR can be merged after 2 LGTMs
3. Tag the release with the format `<crate>/v<version>` (e.g. `containerd-shim-wasm/v0.2.0`)
4. Wait for the release workflow to complete
5. Manually verify the release on crates.io and on the GitHub releases page.
5. Manually verify the release on crates.io and on the GitHub releases page (See [Verify signing](#Verify-signing) section for more details on verifying the release on GitHub releases page.)
6. If this is the first time publishing this crate, see the [First release of a crate](#First-release-of-a-crate) section.

> Note: If step 1 and/or 2 is skipped, the release workflow will fail because the version in the Cargo.toml will not match the tag.
>
> For step 5, some crates have binaries, such as the containerd-shim-wasmtime crate. These binaries are built as part of the release workflow and uploaded to the GitHub release page. You can download the binaries from the release page and verify that they work as expected.

## Verify signing

The release pipeline uses `cosign` to sign the release blobs, if any. It uses Github's OIDC token to authenticate with Sigstore to prove identity and outputs a `.bundle` file, which contains a signature and a key. This file can be verified using `cosign verify-blob` command, providing the workflow tag and Github as the issuer. The full command looks like this (e.g. wasmtime shim):

```sh
cosign verify-blob --bundle containerd-shim-wasmtime-v1.bundle \
--certificate-identity https://github.com/containerd/runwasi/.github/workflows/release.yml@refs/tags/containerd-shim-wasmtime/<tag> \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
containerd-shim-wasmtime-v1
```

In the Github release page, please provide the above command in the instructions for the consumer to verify the release.

## First release of a crate

If the crate has never been published to crates.io before then ownership of the crate will need to be configured.
Expand Down
Loading