
Commit 2ebe1ba

Merge pull request #1463 from carvel-dev/add-signature
Signature verification added, release notes automated
2 parents 899e1a1 + 141a703 commit 2ebe1ba

File tree

1 file changed

+154
-2
lines changed


.github/workflows/release-process.yml

Lines changed: 154 additions & 2 deletions
@@ -10,6 +10,10 @@ jobs:
1010
kapp-controller-release:
1111
name: kapp-controller release
1212
runs-on: ubuntu-latest
13+
permissions:
14+
contents: write
15+
packages: write
16+
id-token: write
1317
steps:
1418
- name: Check out code
1519
uses: actions/[email protected]
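Review bot: scoping `permissions` at the job level is the right call, but `id-token: write` deserves a comment explaining its blast radius: every step in this job, including third-party actions, can now request an OIDC token that Fulcio will exchange for a certificate naming this workflow, i.e. anything running in the job can produce signatures that the verification commands below will accept. Together with `packages: write` (needed to push the signature layers to GHCR) and `contents: write` (needed by the release step), that makes SHA-pinning of every action in this job a release-integrity control rather than hygiene; a one-line comment per grant stating why it is needed would make that explicit for future edits.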
@@ -37,6 +41,9 @@ jobs:
3741
with:
3842
go-version: 1.21.6
3943

44+
- name: Set up Cosign
45+
uses: sigstore/cosign-installer@v3
46+
4047
- name: Run release script
4148
run: |
4249
set -e -x
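Review bot: `uses: sigstore/cosign-installer@v3` is a mutable major-version tag, whereas `softprops/action-gh-release` further down this file is pinned to a full commit SHA; pin the installer the same way, since it is the step that fetches the tool whose output everything downstream trusts, and consider fixing the cosign version it installs so a verifier can reproduce the exact signing client used for a release.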
@@ -50,14 +57,146 @@ jobs:
5057
./hack/build-binaries.sh
5158
cp ./kctrl-* ../release/
5259
60+
- name: Sign kapp-controller OCI image
61+
run: |
62+
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
63+
cosign sign --yes "$image_url"
64+
65+
- name: Verify signature on Kapp-controller OCI image
66+
run: |
67+
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
68+
cosign verify \
69+
$image_url \
70+
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
71+
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
72+
5373
- name: Run Package build
5474
run: |
5575
constraintVersion="${{ github.ref_name }}"
5676
./cli/kctrl-linux-amd64 pkg release -y -v ${constraintVersion:1} --debug
5777
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/metadata.yml ./carvel-artifacts/packages/kapp-controller.carvel.dev/package-metadata.yml
5878
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/* release/
5979
60-
- name: Add to formatted checksum
80+
- name: Sign kapp-controller-package-bundle OCI image
81+
run: |
82+
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
83+
cosign sign --yes "$image_url"
84+
85+
- name: Verify signature on kapp-controller-package-bundle OCI image
86+
run: |
87+
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
88+
cosign verify \
89+
$image_url \
90+
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
91+
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
92+
93+
- name: Generate release notes
94+
run: |
95+
RELEASE_TAG=$(git describe --tags --abbrev=0)
96+
KAPP_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml)
97+
KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
98+
99+
RELEASE_NOTES="
100+
<details>
101+
<summary><h2>Installation and signature verification</h2></summary>
102+
103+
## Installation of kctrl
104+
105+
#### By downloading binary from the release
106+
For instance, if you are using Linux on an AMD64 architecture:
107+
108+
\`\`\`shell
109+
# Download the binary
110+
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/kctrl-linux-amd64
111+
# Move the binary in to your PATH
112+
mv kctrl-linux-amd64 /usr/local/bin/kctrl
113+
# Make the binary executable
114+
chmod +x /usr/local/bin/kctrl
115+
\`\`\`
116+
117+
#### Via Homebrew (macOS or Linux)
118+
\`\`\`shell
119+
$ brew tap carvel-dev/carvel
120+
$ brew install kctrl
121+
$ kctrl version
122+
\`\`\`
123+
124+
## Verify checksums file signature
125+
126+
Install cosign on your system https://docs.sigstore.dev/system_config/installation/
127+
128+
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:
129+
130+
\`\`\`shell
131+
# Download the checksums file, certificate, and signature
132+
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
133+
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
134+
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig
135+
136+
### Verify the checksums file
137+
cosign verify-blob checksums.txt \
138+
--certificate checksums.txt.pem \
139+
--signature checksums.txt.sig \
140+
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
141+
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
142+
\`\`\`
143+
144+
### Verify binary integrity
145+
146+
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:
147+
148+
\`\`\`shell
149+
# Verify the binary using the checksums file
150+
sha256sum -c checksums.txt --ignore-missing
151+
\`\`\`
152+
153+
## Installation of kapp-controller
154+
155+
kapp-controller can be installed by using kapp
156+
157+
\`\`\`shell
158+
kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/$RELEASE_TAG/download/release.yml
159+
\`\`\`
160+
161+
or by using kubectl
162+
\`\`\`shell
163+
kubectl deploy -f https://github.com/carvel-dev/kapp-controller/releases/$RELEASE_TAG/download/release.yml
164+
\`\`\`
165+
166+
### Container Images
167+
168+
Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry.
169+
170+
### OCI Image URLs
171+
172+
- $KAPP_CONTROLLER_IMAGE
173+
- $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE
174+
175+
### Verify container image signature
176+
177+
The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
178+
179+
\`\`\`shell
180+
# Verifying kapp-controller image
181+
cosign verify $KAPP_CONTROLLER_IMAGE \
182+
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
183+
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
184+
-o text
185+
186+
# Verifying kapp-controller-package-bundle image
187+
cosign verify $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
188+
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
189+
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
190+
-o text
191+
\`\`\`
192+
</summary>
193+
</details>
194+
195+
196+
"
197+
echo "$RELEASE_NOTES" > ./tmp/release_notes.txt
198+
199+
- name: Create formatted checksum and add it to release notes
61200
run: |
62201
pushd release
63202
shasum -a 256 ./release.yml ./kctrl-* ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
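Review bot: the identity check used in the four `cosign verify` invocations and in the user-facing release notes is too loose. `--certificate-identity-regexp=https://github.com/${{ github.repository_owner }}` is an unanchored regular expression (and `.` matches any character), so it accepts any certificate whose subject merely contains that prefix, including workflows in other repositories under the same owner and, if the owner name is a prefix of another, those owners too. Prefer the exact form `--certificate-identity=https://github.com/<owner>/<repo>/.github/workflows/release-process.yml@refs/tags/<tag>` (the workflow path and ref are what GitHub puts in the certificate SAN), or at least anchor the regexp with `^` and escape the dots and extend it through the repository name and workflow path.

Smaller points in the same hunk: `$image_url` is quoted in the `cosign sign --yes "$image_url"` steps but unquoted in both `cosign verify \ $image_url \` steps; quote it consistently, and `$(...)` is preferable to backticks for the `yq` substitutions. In the generated notes, `kubectl deploy -f ...` is not a kubectl subcommand (`kubectl apply -f` is what the text intends), and the kapp/kubectl lines use `releases/$RELEASE_TAG/download/release.yml` while the curl lines above use `releases/download/$RELEASE_TAG/...`; the two URL shapes should agree. The stray `</summary>` just before `</details>` has no matching open tag (the summary was already closed on the `<summary><h2>...</h2></summary>` line) and will render as literal text in some Markdown renderers. Finally, `RELEASE_TAG=$(git describe --tags --abbrev=0)` can disagree with `${{ github.ref_name }}`, which the package build step uses; picking one source for the tag avoids notes that point at the wrong release.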
@@ -66,13 +205,26 @@ jobs:
66205
echo '```' | tee -a ./tmp/checksums-formatted.txt
67206
cat ./tmp/checksums.txt | tee -a ./tmp/checksums-formatted.txt
68207
echo '```' | tee -a ./tmp/checksums-formatted.txt
208+
cat ./tmp/checksums-formatted.txt | tee -a ./tmp/release_notes.txt
209+
210+
- name: Sign checksums.txt
211+
run: |
212+
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
213+
214+
- name: Verify checksums signature
215+
run: |
216+
cosign verify-blob \
217+
--cert release/checksums.txt.pem \
218+
--signature release/checksums.txt.sig \
219+
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
220+
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
69221
70222
- name: Create release draft and upload release yaml
71223
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844
72224
with:
73225
name: ${{ github.ref_name }}
74226
token: ${{ secrets.GITHUB_TOKEN }}
75-
body_path: ./tmp/checksums-formatted.txt
227+
body_path: ./tmp/release_notes.txt
76228
files: |
77229
./release/*
78230
./tmp/checksums.txt
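Review bot: the `cosign verify-blob` step here carries the same unanchored `--certificate-identity-regexp` as the image checks, so it does not actually prove the checksums were signed by this workflow; tighten it in the same way. It also spells the flag `--cert` while the instructions written into the release notes use `--certificate`; keep the CI command and the published instructions identical so users can copy one verified command. The ordering is otherwise sound: `checksums.txt` is hashed after all artifacts exist, signed before upload, and the `.pem`/`.sig` land in `release/` so `./release/*` picks them up alongside `./tmp/checksums.txt`.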
