
ci: generate attestations during a release #2785

Merged (6 commits), Jul 12, 2023

Conversation

@34fathombelow (Member) commented May 17, 2023

closes #2353
Can supersede #2783

This PR generates attestations during a release using a new release process. Each attestation contains a SLSA Level 3 provenance which is then cryptographically signed. A SLSA provenance is generated for Argo Rollouts container images and CLI binaries that are published during a release. These provenances are non-falsifiable and generated using slsa-github-generator. The release workflow needed to be refactored in order to provide an isolated environment for each step of the build process. This ensures a build will not influence another build, while also denying access to the required permissions to sign an artifact or generate a provenance.

Notable Changes

  • Provenance for containers images
  • Provenance for CLI binaries

Low Impact Breaking Changes

  • Container images and provenance are signed using a keyless method that produces ephemeral certificates (we no longer manage private keys)
  • Only the latest tag will be used; the master tag has been removed on push events to the master branch.

Testing

All new and modified files have been fully tested in a public repo. Access to the repo can be requested for testing or trying out the new process.
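The description above says each release artifact gets a signed SLSA Level 3 provenance from slsa-github-generator, and the linked issue asks for verification to be documented. The block below is an added example, not code from this PR or from the slsa-github-generator project: it decodes a DSSE envelope, parses the in-toto Statement inside it, and applies the policy checks that slsa-verifier performs after cosign/sigstore has verified the signature (trusted builder, expected source repository and tag, subject digest equal to the artifact's sha256). The envelope, artifact bytes, tag `v9.9.9`, and workflow path `.github/workflows/release.yaml` are constructed sample data; the signature is a placeholder and is not checked here.

```python
"""Policy check over a SLSA v0.2 provenance carried in a DSSE envelope.

Added example; not code from the Argo Rollouts PR or from slsa-github-generator.
It mirrors what slsa-verifier checks once the sigstore signature is verified:
the payload is an in-toto Statement, the predicate is SLSA provenance, the
builder is the trusted slsa-github-generator workflow, the build was configured
from the expected source repo (and tag), and the subject digest matches the
artifact. The signature itself is NOT checked here; cosign/sigstore does that.
"""
import base64
import hashlib
import json
from typing import List, Optional

# slsa-github-generator SLSA3 builders: the container builder for images and the
# generic builder for CLI binaries. Workflow paths only; the @tag is compared off.
CONTAINER_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator"
                     "/.github/workflows/generator_container_slsa3.yml")
GENERIC_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator"
                   "/.github/workflows/generator_generic_slsa3.yml")
TRUSTED_BUILDERS = {CONTAINER_BUILDER, GENERIC_BUILDER}
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"


def decode_envelope(envelope_json: str) -> dict:
    """Return the in-toto Statement carried in a DSSE envelope."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
    return json.loads(base64.b64decode(env["payload"]))


def check_provenance(statement: dict, artifact: bytes, source_repo: str,
                     expected_tag: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto Statement")
    if statement.get("predicateType") != SLSA_V02:
        problems.append("predicate is not SLSA provenance v0.2")
    pred = statement.get("predicate", {})

    # builder.id is "<workflow path>@refs/tags/<version>". Trust the workflow
    # path, not any reusable workflow that merely claims to be SLSA3.
    builder_id = pred.get("builder", {}).get("id", "")
    if builder_id.split("@", 1)[0] not in TRUSTED_BUILDERS:
        problems.append("untrusted builder: %s" % builder_id)

    # configSource.uri is "git+https://github.com/<owner>/<repo>@<ref>". Pinning
    # the repo rejects a provenance produced by a fork running the same workflow.
    uri = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    repo, _, ref = uri.partition("@")
    if repo != "git+https://" + source_repo:
        problems.append("source repository mismatch: %s" % uri)
    if expected_tag is not None and ref != "refs/tags/" + expected_tag:
        problems.append("source ref %s is not tag %s" % (ref, expected_tag))

    # The subject binds the provenance to exactly these artifact bytes.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artifact sha256 %s not among subjects" % digest)
    return problems


# --- constructed sample data (not a real Argo Rollouts release) --------------
SAMPLE_ARTIFACT = b"constructed stand-in for a kubectl-argo-rollouts binary"
SAMPLE_REPO = "github.com/argoproj/argo-rollouts"
SAMPLE_TAG = "v9.9.9"  # hypothetical tag


def make_sample_envelope(artifact: bytes, builder: Optional[str] = None) -> str:
    """Wrap a constructed v0.2 provenance for `artifact` in a DSSE envelope."""
    builder = builder or GENERIC_BUILDER + "@refs/tags/v1.7.0"
    statement = {
        "_type": STATEMENT_TYPE,
        "predicateType": SLSA_V02,
        "subject": [{"name": "kubectl-argo-rollouts-linux-amd64",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder},
            "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
            "invocation": {"configSource": {
                "uri": "git+https://%s@refs/tags/%s" % (SAMPLE_REPO, SAMPLE_TAG),
                "digest": {"sha1": "0" * 40},
                "entryPoint": ".github/workflows/release.yaml"}},  # hypothetical
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # Placeholder signature; real envelopes carry a sigstore signature.
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "",
                                       "sig": base64.b64encode(b"placeholder").decode()}]})


if __name__ == "__main__":
    statement = decode_envelope(make_sample_envelope(SAMPLE_ARTIFACT))
    print("genuine artifact:",
          check_provenance(statement, SAMPLE_ARTIFACT, SAMPLE_REPO, SAMPLE_TAG) or "accepted")
    print("tampered artifact:",
          check_provenance(statement, SAMPLE_ARTIFACT + b"\x00", SAMPLE_REPO, SAMPLE_TAG))
```

Run it as-is to see a genuine artifact accepted and a one-byte modification rejected on the digest check. The builder check compares only the workflow path so a newer slsa-github-generator release tag still verifies; the repository check is what stops a fork from minting a provenance that otherwise looks identical.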

github-actions bot commented May 17, 2023

Go Published Test Results

1 990 tests in 118 suites (1 file): 1 990 passed, 0 skipped, 0 failed, 2m 37s

Results for commit b281958.


codecov bot commented May 17, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (3c5ac36) 81.67% compared to head (b281958) 81.67%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2785   +/-   ##
=======================================
  Coverage   81.67%   81.67%           
=======================================
  Files         133      133           
  Lines       20193    20193           
=======================================
  Hits        16493    16493           
  Misses       2847     2847           
  Partials      853      853           


github-actions bot commented May 17, 2023

E2E Tests Published Test Results

4 files, 4 suites, 3h 26m 4s
97 tests: 85 passed, 5 skipped, 7 failed
402 runs: 369 passed, 20 skipped, 13 failed

For more details on these failures, see this check.

Results for commit b281958.


@zachaller enabled auto-merge (squash) June 14, 2023 13:59
@zachaller disabled auto-merge June 14, 2023 14:07
sonarqubecloud commented

Kudos, SonarCloud Quality Gate passed!

0 Bugs (A), 0 Vulnerabilities (A), 0 Security Hotspots (A), 0 Code Smells (A)
No Coverage information; 6.1% Duplication

@zachaller merged commit 48e9aa3 into argoproj:master Jul 12, 2023
zachaller added a commit that referenced this pull request Jul 12, 2023
* ci: use keyless signing for main and release branches

Signed-off-by: Justin Marquis <[email protected]>

* fix typo

Signed-off-by: Justin Marquis <[email protected]>

* ci: generate attestations during a release

Signed-off-by: Justin Marquis <[email protected]>

* add release trigger script

Signed-off-by: Justin Marquis <[email protected]>

---------

Signed-off-by: Justin Marquis <[email protected]>
Signed-off-by: zachaller <[email protected]>
Co-authored-by: zachaller <[email protected]>
Signed-off-by: zachaller <[email protected]>
@zachaller added the cherry-pick-completed label (used once the PR has been cherry-picked to all requested releases) Jul 12, 2023
Successfully merging this pull request may close these issues: Document cosign verification
2 participants