Add SLSA to goreleaser workflow #3075

Closed
manno opened this issue Nov 13, 2024 · 4 comments
Comments

manno commented Nov 13, 2024

When doing Prime releases, goreleaser needs to push to that registry.

Similar to https://github.com/rancher/ecm-distro-tools/blob/45fe661ce4c4d58e938e480383ce5ef26c251cb6/actions/publish-image/action.yaml#L163-L175

goreleaser should sign the image when doing the buildx of the image.

@manno manno added this to Fleet Nov 11, 2024
@manno manno converted this from a draft issue Nov 13, 2024
@manno manno added this to the v2.11.0 milestone Nov 13, 2024
@thardeck thardeck self-assigned this Nov 26, 2024
@thardeck thardeck moved this from 📋 Backlog to 🏗 In progress in Fleet Nov 26, 2024
@manno manno mentioned this issue Dec 11, 2024
thardeck commented Jan 31, 2025

Todo

  • Fix creating docker manifests for Prime (see issue mentioned above)
  • Add exception for fleet-agent to slsactl
  • Add attestation of provenance to the workflow
  • Use Docker image digest for cosign

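As an added example (not Fleet's own .goreleaser.yaml or workflow), this is how the digest-based cosign step from the list above can be expressed in a goreleaser configuration; the registry and image names are placeholders, and the `--provenance` flag is what attaches the provenance metadata the next comment discusses.

```yaml
# Added example, not Fleet's actual release config.
# REGISTRY_PLACEHOLDER stands for the Prime registry; image names are made up.
dockers:
  - id: fleet-amd64
    use: buildx
    goos: linux
    goarch: amd64
    image_templates:
      - "REGISTRY_PLACEHOLDER/fleet:{{ .Tag }}-linux-amd64"
    build_flag_templates:
      - "--platform=linux/amd64"
      # Emits SLSA provenance with the build. Note that buildx then pushes
      # the tag as an OCI index (manifest list), not a single-arch manifest.
      - "--provenance=true"

docker_manifests:
  - name_template: "REGISTRY_PLACEHOLDER/fleet:{{ .Tag }}"
    image_templates:
      - "REGISTRY_PLACEHOLDER/fleet:{{ .Tag }}-linux-amd64"

docker_signs:
  - id: image-signatures
    cmd: cosign
    artifacts: images
    # Weak form: signing by tag. A tag can be re-pointed after signing,
    # so the signature no longer proves which content was built:
    #   args: ["sign", "${artifact}", "--yes"]
    # Digest form: the signature is bound to the exact pushed content.
    # Keyless (Sigstore/OIDC) signing is used when no --key is given.
    args: ["sign", "${artifact}@${digest}", "--yes"]
    output: true
```

A consumer checks the result against the digest, not the tag, with `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<workflow identity regexp>' REGISTRY_PLACEHOLDER/fleet@sha256:<digest>`; the identity regexp is whatever the release workflow's OIDC subject is.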
thardeck commented

PR for slsactl.

thardeck commented Feb 3, 2025

The docker manifest creation issue is not related to the Prime registry permissions, but to the fact that we only use provenance metadata there.

docker manifest create then complains that the referenced docker image is a manifest list.

The issue is explained here.

Unfortunately the "real solution" does not work (as confirmed in the comments) because we are already using containerd as storage.

So until this is fixed I suppose we have to rely on yet another step. And signing for the manifest in GoReleaser is then also not possible.

thardeck commented Feb 3, 2025

All new releases should be signed in the Prime registry.

Successful run for Fleet v0.12.0-alpha.9: https://github.com/rancher/fleet/actions/runs/13118758740/job/36601584636

@thardeck thardeck closed this as completed Feb 3, 2025
@github-project-automation github-project-automation bot moved this from 🏗 In progress to ✅ Done in Fleet Feb 3, 2025