Merge pull request #49 from nginxinc/areste-contributing

dareste · web-flow · commit 307593a909e6 · 2024-09-27T09:38:08.000+02:00
Define Github actions permissions and sign assets
diff --git a/.github/workflows/go-builder.yml b/.github/workflows/go-builder.yml
diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml
@@ -1,5 +1,8 @@
 name: Build and upload release artifact
 
+permissions:
+  contents: read
+
 on:
   release:
     types: [created]
@@ -9,44 +12,60 @@ env:
 
 jobs:
   build:
+    permissions:
+      contents: write
+
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout code
-      uses: actions/checkout@v4
-
-    - name: Set Release Version
-      run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
-
-    - name: Set up Go
-      uses: actions/setup-go@v5
-      with:
-        go-version: '1.22.4'
-
-    - name: Build
-      run: |
-        BUILD=$(git log --format='%H' -n 1)
-        VERSION=$RELEASE_VERSION
-        OSES="linux darwin windows"
-        ARCHS="amd64 arm64"
-        IFS=" "
-
-        for OS in $OSES; do
-        for ARCH in $ARCHS; do
-        echo "OS: ${OS} and ARCH: ${ARCH}"
-        CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
-                                                   -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
-                                                   -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
-        cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
-        tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
-        done; done
-
-    - name: Upload release binaries
-      uses: alexellis/upload-assets@0.4.0
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
-      with:
-        asset_paths: '["./release/*.gz"]'
-
-    - name: Update new version in krew-index
-      uses: rajatjindal/krew-release-bot@v0.0.46
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set Release Version
+        run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.4'
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.6.0
+        with:
+          cosign-release: 'v2.4.0'
+
+      - name: Check cosign version
+        run: cosign version
+
+      - name: Build
+        run: |
+          set -e
+          BUILD=$(git log --format='%H' -n 1)
+          VERSION=$RELEASE_VERSION
+          OSES="linux darwin windows"
+          ARCHS="amd64 arm64"
+          IFS=" "
+          
+          for OS in $OSES; do
+          for ARCH in $ARCHS; do
+          echo "OS: ${OS} and ARCH: ${ARCH}"
+          CGO_ENABLED=0 GOOS=${OS} GOARCH=${ARCH} go build -ldflags "-w -s -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Build=$BUILD\
+                                                     -X github.com/nginxinc/nginx-k8s-supportpkg/pkg/version.Version=$VERSION"\
+                                                     -o release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/kubectl-nginx_supportpkg
+          cp LICENSE release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/
+          tar czvf release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz -C release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}/ .
+          sha256sum "release/kubectl-nginx_supportpkg_${VERSION}_${OS}_${ARCH}.tar.gz" >> "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt"
+          done; done
+          cosign sign-blob "release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt" \
+                --output-signature="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.sig" \
+                --output-certificate="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.pem" -y
+
+      - name: Upload release binaries
+        uses: alexellis/upload-assets@0.4.1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          asset_paths: '["./release/*.gz", "./release/*.txt", "./release/*.sig", "./release/*.pem"]'
+
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@v0.0.46
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -2,7 +2,7 @@ name: OpenSSF Scorecards
 on:
   branch_protection_rule: # yamllint disable-line rule:empty-values
   schedule:
-    - cron: "28 14 * * 2" # Run every Tuesday at 14:28 UTC
+    - cron: "28 14 * * *" # Run daily at 14:28 UTC
   push:
     branches:
       - main
