
Commit 0b43c43

authored
Digestabotctl signing (#245)
Adds commit signing to digestabotctl behind a flag. It works with any of the cosign providers here: https://github.com/sigstore/cosign/tree/main/pkg/providers, and also with a custom provider for GitLab.
1 parent 841a111 commit 0b43c43

22 files changed

+2616
-89
lines changed

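--- a/digestabotctl/README.md
+++ b/digestabotctl/README.md
@@ -1,3 +1,76 @@
 # digestabotctl
 
-## Docs are [here](./docs)
+Updates image digests in files.
+
+## GitHub
+
+```
+jobs:
+digestabot:
+name: Digestabot
+runs-on: ubuntu-latest
+
+permissions:
+contents: write
+pull-requests: write
+id-token: write
+
+steps:
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: chainguard-dev/setup-chainctl@v0.3.2
+with:
+identity: '<your-assumable-id>'
+
+- name: digestabot
+env:
+DIGESTABOT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+DIGESTABOT_BRANCH: digestabot-update # branch to push commits to
+DIGESTABOT_CREATE_PR: true
+DIGESTABOT_PLATFORM: github
+DIGESTABOT_OWNER: org-owner
+DIGESTABOT_REPO: repo-name
+DIGESTABOT_SIGN: true # set to true if you want to sign commits with sigstore
+DIGESTABOT_EMAIL: committer email
+DIGESTABOT_NAME: committer username
+run: |
+./digestabotctl update files
+```
+
+## GitLab
+
+```
+stages:
+- update
+workflow:
+rules:
+- if: $CI_PIPELINE_SOURCE == "web" || $CI_PIPELINE_SOURCE == "schedule"
+variables:
+DIGESTABOT_TOKEN: ${PUSH_TOKEN}
+DIGESTABOT_BRANCH: digestabot-update # branch to push commits to
+DIGESTABOT_CREATE_PR: true
+DIGESTABOT_PLATFORM: gitlab
+DIGESTABOT_OWNER: $CI_PROJECT_NAMESPACE
+DIGESTABOT_REPO: $CI_PROJECT_ID
+DIGESTABOT_SIGN: true
+DIGESTABOT_SIGNING_TOKEN: $SIGSTORE_TOKEN # needed for GitLab since it's not an API exchange
+DIGESTABOT_EMAIL: $GITLAB_USER_EMAIL
+DIGESTABOT_NAME: $GITLAB_USER_NAME
+
+digestabot:
+stage: update
+id_tokens:
+ID_TOKEN_1:
+aud: https://gitlab.com
+SIGSTORE_TOKEN:
+aud: sigstore # get token with audience for commit signing
+script:
+- wget -O /bin/chainctl "https://dl.enforce.dev/chainctl/latest/chainctl_linux_$(uname -m)"
+- chmod 755 /bin/chainctl
+- chainctl auth login --identity-token $ID_TOKEN_1 --identity $CGR_IDENTITY --audience apk.cgr.dev
+- chainctl auth configure-docker --identity-token $ID_TOKEN_1 --identity $CGR_IDENTITY
+- digestabotctl update files
+
+```
+
+
+## CLI Reference is [here](./docs)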

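--- a/digestabotctl/cmd/files.go
+++ b/digestabotctl/cmd/files.go
@@ -24,6 +24,7 @@ var requiredPRFlags = []string{
 "branch",
 "token",
 "platform",
+"email",
 }
 
 func init() {
@@ -56,6 +57,9 @@ func files(cmd *cobra.Command, args []string) error {
 When: time.Now(),
 Branch: viper.GetString("branch"),
 Token: viper.GetString("token"),
+Signer: signer,
+Name: viper.GetString("name"),
+Email: viper.GetString("email"),
 }
 
 checkout, err := versioncontrol.Checkout(opts)
@@ -113,5 +117,5 @@ func handlePRForPlatform(platform string, checkout versioncontrol.CheckoutRespon
 return err
 }
 
-return creator.CreatePR()
+return creator.CreatePR(cfg.Logger)
 }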
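Review bot: `Signer: signer` in the second hunk copies a package-level variable that is only populated by updatePreRunE when `sign` is true, so any path that reaches files() without that PreRunE (or with it skipped) silently produces unsigned commits even though signing was requested. Signing should fail closed: before building opts, add `if viper.GetBool("sign") && signer == nil { return errors.New("commit signing requested but no signer configured") }` (the `errors` import may or may not already be present in files.go; it is not visible in the hunk). The same guard could instead live in versioncontrol.Checkout if it is the single place that consumes Signer, which cannot be confirmed from this page. The enclosing function files() starts and ends outside the hunk.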

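--- a/digestabotctl/cmd/flags.go
+++ b/digestabotctl/cmd/flags.go
@@ -53,6 +53,10 @@ func bindPRFlags(cmd *cobra.Command) {
 viper.BindPFlag("token", cmd.Flags().Lookup("token"))
 viper.BindPFlag("description", cmd.Flags().Lookup("description"))
 viper.BindPFlag("platform", cmd.Flags().Lookup("platform"))
+viper.BindPFlag("sign", cmd.Flags().Lookup("sign"))
+viper.BindPFlag("signing-token", cmd.Flags().Lookup("signing-token"))
+viper.BindPFlag("name", cmd.Flags().Lookup("name"))
+viper.BindPFlag("email", cmd.Flags().Lookup("email"))
 }
 
 // prFlags adds the pr flags to the passed in command
@@ -66,4 +70,8 @@ func prFlags(cmd *cobra.Command) {
 cmd.PersistentFlags().String("token", "", "API token")
 cmd.PersistentFlags().String("description", "Updating image digests", "PR description")
 cmd.PersistentFlags().String("platform", "", fmt.Sprintf("Platform to create the PR. Options are %s", slices.Collect(maps.Keys(platforms.ValidPlatforms))))
+cmd.PersistentFlags().Bool("sign", false, "Sign the commit")
+cmd.PersistentFlags().String("signing-token", "", "OIDC token for signing commit")
+cmd.PersistentFlags().String("name", "digestabotctl", "Name for commit")
+cmd.PersistentFlags().String("email", "", "Email for commit")
 }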
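Review bot: The `signing-token` flag added in the second hunk carries a bearer OIDC token, and a value passed on the command line is visible in process listings and shell history, whereas the README examples in this commit supply it through the DIGESTABOT_SIGNING_TOKEN environment variable. The help text should steer users to that path: `cmd.PersistentFlags().String("signing-token", "", "OIDC token for signing the commit; prefer the DIGESTABOT_SIGNING_TOKEN environment variable so the token stays out of shell history and process listings")`. Whether viper maps that environment variable to this key is not visible in the hunk and should be confirmed against the env binding elsewhere in the package. Note also that the token is bound even when `sign` is false, so a stray token is silently ignored rather than reported; a short note in the `sign` help text that it is required for `signing-token` to have any effect would avoid surprise.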

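--- a/digestabotctl/cmd/update.go
+++ b/digestabotctl/cmd/update.go
@@ -1,7 +1,10 @@
 package cmd
 
 import (
+"github.com/chainguard-dev/platform-examples/digestabotctl/versioncontrol"
+"github.com/go-git/go-git/v6"
 "github.com/spf13/cobra"
+"github.com/spf13/viper"
 )
 
 // updateCmd represents the update command
@@ -15,6 +18,8 @@ var requiredUpdateFlags = []string{
 "branch",
 }
 
+var signer git.Signer
+
 func init() {
 rootCmd.AddCommand(updateCmd)
 prFlags(updateCmd)
@@ -28,6 +33,12 @@ func updatePreRunE(cmd *cobra.Command, args []string) error {
 if err := validateEnvs(requiredUpdateFlags...); err != nil {
 return err
 }
-
+if viper.GetBool("sign") {
+var err error
+signer, err = versioncontrol.NewSigner(cmd.Context())
+if err != nil {
+return err
+}
+}
 return nil
 }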
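Review bot: The new package-level `var signer git.Signer` in the second hunk has no doc comment, and since it is mutable state shared with files.go its lifecycle should be stated where it is declared: `// signer is set by updatePreRunE when the sign flag is true; it stays nil, meaning commits are not signed, otherwise.`. In the third hunk the error from versioncontrol.NewSigner is returned bare, so an operator sees an unexplained failure; wrapping it as `return fmt.Errorf("creating commit signer: %w", err)` would need `fmt` added to the import block, which the first hunk shows does not currently include it. A struct field or a value passed explicitly to the subcommand would be the more idiomatic alternative to the global, but that is a larger refactor than this commit.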

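--- a/digestabotctl/docs/digestabotctl.md
+++ b/digestabotctl/docs/digestabotctl.md
@@ -16,4 +16,4 @@ Update image hashes in your files
 * [digestabotctl update](digestabotctl_update.md) - Command to control updates to digests
 * [digestabotctl version](digestabotctl_version.md) - Prints the version
 
-###### Auto generated by spf13/cobra on 8-Aug-2025
+###### Auto generated by spf13/cobra on 3-Sep-2025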

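--- a/digestabotctl/docs/digestabotctl_completion.md
+++ b/digestabotctl/docs/digestabotctl_completion.md
@@ -28,4 +28,4 @@ See each sub-command's help for details on how to use the generated script.
 * [digestabotctl completion powershell](digestabotctl_completion_powershell.md) - Generate the autocompletion script for powershell
 * [digestabotctl completion zsh](digestabotctl_completion_zsh.md) - Generate the autocompletion script for zsh
 
-###### Auto generated by spf13/cobra on 8-Aug-2025
+###### Auto generated by spf13/cobra on 3-Sep-2025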

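--- a/digestabotctl/docs/digestabotctl_completion_bash.md
+++ b/digestabotctl/docs/digestabotctl_completion_bash.md
@@ -47,4 +47,4 @@ digestabotctl completion bash
 
 * [digestabotctl completion](digestabotctl_completion.md) - Generate the autocompletion script for the specified shell
 
-###### Auto generated by spf13/cobra on 8-Aug-2025
+###### Auto generated by spf13/cobra on 3-Sep-2025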

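--- a/digestabotctl/docs/digestabotctl_completion_fish.md
+++ b/digestabotctl/docs/digestabotctl_completion_fish.md
@@ -38,4 +38,4 @@ digestabotctl completion fish [flags]
 
 * [digestabotctl completion](digestabotctl_completion.md) - Generate the autocompletion script for the specified shell
 
-###### Auto generated by spf13/cobra on 8-Aug-2025
+###### Auto generated by spf13/cobra on 3-Sep-2025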

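--- a/digestabotctl/docs/digestabotctl_completion_powershell.md
+++ b/digestabotctl/docs/digestabotctl_completion_powershell.md
@@ -35,4 +35,4 @@ digestabotctl completion powershell [flags]
 
 * [digestabotctl completion](digestabotctl_completion.md) - Generate the autocompletion script for the specified shell
 
-###### Auto generated by spf13/cobra on 8-Aug-2025
+###### Auto generated by spf13/cobra on 3-Sep-2025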

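--- a/digestabotctl/docs/digestabotctl_completion_zsh.md
+++ b/digestabotctl/docs/digestabotctl_completion_zsh.md
@@ -49,4 +49,4 @@ digestabotctl completion zsh [flags]
 
 * [digestabotctl completion](digestabotctl_completion.md) - Generate the autocompletion script for the specified shell
 
-###### Auto generated by spf13/cobra on 8-Aug-2025
+###### Auto generated by spf13/cobra on 3-Sep-2025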
