Refactored provider signing to use Azure Trusted Signing (#5837) #426
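# GoReleaser release workflow.
#
# Runs on every pushed tag, or manually via workflow_dispatch with the inputs
# below. It checks out the repo, installs the toolchain, authenticates to
# Google Cloud, Azure (Trusted Signing) and Docker Hub, decodes the RPM GPG
# key, runs GoReleaser and finally dispatches an update event to cnspec.
name: goreleaser

on:
  push:
    tags:
      - '*'
  workflow_dispatch:
    inputs:
      skip-publish:
        description: 'Skip publishing to releases.mondoo.com?'
        type: boolean
        required: false
        default: false
      use-test-cert:
        description: "Use test certificate profile (not publicly trusted)"
        required: false
        default: false
        type: boolean
      goreleaser-snapshot:
        description: 'Run goreleaser in snapshot mode, which will not publish and bypass tag checks.'
        required: false
        default: false
        type: boolean
      upload-artifacts:
        description: "Uploading artifacts to workflow"
        required: false
        default: false
        type: boolean

env:
  REGISTRY: docker.io

jobs:
  goreleaser:
    permissions:
      # "contents: write" is required to create the GitHub release
      contents: 'write'
      # "id-token: write" is required for OIDC federation by both
      # google-github-actions/auth and azure/login
      id-token: 'write'
    runs-on: self-hosted
    environment: prod
    timeout-minutes: 120
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # full history, including all tags
          fetch-depth: 0

      - name: Dump all inputs
        run: echo "${{ toJSON(inputs) }}"

      # NOTE(review): the output/env value set here is not consumed by any
      # later step in this file. The GoReleaser steps below gate only on
      # inputs.skip-publish, which is empty on a tag push, so alpha/beta/rc
      # tags still take the "w/ Docker Release" path. Confirm whether that
      # is intended or whether they should check steps.skip-publish.outputs.
      - name: Skip Publish for Alpha and Beta Tags
        id: skip-publish
        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == true
        run: |
          echo "Skipping publish for alpha and beta tags"
          echo "skip-publish=true" >> "$GITHUB_OUTPUT"
          echo "skip-publish=true" >> "$GITHUB_ENV"

      # presumably provides golang-version and protoc-version used below — confirm
      - name: Import environment variables from file
        run: cat ".github/env" >> "$GITHUB_ENV"

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ">=${{ env.golang-version }}"
          cache: false

      - name: Install Protoc
        uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.protoc-version }}

      - name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v2'
        with:
          workload_identity_provider: ${{ secrets.GCP_WIP }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      # Decodes the base64 GPG private key into a temp file (mktemp creates
      # it with owner-only permissions) and exports its path as GPG_KEY_PATH.
      # The file is deleted by the "Remove RPM signing key material" step at
      # the end of the job.
      - name: "Write RPM Signing Cert"
        run: |
          gpgkey="$(mktemp -t gpgkey.XXX)"
          base64 -d <<<"$GPG_KEY" > "$gpgkey"
          echo "GPG_KEY_PATH=$gpgkey" >> "$GITHUB_ENV"
        env:
          GPG_KEY: '${{ secrets.GPG_KEY }}'

      # jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate
      # These packages have been installed on the self-hosted runner using ansible from the private repo
      - name: Azure login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.TSIGN_AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID }}
          subscription-id: ${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}

      # Obtains a bearer token for the Trusted Signing resource and hands it
      # to the GoReleaser steps via the TSIGN_ACCESS_TOKEN step output.
      - name: Get Azure AD Access Token to trusted signing
        id: get_token
        run: |
          set -euo pipefail
          TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)
          if [ -z "$TSIGN_ACCESS_TOKEN" ]; then
            echo "Error: Access token is empty"
            exit 1
          fi
          # Step outputs are not secrets: without masking, the full token
          # would be printed in clear text in the run logs (e.g. with debug
          # logging enabled). Register it with the runner's masker first.
          echo "::add-mask::$TSIGN_ACCESS_TOKEN"
          PREFIX="${TSIGN_ACCESS_TOKEN:0:8}"
          echo "Access token prefix: ${PREFIX}..."
          echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> "$GITHUB_OUTPUT"

      # NOTE(review): this fetches an unpinned install script from the main
      # branch and executes it; consider pinning a released version and
      # verifying its checksum so the signing tool itself is reproducible.
      - name: Install Quill for Mac Signing and Notarization
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
          /tmp/quill help

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Run GoReleaser
      # This will build the binaries, create the docker images, and publish the release to Git
      # we are currently pinned to v2.5.1 because of a bug in v2.6.0 that causes the release to fail
      # specifically with the signing of the RPM packages
      # if you upgrade then when validating the signatures 'rpm -qpi dist/*.rpm' it will error with
      # Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
      # This is because a goreleaser dep was changed to https://github.com/goreleaser/nfpm/releases/tag/v2.41.2
      # created a discussion on the issue here https://github.com/orgs/goreleaser/discussions/5943
      #
      # The env block is duplicated verbatim on the two GoReleaser steps;
      # keep them in sync when adding or removing a variable.
      - name: Run GoReleaser (w/ Docker Release)
        if: ${{ inputs.skip-publish != true }}
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: v2.5.1
          args: >
            release
            --config .goreleaser.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): no step with id "gcp_secrets" exists in this
          # workflow, so this always evaluates to an empty string. Looks like
          # a leftover from the previous signing setup — confirm it is unused
          # by the goreleaser config and drop it.
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ''
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          # test profile is not publicly trusted; only selected by explicit input
          TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

      - name: Run GoReleaser (w/o Docker Release)
        if: ${{ inputs.skip-publish == true }}
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: v2.5.1
          args: >
            release
            ${{ inputs.goreleaser-snapshot == true && '--snapshot' || '' }}
            --config .github/.goreleaser-unstable.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): see the same variable on the step above — no
          # "gcp_secrets" step exists, so this is always empty.
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ''
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

      # Sanity check that the produced RPMs carry a valid header signature
      - name: Check RPMs
        run: |
          rpm -qpi dist/*.rpm

      - name: Output Quill Logs
        if: ${{ failure() }}
        run: |
          # null-delimited so paths with spaces are handled
          find /tmp -name 'quill-*.log' -print0 2>/dev/null | while IFS= read -r -d '' f; do
            echo "=== $f ==="
            ls -l "$f"
            cat "$f"
          done

      - name: Upload artifacts
        if: ${{ inputs.upload-artifacts == true }}
        uses: actions/upload-artifact@v4
        with:
          name: windows-artifacts
          path: dist/*.zip
          retention-days: 7

      # At this point we know the docker container is published.
      # We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec.
      # The docker container is a pre-requisite for cnspec release.
      - name: Trigger cnquery bump in cnspec
        if: ${{ inputs.skip-publish != true }}
        uses: peter-evans/repository-dispatch@v3
        with:
          token: ${{ secrets.RELEASR_ACTION_TOKEN }}
          repository: "mondoohq/cnspec"
          event-type: update-cnquery
          client-payload: '{
            "version": "${{ github.ref_name }}"
          }'

      # Always remove the decoded GPG private key: this job runs on a
      # self-hosted runner, where files left in /tmp are not necessarily
      # cleaned up between jobs.
      - name: Remove RPM signing key material
        if: ${{ always() }}
        run: |
          if [ -n "${GPG_KEY_PATH:-}" ]; then
            rm -f "$GPG_KEY_PATH"
          fi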