diff --git a/.github/.goreleaser-unstable.yml b/.github/.goreleaser-unstable.yml
index b007e18d37..9cc8225a50 100644
--- a/.github/.goreleaser-unstable.yml
+++ b/.github/.goreleaser-unstable.yml
@@ -64,7 +64,7 @@ builds:
- -s -w -X go.mondoo.com/cnquery/v9.Version={{.Version}} -X go.mondoo.com/cnquery/v9.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v9.Date={{.Date}}
hooks:
post:
- - cmd: jsign --storetype DIGICERTONE --alias "{{ .Env.SM_CERT_ALIAS }}" --storepass "{{ .Env.SM_API_KEY }}|{{ .Env.SM_CLIENT_CERT_FILE}}|{{ .Env.SM_CLIENT_CERT_PASSWORD }}" --tsaurl "http://timestamp.digicert.com" '{{ .Path }}'
+ - cmd: jsign --storetype TRUSTEDSIGNING --keystore {{ .Env.TSIGN_AZURE_ENDPOINT }} --storepass {{ .Env.TSIGN_ACCESS_TOKEN }} --alias {{ .Env.TSIGN_ACCOUNT_NAME }}/{{ .Env.TSIGN_CERT_PROFILE_NAME }} '{{ .Path }}'
nfpms:
- maintainer: Mondoo
@@ -89,7 +89,7 @@ checksum:
name_template: '{{ .ProjectName }}_v{{ .Version }}_SHA256SUMS'
algorithm: sha256
snapshot:
- name_template: "{{ .Tag }}-snapshot"
+ version_template: "{{ .Tag }}-snapshot"
changelog:
use: github-native
dockers: # https://goreleaser.com/customization/docker/
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 22029e3634..600d9d8c23 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -11,7 +11,21 @@ on:
type: boolean
required: false
default: false
-
+ use-test-cert:
+ description: "Use test certificate profile (not publicly trusted)"
+ required: false
+ default: false
+ type: boolean
+ goreleaser-snapshot:
+ description: 'Run goreleaser in snapshot mode, which will not publish and bypass tag checks.'
+ required: false
+ default: false
+ type: boolean
+ upload-artifacts:
+ description: "Uploading artifacts to workflow"
+ required: false
+ default: false
+ type: boolean
env:
REGISTRY: docker.io
@@ -25,6 +39,7 @@ jobs:
id-token: 'write'
runs-on: self-hosted
+ environment: prod
timeout-minutes: 120
steps:
- name: Checkout
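Review bot: The new jsign command drops the `--tsaurl` that the DigiCert command passed, so nothing in the post hook requests a timestamp; Azure Trusted Signing issues short-lived certificates, and an Authenticode signature without a countersigned timestamp stops validating once that certificate expires. Unless the jsign build on the runner timestamps TRUSTEDSIGNING signatures on its own, add `--tsaurl http://timestamp.acs.microsoft.com` (Microsoft's RFC 3161 service for Trusted Signing) to the command. The identical command is introduced for `.goreleaser.yml` in the last hunk of this diff and needs the same fix. Separately, `--storepass {{ .Env.TSIGN_ACCESS_TOKEN }}` places a bearer token in the process arguments, where it is readable by other processes on the self-hosted runner and is echoed in any hook output goreleaser reports on failure; if the installed jsign is 6.0 or newer, `--storepass env:TSIGN_ACCESS_TOKEN` keeps the token in the environment instead.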
@@ -32,9 +47,12 @@ jobs:
with:
fetch-depth: 0
+ - name: Dump all inputs
+ run: echo "${{ toJSON(inputs) }}"
+
- name: Skip Publish for Alpha and Beta Tags
id: skip-publish
- if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == 'true'
+ if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == true
run: |
echo "Skipping publish for alpha and beta tags"
echo "skip-publish=true" >> $GITHUB_OUTPUT
@@ -61,13 +79,6 @@ jobs:
workload_identity_provider: ${{ secrets.GCP_WIP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- - id: 'gcp_secrets'
- uses: 'google-github-actions/get-secretmanager-secrets@v2'
- with:
- secrets: |-
- code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
- code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge
-
- name: "Write RPM Signing Cert"
run: |
gpgkey="$(mktemp -t gpgkey.XXX)"
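Review bot: `run: echo "${{ toJSON(inputs) }}"` in the new `Dump all inputs` step expands the inputs JSON into the script text before bash parses it; today every declared input is a boolean so the expansion is harmless, but the moment a string input is added to this workflow its value becomes shell source (expression injection). Route it through the environment instead: `env:` with `INPUTS: ${{ toJSON(inputs) }}` on the step and `run: echo "$INPUTS"`. Note also that after this commit the `skip-publish` output computed by the step below is no longer read anywhere in the file: the `if:` conditions changed in the later hunks test `inputs.skip-publish` directly.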
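Review bot: Removing the `gcp_secrets` step leaves `CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}` in the env block of both GoReleaser steps (visible as context lines at the end of the next two hunks) pointing at a step id that no longer exists. The expression resolves to an empty string rather than failing, so the build would silently run with an empty `CERT_PASSWORD`. If nothing in either goreleaser config still reads that variable after the DigiCert hooks are gone, delete the two `CERT_PASSWORD:` lines in the same commit so the dangling reference does not outlive the setup it belonged to.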
@@ -76,33 +87,30 @@ jobs:
env:
GPG_KEY: '${{ secrets.GPG_KEY}}'
- - name: "Write Windows Signing Cert"
- run: |
- cert="$(mktemp -t cert.XXX)"
- base64 -d <<<"$CERT_CONTENTS" > "$cert"
- echo "CERT_FILE=$cert" >> $GITHUB_ENV
- env:
- CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'
+# jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate
+# These packages have been installed on the self-hosted runner using ansible from the private repo
+
+ - name: Azure login
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.TSIGN_AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID}}
+ subscription-id: ${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}
- - name: Configure DigiCert Signing Variables
- shell: bash
+ - name: Get Azure AD Access Token to trusted signing
+ id: get_token
run: |
- # CertLocker Authentication Certifiate
- CERT_PATH="$(mktemp -t cert.XXX)"
- echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH}
- echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
- echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
- # CertLocker API Key & Host
- echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
- echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
- # DigiCert CertLocker Code Signing Certificate
- echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
- echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV"
-
- # - name: Install jSign (Windows Signing Tool) -- Required for public runners
- # run: |
- # curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
- # sudo dpkg -i ./jsign_5.0_all.deb
+ set -e # Stop on first error
+ TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)
+
+ if [ -z "$TSIGN_ACCESS_TOKEN" ]; then
+ echo "Error: Access token is empty"
+ exit 1
+ fi
+
PREFIX="${TSIGN_ACCESS_TOKEN:0:8}"
+ echo "Access token prefix: ${PREFIX}..."
+ echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> $GITHUB_OUTPUT
+
- name: Install Quill for Mac Signing and Notarization
run: |
@@ -116,13 +124,26 @@ jobs:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
+ # Run GoReleaser
+ # This will build the binaries, create the docker images, and publish the release to Git
+ # we are currently pinned to v2.5.1 because of a bug in v2.6.0 that causes the release to fail
+ # specifically with the signing of the RPM packages
+ # if you upgrade then when validating the signatures 'rpm -qpi dist/*.rpm' it will error with
+ # Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
+ # This is because a goreleaser dep was changed to https://github.com/goreleaser/nfpm/releases/tag/v2.41.2
+ # created a discussion on the issue here https://github.com/orgs/goreleaser/discussions/5943
+
- name: Run GoReleaser (w/ Docker Release)
- if: ${{ ! steps.skip-publish.outputs.skip-publish }}
+ if: ${{ inputs.skip-publish != true }}
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: v2.5.1
- args: release --clean --timeout 120m
+ args: > release --config .goreleaser.yml --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
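Review bot: The access token obtained in `Get Azure AD Access Token to trusted signing` is written to `$GITHUB_OUTPUT` without being registered as a secret, so unlike `secrets.*` values it is not redacted if it later lands in a log line, for instance in the hook output goreleaser prints when the jsign hook fails. Add `echo "::add-mask::$TSIGN_ACCESS_TOKEN"` before the `>> $GITHUB_OUTPUT` line; with that in place the `Access token prefix` echo can remain as a presence check, though printing any slice of a credential is a habit worth dropping. In the `Azure login` step of the same hunk (it begins on the preceding line of this listing), `tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID}}` is missing the space before `}}`; it is accepted, but it matches none of the neighbouring expressions and should read `tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID }}`.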
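Review bot: Changing the guard on `Run GoReleaser (w/ Docker Release)` from `! steps.skip-publish.outputs.skip-publish` to `inputs.skip-publish != true` removes the alpha/beta/rc check: on a tag push the `inputs` context is empty, so the condition holds for a pre-release tag and the full release (Docker images here, and the cnspec bump dispatch changed the same way in the hunk at `@@ -162,11`) runs for it, while `Run GoReleaser (w/o Docker Release)` (`inputs.skip-publish == true`, hunk `@@ -132,14`) no longer runs for such tags at all. The `Skip Publish for Alpha and Beta Tags` step still computes its output, but nothing reads it any more. Keep that output as the single gate: `if: ${{ steps.skip-publish.outputs.skip-publish != 'true' }}` here and on the cnspec dispatch step, and `if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}` on the w/o-Docker step; the manual `inputs.skip-publish == true` case is already folded into that step's own condition.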
@@ -132,14 +153,23 @@ jobs:
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
+ TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
+ TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
+ TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
+ TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
- name: Run GoReleaser (w/o Docker Release)
- if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
+ if: ${{ inputs.skip-publish == true }}
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
- version: latest
- args: release -f .github/.goreleaser-unstable.yml --clean --timeout 120m
+ version: v2.5.1
+ args: > release ${{ inputs.goreleaser-snapshot == true && '--snapshot' || '' }} --config .github/.goreleaser-unstable.yml --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
@@ -149,10 +179,15 @@ jobs:
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
+ TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
+ TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
+ TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
+ TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
- name: Check RPMs
run: |
rpm -qpi dist/*.rpm
+
- name: Output Quill Logs
if: ${{ failure() }}
run: |
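Review bot: `TSIGN_CERT_PROFILE_NAME` picks the profile with `github.event.inputs.use-test-cert == 'true'` while every other condition added in this file uses the typed `inputs` context (`inputs.skip-publish == true`); both forms evaluate correctly here, but mixing the string-valued and boolean-valued contexts invites a later `== true` comparison against `github.event.inputs` that silently never matches. Use `${{ inputs.use-test-cert == true && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}` in this hunk and in the identical line of the `@@ -149,10` hunk. The four `TSIGN_*` lines are also added verbatim to both GoReleaser steps; a job-level `env:` block would give them a single definition. Since this job now runs in the `prod` environment, it is worth documenting on the `use-test-cert` input that binaries signed with the test profile are not publicly trusted and must not be released, or guarding the publishing steps against that combination.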
@@ -162,11 +197,19 @@ jobs:
cat $f
done
+ - name: Upload artifacts
+ if: ${{ inputs.upload-artifacts == true }}
+ uses: actions/upload-artifact@v4
+ with:
+ name: windows-artifacts
+ path: dist/*.zip
+ retention-days: 7
+
# At this point we know the docker container is published.
# We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec.
# The docker container is a pre-requisite for cnspec release.
- name: Trigger cnquery bump in cnspec
- if: ${{ ! steps.skip-publish.outputs.skip-publish }}
+ if: ${{ inputs.skip-publish != true }}
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.RELEASR_ACTION_TOKEN }}
@@ -175,8 +218,3 @@ jobs:
client-payload: '{ "version": "${{ github.ref_name }}" }'
-
- - name: Cleanup
- if: always()
- run:
- rm -f ${CERT_PATH}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 7fe5e19a8c..6f79e63824 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -64,7 +64,7 @@ builds:
- -s -w -X go.mondoo.com/cnquery/v11.Version={{.Version}} -X go.mondoo.com/cnquery/v11.Build={{.ShortCommit}} -X go.mondoo.com/cnquery/v11.Date={{.Date}}
hooks:
post:
- - cmd: jsign --storetype DIGICERTONE --alias "{{ .Env.SM_CERT_ALIAS }}" --storepass "{{ .Env.SM_API_KEY }}|{{ .Env.SM_CLIENT_CERT_FILE}}|{{ .Env.SM_CLIENT_CERT_PASSWORD }}" --tsaurl "http://timestamp.digicert.com" '{{ .Path }}'
+ - cmd: jsign --storetype TRUSTEDSIGNING --keystore {{ .Env.TSIGN_AZURE_ENDPOINT }} --storepass {{ .Env.TSIGN_ACCESS_TOKEN }} --alias {{ .Env.TSIGN_ACCOUNT_NAME }}/{{ .Env.TSIGN_CERT_PROFILE_NAME }} '{{ .Path }}'
nfpms:
- maintainer: Mondoo
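Review bot: The new `Upload artifacts` step sets no `if-no-files-found`, so a run with `upload-artifacts` enabled whose `dist/*.zip` glob matches nothing succeeds while uploading an empty artifact; `if-no-files-found: error` makes that case fail where it happened. The artifact is named `windows-artifacts` while the glob takes every zip under `dist/`; if the goreleaser configs produce zip archives for other platforms as well, either narrow the path or name the artifact for what it actually contains. The unchanged `# At this point we know the docker container is published.` comment that follows now sits under a step that runs regardless of publishing; moving the upload step after the dispatch, or rewording the comment, keeps it accurate.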