From 588fd06564893db4d3dcb828ee886f3f66655157 Mon Sep 17 00:00:00 2001
From: priyawadhwa
Date: Tue, 30 Mar 2021 14:29:37 -0700
Subject: [PATCH] Release 1.5.2 with signed kaniko images (#1608)

* Add cloudbuild job for signing releases
* Add cosign to github actions
* Update to 1.5.2 to release and sign images
---
 .github/workflows/release.yaml | 36 +++++++++++++++++++++++++++++++++-
 CHANGELOG.md | 29 +++++++++++++++++++++++++++
 Makefile | 2 +-
 3 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ccf2a3917..6e3483c4c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -73,6 +73,20 @@ jobs:
 gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
 gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
 gcr.io/kaniko-project/executor:latest
+
+ - name: Sign images
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v0.2.0'
+ run: |
+ export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:slim
+
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:latest
 build-debug:
 env:
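Review bot: The new `Sign images` step appears to carry both `uses:` and `run:` (indentation is flattened on this page, so the nesting is inferred), and a GitHub Actions step may define only one of the two, so the `cosign sign` commands would not run as written. Split it into an install step and a signing step, as sketched below. The installer is also referenced as `sigstore/cosign-installer@main`; a moving branch ref lets any later change to that action execute inside a job that can reach the release signing key, so pin it to a reviewed full commit SHA. The same step is repeated in the `build-debug` and `build-warmer` hunks.

```yaml
- name: Install cosign
  # <full-commit-sha> is a placeholder: pin to a reviewed commit of the installer
  uses: sigstore/cosign-installer@<full-commit-sha>
  with:
    cosign-release: 'v0.2.0'

- name: Sign images
  run: |
    # … unchanged: KMS_VAL export and the six cosign sign commands …
```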
@@ -131,6 +145,16 @@ jobs:
 gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
 gcr.io/kaniko-project/executor:debug
+ - name: Sign images
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v0.2.0'
+ run: |
+ export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:debug
+
 build-warmer:
 env:
 GITHUB_SHA: ${{ github.sha }}
@@ -185,4 +209,14 @@ jobs:
 tags: |
 gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
 gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
- gcr.io/kaniko-project/warmer:latest
\ No newline at end of file
+ gcr.io/kaniko-project/warmer:latest
+
+ - name: Sign images
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v0.2.0'
+ run: |
+ export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
+ cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:latest
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d188d80c..f5f25c3e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
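Review bot: Every `cosign sign` line in this step names the image by mutable tag (`:debug`, `${{ steps.vars.outputs.tag }}-debug`), so the signature is attached to whatever digest the tag resolves to when the step runs rather than to the image this job just built. If the push step exposes the pushed digest as an output (that step is outside the hunk), sign once by digest, e.g. `cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor@${{ steps.<push-step-id>.outputs.digest }}`, where `<push-step-id>` is a placeholder. Tags pushed together from one build share that digest, so a single signature covers them. The executor and warmer hunks sign by tag in the same way.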
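Review bot: `${{ steps.vars.outputs.tag }}` is expanded into the `run:` script before the shell parses it, so the tag string becomes script text in the one step that can use the KMS signing key. How `steps.vars` derives the tag is outside this hunk; if it comes from the pushed git ref, pass it through the step environment and quote it: an `env:` entry `TAG: ${{ steps.vars.outputs.tag }}`, then `cosign sign -kms "$KMS_VAL" "gcr.io/kaniko-project/warmer:${TAG}"`. The executor and debug hunks interpolate the same expression.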
@@ -1,3 +1,32 @@
+# v1.5.2 Release 2021-03-30
+
+The executor images in this release are:
+```
+gcr.io/kaniko-project/executor:v1.5.2
+gcr.io/kaniko-project/executor:latest
+```
+The debug images are available at:
+```
+gcr.io/kaniko-project/executor:debug
+gcr.io/kaniko-project/executor:debug-v1.5.2 and
+```
+
+The slim executor images which don't contain any authentication binaries are available at:
+```
+gcr.io/kaniko-project/executor:slim
+gcr.io/kaniko-project/executor:slim-v1.5.2
+```
+
+This release is the first to be signed by [cosign](https://github.com/sigstore/cosign)!
+The PEM-encoded public key to validate against the released kaniko images is:
+
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9aAfAcgAxIFMTstJUv8l/AMqnSKw
+P+vLu3NnnBDHCfREQpV/AJuiZ1UtgGpFpHlJLCNPmFkzQTnfyN5idzNl6Q==
+-----END PUBLIC KEY-----
+```
+
 # v1.5.1 Release 2021-02-22
 This release is a minor release with following a fix to version number for v1.5.0 The kaniko images now report the right version number.
diff --git a/Makefile b/Makefile
index 87767586a..1fbb6c297 100644
--- a/Makefile
+++ b/Makefile
@@ -15,7 +15,7 @@
 # Bump these on release
 VERSION_MAJOR ?= 1
 VERSION_MINOR ?= 5
-VERSION_BUILD ?= 1
+VERSION_BUILD ?= 2
 VERSION ?= v$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD)
 VERSION_PACKAGE = $(REPOPATH/pkg/version)