Release 1.5.2 with signed kaniko images (#1608)

* Add cloudbuild job for signing releases

* Add cosign to github actions

* Update to 1.5.2 to release and sign images

.github/workflows/release.yaml

@@ -73,6 +73,20 @@ jobs:
           gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
           gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
           gcr.io/kaniko-project/executor:latest
+    
+    - name: Sign images 
+      uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v0.2.0'
+      run: |
+        export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-slim  
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-slim 
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:slim  
+
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:latest  
 
   build-debug:
     env:
@@ -131,6 +145,16 @@ jobs:
           gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
           gcr.io/kaniko-project/executor:debug
 
+    - name: Sign images 
+      uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v0.2.0'
+      run: |
+        export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ env.GITHUB_SHA }}-debug
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:${{ steps.vars.outputs.tag }}-debug
+        cosign sign -kms $KMS_VAL gcr.io/kaniko-project/executor:debug
+
   build-warmer:
     env:
       GITHUB_SHA: ${{ github.sha }}
@@ -185,4 +209,14 @@ jobs:
         tags: |
           gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
           gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
-          gcr.io/kaniko-project/warmer:latest
+          gcr.io/kaniko-project/warmer:latest
+  
+  - name: Sign images 
+    uses: sigstore/cosign-installer@main
+    with:
+      cosign-release: 'v0.2.0'
+    run: |
+      export KMS_VAL=gcpkms://projects/kaniko-project/locations/global/keyRings/cosign/cryptoKeys/cosign
+      cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ env.GITHUB_SHA }}
+      cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:${{ steps.vars.outputs.tag }}
+      cosign sign -kms $KMS_VAL gcr.io/kaniko-project/warmer:latest

CHANGELOG.md

@@ -1,3 +1,32 @@
+# v1.5.2 Release 2021-03-30
+
+The executor images in this release are:
+```
+gcr.io/kaniko-project/executor:v1.5.2
+gcr.io/kaniko-project/executor:latest
+```
+The debug images are available at:
+```
+gcr.io/kaniko-project/executor:debug
+gcr.io/kaniko-project/executor:debug-v1.5.2 and
+```
+
+The slim executor images which don't contain any authentication binaries are available at:
+```
+gcr.io/kaniko-project/executor:slim
+gcr.io/kaniko-project/executor:slim-v1.5.2
+```
+
+This release is the first to be signed by [cosign](https://github.com/sigstore/cosign)!
+The PEM-encoded public key to validate against the released kaniko images is:
+
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9aAfAcgAxIFMTstJUv8l/AMqnSKw
+P+vLu3NnnBDHCfREQpV/AJuiZ1UtgGpFpHlJLCNPmFkzQTnfyN5idzNl6Q==
+-----END PUBLIC KEY-----
+```
+
 # v1.5.1 Release 2021-02-22
 This release is a minor release with following a fix to version number for v1.5.0
 The kaniko images now report the right version number.

Makefile

@@ -15,7 +15,7 @@
 # Bump these on release
 VERSION_MAJOR ?= 1
 VERSION_MINOR ?= 5
-VERSION_BUILD ?= 1
+VERSION_BUILD ?= 2
 
 VERSION ?= v$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD)
 VERSION_PACKAGE = $(REPOPATH/pkg/version)