mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
0e5541979a
for #23825 This PR fixes the previous implementation for attesting fleet/fleetctl/orbit binaries, and adds attestation to the fleet desktop and osqueryd artifacts. * correct permissions are added to all jobs * tag removed from `subject-name` when attesting docker image * using `artifacts.json` rather than the `artifacts` step output from goreleaser to determine image digest I'd like to add a separate job verifying the attestations, working on that now but since all attestation steps are marked as `continue-on-error` it can be a follow-on if we don't get it in with this PR.
217 lines
8.6 KiB
YAML
217 lines
8.6 KiB
YAML
name: GoReleaser Orbit
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "orbit-*" # For testing, use a pre-release tag like 'orbit-1.24.0-1'
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
goreleaser-macos:
|
|
runs-on: macos-latest
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Import signing keys
|
|
env:
|
|
APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
|
|
APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
|
|
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
|
|
run: |
|
|
echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
|
|
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
|
|
security default-keychain -s build.keychain
|
|
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
|
|
security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
|
|
security find-identity -vv
|
|
rm certificate.p12
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-macos.yml # v2.4.4
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
|
|
AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
|
|
AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
|
AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "dist/orbit-macos_darwin_all/orbit"
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: orbit-macos
|
|
path: dist/orbit-macos_darwin_all/orbit
|
|
|
|
goreleaser-linux:
|
|
runs-on: ubuntu-20.04
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux.yml # v2.4.4
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "dist/orbit_linux_amd64_v1/orbit"
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: orbit-linux
|
|
path: dist/orbit_linux_amd64_v1/orbit
|
|
|
|
goreleaser-linux-arm64:
|
|
runs-on: ubuntu-20.04
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux-arm64.yml # v2.4.4
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "dist/orbit_linux_arm64_v8.0/orbit"
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: orbit-linux-arm64
|
|
path: dist/orbit_linux_arm64_v8.0/orbit
|
|
|
|
goreleaser-windows:
|
|
runs-on: windows-2022
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-windows.yml # v2.4.4
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "dist/orbit_windows_amd64_v1/orbit.exe"
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: unsigned-windows
|
|
path: dist/orbit_windows_amd64_v1/orbit.exe
|
|
|
|
code-sign-windows:
|
|
needs: goreleaser-windows
|
|
uses: ./.github/workflows/code-sign-windows.yml
|
|
with:
|
|
filename: orbit.exe
|
|
upload_name: orbit-windows
|
|
secrets:
|
|
DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
|
|
DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
|
|
DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
|
|
DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
|
|
DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
|