github · codysoyland · Jun 3, 2024 · May 21, 2024 · May 22, 2024 · May 29, 2024
@@ -19,7 +19,7 @@ on:
   push:
     branches:
       - main
-      - release-*
+      - release
 
 permissions: read-all
 

@@ -17,7 +17,7 @@ name: CodeQL
 
 on:
   push:
-    branches: [ main ]
+    branches: [ release ]
   schedule:
     - cron: '45 10 * * 1'
 

@@ -2,7 +2,7 @@ name: Do Not Submit
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -16,7 +16,7 @@ name: Test policy-controller with ClusterImagePolicy TUF disabled
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Test policy-controller with ClusterImagePolicy resync period
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Test policy-controller with TrustRoot - Bring your own keys
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Test policy-controller with TSA
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Test policy-controller with ClusterImagePolicy
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 defaults:
   run:

@@ -16,7 +16,7 @@ name: Policy Controller KinD E2E
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -16,7 +16,7 @@ name: TrustRoot CRD KinD E2E
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -18,7 +18,7 @@ name: Verify examples using policy-tester
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 jobs:

@@ -1,92 +1,47 @@
-name: Cut Release
+name: Release
 
 on:
   push:
     tags:
       - "v*"
 
-concurrency: cut-release
-
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for pushing the images to ghcr.io
-
 jobs:
   release:
-    outputs:
-      hashes: ${{ steps.hash.outputs.hashes }}
-      tag_name: ${{ steps.tag.outputs.tag_name }}
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+    env:
+      KO_DOCKER_REPO: ghcr.io/github/policy-controller-webhook
+      KOCACHE: /tmp/ko
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        with:
+          ref: "release"
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version-file: './go.mod'
+          go-version-file: "./go.mod"
           check-latest: true
-
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
-
-      - uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
-
       - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
-
-      - name: Set up Cloud SDK
-        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
-        with:
-          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'
-          service_account: '[email protected]'
-
-      - name: 'Set up Cloud SDK'
-        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
-
-      - name: creds
-        run: gcloud auth configure-docker --quiet
-
-      - name: Set LDFLAGS
-        id: ldflags
+      - name: Build and publish webhook to GHCR
+        id: build
         run: |
-           source ./release/ldflags.sh
-           goflags=$(ldflags)
-           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
-
-      - name: Set tag output
-        id: tag
-        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Run GoReleaser
-        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+          export GIT_HASH=`git rev-parse HEAD`
+          export GIT_VERSION=`git describe --tags --always --dirty`
+          export BUILD_DATE=`date +%Y-%m-%dT%H:%M:%SZ`
+          export LDFLAGS="-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$GIT_VERSION -X sigs.k8s.io/release-utils/version.gitCommit=$GIT_HASH -X sigs.k8s.io/release-utils/version.buildDate=$BUILD_DATE"
+
+          mkdir -p ${{ env.KOCACHE }}
+          # ko build should print ghcr.io/github/policy-controller-webhook@sha256:<digest>
+          # to standard out. Capture the image digest for the build provenance step
+          IMAGE_DIGEST=$(ko build --bare --tags $GIT_VERSION --tags $GIT_HASH --platform=linux/amd64 github.com/sigstore/policy-controller/cmd/webhook | cut -d'@' -f2)
+          echo "image_digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT
+      - name: Attest
+        uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+        id: attest
         with:
-          version: latest
-          args: release --rm-dist --timeout 120m
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          LDFLAGS: ${{ env.GO_FLAGS }}
-
-      - name: Generate subject
-        id: hash
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
-          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-      - name: copy-signed-release-to-ghcr
-        run: make copy-signed-release-to-ghcr || true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  provenance:
-    needs: [release]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true # upload to a new release
-      upload-tag-name: "${{ needs.release.outputs.tag_name }}"
+          subject-name: ${{ env.KO_DOCKER_REPO }}
+          subject-digest: ${{ steps.build.outputs.image_digest }}
+          push-to-registry: true
@@ -2,7 +2,7 @@ name: Code Style
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -17,7 +17,7 @@ name: CI-Tests
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 permissions: read-all

@@ -18,7 +18,7 @@ name: Codegen
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 permissions: read-all

@@ -18,7 +18,7 @@ name: API Docs Generator
 on:
   workflow_dispatch:
   push:
-    branches: ['main', 'release-*']
+    branches: ['main', 'release']
   pull_request:
 
 permissions: read-all

@@ -2,7 +2,7 @@ name: Whitespace
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches: [ 'main', 'release' ]
 
 permissions: read-all
 

@@ -30,4 +30,3 @@ builds:
     ldflags:
       - -extldflags "-static"
       - "{{ .Env.LDFLAGS }}"
-
@@ -145,12 +145,16 @@ This policy-controller's versions are able to run in the following versions of K
 
 note: not fully tested yet, but can be installed
 
-## Release Cadence
+## Cutting a new release
 
-We are intending to move to a monthly cadence for minor releases.
-Minor releases will be published around the beginning of the month.
-We may cut a patch release instead, if the changes are small enough not to warrant a minor release.
-We will also cut patch releases periodically as needed to address bugs.
+The branch `release` on the private fork is used for customer-facing released code. 
+
+In order to push a new release, follow these steps:
+
+1. Merge any changes into the `release` branch.
+1. Tag as `v0.9.0+githubX` (incrementing the `X` as needed).
+1. Push the tag to the private fork.
+1. The [Release GitHub Action workflow](https://github.com/github/policy-controller/actions/workflows/release.yaml) will triggered automatically when the tag is pushed
 
 ## Security
 

@@ -209,6 +209,9 @@ spec:
                           trustRootRef:
                             description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
                             type: string
+                      signatureFormat:
+                        description: SignatureFormat specifies the format the authority expects. Supported formats are "simplesigning" and "bundle". If not specified, the default is "simplesigning" (cosign's default).
+                        type: string
                       source:
                         description: Sources sets the configuration to specify the sources from where to consume the signatures.
                         type: array
@@ -545,6 +548,9 @@ spec:
                           trustRootRef:
                             description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
                             type: string
+                      signatureFormat:
+                        description: SignatureFormat specifies the format the authority expects. Supported formats are "simplesigning" and "bundle". If not specified, the default is "simplesigning" (cosign's default).
+                        type: string
                       source:
                         description: Sources sets the configuration to specify the sources from where to consume the signatures.
                         type: array

@@ -170,6 +170,7 @@ Attestation defines the type of attestation to validate and optionally apply a p
 | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false |
 | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |
 | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |
+| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"simplesigning\" and \"bundle\". If not specified, the default is \"simplesigning\" (cosign's default). | string | false |
 
 [Back to TOC](#table-of-contents)
 

@@ -49,6 +49,7 @@ The authorities block defines the rules for discovering and validating signature
 | ctlog | CTLog sets the configuration to verify the authority against a Rekor instance. | [TLog](#tlog) | false |
 | attestations | Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified. | [][Attestation](#attestation) | false |
 | rfc3161timestamp | RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance. | [RFC3161Timestamp](#rfc3161timestamp) | false |
+| signatureFormat | SignatureFormat specifies the format the authority expects. Supported formats are \"simplesigning\" and \"bundle\". If not specified, the default is \"simplesigning\" (cosign's default). | string | false |
 
 [Back to TOC](#table-of-contents)
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,7 +19,7 @@ on: @@
       push:
         branches:
           - main
-          - release-*
+          - release
     permissions: read-all
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
Expand Up		@@ -30,4 +30,3 @@ builds:
		ldflags:
		- -extldflags "-static"
		- "{{ .Env.LDFLAGS }}"