
Primary language: Go

GitHub Actions

When a tag is pushed to GitHub, GitHub Actions automatically creates a release for it and signs the release assets using the GitHub workflow identity (see this and this for more info).

The release binaries can then be validated with cosign (using checksums.txt and checksums.txt.sig downloaded from the GitHub release assets):

COSIGN_EXPERIMENTAL=1 cosign verify-blob -signature ~/Downloads/checksums.txt.sig ~/Downloads/checksums.txt
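Verifying the signature only proves that checksums.txt is authentic; the downloaded binary still has to be compared against the entry recorded in it. The helpers below are an added example, not code from this repository; they assume the "<sha256>  <filename>" checksum line format and use a constructed file name (app_linux_amd64) for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original README. After `cosign verify-blob`
# has confirmed checksums.txt, the downloaded binary itself still has to be
# compared against the entry recorded in it; these helpers do that step.
# Assumes the "<sha256>  <filename>" line format (optionally "<sha256> *<filename>").

# verify_checksum <checksums.txt> <file>
# Exit status: 0 = hash matches, 1 = hash mismatch, 2 = no entry for this file.
verify_checksum() {
    checksums="$1"
    file="$2"
    name=$(basename "$file")
    # Look the file up by basename; strip a leading '*' (binary-mode marker).
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$checksums")
    [ -n "$expected" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{ print $1 }')
    else
        actual=$(shasum -a 256 "$file" | awk '{ print $1 }')   # macOS fallback
    fi
    [ "$actual" = "$expected" ] || return 1
}

# verify_release <checksums.txt> <checksums.txt.sig> <file>
# Full flow from the README: signature check first (exit 3 if it fails), then
# the hash check above. Needs cosign on PATH; not exercised by demo below.
verify_release() {
    COSIGN_EXPERIMENTAL=1 cosign verify-blob -signature "$2" "$1" || return 3
    verify_checksum "$1" "$3"
}

# Demonstration on constructed input: a fake release binary and a checksums.txt
# written in the same format the workflow uploads. No network, no cosign.
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/app_linux_amd64"
    # Known SHA-256 of "hello\n"
    printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  app_linux_amd64\n' \
        > "$tmp/checksums.txt"
    rc=0; verify_checksum "$tmp/checksums.txt" "$tmp/app_linux_amd64" || rc=$?
    echo "untouched binary: rc=$rc"        # rc=0
    printf 'tampered\n' > "$tmp/app_linux_amd64"
    rc=0; verify_checksum "$tmp/checksums.txt" "$tmp/app_linux_amd64" || rc=$?
    echo "tampered binary:  rc=$rc"        # rc=1
    rm -rf "$tmp"
}

demo
```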

Fork instructions:

  1. Set the following secrets in your repo.

To generate the cosign key pair:

# in case cosign not installed
go install github.com/sigstore/cosign/cmd/cosign@v1.4.0

cosign generate-key-pair

Then copy the generated key and password to the GitHub secrets.

  2. In .github/workflows/github-actions-demo.yml, replace skifdh/test with your own Docker image path.

  3. The Codecov step is standalone, affects only the build step, and can easily be commented out.

Preparation before installing scss

Install core:

kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml

Check storage classes:

kubectl get storageclasses

For Minikube:

kubectl create configmap config-artifact-pvc \
                         --from-literal=size=10Gi \
                         --from-literal=storageClassName=standard \
                         -o yaml -n tekton-pipelines \
                         --dry-run=client | kubectl replace -f -

Install triggers:

kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/release.yaml
kubectl apply --filename https://storage.googleapis.com/tekton-releases/triggers/latest/interceptors.yaml

Dashboard (optional):

kubectl apply --filename https://github.com/tektoncd/dashboard/releases/latest/download/tekton-dashboard-release.yaml
kubectl proxy --port=8080

Install scss


Docker registry access:

kubectl -n sscs create secret docker-registry regcred \
                    --docker-server=<your-registry-server> \
                    --docker-username=<your-name> \
                    --docker-password=<your-pword>

Tekton chains

kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/latest/release.yaml

Configure chains (in-toto attestation format, OCI storage for attestations, and upload to the transparency log enabled):

kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.format": "in-toto"}}'
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"artifacts.taskrun.storage": "oci"}}'
kubectl patch configmap chains-config -n tekton-chains -p='{"data":{"transparency.enabled": "true"}}'