From a258650dce0fd381a3edf20fd8c222aec3da1c64 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 12:00:04 -0500 Subject: [PATCH 01/20] use reproducible source archive as homebrew release source --- .github/workflows/homebrew.yml | 42 ++++++++++++++++++++++++++-------- .github/workflows/release.yml | 9 +++++++- 2 files changed, 40 insertions(+), 11 deletions(-) diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index a1d1d994..f3bb7e8a 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml 
@@ -23,20 +23,42 @@ jobs: exit 1 fi - update-brew: + brew_formula: needs: enforce_stable_semver - if: github.repository_owner == 'openziti' - runs-on: ubuntu-latest + if: github.repository_owner == 'openziti' || github.repository_owner == 'openziti-test-kitchen' + runs-on: ubuntu-24.04 steps: - - name: Extract Version - id: extract-version - run: | - echo "tag-name=${GITHUB_REF#refs/tags/}" | tee -a ${GITHUB_OUTPUT} - - uses: mislav/bump-homebrew-formula-action@v3.1 - if: ${{ !contains(github.ref, '-') }} + - name: Get Checksums File + shell: bash + run: | + curl -sSLf -o checksums.sha256.txt \ + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/checksums.sha256.txt + + - name: Get Source Archive + shell: bash + run: | + curl -sSLf -o source.tar.gz \ + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz + + - name: Verify Source Archive Checksum + shell: bash + run: | + shasum --algorithm 256 --ignore-missing --check checksums.sha256.txt + + - name: Extract Source Archive Checksum + id: source + shell: bash + run: | + CHECKSUM=$(grep -E '\bsource\.tar\.gz$' checksums.sha256.txt | cut -d' ' -f1) + echo "sha256=${CHECKSUM}" | tee -a "$GITHUB_OUTPUT" + + - name: Upload Release Source Archive to Homebrew + uses: mislav/bump-homebrew-formula-action@v3.2 with: formula-name: zrok - download-url: https://github.com/openziti/zrok/archive/refs/tags/${{ steps.extract-version.outputs.tag-name }}.tar.gz + download-url: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz + download-sha256: ${{ steps.source.outputs.sha256 }} + homebrew-tap: ${{ vars.ZROK_BREW_TAP || 'Homebrew/homebrew-core' }} env: COMMITTER_TOKEN: ${{ secrets.BREW_COMMITTER_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 11ddbe79..8ec9a3da 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
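Review bot: The new `run:` bodies splice `${{ github.ref_name }}` and `${{ github.repository }}` directly into shell text (both curl URLs and the `GITHUB_OUTPUT` step); GitHub's hardening guidance is to hand such context to the script through `env:` and expand it as a shell variable, e.g. `env:` / `REF_NAME: ${{ github.ref_name }}` on the step and `.../download/${REF_NAME}/source.tar.gz` in the command, so the tag name is data rather than script. The `enforce_stable_semver` job this one depends on presumably constrains what a tag name can look like, which narrows the exposure but does not remove the pattern. In the `Extract Source Archive Checksum` step, an empty `CHECKSUM` (no grep match) is only caught because `shell: bash` enables `-e`/`pipefail`; an explicit `[[ -n "$CHECKSUM" ]] || exit 1` after the assignment makes that intent visible to the next reader. The job's `env:` block continues past the end of the hunk.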
@@ -269,6 +269,12 @@ jobs: - run: | mkdir -p ./automated-release-build + - name: Fetch Source Archive + shell: bash + run: | + curl -L -o ./automated-release-build/source.tar.gz \ + https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }} + - uses: actions/download-artifact@v4 with: path: ./automated-release-build @@ -277,7 +283,8 @@ jobs: - run: | ls -lAR ./automated-release-build/ - shasum ./automated-release-build/* > ./automated-release-build/checksums.txt + cd ./automated-release-build/ + shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - uses: goreleaser/goreleaser-action@v6 with: From 2634fea2af18d499329e900d58ba367f1a2ba7c4 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 12:10:30 -0500 Subject: [PATCH 02/20] announce reproducible source artifact --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6be8142e..dad2d9ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,11 @@ ## v0.4.49 -FIX: Pre-releases are no longer uploaded to the stable Linux package repo. +FIX: Release artifacts now include a reproducible source archive. The archive's download URL is now used by the Homebrew formula when building from source instead of the archive generated on-demand by GitHub (https://github.com/openziti/zrok/issues/858). + +FIX: Pre-releases are no longer uploaded to the stable Linux package repo, and workflows that promote stable release artifacts to downstream distribution channels enforce semver stable release tags, i.e., not having a semver hyphenated prerelease suffix. + +CHANGE: The release `checksums.txt` has been renamed `checksums.sha256.txt` to reflect the use of a collision-resistant algorithm instead of `shasum`'s default algorithm, SHA-1. CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Docker Hub for testing. [RELEASING.md](./RELEASING.md) describes releaser steps and the events they trigger. 
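Review bot: The archive the series calls "reproducible" is fetched from `https://api.github.com/repos/.../tarball/...`, the same on-demand archive generator the commit message sets out to move away from; freezing one copy as a release asset gives a stable download and checksum, but its bytes are still whatever GitHub's archiver produced at release time, not a deterministic function of the tag. If reproducibility is the goal, producing the asset from the checked-out tree with `git archive --format=tar.gz -o ./automated-release-build/source.tar.gz HEAD` (the job already runs `actions/checkout@v4`) removes the external dependency; otherwise a comment on the `Fetch Source Archive` step stating that the asset is a captured snapshot keeps the changelog claim honest. In the second hunk, `shasum --algorithm 256 ./* | tee ./checksums.sha256.txt` expands the glob in one pipeline subshell while `tee` creates the output file in another, so nothing guarantees the listing cannot pick up an empty `./checksums.sha256.txt`; `FILES=(./*)` on its own line followed by `shasum --algorithm 256 "${FILES[@]}" | tee ./checksums.sha256.txt` closes that window. The `draft-release` job continues outside both hunks.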
From 691f254e615a0af60aec84fe3fd4b412e5f55008 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 12:21:20 -0500 Subject: [PATCH 03/20] set brew formula path for all taps --- .github/workflows/homebrew.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index f3bb7e8a..5b12dde8 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -57,6 +57,7 @@ jobs: uses: mislav/bump-homebrew-formula-action@v3.2 with: formula-name: zrok + formula-path: Formula/z/zrok.rb download-url: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz download-sha256: ${{ steps.source.outputs.sha256 }} homebrew-tap: ${{ vars.ZROK_BREW_TAP || 'Homebrew/homebrew-core' }} From 9df45f300408a054729376f1385a89089208dc08 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 12:31:22 -0500 Subject: [PATCH 04/20] raise exceptions --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8ec9a3da..f6340e28 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -272,7 +272,7 @@ jobs: - name: Fetch Source Archive shell: bash run: | - curl -L -o ./automated-release-build/source.tar.gz \ + curl -sSLf -o ./automated-release-build/source.tar.gz \ https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }} - uses: actions/download-artifact@v4 From dedfa98e91ef2aa4e2c273328be5b446820981e1 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 12:54:01 -0500 Subject: [PATCH 05/20] add release version to source archive filename --- .github/workflows/homebrew.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index 5b12dde8..09bfdb5a 100644 
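Review bot: `formula-path: Formula/z/zrok.rb` hardcodes homebrew-core's sharded layout for whichever tap `vars.ZROK_BREW_TAP` selects, and a tap that keeps its formula at `Formula/zrok.rb` would presumably fail the bump with a missing path. If every tap used here follows the sharded layout, a comment on the line such as `# sharded path used by homebrew-core; taps must mirror it` documents the assumption; otherwise make the path configurable alongside the tap, e.g. a repository variable with `'Formula/z/zrok.rb'` as the `||` default (variable name to be chosen). The `curl -sSLf` change in the second hunk is the right call, since without `-f` an error body would have been checksummed as the archive.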
--- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -39,7 +39,7 @@ jobs: shell: bash run: | curl -sSLf -o source.tar.gz \ - https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source-${{ github.ref_name }}.tar.gz - name: Verify Source Archive Checksum shell: bash diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f6340e28..410baee5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -272,7 +272,7 @@ jobs: - name: Fetch Source Archive shell: bash run: | - curl -sSLf -o ./automated-release-build/source.tar.gz \ + curl -sSLf -o ./automated-release-build/source-${{ github.ref_name }}.tar.gz \ https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }} - uses: actions/download-artifact@v4 From 2b276197fad441aaf77877201c9b6fa60c1c7992 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 12:54:01 -0500 Subject: [PATCH 06/20] add release version to source archive filename --- .github/workflows/homebrew.yml | 6 +++--- .github/workflows/release.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index 5b12dde8..70c63c01 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -38,8 +38,8 @@ jobs: - name: Get Source Archive shell: bash run: | - curl -sSLf -o source.tar.gz \ - https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz + curl -sSLf -o source-${{ github.ref_name }}.tar.gz \ + https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source-${{ github.ref_name }}.tar.gz - name: Verify Source Archive Checksum shell: bash 
@@ -58,7 +58,7 @@ jobs: with: formula-name: zrok formula-path: Formula/z/zrok.rb - download-url: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source.tar.gz + download-url: https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/source-${{ github.ref_name }}.tar.gz download-sha256: ${{ steps.source.outputs.sha256 }} homebrew-tap: ${{ vars.ZROK_BREW_TAP || 'Homebrew/homebrew-core' }} env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f6340e28..410baee5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -272,7 +272,7 @@ jobs: - name: Fetch Source Archive shell: bash run: | - curl -sSLf -o ./automated-release-build/source.tar.gz \ + curl -sSLf -o ./automated-release-build/source-${{ github.ref_name }}.tar.gz \ https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }} - uses: actions/download-artifact@v4 From c25325ea7fe050ed2a31cb5f41ba0e6ff115c467 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 13:22:35 -0500 Subject: [PATCH 07/20] add sbom to release artifacts --- .github/workflows/release.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 410baee5..5a2dac4a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -275,6 +275,15 @@ jobs: curl -sSLf -o ./automated-release-build/source-${{ github.ref_name }}.tar.gz \ https://api.github.com/repos/${{ github.repository }}/tarball/${{ github.ref_name }} + - name: Build SBOM from Dependency Graph as SPDX JSON + shell: bash + run: | + gh api \ + -H "Accept: application/vnd.github+json" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + /repos/${{ github.repository }}/dependency-graph/sbom \ + | tee ./automated-release-build/sbom-${{ github.ref_name }}.spdx.json + - uses: actions/download-artifact@v4 with: path: ./automated-release-build 
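Review bot: The SBOM step exports `/repos/.../dependency-graph/sbom`, which describes the repository's dependency graph as GitHub currently holds it rather than the tree at the tagged commit, so `sbom-<tag>.spdx.json` can drift from the released binaries when the default branch has moved on or the tag was cut elsewhere. That limitation deserves a comment on the step, e.g. `# NOTE: the dependency-graph SBOM is repository-wide, not pinned to this tag`, or an SBOM generated from the checkout so it is tied to the same commit as the artifacts it ships next to. The `| tee` pipeline only fails the step because `shell: bash` sets `pipefail`; a comment saying so would stop a future edit from dropping `shell: bash` and silently publishing an empty SBOM. The step also needs an authenticated `gh`; as written here there is no token in scope.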
From 3d5519117cd87caf928a50ecf0f26be28d2a4908 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 13:43:26 -0500 Subject: [PATCH 08/20] add github token to authenticate to the api --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5a2dac4a..fe96cfee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -277,6 +277,8 @@ jobs: - name: Build SBOM from Dependency Graph as SPDX JSON shell: bash + env: + GH_TOKEN: ${{ github.token }} run: | gh api \ -H "Accept: application/vnd.github+json" \ From 1844769572c2f43c27c8a5d4f703aea09264ccf9 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 13:59:44 -0500 Subject: [PATCH 09/20] attest release provenance --- .github/workflows/release.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fe96cfee..2bc6e522 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,10 +5,6 @@ on: tags: - 'v*.*.*' -# grant write permission to GITHUB_TOKEN for goreleaser -permissions: - contents: write - env: ZITI_DEB_TEST_REPO: ${{ vars.ZITI_DEB_TEST_REPO || 'zitipax-openziti-deb-test' }} ZITI_RPM_TEST_REPO: ${{ vars.ZITI_RPM_TEST_REPO || 'zitipax-openziti-rpm-test' }} @@ -263,6 +259,10 @@ jobs: draft-release: runs-on: ubuntu-latest needs: call-publish-docker-images + permissions: + contents: write # need write to draft the release + id-token: write # need write to get OIDC token for generating attestations + attestations: write # need write to create attestations steps: - uses: actions/checkout@v4 
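Review bot: Dropping the workflow-level `permissions: contents: write` leaves every job other than `draft-release` on the repository's default `GITHUB_TOKEN` permissions, and in particular `call-publish-docker-images`, which appears to invoke the reusable publish-docker-images workflow, receives no `id-token: write` or `attestations: write`; a called workflow cannot hold more permission than its caller, so the attestation step added to that workflow later in this series (patch 17) would fail unless the caller job declares them too. Adding the same two lines, `id-token: write` and `attestations: write`, under a `permissions:` block on `call-publish-docker-images` keeps the least-privilege intent while letting the image attestation run. If the repository default is read-only, any remaining job that writes to the repository now needs its own `contents: write`; those jobs are outside this hunk so I cannot confirm either way.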
@@ -292,12 +292,20 @@ jobs: merge-multiple: true pattern: release-builds-* - - run: | + - name: Create Checksums File + shell: bash + run: | ls -lAR ./automated-release-build/ cd ./automated-release-build/ shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - - uses: goreleaser/goreleaser-action@v6 + - name: Attest Build Provenance + uses: actions/attest-build-provenance@v2 + with: + subject-checksums: ./checksums.sha256.txt + + - name: Draft Release + uses: goreleaser/goreleaser-action@v6 with: distribution: goreleaser version: '~> v2' From ad89a719aaad7791a8a0f528c478c157d01c0f35 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 14:07:01 -0500 Subject: [PATCH 10/20] fix regex --- .github/workflows/homebrew.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index 70c63c01..072d0ec4 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -50,7 +50,7 @@ jobs: id: source shell: bash run: | - CHECKSUM=$(grep -E '\bsource\.tar\.gz$' checksums.sha256.txt | cut -d' ' -f1) + CHECKSUM=$(grep -E "\bsource-${{ github.ref_name }}\.tar\.gz$" checksums.sha256.txt | cut -d' ' -f1) echo "sha256=${CHECKSUM}" | tee -a "$GITHUB_OUTPUT" - name: Upload Release Source Archive to Homebrew From 69a29fee95505f896f8ec4638c6085545121f256 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 14:26:37 -0500 Subject: [PATCH 11/20] add an attestations subject checksums file --- .github/workflows/release.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2bc6e522..0531ebc9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -292,17 +292,23 @@ jobs: merge-multiple: true pattern: release-builds-* - - name: Create Checksums File + - name: Create Checksum Files shell: bash run: | + ls -lAR ./automated-release-build/ + + # create checksum file for the attestations + shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt + + # create checksum file for the release cd ./automated-release-build/ shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./checksums.sha256.txt + subject-checksums: ./attestation-subject-checksums.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6 From e059f0ff5943103bbbfe9cdb864db72c46bf39ec Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 14:26:37 -0500 Subject: [PATCH 12/20] add an attestations subject checksums file --- .github/workflows/release.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2bc6e522..0531ebc9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -292,17 +292,23 @@ jobs: merge-multiple: true pattern: release-builds-* - - name: Create Checksums File + - name: Create Checksum Files shell: bash run: | + ls -lAR ./automated-release-build/ + + # create checksum file for the attestations + shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt + + # create checksum file for the release cd ./automated-release-build/ shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./checksums.sha256.txt + subject-checksums: ./attestation-subject-checksums.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6 From c97f2074c5204cb4e040a8ce4e02189a0fa923e3 Mon Sep 17 00:00:00 2001 
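Review bot: The attestation subject list is taken from `./automated-release-build/*` before `checksums.sha256.txt` is written into that directory, so the release's own checksum file becomes the one published text artifact without a provenance attestation, which sits oddly with the changelog statement later in this series that binary and text artifacts are attested. If that is deliberate (the file is derivable from the attested subjects), a comment above the first `shasum`, e.g. `# checksums.sha256.txt itself is not an attested subject`, settles it; otherwise swap the order so the release checksum file is created first and then included in the subject list. The subject names will carry the `./automated-release-build/` prefix exactly as `shasum` prints them; `gh attestation verify` matches on digest, so this is presumably cosmetic, but confirm against the action's handling of names. Patch 12 repeats this hunk byte for byte with the same blob ids, so one of the two is redundant in the series.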
From: Kenneth Bingham Date: Mon, 24 Feb 2025 14:41:19 -0500 Subject: [PATCH 13/20] Update CHANGELOG.md Signed-off-by: Kenneth Bingham --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dad2d9ea..fc945094 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ FIX: Pre-releases are no longer uploaded to the stable Linux package repo, and w CHANGE: The release `checksums.txt` has been renamed `checksums.sha256.txt` to reflect the use of a collision-resistant algorithm instead of `shasum`'s default algorithm, SHA-1. +CHANGE: The dependency graph is now published as a release artifact named `sbom-{version}.spdx.json` (https://github.com/openziti/zrok/issues/888). + CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Docker Hub for testing. [RELEASING.md](./RELEASING.md) describes releaser steps and the events they trigger. CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life. From d56d6c222e969921b6d2d4d3c188080e5a3a8880 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 14:45:46 -0500 Subject: [PATCH 14/20] place attestations subject checksums file outside git wc --- .github/workflows/release.yml | 4 ++-- .gitignore | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0531ebc9..63b37405 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -299,7 +299,7 @@ jobs: ls -lAR ./automated-release-build/ # create checksum file for the attestations - shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt + shasum --algorithm 256 ./automated-release-build/* | tee ./dist/attestation-subject-checksums.sha256.txt # create checksum file for the release cd ./automated-release-build/ 
@@ -308,7 +308,7 @@ jobs: - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./attestation-subject-checksums.sha256.txt + subject-checksums: ./dist/attestation-subject-checksums.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6 diff --git a/.gitignore b/.gitignore index a830fe64..4566b841 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,7 @@ .idea .vscode *.db -automated-release-build +/automated-release-build/ etc/dev.yml etc/dev-frontend.yml @@ -10,7 +10,7 @@ etc/dev-frontend.yml node_modules/ # Artifacts -dist/ +/dist/ # Generated files .docusaurus From a8419a0fdb520d8af8268e1524a5957a5269a26f Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 15:02:34 -0500 Subject: [PATCH 15/20] create dist dir --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63b37405..a21d9c57 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -299,6 +299,7 @@ jobs: ls -lAR ./automated-release-build/ # create checksum file for the attestations + mkdir -p ./dist shasum --algorithm 256 ./automated-release-build/* | tee ./dist/attestation-subject-checksums.sha256.txt # create checksum file for the release From 8dd8392cb8e4c5f2f7df6e8e3258eaab2d0bc00f Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 15:17:27 -0500 Subject: [PATCH 16/20] write attestation subjects outside work tree --- .github/workflows/release.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a21d9c57..c0aa572e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -299,8 +299,7 @@ jobs: ls -lAR ./automated-release-build/ # create checksum file for the attestations - mkdir -p ./dist - shasum --algorithm 256 ./automated-release-build/* | tee ./dist/attestation-subject-checksums.sha256.txt + shasum --algorithm 256 ./automated-release-build/* | tee /tmp/attestation-subjects.sha256.txt # create checksum file for the release cd ./automated-release-build/ @@ -309,7 +308,7 @@ jobs: - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./dist/attestation-subject-checksums.sha256.txt + subject-checksums: /tmp/attestation-subjects.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6 From 86095fc205e05dc8f0b091e8edb9092d4a8aeada Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 15:35:21 -0500 Subject: [PATCH 17/20] publish container image attestations --- .github/workflows/publish-docker-images.yml | 25 ++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml index 4faf43c1..5a71f652 100644 --- a/.github/workflows/publish-docker-images.yml +++ b/.github/workflows/publish-docker-images.yml @@ -11,13 +11,19 @@ on: jobs: publish-docker-images: runs-on: ubuntu-24.04 + permissions: + contents: write # need write to draft the release + id-token: write # need write to get OIDC token for generating attestations + attestations: write # need write to create attestations env: + REGISTRY: docker.io RELEASE_REF: ${{ inputs.zrok-version }} steps: # compose the semver string without leading "refs/tags" or "v" so we can predict the # release artifact filename - name: Set zrok Version Semver from Tag Ref id: semver + shell: bash run: | echo "zrok_semver=${RELEASE_REF#v}" | tee -a $GITHUB_OUTPUT 
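Review bot: Writing the attestation subject list to the fixed path `/tmp/attestation-subjects.sha256.txt` is fine on ephemeral GitHub-hosted runners but is shared state on a self-hosted runner, where `/tmp` persists across jobs and a stale file at that path is exactly what the attestation step would read if the `shasum` line ever stopped producing output. `${{ runner.temp }}` is the per-job scratch directory that the runner cleans between jobs: `tee "${RUNNER_TEMP}/attestation-subjects.sha256.txt"` in the script and `subject-checksums: ${{ runner.temp }}/attestation-subjects.sha256.txt` in the attest step keep the file out of the work tree, which is this commit's intent, without the shared location. The `Create Checksum Files` step begins above the first hunk.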
@@ -37,6 +43,7 @@ jobs: path: dist/arm64/linux - name: Unpack the Release Artifacts + shell: bash run: | for TGZ in dist/{amd,arm}64/linux; do tar -xvzf ${TGZ}/*.tar.gz -C ${TGZ} @@ -54,6 +61,7 @@ jobs: - name: Login to Docker Hub uses: docker/login-action@v3 with: + registry: ${{ env.REGISTRY}} username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }} password: ${{ secrets.DOCKER_HUB_API_TOKEN }} @@ -62,14 +70,14 @@ jobs: ZROK_CONTAINER_IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }} ZROK_CONTAINER_IMAGE_TAG: ${{ steps.semver.outputs.zrok_semver }} id: tagprep_cli + shell: bash run: | DOCKER_TAGS="${ZROK_CONTAINER_IMAGE_REPO}:${ZROK_CONTAINER_IMAGE_TAG}" echo "DOCKER_TAGS=${DOCKER_TAGS}" | tee -a $GITHUB_OUTPUT - # this is the CLI image with the Linux binary for each - # arch that was downloaded in ./dist/ - name: Build & Push Multi-Platform CLI Container Image to Hub - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6 + id: push with: builder: ${{ steps.buildx.outputs.name }} context: ${{ github.workspace }}/ @@ -79,4 +87,15 @@ jobs: build-args: | DOCKER_BUILD_DIR=./docker/images/zrok ARTIFACTS_DIR=./dist + provenance: mode=max + sbom: true push: true + + - name: Publish Attestations to GitHub + uses: actions/attest-build-provenance@v1 + env: + IMAGE_REPO_TAG: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}:${{ steps.semver.outputs.zrok_semver }} + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO_TAG}} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true From 9e0c2c42dbabfa3130e00311a354187d78a97f84 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 15:46:00 -0500 Subject: [PATCH 18/20] announce attestations --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dad2d9ea..f8c2d45b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
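Review bot: `actions/attest-build-provenance@v1` is used in the last hunk while release.yml (patch 09 of this series) uses `@v2` for the same attestation, so the two workflows will track different majors of one action; aligning them, and pinning each third-party action here (`docker/build-push-action@v6`, this one, and `mislav/bump-homebrew-formula-action@v3.2` in homebrew.yml) to a full commit SHA with the version in a trailing comment, is the usual control for a workflow that signs what it publishes, since a mutable tag can be repointed. `${{ env.REGISTRY}}` and `${{ env.IMAGE_REPO_TAG}}` lack the space before `}}`; both evaluate, but the rest of the file writes `${{ … }}` and the odd form is easy to misread. `provenance: mode=max` records build args and context in the image attestation; the two args here are paths, so nothing sensitive is captured today, and a comment such as `# mode=max embeds build-args in the public attestation; never pass secrets here` preserves that property. The `with:` block of the build step starts above the last hunk.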
@@ -12,6 +12,8 @@ CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Dock CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life. +CHANGE: Release binary and text artifacts are now accompanied by provenance attestations (https://github.com/openziti/zrok/issues/889). + ## v0.4.48 FEATURE: The controller configuration now supports a `disable_auto_migration` boolean in the `store` stanza. When set to `true`, the controller will not attempt to auto-migrate (or otherwise validate the migration state) of the underlying database. Leaving `disable_auto_migration` out, or setting it to false will retain the default behavior of auto-migrating when starting the zrok controller. The `zrok admin migrate` command will still perform a migration regardless of how this setting is configured in the controller configuration (https://github.com/openziti/zrok/issues/866) From 66a88151ce3205dd669a3195c2e1ef57952ba2fe Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 16:04:27 -0500 Subject: [PATCH 19/20] announce container image attestations --- .github/workflows/publish-docker-images.yml | 4 ++-- CHANGELOG.md | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml index 5a71f652..d1006c16 100644 --- a/.github/workflows/publish-docker-images.yml +++ b/.github/workflows/publish-docker-images.yml 
@@ -94,8 +94,8 @@ jobs: - name: Publish Attestations to GitHub uses: actions/attest-build-provenance@v1 env: - IMAGE_REPO_TAG: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}:${{ steps.semver.outputs.zrok_semver }} + IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }} with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO_TAG}} + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_REPO }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true diff --git a/CHANGELOG.md b/CHANGELOG.md index f8c2d45b..b7fe3250 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Dock CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life. +CHANGE: Container images now include SLSA and SBOM attestations, and these are also published to the Docker Hub registry (https://github.com/openziti/zrok/issues/890). + CHANGE: Release binary and text artifacts are now accompanied by provenance attestations (https://github.com/openziti/zrok/issues/889). ## v0.4.48 From c7e85eb911c54ec3b766903d5e407a114f940ea9 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 24 Feb 2025 16:07:39 -0500 Subject: [PATCH 20/20] minimize workflow privs --- .github/workflows/publish-docker-images.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/publish-docker-images.yml b/.github/workflows/publish-docker-images.yml index d1006c16..8f8f0b5b 100644 --- a/.github/workflows/publish-docker-images.yml +++ b/.github/workflows/publish-docker-images.yml 
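Review bot: `IMAGE_REPO` re-evaluates `${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}` separately from the `tagprep_cli` step's `ZROK_CONTAINER_IMAGE_REPO` shown in the patch 17 hunk, so the attested subject name and the pushed tag come from two copies of the same default and can silently diverge if only one is edited. Hoisting it to the job-level `env:` beside `REGISTRY` as `ZROK_CONTAINER_IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}` and reading `${{ env.ZROK_CONTAINER_IMAGE_REPO }}` in both steps gives the attestation a single source of truth for the name it certifies. The CHANGELOG hunk is documentation and needs nothing.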
@@ -12,8 +12,7 @@ jobs: publish-docker-images: runs-on: ubuntu-24.04 permissions: - contents: write # need write to draft the release - id-token: write # need write to get OIDC token for generating attestations + id-token: write # need write to get OIDC token for generating attestations attestations: write # need write to create attestations env: REGISTRY: docker.io