Install pinned version of krel and verify signed artifact with cosign
Signed-off-by: Vyom-Yadav <[email protected]>
Vyom-Yadav committed Jan 5, 2025
1 parent cfd069d commit e8d1d5a
Showing 1 changed file with 41 additions and 30 deletions.
71 changes: 41 additions & 30 deletions .github/workflows/krel-release-notes-validate.yaml
@@ -18,7 +18,7 @@ on:
paths:
- releases/**/release-notes/**.yaml
# Allow manual triggering
workflow_dispatch: {}
workflow_dispatch: { }

concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
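Review bot: the only change in this hunk is `workflow_dispatch: {}` to `workflow_dispatch: { }`, a whitespace-only edit inside an empty YAML flow mapping that parses identically; it has nothing to do with pinning and verifying krel, so drop it (or revert to `{}`) to keep the diff focused on the functional change.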
@@ -29,43 +29,55 @@ jobs:
runs-on: ubuntu-latest
if: ${{ !github.event.pull_request.draft }}
steps:
- name: Cancel Previous Actions
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # v0.12.1
with:
access_token: ${{ github.token }}
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
# we need to fetch the full history in order to check changes across all commits on the branch
fetch-depth: '0'
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: '1.23'
check-latest: true
go-version: '1.23'
check-latest: true
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
use-sudo: false
- id: install-krel
shell: bash
run: |
#!/usr/bin/env bash
set -euo pipefail
echo "Installing krel..."
if ! go install k8s.io/release/cmd/krel@latest; then
echo "::error::Failed to install krel"
exit 1
fi
echo "Verifying krel installation..."
if ! command -v krel &> /dev/null; then
echo "::error::krel not found in PATH after installation"
exit 1
fi
echo "Testing krel..."
if ! krel --help &> /dev/null; then
echo "::error::krel --help failed, installation may be corrupted"
exit 1
fi
echo "krel installed successfully"
KREL_PATH=$(which krel)
echo "krel-path=$KREL_PATH" >> "$GITHUB_OUTPUT"
echo "Krel path: $KREL_PATH"
#!/bin/bash
set -euo pipefail
KREL_VERSION=v0.17.12
ARTIFACT_NAME=krel-amd64-linux
TEMP_DIR=$(mktemp -d)
cd "$TEMP_DIR"
echo "Downloading krel version $KREL_VERSION..."
if ! curl -sL "https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME" -o krel; then
echo "Failed to download krel"
exit 1
fi
KREL_CERT="https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME.pem"
KREL_SIG="https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME.sig"
echo "Using cosign to verify signature of krel version $KREL_VERSION"
if ! cosign verify-blob --certificate "$KREL_CERT" --signature "$KREL_SIG" \
--certificate-identity "https://github.com/kubernetes/release/.github/workflows/release.yml@refs/tags/$KREL_VERSION" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" krel; then
echo "Signature verification failed for krel version: '$KREL_VERSION'"
exit 1
fi
chmod +x krel
mkdir -p "$HOME/.local/bin"
mv krel "$HOME/.local/bin/"
cd - > /dev/null
rm -rf "$TEMP_DIR"
KREL_PATH="$HOME/.local/bin/krel"
echo "krel-path=$KREL_PATH" >> "$GITHUB_OUTPUT"
echo "Krel installed at: $KREL_PATH"
- name: Get the latest commit from the base branch
id: base_branch_commit
run: |
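Review bot: the download on `curl -sL "https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME" -o krel` has no `--fail`, so an HTTP 404 or 5xx (a mistyped `$KREL_VERSION`, a renamed asset, a GitHub outage) writes the HTML error body to `krel`, curl exits 0, and the `echo "Failed to download krel"; exit 1` branch can never fire; the job then only dies later at `cosign verify-blob` with the misleading "Signature verification failed" message. Use `curl -fsSL --retry 3 ... -o krel` so the failure is reported where it happens. The verification itself is the right shape: `--certificate-identity` is bound to the `release.yml` workflow at `refs/tags/$KREL_VERSION` and `--certificate-oidc-issuer` to `https://token.actions.githubusercontent.com`, so a binary signed by any other identity or issuer is rejected, and fetching the `.pem` and `.sig` over the same unauthenticated channel does not weaken that because cosign validates the certificate chain and signature itself (and, by default in cosign v2, looks the entry up in Rekor) rather than trusting the download. Two smaller points: `ARTIFACT_NAME=krel-amd64-linux` hard-codes the architecture, which matches `ubuntu-latest` today but deserves a comment; and this hunk deletes the `command -v krel` check while installing into `$HOME/.local/bin`, which is not guaranteed to be on `PATH` for later steps, so either append it with `echo "$HOME/.local/bin" >> "$GITHUB_PATH"` or confirm every later step uses `${{ steps.install-krel.outputs.krel-path }}` instead of bare `krel`.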
@@ -104,8 +116,7 @@ jobs:
# If there are any invalid files, set the output variable and fail the job
if [ -n "$INVALID_FILES" ]; then
echo "invalid_files=$INVALID_FILES" >> $GITHUB_ENV
echo "::set-output name=invalid_files::$(echo -n "$INVALID_FILES")"
echo "invalid_files=$(echo -n "$INVALID_FILES")" >> "$GITHUB_OUTPUT"
exit 1
else
echo "All YAML files are valid."
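Review bot: the replacement line `echo "invalid_files=$(echo -n "$INVALID_FILES")" >> "$GITHUB_OUTPUT"` keeps the single-line `key=value` form, so if `$INVALID_FILES` lists several files separated by newlines only the first line becomes the output value and the remaining lines are parsed as separate, malformed entries; use the heredoc form `{ echo "invalid_files<<EOF"; echo "$INVALID_FILES"; echo "EOF"; } >> "$GITHUB_OUTPUT"` for multi-line values. The inner `$(echo -n "$INVALID_FILES")` is redundant, `echo "invalid_files=$INVALID_FILES"` yields the same bytes, and the untouched `>> $GITHUB_ENV` two lines above should quote `"$GITHUB_ENV"` the way the new line quotes `"$GITHUB_OUTPUT"` (and has the same multi-line caveat). Dropping the deprecated `::set-output` workflow command in favour of `$GITHUB_OUTPUT` is correct.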
