diff --git a/.github/workflows/krel-release-notes-validate.yaml b/.github/workflows/krel-release-notes-validate.yaml
index 70d4c01af31..fd8a7f22454 100644
--- a/.github/workflows/krel-release-notes-validate.yaml
+++ b/.github/workflows/krel-release-notes-validate.yaml
@@ -18,7 +18,7 @@ on:
paths:
- releases/**/release-notes/**.yaml
# Allow manual triggering
- workflow_dispatch: {}
+ workflow_dispatch: { }

concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
@@ -29,10 +29,6 @@ jobs:
runs-on: ubuntu-latest
if: ${{ !github.event.pull_request.draft }}
steps:
- - name: Cancel Previous Actions
- uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # v0.12.1
- with:
- access_token: ${{ github.token }}
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
@@ -40,32 +36,48 @@ jobs:
fetch-depth: '0'
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
- go-version: '1.23'
- check-latest: true
+ go-version: '1.23'
+ check-latest: true
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+ with:
+ use-sudo: false
- id: install-krel
shell: bash
run: |
- #!/usr/bin/env bash
- set -euo pipefail
- echo "Installing krel..."
- if ! go install k8s.io/release/cmd/krel@latest; then
- echo "::error::Failed to install krel"
- exit 1
- fi
- echo "Verifying krel installation..."
- if ! command -v krel &> /dev/null; then
- echo "::error::krel not found in PATH after installation"
- exit 1
- fi
- echo "Testing krel..."
- if ! krel --help &> /dev/null; then
- echo "::error::krel --help failed, installation may be corrupted"
- exit 1
- fi
- echo "krel installed successfully"
- KREL_PATH=$(which krel)
- echo "krel-path=$KREL_PATH" >> "$GITHUB_OUTPUT"
- echo "Krel path: $KREL_PATH"
+ #!/bin/bash
+ set -euo pipefail
+
+ KREL_VERSION=v0.17.12
+ ARTIFACT_NAME=krel-amd64-linux
+ TEMP_DIR=$(mktemp -d)
+ cd "$TEMP_DIR"
+
+ echo "Downloading krel version $KREL_VERSION..."
+ if ! curl -sL "https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME" -o krel; then
+ echo "Failed to download krel"
+ exit 1
+ fi
+
+ KREL_CERT="https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME.pem"
+ KREL_SIG="https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME.sig"
+
+ echo "Using cosign to verify signature of krel version $KREL_VERSION"
+ if ! cosign verify-blob --certificate "$KREL_CERT" --signature "$KREL_SIG" \
+ --certificate-identity "https://github.com/kubernetes/release/.github/workflows/release.yml@refs/tags/$KREL_VERSION" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" krel; then
+ echo "Signature verification failed for krel version: '$KREL_VERSION'"
+ exit 1
+ fi
+
+ chmod +x krel
+ mkdir -p "$HOME/.local/bin"
+ mv krel "$HOME/.local/bin/"
+ cd - > /dev/null
+ rm -rf "$TEMP_DIR"
+
+ KREL_PATH="$HOME/.local/bin/krel"
+ echo "krel-path=$KREL_PATH" >> "$GITHUB_OUTPUT"
+ echo "Krel installed at: $KREL_PATH"
- name: Get the latest commit from the base branch
id: base_branch_commit
run: |
@@ -104,8 +116,7 @@ jobs:
# If there are any invalid files, set the output variable and fail the job
if [ -n "$INVALID_FILES" ]; then
- echo "invalid_files=$INVALID_FILES" >> $GITHUB_ENV
- echo "::set-output name=invalid_files::$(echo -n "$INVALID_FILES")"
+ echo "invalid_files=$(echo -n "$INVALID_FILES")" >> "$GITHUB_OUTPUT"
exit 1
else
echo "All YAML files are valid."
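Review bot: The download on the `if ! curl -sL ...` line of the install-krel step does not pass `--fail`, so an HTTP error response (a 404 for a mistyped `$KREL_VERSION` or `$ARTIFACT_NAME`, or a rate-limit page) is written into `krel` with exit status 0 and the failure only surfaces later as the misleading "Signature verification failed" message; use `if ! curl -fsSL --retry 3 "https://github.com/kubernetes/release/releases/download/$KREL_VERSION/$ARTIFACT_NAME" -o krel; then`. Pinning `KREL_VERSION` and checking the blob with `--certificate-identity` and `--certificate-oidc-issuer` is the right replacement for the removed `go install ...@latest`, so the verification itself looks sound. Two smaller points: `$TEMP_DIR` is only removed on the success path, and a `trap 'rm -rf "$TEMP_DIR"' EXIT` placed right after `mktemp -d` would cover the `exit 1` branches as well; the `#!/bin/bash` line inside `run: |` is inert because the step already runs under `shell: bash`. The consumers of the `krel-path` output are outside the hunk, so whether `$HOME/.local/bin` also has to be on `PATH` for later steps cannot be checked here.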
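Review bot: The new `echo "invalid_files=$(echo -n "$INVALID_FILES")" >> "$GITHUB_OUTPUT"` line only works if `$INVALID_FILES` is a single line; if the list is newline-separated (the code that builds it is outside the hunk, so this is inferred), every line after the first lands in `$GITHUB_OUTPUT` as a separate entry without `key=`, which the runner rejects as malformed. Multi-line values need the delimiter form, `{ echo "invalid_files<<INVALID_FILES_EOF"; echo "$INVALID_FILES"; echo "INVALID_FILES_EOF"; } >> "$GITHUB_OUTPUT"`, and that also removes the `$(echo -n ...)` wrapper, which is redundant because command substitution already strips trailing newlines. Dropping the `$GITHUB_ENV` write means any later step that read `env.invalid_files` now has to read `steps.<id>.outputs.invalid_files` instead; the step's `id:` and those readers are outside the hunk, so that cannot be confirmed here.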