fix: prevent attempt of double publishing of cosign.pub
jskelin committed Nov 21, 2024
1 parent 3ca846a commit cf5571f
Showing 3 changed files with 28 additions and 32 deletions.
8 changes: 4 additions & 4 deletions .ci/jenkins/tools/ko.groovy
@@ -21,9 +21,9 @@ void install() {
private def registrySecret(String registry) {
String path
switch (registry) {
case "DockerHub": path = "keptn-jenkins/monaco/dockerhub-deploy"
case "DT": path = "keptn-jenkins/monaco/registry-deploy"
default: path = "keptn-jenkins/monaco/registry-deploy"
case "DockerHub": path = "keptn-jenkins/monaco/dockerhub-deploy"; break
case "DT": path = "keptn-jenkins/monaco/registry-deploy"; break
default: path = "keptn-jenkins/monaco/registry-deploy"; break
}

return [[path : "${path}",
@@ -37,7 +37,7 @@ private def registrySecret(String registry) {

void loginToRegistry(Map args = [registry: null]) {
withVault(vaultSecrets: registrySecret(args.registry)) {
sh(label: "sign in to container registry",
sh(label: "sign in to ${args.registry} registry",
script: 'ko login --username=$username --password=$password $registry')
}
}
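Review bot: The `ko login` script under the relabelled `sh` step in `loginToRegistry` still passes the Vault secret as `--password=$password`, so it is visible in the process arguments on the build agent. With the added `break`s the DockerHub deploy secret now reaches this command as well, since the old fall-through presumably always ended on the registry-deploy path. `ko login` accepts `--password-stdin`, so the script could be `printf %s "$password" | ko login --username="$username" --password-stdin "$registry"`, which also quotes the variables. Separately, in `registrySecret` the `default` branch silently maps any unrecognised name, and the `null` default of `args.registry` (which would render the label as "sign in to null registry"), to the same secret as `DT`; failing on an unknown name would surface typos. The rest of `registrySecret`'s return value lies outside the visible hunks.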
47 changes: 24 additions & 23 deletions .ci/releasePipeline.groovy
@@ -35,16 +35,7 @@ pipeline {
stage("Build binaries") {
def tasks = [:]

tasks["Docker container"] = {
stage("for testing") {
releaseDockerContainer(ctx, "DT")
}
if (isRelease(ctx)) {
stage ("for DockerHub") {
releaseDockerContainer(ctx, "DockerHub")
}
}
}
tasks["Docker container"] = { releaseDockerContainer(ctx) }

//linux
for (arch in ["amd64", "arm64", "386"]) {
@@ -189,23 +180,33 @@ void releaseBinary(Context ctx, Release release) {
}
}

void releaseDockerContainer(Context ctx, String registry) {
stage("Build Docker") {
def ko = load(".ci/jenkins/tools/ko.groovy")
ko.install()
void releaseDockerContainer(Context ctx) {
createAndPublishContainer(ctx, "DT")

if (isRelease(ctx)) {
createAndPublishContainer(ctx, "DockerHub")

def cosign = load(".ci/jenkins/tools/cosign.groovy")
cosign.install("latest")
ctx.githubRelease.addToRelease(rawData: cosign.getPublicKey(), underName: "cosign.pub")
}
}

List<String> tags = [ctx.version]
if (isFinal(ctx)) {
tags << "latest"
ctx.githubRelease.addToRelease(rawData: cosign.getPublicKey(), underName: "cosign.pub")
}
void createAndPublishContainer(Context ctx, String registry) {
def ko = load(".ci/jenkins/tools/ko.groovy")
ko.install()
def cosign = load(".ci/jenkins/tools/cosign.groovy")
cosign.install("latest")

ko.loginToRegistry(registry: registry)
image = ko.buildContainer(tags: tags, registry: registry)
cosign.sign(image)
List<String> tags = [ctx.version]
if (isFinal(ctx)) {
tags << "latest"
}

ko.loginToRegistry(registry: registry)
image = ko.buildContainer(tags: tags, registry: registry)
cosign.sign(image)

echo "Created docker image ${image}"
}

void signWinBinaries(Map args = [source: null, version: null, destDir: null, projectName: null]) {
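Review bot: `cosign.install("latest")` in both `releaseDockerContainer` and `createAndPublishContainer` leaves the tool that signs the images and exports `cosign.pub` unpinned, so each release uses whatever cosign build is current at that moment. Assuming `install` accepts a version string, pass a reviewed, pinned one, e.g. `cosign.install(COSIGN_VERSION)` (placeholder constant name), and load and install it once rather than up to three times per run. `image = ko.buildContainer(...)` has no `def`, so in a Groovy script it lands in the shared binding while this closure presumably runs alongside the other build tasks; `def image = ko.buildContainer(tags: tags, registry: registry)` keeps it local. The key upload also moved from the `isFinal(ctx)` branch to `isRelease(ctx)`, so if the two differ for pre-releases it is worth confirming and commenting that the new condition is intended.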
5 changes: 0 additions & 5 deletions Makefile
@@ -135,8 +135,3 @@ IMAGE_PATH ?= $(REPO_PATH)/$(CONTAINER_NAME)
docker-container: install-ko
@echo Building docker container...
KO_DOCKER_REPO=$(IMAGE_PATH) VERSION=$(VERSION) ko build --bare --sbom=none --tags=$(TAGS) ./cmd/monaco

sign-verify-image:
@go install github.com/sigstore/cosign/v2/cmd/[email protected]
COSIGN_PASSWORD=$(COSIGN_PASSWORD) cosign sign --key env://cosign_key $(FULL_IMAGE_NAME) -y
cosign verify --key env://cosign_pub $(FULL_IMAGE_NAME)
