chore: fix checksum generation (#2481)

* chore: fix checksum generation and sign sbom

Signed-off-by: Justin Marquis <[email protected]>

* cosign public key for public record

Signed-off-by: Justin Marquis <[email protected]>

* remove pub key for cosign

Signed-off-by: zachaller <[email protected]>

Signed-off-by: Justin Marquis <[email protected]>
Signed-off-by: zachaller <[email protected]>
Co-authored-by: zachaller <[email protected]>

Author: 34fathombelow

.github/workflows/release.yaml

@@ -111,6 +111,7 @@ jobs:
       - name: Generate release artifacts
         run: |
           make release-plugins
+          make checksums
           make manifests IMAGE_TAG=${{ github.event.inputs.tag }}
 
       - name: Generate SBOM (spdx)
@@ -144,6 +145,54 @@ jobs:
 
           cd /tmp && tar -zcf sbom.tar.gz *.spdx
 
+      - name: Login to Quay.io
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/[email protected]
+
+      - name: Get digest of controller-image
+        run: |
+          echo "CONTROLLER_DIGEST=$(crane digest quay.io/argoproj/argo-rollouts:${{ github.event.inputs.tag }})" >> $GITHUB_ENV
+
+      - name: Get digest of plugin-image
+        run: |
+          echo "PLUGIN_DIGEST=$(crane digest quay.io/argoproj/kubectl-argo-rollouts:${{ github.event.inputs.tag }})" >> $GITHUB_ENV
+
+      - name: Sign Argo Rollouts Images
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argo-rollouts@${{ env.CONTROLLER_DIGEST }}
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/kubectl-argo-rollouts@${{ env.PLUGIN_DIGEST }}
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
+      - name: Sign checksums and create public key for release assets
+        run: |
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argo-rollouts-checksums.txt > ./dist/argo-rollouts-checksums.sig
+          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argo-rollouts-cosign.pub
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
+          # Displays the public key to share.
+          cosign public-key --key env://COSIGN_PRIVATE_KEY
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+
+      - name: update stable tag for docs
+        run: |
+          git tag -f stable ${{ github.event.inputs.tag }}
+          git push -f origin stable  
+
       - name: Draft release
         uses: softprops/action-gh-release@v1
         with:
@@ -160,5 +209,6 @@ jobs:
             manifests/notifications-install.yaml
             docs/features/kustomize/rollout_cr_schema.json
             /tmp/sbom.tar.gz
+            /tmp/sbom.tar.gz.sig
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Makefile

@@ -271,3 +271,7 @@ release: release-precheck precheckin image plugin-image release-plugins
 trivy:
 	@trivy fs --clear-cache
 	@trivy fs .
+
+.PHONY: checksums
+checksums:
+	shasum -a 256 ./dist/kubectl-argo-rollouts-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/argo-rollouts-checksums.txt