From e197eca42076b9d6b0c9475eee052a3f18c6d4fd Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 7 Dec 2023 15:45:27 +1100 Subject: [PATCH 01/17] ci(release): add notation release workflow --- .github/workflows/release-notation.yaml | 120 ++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 .github/workflows/release-notation.yaml diff --git a/.github/workflows/release-notation.yaml b/.github/workflows/release-notation.yaml new file mode 100644 index 000000000..0bacd294d --- /dev/null +++ b/.github/workflows/release-notation.yaml 
@@ -0,0 +1,120 @@ +name: release + +on: + push: + +permissions: + contents: read + +jobs: + release: + runs-on: ubuntu-latest + permissions: + contents: write # needed to write releases + id-token: write # needed for keyless signing + packages: write # needed for ghcr access + steps: + - uses: actions/checkout@v4 + - name: Setup Notation CLI + uses: notaryproject/notation-action/setup@v1 + with: + version: "1.0.0" + - name: Generate + run: | + notation cert generate-test --default "fluxcd.io" + # - uses: fluxcd/flux2/action@main + # - name: Setup Go + # uses: actions/setup-go@v4 + # with: + # go-version: 1.21.x + # - name: Setup Helm + # uses: azure/setup-helm@v3 + # with: + # version: v3.12.3 + # - name: Setup QEMU + # uses: docker/setup-qemu-action@v3 + # with: + # platforms: all + # - name: Setup Docker Buildx + # id: buildx + # uses: docker/setup-buildx-action@v3 + # - name: Login to GitHub Container Registry + # uses: docker/login-action@v3 + # with: + # registry: ghcr.io + # username: ${{ github.actor }} + # password: ${{ secrets.GITHUB_TOKEN }} + # - name: Prepare + # id: prep + # run: | + # VERSION=sha-${GITHUB_SHA::8} + # if [[ $GITHUB_REF == refs/tags/* ]]; then + # VERSION=${GITHUB_REF/refs\/tags\//} + # fi + # echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + # echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT + # echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT + # - name: Generate images meta + # id: meta + # uses: docker/metadata-action@v5 + # with: + # images: | + # ghcr.io/jasonthedeveloper/podinfo + # tags: | + # type=raw,value=${{ steps.prep.outputs.VERSION }} + # type=raw,value=latest + # - name: Publish multi-arch image + # uses: docker/build-push-action@v5 + # with: + # sbom: true + # provenance: true + # push: true + # builder: ${{ steps.buildx.outputs.name }} + # context: . 
+ # file: ./Dockerfile.xx + # build-args: | + # REVISION=${{ steps.prep.outputs.REVISION }} + # platforms: linux/amd64,linux/arm/v7,linux/arm64 + # tags: ${{ steps.meta.outputs.tags }} + # labels: ${{ steps.meta.outputs.labels }} + # - name: Publish Helm chart to GHCR + # run: | + # helm package charts/podinfo + # helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/jasonthedeveloper/charts + # rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz + # - name: Publish Flux OCI artifact to GHCR + # run: | + # flux push artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \ + # --path="./kustomize" \ + # --source="${{ github.event.repository.html_url }}" \ + # --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" + # flux tag artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest + # - name: Sign OCI artifacts + # env: + # COSIGN_EXPERIMENTAL: 1 + # run: | + # cosign sign ghcr.io/jasonthedeveloper/podinfo:${{ steps.prep.outputs.VERSION }} --yes + # cosign sign ghcr.io/jasonthedeveloper/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes + # cosign sign ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes + # - name: Publish config artifact + # run: | + # flux push artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \ + # --path="./kustomize" \ + # --source="${{ github.event.repository.html_url }}" \ + # --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" + # flux tag artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest + # - name: Sign config artifact + # run: | + # echo "$COSIGN_KEY" > /tmp/cosign.key + # cosign sign -key /tmp/cosign.key ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes + # cosign sign -key /tmp/cosign.key ghcr.io/jasonthedeveloper/podinfo-deploy:latest --yes + # env: + # COSIGN_PASSWORD: 
${{secrets.COSIGN_PASSWORD}} + # COSIGN_KEY: ${{secrets.COSIGN_KEY}} + # - name: Publish release + # uses: goreleaser/goreleaser-action@v5 + # with: + # version: latest + # args: release --skip-validate + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 5aaf95849eaf87c8242757b4da53c2a7042ddbd8 Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 7 Dec 2023 15:50:30 +1100 Subject: [PATCH 02/17] ci(release): setup signing keys for notation --- .github/workflows/release-notation.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-notation.yaml b/.github/workflows/release-notation.yaml index 0bacd294d..455a7bcab 100644 --- a/.github/workflows/release-notation.yaml +++ b/.github/workflows/release-notation.yaml @@ -19,9 +19,12 @@ jobs: uses: notaryproject/notation-action/setup@v1 with: version: "1.0.0" - - name: Generate + - name: Setup Notation signing keys run: | - notation cert generate-test --default "fluxcd.io" + cp ./.notation/signingkeys.json ~/.config/notation/ + ls ~/.config/notation/ + cat ~/.config/notation/signingkeys.json + # notation cert generate-test --default "fluxcd.io" # - uses: fluxcd/flux2/action@main # - name: Setup Go # uses: actions/setup-go@v4 From b22dd96a54bae88615f8d7f68f18416e65e41cb3 Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 7 Dec 2023 15:51:22 +1100 Subject: [PATCH 03/17] feat(notation): add signingkey.json config --- .notation/signingkeys.json | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .notation/signingkeys.json diff --git a/.notation/signingkeys.json b/.notation/signingkeys.json new file mode 100644 index 000000000..846371d8f --- /dev/null +++ b/.notation/signingkeys.json @@ -0,0 +1,10 @@ +{ + "default": "fluxcd.io", + "keys": [ + { + "name": "fluxcd.io", + "keyPath": "/home/runner/.config/notation/localkeys/flux.key", + "certPath": "/home/runner/.config/notation/localkeys/flux.crt" + } + ] +} 
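Review bot: The trigger block is a bare `on: push:` with no branch or tag filter while the job asks for `contents: write`, `id-token: write` and `packages: write`, so every push to any branch runs with release-grade permissions; nothing in the active steps uses OIDC, so `id-token: write` is also unearned despite the "keyless signing" comment. Restrict the trigger to release tags (`on: push: tags: ['*']`) and drop `id-token: write` until a keyless signer is actually wired in. The only live step, `notation cert generate-test --default "fluxcd.io"`, mints a fresh self-signed test key on every run, so anything signed with it can never be verified against a stable trust store — acceptable for a scaffold, but it must be replaced before any signature is published. If the commented cosign block is revived, note that it writes `$COSIGN_KEY` to `/tmp/cosign.key` with the runner's default umask; create that file with `umask 077` in force.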
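Review bot: In the `Setup Notation signing keys` step, `cp ./.notation/signingkeys.json ~/.config/notation/` runs before anything creates `~/.config/notation/`, so on a fresh runner the copy fails unless the setup action happens to create that directory; add `mkdir -p ~/.config/notation` ahead of it. The `ls` and `cat ~/.config/notation/signingkeys.json` lines are debug output that print the signing configuration into the job log; they only reveal key paths today, but they should not survive into the merged workflow.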
From 86f3b1a57c286ccce11ce4d0009f7e8648b5475c Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 7 Dec 2023 15:52:29 +1100 Subject: [PATCH 04/17] ci(release): create notation config folder --- .github/workflows/release-notation.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-notation.yaml b/.github/workflows/release-notation.yaml index 455a7bcab..1c44196cc 100644 --- a/.github/workflows/release-notation.yaml +++ b/.github/workflows/release-notation.yaml @@ -21,6 +21,7 @@ jobs: version: "1.0.0" - name: Setup Notation signing keys run: | + mkdir -p ~/.config/notation/ cp ./.notation/signingkeys.json ~/.config/notation/ ls ~/.config/notation/ cat ~/.config/notation/signingkeys.json From ca9c6bb4f8d3414eb5e4371f5f7330bf314a9228 Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 7 Dec 2023 16:03:53 +1100 Subject: [PATCH 05/17] ci(release): sign artefacts using notaiton --- .github/workflows/release-notation.yaml | 188 +++++++++++------------- .notation/notation.crt | 20 +++ .notation/signingkeys.json | 4 +- 3 files changed, 110 insertions(+), 102 deletions(-) create mode 100644 .notation/notation.crt diff --git a/.github/workflows/release-notation.yaml b/.github/workflows/release-notation.yaml index 1c44196cc..9a13a6355 100644 --- a/.github/workflows/release-notation.yaml +++ b/.github/workflows/release-notation.yaml 
@@ -21,104 +21,92 @@ jobs: version: "1.0.0" - name: Setup Notation signing keys run: | - mkdir -p ~/.config/notation/ + mkdir -p ~/.config/notation/localkeys/ cp ./.notation/signingkeys.json ~/.config/notation/ - ls ~/.config/notation/ - cat ~/.config/notation/signingkeys.json - # notation cert generate-test --default "fluxcd.io" - # - uses: fluxcd/flux2/action@main - # - name: Setup Go - # uses: actions/setup-go@v4 - # with: - # go-version: 1.21.x - # - name: Setup Helm - # uses: azure/setup-helm@v3 - # with: - # version: v3.12.3 - # - name: Setup QEMU - # uses: docker/setup-qemu-action@v3 - # with: - # platforms: all - # - name: Setup Docker Buildx - # id: buildx - # uses: docker/setup-buildx-action@v3 - # - name: Login to GitHub Container Registry - # uses: docker/login-action@v3 - # with: - # registry: ghcr.io - # username: ${{ github.actor }} - # password: ${{ secrets.GITHUB_TOKEN }} - # - name: Prepare - # id: prep - # run: | - # VERSION=sha-${GITHUB_SHA::8} - # if [[ $GITHUB_REF == refs/tags/* ]]; then - # VERSION=${GITHUB_REF/refs\/tags\//} - # fi - # echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT - # echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - # echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT - # - name: Generate images meta - # id: meta - # uses: docker/metadata-action@v5 - # with: - # images: | - # ghcr.io/jasonthedeveloper/podinfo - # tags: | - # type=raw,value=${{ steps.prep.outputs.VERSION }} - # type=raw,value=latest - # - name: Publish multi-arch image - # uses: docker/build-push-action@v5 - # with: - # sbom: true - # provenance: true - # push: true - # builder: ${{ steps.buildx.outputs.name }} - # context: . 
- # file: ./Dockerfile.xx - # build-args: | - # REVISION=${{ steps.prep.outputs.REVISION }} - # platforms: linux/amd64,linux/arm/v7,linux/arm64 - # tags: ${{ steps.meta.outputs.tags }} - # labels: ${{ steps.meta.outputs.labels }} - # - name: Publish Helm chart to GHCR - # run: | - # helm package charts/podinfo - # helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/jasonthedeveloper/charts - # rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz - # - name: Publish Flux OCI artifact to GHCR - # run: | - # flux push artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \ - # --path="./kustomize" \ - # --source="${{ github.event.repository.html_url }}" \ - # --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" - # flux tag artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest - # - name: Sign OCI artifacts - # env: - # COSIGN_EXPERIMENTAL: 1 - # run: | - # cosign sign ghcr.io/jasonthedeveloper/podinfo:${{ steps.prep.outputs.VERSION }} --yes - # cosign sign ghcr.io/jasonthedeveloper/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes - # cosign sign ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes - # - name: Publish config artifact - # run: | - # flux push artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \ - # --path="./kustomize" \ - # --source="${{ github.event.repository.html_url }}" \ - # --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" - # flux tag artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest - # - name: Sign config artifact - # run: | - # echo "$COSIGN_KEY" > /tmp/cosign.key - # cosign sign -key /tmp/cosign.key ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes - # cosign sign -key /tmp/cosign.key ghcr.io/jasonthedeveloper/podinfo-deploy:latest --yes - # env: - # COSIGN_PASSWORD: 
${{secrets.COSIGN_PASSWORD}} - # COSIGN_KEY: ${{secrets.COSIGN_KEY}} - # - name: Publish release - # uses: goreleaser/goreleaser-action@v5 - # with: - # version: latest - # args: release --skip-validate - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + cp ./.notation/notation.crt ~/.config/notation/localkeys/ + echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key + env: + NOTATION_KEY: ${{ secrets.SIGNING_KEY }} + - uses: fluxcd/flux2/action@main + - name: Setup Go + uses: actions/setup-go@v4 + with: + go-version: 1.21.x + - name: Setup Helm + uses: azure/setup-helm@v3 + with: + version: v3.12.3 + - name: Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: all + - name: Setup Docker Buildx + id: buildx + uses: docker/setup-buildx-action@v3 + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Prepare + id: prep + run: | + VERSION=sha-${GITHUB_SHA::8} + if [[ $GITHUB_REF == refs/tags/* ]]; then + VERSION=${GITHUB_REF/refs\/tags\//} + fi + echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT + echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT + echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT + - name: Generate images meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/jasonthedeveloper/podinfo + tags: | + type=raw,value=${{ steps.prep.outputs.VERSION }} + type=raw,value=latest + - name: Publish multi-arch image + uses: docker/build-push-action@v5 + with: + sbom: true + provenance: true + push: true + builder: ${{ steps.buildx.outputs.name }} + context: . 
+ file: ./Dockerfile.xx + build-args: | + REVISION=${{ steps.prep.outputs.REVISION }} + platforms: linux/amd64,linux/arm/v7,linux/arm64 + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + - name: Publish Helm chart to GHCR + run: | + helm package charts/podinfo + helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/jasonthedeveloper/charts + rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz + - name: Publish Flux OCI artifact to GHCR + run: | + flux push artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \ + --path="./kustomize" \ + --source="${{ github.event.repository.html_url }}" \ + --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" + flux tag artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest + - name: Sign OCI artifacts + run: | + notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo:${{ steps.prep.outputs.VERSION }} --yes + notation sign --signature-format cose ghcr.io/jasonthedeveloper/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes + notation sign --signature-format cose ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes + - name: Publish config artifact + run: | + flux push artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \ + --path="./kustomize" \ + --source="${{ github.event.repository.html_url }}" \ + --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" + flux tag artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest + - name: Sign config artifact + run: | + notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes + notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:latest --yes diff --git a/.notation/notation.crt b/.notation/notation.crt new file mode 100644 index 000000000..7e59823fc 
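Review bot: `echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key` writes the private release key with the runner's default umask and leaves it on disk for the rest of the job, during which `fluxcd/flux2/action@main` (a mutable ref, not a pinned SHA), `actions/setup-go`, `azure/setup-helm`, the docker actions and the repository's own build all execute with read access to it. Materialise the key immediately before the first `notation sign` and with a restrictive mode, e.g. `(umask 077 && printf '%s\n' "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key)`, and pin the unpinned actions to commit SHAs. The `--yes` flag on every `notation sign` line looks carried over from the cosign invocations; I could not confirm that notation 1.0.0 accepts it, and the following commit removes it. `id-token: write` is still requested although no step here does keyless signing.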
--- /dev/null +++ b/.notation/notation.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIUBk/7TYVIUsiCeUm5c11abfwMrZUwDQYJKoZIhvcNAQEL +BQAwUTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl +MQ8wDQYDVQQKDAZOb3RhcnkxEjAQBgNVBAMMCWZsdXhjZC5pbzAeFw0yMzEyMDcw +NDIwNDhaFw0yNDEyMDYwNDIwNDhaMFExCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJX +QTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGTm90YXJ5MRIwEAYDVQQDDAlm +bHV4Y2QuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx1hpkMmSD +rlyjjL8UYaciLBmMtwbpFUcejDgKSSKAqHGtTPrzSHrza1oFybyjwkG7SlbR6k23 +fuWTIz7gVjx+rEmbnJuAnzhGCES4TY+dPO/svhuAT9iGVlJ4TKuPXFO53c+GKY+t +AJoWO04uzVbZsCNPlYmKoq3XvaMc3bnn2APr9xb7aHqF7LggqWe7GeKQEJvEdBYZ +m1KLKym6+pqnEDSPENUVGMYKQwQHNmpVz6y+HdvuR4AQxHrHGvDxo+G7GIjrDe8l +cW4PurFAbv3yLLvpC4ZkppPLuVv7p0kUwy1sSeWVu7uxZ/MPGqI2HSMctDbAvGLj +bPY+rkVf3+4ZAgMBAAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAK +BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAO2TSX5ewQXidW14UzhjNKTXt +Yc8O6qMGNlv2PuCWT9k0ce6qC7s2XYAbvEWYNAS/fwdFC6cJMT/6/Y3s/zbFNrAH +TMJTmGKZvtJnWywcCOg+HcRrLIpExJB1bAaTUW+oea9ABiitMeUEY6oiBGqacPeA +4eVoDQ8wVS8oNHx71fmC9G6iNHaBTip3x81j0koz3JhHf1Mc3gKN56ww1RF/LMEa +NW473dG/8pkuFOp6kuz775/EKBNuYfR6bEYx9zPNIpYAzVsveTnXTHsec3xkUoCQ +xtfR15R8dfbvNFB1iFiew6oiBQ5Wz9abB0PU7b/pE21SjT1+lBKJ9xmMOzFwag== +-----END CERTIFICATE----- diff --git a/.notation/signingkeys.json b/.notation/signingkeys.json index 846371d8f..c3f6e9d7a 100644 --- a/.notation/signingkeys.json +++ b/.notation/signingkeys.json @@ -3,8 +3,8 @@ "keys": [ { "name": "fluxcd.io", - "keyPath": "/home/runner/.config/notation/localkeys/flux.key", - "certPath": "/home/runner/.config/notation/localkeys/flux.crt" + "keyPath": "/home/runner/.config/notation/localkeys/notation.key", + "certPath": "/home/runner/.config/notation/localkeys/notation.crt" } ] } From 4868f430c70c95ba978d28628c13ecf5a77e4dcb Mon Sep 17 00:00:00 2001 
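Review bot: The committed `notation.crt` is self-signed and its validity field (`Fw0yMzEyMDcwNDIwNDhaFw0yNDEyMDYwNDIwNDha`) appears to decode to 2023-12-07 through 2024-12-06, i.e. one year. As I understand notation's `strict` level, an expired signing certificate fails verification unless the signature carries a trusted timestamp, which this notation version does not add, so every signature produced with this key would stop verifying after that date; plan the rotation (new cert, trust store entry and `trustedIdentities` string updated together) before it lapses, or issue a longer-lived certificate. Being a self-signed leaf it also carries no CRL/OCSP endpoint, so the only revocation mechanism is removing it from every consumer's trust store.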
From: Jason Date: Thu, 7 Dec 2023 16:15:17 +1100 Subject: [PATCH 06/17] ci(release): trigger on tag --- .github/workflows/release-notation.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release-notation.yaml b/.github/workflows/release-notation.yaml index 9a13a6355..b23880534 100644 --- a/.github/workflows/release-notation.yaml +++ b/.github/workflows/release-notation.yaml @@ -2,6 +2,8 @@ name: release on: push: + tags: + - '*' permissions: contents: read From 45ecda63bb1a24b5f60dc6ac034170f2c02e1b8f Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 7 Dec 2023 16:22:05 +1100 Subject: [PATCH 07/17] ci(release): don't trigger on tag push --- .github/workflows/release-notation.yaml | 10 +++++----- .github/workflows/release.yml | 5 +++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-notation.yaml b/.github/workflows/release-notation.yaml index b23880534..850193c7e 100644 --- a/.github/workflows/release-notation.yaml +++ b/.github/workflows/release-notation.yaml 
@@ -98,9 +98,9 @@ jobs: flux tag artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest - name: Sign OCI artifacts run: | - notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo:${{ steps.prep.outputs.VERSION }} --yes - notation sign --signature-format cose ghcr.io/jasonthedeveloper/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes - notation sign --signature-format cose ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes + notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo:${{ steps.prep.outputs.VERSION }} + notation sign --signature-format cose ghcr.io/jasonthedeveloper/charts/podinfo:${{ steps.prep.outputs.VERSION }} + notation sign --signature-format cose ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} - name: Publish config artifact run: | flux push artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \ @@ -110,5 +110,5 @@ jobs: flux tag artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest - name: Sign config artifact run: | - notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes - notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:latest --yes + notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} + notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8e8fb2ea6..210900c66 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,9 +1,10 @@ name: release on: + pull_request: push: - tags: - - '*' + branches: + - 'master' permissions: contents: read From c29e013a3394cf665841597591b8a52bcdc70fee Mon Sep 17 00:00:00 2001 
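Review bot: Adding `pull_request` to the triggers of `release.yml` makes the publish-and-sign job run on pull requests, so a same-repository PR branch would build and push `:latest` images, charts and Flux artifacts and sign them with the release key before any review, while a fork PR would reach the same steps with a read-only `GITHUB_TOKEN` and no secrets and fail at registry login or signing. A release workflow should stay on tag pushes or a protected branch; PR-time validation belongs in a separate workflow that only builds and runs `notation verify` / `cosign verify`, without `packages: write` or access to the signing secrets. Note also that the commit title speaks of the tag trigger, but the file changed in this hunk is `release.yml`, not the notation workflow the other hunks touch.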
From: Jason Date: Thu, 7 Dec 2023 16:57:04 +1100 Subject: [PATCH 08/17] feat(notation): add trust store policy --- .notation/policy.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .notation/policy.json diff --git a/.notation/policy.json b/.notation/policy.json new file mode 100644 index 000000000..e811ef62d --- /dev/null +++ b/.notation/policy.json @@ -0,0 +1,16 @@ +{ + "version": "1.0", + "trustPolicies": [ + { + "name": "fluxcd.io", + "registryScopes": [ "ghcr.io/jasonthedeveloper/podinfo-deploy" ], + "signatureVerification": { + "level" : "strict" + }, + "trustStores": [ "ca:fluxcd.io" ], + "trustedIdentities": [ + "*" + ] + } + ] +} From 49a4b31d5364dc4327f546b3d59e2ac9fde55360 Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 7 Dec 2023 18:06:52 +1100 Subject: [PATCH 09/17] feat(notation): update registry scopes --- .notation/policy.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.notation/policy.json b/.notation/policy.json index e811ef62d..0a6a15ab5 100644 --- a/.notation/policy.json +++ b/.notation/policy.json @@ -3,7 +3,10 @@ "trustPolicies": [ { "name": "fluxcd.io", - "registryScopes": [ "ghcr.io/jasonthedeveloper/podinfo-deploy" ], + "registryScopes": [ + "ghcr.io/jasonthedeveloper/podinfo-display", + "ghcr.io/jasonthedeveloper/charts/podinfo" + ], "signatureVerification": { "level" : "strict" }, From 7bb64e75676c0b00e647af3f6db61fea817ae533 Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 8 Dec 2023 17:30:47 +1100 Subject: [PATCH 10/17] fix(trustpolicy): small typo in registryScopes --- .notation/policy.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.notation/policy.json b/.notation/policy.json index 0a6a15ab5..a51066547 100644 --- a/.notation/policy.json +++ b/.notation/policy.json 
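Review bot: `"trustedIdentities": ["*"]` accepts any certificate that chains to the `ca:fluxcd.io` trust store, so the policy cannot tell the intended signer apart from any other certificate that ends up in that store; pin the signer instead, e.g. `"x509.subject: C=US, ST=WA, L=Seattle, O=Notary, CN=fluxcd.io"` matching the committed `notation.crt`. `registryScopes` lists only `ghcr.io/jasonthedeveloper/podinfo-deploy`, while the workflow also signs `podinfo`, `charts/podinfo` and `manifests/podinfo`; with no policy covering them, `notation verify` against those references errors out rather than verifying. Since JSON cannot carry a comment, document in the `.notation` README which trust store name consumers must populate with `notation.crt` for this policy to work.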
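Review bot: The new scope `ghcr.io/jasonthedeveloper/podinfo-display` does not match any reference the workflow pushes (`flux push artifact` targets `podinfo-deploy`), so the deploy artifact silently drops out of the policy and `notation verify` against it fails with a missing-policy error rather than a signature error. Scope strings are exact-match repository names, so a typo here is a fail-closed misconfiguration; correct it to `ghcr.io/jasonthedeveloper/podinfo-deploy` and add a `notation verify` step to the release job so this kind of drift is caught on the release run itself.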
@@ -4,7 +4,7 @@ { "name": "fluxcd.io", "registryScopes": [ - "ghcr.io/jasonthedeveloper/podinfo-display", + "ghcr.io/jasonthedeveloper/podinfo-deploy", "ghcr.io/jasonthedeveloper/charts/podinfo" ], "signatureVerification": { @@ -12,7 +12,7 @@ }, "trustStores": [ "ca:fluxcd.io" ], "trustedIdentities": [ - "*" + "x509.subject: C=US, ST=WA, L=Seattle, O=Notary, CN=fluxcd.io" ] } ] From 174d183056208124c28910d249900e74fe2d959e Mon Sep 17 00:00:00 2001 From: Jason Date: Thu, 14 Dec 2023 16:16:12 +1100 Subject: [PATCH 11/17] refactor(rename): policy.json -> trustpolicy.json --- .notation/{policy.json => trustpolicy.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .notation/{policy.json => trustpolicy.json} (100%) diff --git a/.notation/policy.json b/.notation/trustpolicy.json similarity index 100% rename from .notation/policy.json rename to .notation/trustpolicy.json From 9371d6d1537da0c5d43d5f982ef6a68c154dae7a Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 9 Feb 2024 10:39:31 +1100 Subject: [PATCH 12/17] ci(release): sign artefacts using notation --- .github/workflows/release.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 210900c66..d4e6aabe6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,6 +21,18 @@ jobs: - uses: sigstore/cosign-installer@v3 - uses: fluxcd/flux2/action@main - uses: stefanprodan/timoni/actions/setup@main + - name: Setup Notation CLI + uses: notaryproject/notation-action/setup@v1 + with: + version: "1.0.0" + - name: Setup Notation signing keys + run: | + mkdir -p ~/.config/notation/localkeys/ + cp ./.notation/signingkeys.json ~/.config/notation/ + cp ./.notation/notation.crt ~/.config/notation/localkeys/ + echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key + env: + NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }} - name: Setup Go uses: actions/setup-go@v4 with: 
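Review bot: The `trustedIdentities` string `x509.subject: C=US, ST=WA, L=Seattle, O=Notary, CN=fluxcd.io` must match the subject of `notation.crt` attribute-for-attribute in the form notation renders it, and because the trust store holds that same self-signed leaf, the certificate, the store and this string now have to be rotated in lockstep; a `notation verify` of a freshly signed artifact in CI would make a mismatch between the three fail the release instead of every consumer. The scope fix to `podinfo-deploy` is right, but `ghcr.io/jasonthedeveloper/podinfo` and `manifests/podinfo`, which the workflow also signs, remain outside every policy.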
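Review bot: The new `Setup Notation signing keys` step writes `$NOTATION_KEY` to `~/.config/notation/localkeys/notation.key` with the default umask before `fluxcd/flux2/action@main`, `stefanprodan/timoni/actions/setup@main`, `actions/setup-go` and the rest of the toolchain run, so the unencrypted release key sits readable on the runner while unpinned third-party actions execute. Move the write to just before the first `notation sign` and create the file with `(umask 077 && printf '%s\n' "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key)`; pin the two `@main` actions to commit SHAs. The cosign key later in this same file is materialised the same way, so the fix applies to both. This step sits inside the job's `steps` list, whose start and end lie outside the hunk.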
@@ -110,6 +122,10 @@ jobs: cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes + notation sign --signature-format cose docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} + notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} + notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} + notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} - name: Publish base image uses: docker/build-push-action@v5 with: @@ -135,6 +151,8 @@ jobs: echo "$COSIGN_KEY" > /tmp/cosign.key cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes + notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} + notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest env: COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} COSIGN_KEY: ${{secrets.COSIGN_KEY}} From 8447b6985b7b93ba0fa04adc565bb6de36e11ee7 Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 9 Feb 2024 10:42:51 +1100 Subject: [PATCH 13/17] ci(notation): remove release workflow --- .github/workflows/release-notation.yaml | 114 ------------------------ 1 file changed, 114 deletions(-) delete mode 100644 .github/workflows/release-notation.yaml diff --git a/.github/workflows/release-notation.yaml b/.github/workflows/release-notation.yaml deleted file mode 100644 index 850193c7e..000000000 --- a/.github/workflows/release-notation.yaml +++ /dev/null 
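Review bot: The added `notation sign` lines sign by mutable tag (`:${{ steps.prep.outputs.VERSION }}` here and `:latest` in the second hunk), so the signature attaches to whatever digest the tag resolves to at that instant, and a tag re-pushed between build and sign would leave the wrong manifest signed. Sign by digest instead, using the digest the build step emits (e.g. `ghcr.io/stefanprodan/podinfo@${DIGEST}`), or at minimum resolve each tag once and reuse that digest for every sign call. `docker.io/stefanprodan/podinfo` is signed here although `.notation/trustpolicy.json` has no scope for it, nor for `ghcr.io/stefanprodan/podinfo` or `manifests/podinfo`; either extend the policy or stop signing references nobody can verify. No `notation verify` follows the signing, so a broken trust store or policy surfaces only at consumers; add a verify step that uses the committed `trustpolicy.json` and `notation.crt`.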
@@ -1,114 +0,0 @@ -name: release - -on: - push: - tags: - - '*' - -permissions: - contents: read - -jobs: - release: - runs-on: ubuntu-latest - permissions: - contents: write # needed to write releases - id-token: write # needed for keyless signing - packages: write # needed for ghcr access - steps: - - uses: actions/checkout@v4 - - name: Setup Notation CLI - uses: notaryproject/notation-action/setup@v1 - with: - version: "1.0.0" - - name: Setup Notation signing keys - run: | - mkdir -p ~/.config/notation/localkeys/ - cp ./.notation/signingkeys.json ~/.config/notation/ - cp ./.notation/notation.crt ~/.config/notation/localkeys/ - echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key - env: - NOTATION_KEY: ${{ secrets.SIGNING_KEY }} - - uses: fluxcd/flux2/action@main - - name: Setup Go - uses: actions/setup-go@v4 - with: - go-version: 1.21.x - - name: Setup Helm - uses: azure/setup-helm@v3 - with: - version: v3.12.3 - - name: Setup QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: all - - name: Setup Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Prepare - id: prep - run: | - VERSION=sha-${GITHUB_SHA::8} - if [[ $GITHUB_REF == refs/tags/* ]]; then - VERSION=${GITHUB_REF/refs\/tags\//} - fi - echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT - echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT - echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT - - name: Generate images meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/jasonthedeveloper/podinfo - tags: | - type=raw,value=${{ steps.prep.outputs.VERSION }} - type=raw,value=latest - - name: Publish multi-arch image - uses: docker/build-push-action@v5 - with: - sbom: true - provenance: true - push: true - builder: ${{ steps.buildx.outputs.name }} - context: . 
- file: ./Dockerfile.xx - build-args: | - REVISION=${{ steps.prep.outputs.REVISION }} - platforms: linux/amd64,linux/arm/v7,linux/arm64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - name: Publish Helm chart to GHCR - run: | - helm package charts/podinfo - helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/jasonthedeveloper/charts - rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz - - name: Publish Flux OCI artifact to GHCR - run: | - flux push artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \ - --path="./kustomize" \ - --source="${{ github.event.repository.html_url }}" \ - --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" - flux tag artifact oci://ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest - - name: Sign OCI artifacts - run: | - notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo:${{ steps.prep.outputs.VERSION }} - notation sign --signature-format cose ghcr.io/jasonthedeveloper/charts/podinfo:${{ steps.prep.outputs.VERSION }} - notation sign --signature-format cose ghcr.io/jasonthedeveloper/manifests/podinfo:${{ steps.prep.outputs.VERSION }} - - name: Publish config artifact - run: | - flux push artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \ - --path="./kustomize" \ - --source="${{ github.event.repository.html_url }}" \ - --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}" - flux tag artifact oci://ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest - - name: Sign config artifact - run: | - notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:${{ steps.prep.outputs.VERSION }} - notation sign --signature-format cose ghcr.io/jasonthedeveloper/podinfo-deploy:latest From ecaa7cf4d35d34c651d9d36bf8e857410b3fcda6 Mon Sep 17 00:00:00 2001 
From: Jason Date: Fri, 9 Feb 2024 10:47:11 +1100 Subject: [PATCH 14/17] ci(release): trigger on tag push --- .github/workflows/release.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d4e6aabe6..46e3cbd90 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,10 +1,9 @@ name: release on: - pull_request: push: - branches: - - 'master' + tags: + - '*' permissions: contents: read From 0d2c428859528b25aa48c8999417829e09e47884 Mon Sep 17 00:00:00 2001 From: Jason Date: Fri, 9 Feb 2024 10:59:44 +1100 Subject: [PATCH 15/17] refactor(trustpolicy): jasonthedeveloper -> stefanprodan --- .notation/trustpolicy.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.notation/trustpolicy.json b/.notation/trustpolicy.json index a51066547..ebfde260c 100644 --- a/.notation/trustpolicy.json +++ b/.notation/trustpolicy.json @@ -4,8 +4,8 @@ { "name": "fluxcd.io", "registryScopes": [ - "ghcr.io/jasonthedeveloper/podinfo-deploy", - "ghcr.io/jasonthedeveloper/charts/podinfo" + "ghcr.io/stefanprodan/podinfo-deploy", + "ghcr.io/stefanprodan/charts/podinfo" ], "signatureVerification": { "level" : "strict" From 24405a5a5d7cfe542633c1d8ee938da6e9c8204e Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Sun, 25 Feb 2024 12:10:06 +0200 Subject: [PATCH 16/17] Setup notation signing keys Signed-off-by: Stefan Prodan --- .gitignore | 3 +++ .notation/README.md | 15 +++++++++++++++ .notation/codesign.cnf | 18 ++++++++++++++++++ .notation/notation.crt | 37 +++++++++++++++++++------------------ .notation/signingkeys.json | 4 ++-- .notation/trustpolicy.json | 6 +++--- 6 files changed, 60 insertions(+), 23 deletions(-) create mode 100644 .notation/README.md create mode 100644 .notation/codesign.cnf diff --git a/.gitignore b/.gitignore index 9f48c7aea..b70fe02b1 100644 --- a/.gitignore +++ b/.gitignore 
@@ -23,3 +23,6 @@ bin/ cue/cue.mod/gen/ cue/go.mod cue/go.sum + +.notation/podinfo.csr +.notation/podinfo.key diff --git a/.notation/README.md b/.notation/README.md new file mode 100644 index 000000000..62181d466 --- /dev/null +++ b/.notation/README.md @@ -0,0 +1,15 @@ +# Podinfo signed releases + +Podinfo release assets such as the Helm chart and the Flux artifact +are published to GitHub Container Registry and are signed with +[Notation](https://github.com/notaryproject/notation). + +## Generate signing keys + +Generate a new signing key pair: + +```sh +openssl genrsa -out podinfo.key 2048 +openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf +openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf +``` diff --git a/.notation/codesign.cnf b/.notation/codesign.cnf new file mode 100644 index 000000000..5903a3a4a --- /dev/null +++ b/.notation/codesign.cnf @@ -0,0 +1,18 @@ +[ req ] +default_bits = 2048 +default_keyfile = privatekey.pem +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[ req_distinguished_name ] +C = RO +ST = BU +L = Bucharest +O = Notary +CN = stefanprodan.com + +[ v3_req ] +keyUsage = critical,digitalSignature +extendedKeyUsage = critical,codeSigning +#subjectKeyIdentifier = hash diff --git a/.notation/notation.crt b/.notation/notation.crt index 7e59823fc..e1ad1da4a 100644 --- a/.notation/notation.crt +++ b/.notation/notation.crt 
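Review bot: `codesign.cnf` together with the README's `openssl x509 -req ... -signkey podinfo.key` produces a self-signed leaf valid for 1826 days with no issuing CA, so there is no revocation path other than editing every consumer's trust store and `trustpolicy.json`; and `default_keyfile = privatekey.pem` is dead configuration because the README passes `-key podinfo.key` explicitly. The commented `#subjectKeyIdentifier = hash` is harmless to enable and saves trouble with verifiers that look the SKI up, so I would uncomment it. `openssl genrsa -out podinfo.key 2048` drops an unencrypted private key into the checkout; `.gitignore` now covers `podinfo.key` and `podinfo.csr`, but generating it outside the working tree and loading it straight into the `NOTATION_SIGNING_KEY` secret avoids relying on that. The README names the key `podinfo.key` while `signingkeys.json` expects `localkeys/notation.key`, so local signing following these docs fails until the file is renamed; a sentence noting the expected filename would fix that.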
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDWjCCAkKgAwIBAgIUBk/7TYVIUsiCeUm5c11abfwMrZUwDQYJKoZIhvcNAQEL -BQAwUTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl -MQ8wDQYDVQQKDAZOb3RhcnkxEjAQBgNVBAMMCWZsdXhjZC5pbzAeFw0yMzEyMDcw -NDIwNDhaFw0yNDEyMDYwNDIwNDhaMFExCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJX -QTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwGTm90YXJ5MRIwEAYDVQQDDAlm -bHV4Y2QuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx1hpkMmSD -rlyjjL8UYaciLBmMtwbpFUcejDgKSSKAqHGtTPrzSHrza1oFybyjwkG7SlbR6k23 -fuWTIz7gVjx+rEmbnJuAnzhGCES4TY+dPO/svhuAT9iGVlJ4TKuPXFO53c+GKY+t -AJoWO04uzVbZsCNPlYmKoq3XvaMc3bnn2APr9xb7aHqF7LggqWe7GeKQEJvEdBYZ -m1KLKym6+pqnEDSPENUVGMYKQwQHNmpVz6y+HdvuR4AQxHrHGvDxo+G7GIjrDe8l -cW4PurFAbv3yLLvpC4ZkppPLuVv7p0kUwy1sSeWVu7uxZ/MPGqI2HSMctDbAvGLj -bPY+rkVf3+4ZAgMBAAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAK -BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAO2TSX5ewQXidW14UzhjNKTXt -Yc8O6qMGNlv2PuCWT9k0ce6qC7s2XYAbvEWYNAS/fwdFC6cJMT/6/Y3s/zbFNrAH -TMJTmGKZvtJnWywcCOg+HcRrLIpExJB1bAaTUW+oea9ABiitMeUEY6oiBGqacPeA -4eVoDQ8wVS8oNHx71fmC9G6iNHaBTip3x81j0koz3JhHf1Mc3gKN56ww1RF/LMEa -NW473dG/8pkuFOp6kuz775/EKBNuYfR6bEYx9zPNIpYAzVsveTnXTHsec3xkUoCQ -xtfR15R8dfbvNFB1iFiew6oiBQ5Wz9abB0PU7b/pE21SjT1+lBKJ9xmMOzFwag== +MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl +c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe +Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw +CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx +GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx +Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw +C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx +1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw +dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5 
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE +AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA +6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+ +uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ +7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq +ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt +UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y +m91USVqfeUX7ZzjDxPHE2A== -----END CERTIFICATE----- diff --git a/.notation/signingkeys.json b/.notation/signingkeys.json index c3f6e9d7a..662defe61 100644 --- a/.notation/signingkeys.json +++ b/.notation/signingkeys.json @@ -1,8 +1,8 @@ { - "default": "fluxcd.io", + "default": "stefanprodan.com", "keys": [ { - "name": "fluxcd.io", + "name": "stefanprodan.com", "keyPath": "/home/runner/.config/notation/localkeys/notation.key", "certPath": "/home/runner/.config/notation/localkeys/notation.crt" } diff --git a/.notation/trustpolicy.json b/.notation/trustpolicy.json index ebfde260c..3daab5336 100644 --- a/.notation/trustpolicy.json +++ b/.notation/trustpolicy.json @@ -2,7 +2,7 @@ "version": "1.0", "trustPolicies": [ { - "name": "fluxcd.io", + "name": "stefanprodan.com", "registryScopes": [ "ghcr.io/stefanprodan/podinfo-deploy", "ghcr.io/stefanprodan/charts/podinfo" @@ -10,9 +10,9 @@ "signatureVerification": { "level" : "strict" }, - "trustStores": [ "ca:fluxcd.io" ], + "trustStores": [ "ca:stefanprodan.com" ], "trustedIdentities": [ - "x509.subject: C=US, ST=WA, L=Seattle, O=Notary, CN=fluxcd.io" + "x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com" ] } ] From c7f9b521fab56fe99ead827791d13ad2bc25ff2f Mon Sep 17 00:00:00 2001 From: Jason Date: Mon, 26 Feb 2024 20:40:03 +1100 Subject: [PATCH 17/17] ci(notation): install 1.1.0 Signed-off-by: Jason --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
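Review bot: The replacement certificate is self-signed (issuer and subject both decode to the `C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com` DN from `codesign.cnf`) and, from the validity strings readable in the base64 (`240225100236Z` to `290224100236Z`), appears valid for about five years with no CRL or OCSP distribution point — so if `podinfo.key` leaks, the only remediation is every consumer removing this certificate from their `stefanprodan.com` trust store. The old `CN=fluxcd.io` certificate is replaced rather than kept alongside, so anything signed with the previous key will no longer verify for consumers who copy this file into their trust store; if any such artifacts were published, that should be stated in the commit or README. Publish the certificate's SHA-256 fingerprint in `.notation/README.md` so consumers can check the file they import, and document the compromise/rotation procedure next to the key-generation steps.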
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 46e3cbd90..3f0c01982 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ jobs: - name: Setup Notation CLI uses: notaryproject/notation-action/setup@v1 with: - version: "1.0.0" + version: "1.1.0" - name: Setup Notation signing keys run: | mkdir -p ~/.config/notation/localkeys/