Merge branch 'only-sign-on-gitlabcom' into 'main'

Only sign images on GitLab.com See merge request components/opentofu!155

Merge branch 'only-sign-on-gitlabcom' into 'main'
6fc408e8 · Timo Furrer · 72675b76 · bafd24de · 6fc408e8 · 6fc408e8
Commit 6fc408e8 authored 9 months ago by Timo Furrer
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -57,7 +57,7 @@ stages:
  - release
  - cleanup
-.image-matrix:
+.image-matrix:build:
  parallel:
    matrix:
      - OPENTOFU_VERSION: !reference [.data, supported_versions]
@@ -65,6 +65,36 @@ stages:
          - 'alpine'
          - 'debian'
+.image-matrix:deploy:
+  parallel:
+    # OPENTOFU_VERSION: opentofu version to release in the job (from gitlab-opentofu-image:build)
+    # RELEASE_VERSION:  Tag base for the release image
+    # RELEASE_OPENTOFU_VERSION:  opentofu version to contained in the release tag
+    matrix:
+      - # :{commit-tag}-opentofu{opentofu-version}
+        OPENTOFU_VERSION: !reference [.data, supported_versions]
+        RELEASE_VERSION: $CI_COMMIT_TAG
+        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
+        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
+      - # :latest-opentofu{opentofu-version}
+        OPENTOFU_VERSION: !reference [.data, supported_versions]
+        RELEASE_VERSION: latest
+        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
+        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
+      - # :{commit-tag|latest}{-opentofulatest|}
+        OPENTOFU_VERSION: $LATEST_OPENTOFU_VERSION
+        RELEASE_VERSION: ["${CI_COMMIT_TAG}", latest]
+        RELEASE_OPENTOFU_VERSION: ["", latest]
+        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
+.image-matrix:deploy:release-name-script: &image-matrix-deploy-release-name-script
+  # OCI image tags are not compatible with semver, specifically the build metadata part
+  # indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
+  # We use a dash `-` here, instead of the `+`.
+  # This may be problematic, because it indicates a semver prerelease.
+  - export RELEASE_IMAGE_NAME="$CI_REGISTRY_IMAGE/gitlab-opentofu"
+  - export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
 variables:
  # OpenTofu variables
  LATEST_OPENTOFU_VERSION: !reference [.data, latest_version]
@@ -85,7 +115,7 @@ check-semantic-version:
    - echo -n "$CI_COMMIT_TAG" | ./.gitlab/scripts/check-semantic-version.sh
 gitlab-opentofu-image:build:
-  extends: .image-matrix
+  extends: '.image-matrix:build'
  stage: build
  image: quay.io/containers/buildah:v1.37.3
  before_script:
@@ -180,6 +210,7 @@ shellcheck:
 #     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
 .gitlab-opentofu-image:deploy:base:
+  extends: '.image-matrix:deploy'
  stage: deploy
  image:
    name: alpine/crane:0.20.2
@@ -187,52 +218,15 @@ shellcheck:
  variables:
    GITLAB_OPENTOFU_BASE_IMAGE_OS: $RELEASE_BASE_IMAGE_OS
  before_script:
+    - *image-matrix-deploy-release-name-script
    - crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
-    # OCI image tags are not compatible with semver, specifically the build metadata part
-    # indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
-    # We use a dash `-` here, instead of the `+`.
-    # This may be problematic, because it indicates a semver prerelease.
-    - export RELEASE_IMAGE_NAME="$CI_REGISTRY_IMAGE/gitlab-opentofu"
-    - export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
    - 'echo "base image OS: $GITLAB_OPENTOFU_BASE_IMAGE_OS"'
    - echo "Deploying $GITLAB_OPENTOFU_IMAGE_NAME as $RELEASE_IMAGE"
-  parallel:
-    # OPENTOFU_VERSION: opentofu version to release in the job (from gitlab-opentofu-image:build)
-    # RELEASE_VERSION:  Tag base for the release image
-    # RELEASE_OPENTOFU_VERSION:  opentofu version to contained in the release tag
-    matrix:
-      - # :{commit-tag}-opentofu{opentofu-version}
-        OPENTOFU_VERSION: !reference [.data, supported_versions]
-        RELEASE_VERSION: $CI_COMMIT_TAG
-        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
-        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
-      - # :latest-opentofu{opentofu-version}
-        OPENTOFU_VERSION: !reference [.data, supported_versions]
-        RELEASE_VERSION: latest
-        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
-        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
-      - # :{commit-tag|latest}{-opentofulatest|}
-        OPENTOFU_VERSION: $LATEST_OPENTOFU_VERSION
-        RELEASE_VERSION: ["${CI_COMMIT_TAG}", latest]
-        RELEASE_OPENTOFU_VERSION: ["", latest]
-        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
 gitlab-opentofu-image:deploy:
  extends: ['.gitlab-opentofu-image:deploy:base']
-  variables:
-    COSIGN_YES: "true"  # Used by Cosign to skip confirmation prompts for non-destructive operations
-  id_tokens:
-    SIGSTORE_ID_TOKEN:
-      aud: sigstore
  script:
-    # Install dependencies, can't use before_script because of the job we are extending.
-    - apk add --update cosign
-    # Release image
    - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
-    # Sign image
-    - cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
-    - export image_digest="$(crane digest $RELEASE_IMAGE)"
-    - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
  artifacts:
    paths:
      - 'image*.md'
@@ -254,6 +248,29 @@ gitlab-opentofu-image:deploy:dry-run:
        - .gitlab-ci.yml
        - src/**/*
+gitlab-opentofu-image:sign:
+  extends: '.image-matrix:deploy'
+  image: alpine:3.20.3
+  variables:
+    COSIGN_YES: "true"  # Used by Cosign to skip confirmation prompts for non-destructive operations
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  before_script:
+    - *image-matrix-deploy-release-name-script
+    - apk add --update cosign
+  script:
+    - cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
+    - export image_digest="$(crane digest $RELEASE_IMAGE)"
+    - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$image_digest\`)" > image$CI_JOB_ID.md'
+  artifacts:
+    paths:
+      - 'image*.md'
+  rules:
+    - if: '$CI_SERVER_FQDN != "gitlab.com"'
+      when: never
+    - if: $CI_COMMIT_TAG
 .release:base:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0

--- a/tests/unit.gitlab-ci.yml
+++ b/tests/unit.gitlab-ci.yml
@@ -33,7 +33,7 @@ variables:
 unit-test:gitlab-tofu:
  extends:
    - .unit-test-base
-    - .image-matrix
+    - .image-matrix:build
  script:
    - bats --jobs 8 --report-formatter junit --filter-tags '!source' tests/unit/gitlab-tofu.bats