Merge pull request #921 from pjbgf/bump-libgit2-image

Bump libgit2 image and disable cosign verification for CI
fluxcd · Sep 29, 2022 · 5ea4922 · 5ea4922
2 parents ac80849 + 6c06f4e
commit 5ea4922
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 11 deletions.
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
@@ -33,3 +33,5 @@ jobs:
           ${{ runner.os }}-go
     - name: Smoke test Fuzzers
       run: make fuzz-smoketest
+      env:
+        SKIP_COSIGN_VERIFICATION: true
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -47,6 +47,7 @@ jobs:
         uses: fluxcd/pkg/actions/helm@main
       - name: Run E2E tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           CREATE_CLUSTER: false
         run: make e2e
 
@@ -76,6 +77,7 @@ jobs:
           kind create cluster --name ${{ steps.prep.outputs.CLUSTER }} --kubeconfig=/tmp/${{ steps.prep.outputs.CLUSTER }}
       - name: Run e2e tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           KIND_CLUSTER_NAME: ${{ steps.prep.outputs.CLUSTER }}
           KUBECONFIG: /tmp/${{ steps.prep.outputs.CLUSTER }}
           CREATE_CLUSTER: false

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -34,6 +34,7 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
         run: make test
@@ -51,6 +52,8 @@ jobs:
           go-version: 1.19.x
       - name: Run tests
         env:
+          SKIP_COSIGN_VERIFICATION: true
+
           TEST_AZURE_ACCOUNT_NAME: ${{ secrets.TEST_AZURE_ACCOUNT_NAME }}
           TEST_AZURE_ACCOUNT_KEY: ${{ secrets.TEST_AZURE_ACCOUNT_KEY }}
 
@@ -87,3 +90,5 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         run: make test
+        env:
+          SKIP_COSIGN_VERIFICATION: true
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ ARG GO_VERSION=1.19
 ARG XX_VERSION=1.1.2
 
 ARG LIBGIT2_IMG=ghcr.io/fluxcd/golang-with-libgit2-only
-ARG LIBGIT2_TAG=v0.2.0
+ARG LIBGIT2_TAG=v0.3.0
 
 FROM ${LIBGIT2_IMG}:${LIBGIT2_TAG} AS libgit2-libs
 
@@ -64,11 +64,11 @@ ENV CGO_ENABLED=1
 
 # Instead of using xx-go, (cross) compile with vanilla go leveraging musl tool chain.
 RUN export PKG_CONFIG_PATH="/usr/local/$(xx-info triple)/lib/pkgconfig" && \
-    export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libgit2) -static -fuse-ld=lld" && \
-    xx-go build \
-        -ldflags "-s -w" \
-        -tags 'netgo,osusergo,static_build' \
-        -o /source-controller -trimpath main.go;
+  export CGO_LDFLAGS="$(pkg-config --static --libs --cflags libgit2) -static -fuse-ld=lld" && \
+  xx-go build \
+  -ldflags "-s -w" \
+  -tags 'netgo,osusergo,static_build' \
+  -o /source-controller -trimpath main.go;
 
 # Ensure that the binary was cross-compiled correctly to the target platform.
 RUN xx-verify --static /source-controller

diff --git a/Makefile b/Makefile
@@ -4,14 +4,17 @@ TAG ?= latest
 
 # Base image used to build the Go binary
 LIBGIT2_IMG ?= ghcr.io/fluxcd/golang-with-libgit2-only
-LIBGIT2_TAG ?= v0.2.0
+LIBGIT2_TAG ?= v0.3.0
 
 # Allows for defining additional Go test args, e.g. '-tags integration'.
 GO_TEST_ARGS ?= -race
 
 # Allows for filtering tests based on the specified prefix
 GO_TEST_PREFIX ?=
 
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.
 BUILD_ARGS ?=

diff --git a/hack/install-libraries.sh b/hack/install-libraries.sh
@@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
 
 TMP_DIR=$(mktemp -d)
 
@@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
     [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
 
-    cosign_verify "${TMP_DIR}/checksums.txt.pem" \
-                  "${TMP_DIR}/checksums.txt.sig" \
-                  "${TMP_DIR}/checksums.txt"
+    if "${SKIP_COSIGN_VERIFICATION}"; then
+        echo 'Skipping cosign verification...'
+    else
+        cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+                    "${TMP_DIR}/checksums.txt.sig" \
+                    "${TMP_DIR}/checksums.txt"
+    fi
 
     pushd "${TMP_DIR}" || exit
     if command -v sha256sum; then

diff --git a/tests/fuzz/oss_fuzz_build.sh b/tests/fuzz/oss_fuzz_build.sh
@@ -16,7 +16,7 @@
 
 set -euxo pipefail
 
-LIBGIT2_TAG="${LIBGIT2_TAG:-v0.2.0}"
+LIBGIT2_TAG="${LIBGIT2_TAG:-v0.3.0}"
 GOPATH="${GOPATH:-/root/go}"
 GO_SRC="${GOPATH}/src"
 PROJECT_PATH="github.com/fluxcd/source-controller"