build: Skip cosign verification for CI

Paulo Gomes · Paulo Gomes · commit 08ee794448e8 · 2022-09-29T06:27:29.000+01:00
The libgit2 libraries are downloaded and verified before some of the make targets are executed. This assures the provenance of such files before using them and is very important specially for end users running such tests on their machines. Note that has been disabled specially due to recent issues we experienced at CI which can be seen in: fluxcd/source-controller#899 Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -51,6 +51,7 @@ jobs:
           # We should reenable go test -race for arm64 runners once the
           # current issue is resolved.
           GO_TEST_ARGS: ""
+          SKIP_COSIGN_VERIFICATION: true
       - name: Verify
         run: make verify
 
@@ -74,5 +75,7 @@ jobs:
             ${{ runner.os }}-go-
       - name: Run tests
         run: make test
+        env:
+          SKIP_COSIGN_VERIFICATION: true
       - name: Verify
         run: make verify
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
@@ -26,3 +26,5 @@ jobs:
           ${{ runner.os }}-go-
     - name: Smoke test Fuzzers
       run: make fuzz-smoketest
+      env:
+        SKIP_COSIGN_VERIFICATION: true
diff --git a/Makefile b/Makefile
@@ -19,6 +19,9 @@ BUILD_PLATFORMS ?= linux/amd64,linux/arm64,linux/arm/v7
 # Allows for defining additional Go test args, e.g. '-tags integration'.
 GO_TEST_ARGS ?= -race
 
+# Defines whether cosign verification should be skipped.
+SKIP_COSIGN_VERIFICATION ?= false
+
 # Directory with versioned, downloaded things
 CACHE := cache
 
diff --git a/hack/install-libraries.sh b/hack/install-libraries.sh
@@ -6,6 +6,7 @@ IMG="${IMG:-}"
 TAG="${TAG:-}"
 IMG_TAG="${IMG}:${TAG}"
 DOWNLOAD_URL="https://github.com/fluxcd/golang-with-libgit2/releases/download/${TAG}"
+SKIP_COSIGN_VERIFICATION="${SKIP_COSIGN_VERIFICATION:-false}"
 
 TMP_DIR=$(mktemp -d)
 
@@ -48,9 +49,13 @@ cosign_verify(){
 assure_provenance() {
     [[ $# -eq 1 ]] || fatal 'assure_provenance needs exactly 1 arguments'
 
-    cosign_verify "${TMP_DIR}/checksums.txt.pem" \
-                  "${TMP_DIR}/checksums.txt.sig" \
-                  "${TMP_DIR}/checksums.txt"
+    if "${SKIP_COSIGN_VERIFICATION}"; then
+        echo 'Skipping cosign verification...'
+    else
+        cosign_verify "${TMP_DIR}/checksums.txt.pem" \
+                    "${TMP_DIR}/checksums.txt.sig" \
+                    "${TMP_DIR}/checksums.txt"
+    fi
 
     pushd "${TMP_DIR}" || exit
     if command -v sha256sum; then
