feat: Adding Publish and Sign of image as an independent component

Signed-off-by: NucleoFusion <[email protected]>

test: testing with fork

Signed-off-by: NucleoFusion <[email protected]>

fix: omitted publish

Signed-off-by: NucleoFusion <[email protected]>

fix: args mismatch

Signed-off-by: NucleoFusion <[email protected]>

fix: invalid checkout

Signed-off-by: NucleoFusion <[email protected]>

fix: nil pointer error

Signed-off-by: NucleoFusion <[email protected]>

fix: addressing error

Signed-off-by: NucleoFusion <[email protected]>

fix: goVersion error

Signed-off-by: NucleoFusion <[email protected]>

fix: image addresses error

Signed-off-by: NucleoFusion <[email protected]>

fix: nil pointer error

Signed-off-by: NucleoFusion <[email protected]>

fix: nil pointer error

Signed-off-by: NucleoFusion <[email protected]>

fix: nil pointer error

Signed-off-by: NucleoFusion <[email protected]>

fix: debug params

Signed-off-by: NucleoFusion <[email protected]>

fix: debug params

Signed-off-by: NucleoFusion <[email protected]>

fix: debug params

Signed-off-by: NucleoFusion <[email protected]>

fix: debug params

Signed-off-by: NucleoFusion <[email protected]>

fix: debug params

Signed-off-by: NucleoFusion <[email protected]>

Author: NucleoFusion

.dagger/image/build.go

@@ -0,0 +1,46 @@
+package image
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"dagger/harbor-cli/internal/dagger"
+	"dagger/harbor-cli/utils"
+)
+
+func (s *ImagePipeline) Build(ctx context.Context, dist *dagger.Directory) (*dagger.Directory, error) {
+	goarch := []string{"amd64", "arm64"}
+
+	for _, arch := range goarch {
+		// Defining binary file name
+		binName := fmt.Sprintf("harbor-cli_%s_%s_%s", s.appVersion, "linux", arch)
+
+		builder := s.dag.Container().
+			From("golang:"+s.goVersion).
+			WithMountedCache("/go/pkg/mod", s.dag.CacheVolume("go-mod-"+s.goVersion)).
+			WithEnvVariable("GOMODCACHE", "/go/pkg/mod").
+			WithMountedCache("/go/build-cache", s.dag.CacheVolume("go-build-"+s.goVersion)).
+			WithEnvVariable("GOCACHE", "/go/build-cache").
+			WithMountedDirectory("/src", s.source).
+			WithWorkdir("/src").
+			WithEnvVariable("GOOS", "linux").
+			WithEnvVariable("GOARCH", arch).
+			WithEnvVariable("CGO_ENABLED", "0")
+
+		gitCommit, _ := builder.WithExec([]string{"git", "rev-parse", "--short", "HEAD", "--always"}).Stdout(ctx)
+		buildTime := time.Now().UTC().Format(time.RFC3339)
+
+		ldflagsArgs := utils.LDFlags(ctx, s.appVersion, s.goVersion, buildTime, gitCommit)
+
+		builder = builder.WithExec([]string{
+			"bash", "-c",
+			fmt.Sprintf(`set -ex && go env && go build -v -ldflags "%s" -o /bin/%s /src/cmd/harbor/main.go`, ldflagsArgs, binName),
+		})
+
+		file := builder.File("/bin/" + binName)                            // Taking file from container
+		dist = dist.WithFile(fmt.Sprintf("%s/%s", "linux", binName), file) // Adding file(bin) to dist directory
+	}
+
+	return dist, nil
+}

.dagger/image/imagepipeline.go

@@ -0,0 +1,34 @@
+package image
+
+import "dagger/harbor-cli/internal/dagger"
+
+type ImagePipeline struct {
+	source                     *dagger.Directory
+	dag                        *dagger.Client
+	RegistryPassword           *dagger.Secret
+	GithubToken                *dagger.Secret
+	ActionsIDTokenRequestURL   *dagger.Secret
+	ActionsIDTokenRequestToken *dagger.Secret
+	RegistryAddress            string
+	RegistryUsername           string
+	appVersion                 string
+	goVersion                  string
+}
+
+func InitImagePipeline(dag *dagger.Client, source *dagger.Directory,
+	registryPassword, githubToken, actionsIDTokenRequestURL, actionsIDTokenRequestToken *dagger.Secret,
+	registryAddress, registryUsername, appVersion, goVersion string,
+) *ImagePipeline {
+	return &ImagePipeline{
+		source:                     source,
+		dag:                        dag,
+		RegistryPassword:           registryPassword,
+		GithubToken:                githubToken,
+		RegistryAddress:            registryAddress,
+		RegistryUsername:           registryUsername,
+		ActionsIDTokenRequestURL:   actionsIDTokenRequestURL,
+		ActionsIDTokenRequestToken: actionsIDTokenRequestToken,
+		appVersion:                 appVersion,
+		goVersion:                  goVersion,
+	}
+}

.dagger/pipeline/image.go .dagger/image/publish.go.dagger/pipeline/image.go renamed to .dagger/image/publish.go

@@ -1,4 +1,4 @@
-package pipeline
+package image
 
 import (
 	"context"
@@ -10,23 +10,25 @@ import (
 )
 
 // PublishImage publishes a container image to a registry with a specific tag and signs it using Cosign.
-func (s *Pipeline) PublishImage(
-	ctx context.Context,
-	dist *dagger.Directory,
-	registry, registryUsername string,
-	// +optional
-	// +default=["latest"]
-	imageTags []string,
-	registryPassword *dagger.Secret,
-) []string {
+func (s *ImagePipeline) PublishImage(ctx context.Context, dist *dagger.Directory) []string {
 	version := s.appVersion
 	archs := []string{"amd64", "arm64"}
 	releaseImages := []*dagger.Container{}
+	imageTags := []string{s.appVersion, "latest"}
+
+	// Debug
+	fmt.Println("RegistryAddress:", s.RegistryAddress)
+	fmt.Println("RegistryUsername:", s.RegistryUsername)
+	fmt.Println("AppVersion:", s.appVersion)
+	fmt.Println("GoVersion:", s.goVersion)
+	pw, _ := s.RegistryPassword.Plaintext(ctx)
+	fmt.Println("Registry password len:", len(pw))
 
 	for i, tag := range imageTags {
 		imageTags[i] = strings.TrimSpace(tag)
 		imageTags[i] = strings.TrimPrefix(imageTags[i], "v")
 	}
+
 	fmt.Printf("provided tags: %s\n", imageTags)
 
 	// Get current time for image creation timestamp
@@ -54,9 +56,10 @@ func (s *Pipeline) PublishImage(
 
 	imageAddrs := []string{}
 	for _, imageTag := range imageTags {
-		addr, err := s.dag.Container().WithRegistryAuth(registry, registryUsername, registryPassword).
+		fmt.Printf("%s/%s/harbor-cli:%s \n", s.RegistryAddress, s.RegistryUsername, imageTag)
+		addr, err := s.dag.Container().WithRegistryAuth(s.RegistryAddress, s.RegistryUsername, s.RegistryPassword).
 			Publish(ctx,
-				fmt.Sprintf("%s/%s/harbor-cli:%s", registry, registryUsername, imageTag),
+				fmt.Sprintf("%s/%s/harbor-cli:%s", s.RegistryAddress, s.RegistryUsername, imageTag),
 				dagger.ContainerPublishOpts{PlatformVariants: releaseImages},
 			)
 		if err != nil {
@@ -65,5 +68,6 @@ func (s *Pipeline) PublishImage(
 		fmt.Printf("Published image address: %s\n", addr)
 		imageAddrs = append(imageAddrs, addr)
 	}
+
 	return imageAddrs
 }

.dagger/image/sign.go

@@ -0,0 +1,34 @@
+package image
+
+import (
+	"context"
+	"fmt"
+)
+
+func (s *ImagePipeline) Sign(ctx context.Context, imageAddr string) (string, error) {
+	registryPasswordPlain, _ := s.RegistryPassword.Plaintext(ctx)
+
+	cosing_ctr := s.dag.Container().From("cgr.dev/chainguard/cosign")
+
+	// If githubToken is provided, use it to sign the image
+	if s.GithubToken != nil {
+		if s.ActionsIDTokenRequestURL == nil || s.ActionsIDTokenRequestToken == nil {
+			return "", fmt.Errorf("actionsIdTokenRequestUrl (exist=%s) and actionsIdTokenRequestToken (exist=%t) must be provided when githubToken is provided",
+				s.ActionsIDTokenRequestURL, s.ActionsIDTokenRequestToken != nil)
+		}
+		fmt.Printf("Setting the ENV Vars GITHUB_TOKEN, ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN to sign with GitHub Token")
+		cosing_ctr = cosing_ctr.WithSecretVariable("GITHUB_TOKEN", s.GithubToken).
+			WithSecretVariable("ACTIONS_ID_TOKEN_REQUEST_URL", s.ActionsIDTokenRequestURL).
+			WithSecretVariable("ACTIONS_ID_TOKEN_REQUEST_TOKEN", s.ActionsIDTokenRequestToken)
+	}
+
+	return cosing_ctr.WithSecretVariable("REGISTRY_PASSWORD", s.RegistryPassword).
+		WithExec([]string{"cosign", "env"}).
+		WithExec([]string{
+			"cosign", "sign", "--yes", "--recursive",
+			"--registry-username", s.RegistryUsername,
+			"--registry-password", registryPasswordPlain,
+			imageAddr,
+			"--timeout", "1m",
+		}).Stdout(ctx)
+}

.dagger/main.go

@@ -6,6 +6,7 @@ import (
 	"regexp"
 	"strings"
 
+	"dagger/harbor-cli/image"
 	"dagger/harbor-cli/internal/dagger"
 	"dagger/harbor-cli/pipeline"
 )
@@ -21,8 +22,7 @@ type HarborCli struct {
 // -> Publishing to release page -> Publishing to apt
 func (m *HarborCli) Pipeline(ctx context.Context, source *dagger.Directory,
 	// Secrets
-	githubToken *dagger.Secret, registryPassword *dagger.Secret,
-	registryAddr string, registryUsername string,
+	githubToken *dagger.Secret,
 ) (*dagger.Directory, error) {
 	err := m.init(ctx, source)
 	if err != nil {
@@ -63,20 +63,45 @@ func (m *HarborCli) Pipeline(ctx context.Context, source *dagger.Directory,
 	}
 	fmt.Println(out)
 
-	// Publishing Image
-	res := pipe.PublishImage(ctx, dist, registryAddr, registryUsername, []string{"latest", m.AppVersion}, registryPassword)
+	// // Publishing repo
+	// err = pipe.AptRepoBuild(ctx, dist, githubToken)
+	// if err != nil {
+	// 	return nil, err
+	// }
+
+	return dist, err
+}
+
+func (m *HarborCli) PublishAndSignImage(ctx context.Context, source *dagger.Directory,
+	registryPassword, githubToken, actionsIDTokenRequestURL, actionsIDTokenRequestToken *dagger.Secret,
+	registryAddress, registryUsername string,
+) (*dagger.Directory, error) {
+	err := m.init(ctx, source)
 	if err != nil {
 		return nil, err
 	}
-	fmt.Println(strings.Join(res, "\n"))
 
-	// Publishing repo
-	err = pipe.AptRepoBuild(ctx, dist, githubToken)
+	pipe := image.InitImagePipeline(dag, source, registryPassword, githubToken, actionsIDTokenRequestURL, actionsIDTokenRequestToken,
+		registryAddress, registryUsername, m.AppVersion, m.GoVersion)
+
+	dist := dag.Directory()
+
+	// Building Binaries
+	dist, err = pipe.Build(ctx, dist)
 	if err != nil {
 		return nil, err
 	}
 
-	return dist, err
+	// Publishing Image
+	imageAddr := pipe.PublishImage(ctx, dist)
+
+	_, err = pipe.Sign(ctx, imageAddr[0])
+	if err != nil {
+		return nil, err
+	}
+	fmt.Println(strings.Join(imageAddr, "\n"))
+
+	return dist, nil
 }
 
 func (m *HarborCli) init(ctx context.Context, source *dagger.Directory) error {
@@ -102,6 +127,10 @@ func (m *HarborCli) init(ctx context.Context, source *dagger.Directory) error {
 		m.GoVersion = match[1]
 	}
 
+	if m.GoVersion == "" {
+		m.GoVersion = "latest"
+	}
+
 	m.Source = source
 	m.AppVersion = strings.TrimSpace(out)
 

.github/actions/publish-and-sign/action.yaml

@@ -2,20 +2,11 @@ name: Publish and Sign Snapshot Image
 description: Publishes and signs a snapshot image using Dagger.
 
 inputs:
-  IMAGE_TAGS:
-    description: 'Tags for the image, e.g. "latest, v1.0.0"'
-    required: true
-  GITHUB_TOKEN:
-    description: 'GitHub token'
-    required: true
-  REGISTRY_PASSWORD:
-    description: 'Registry password'
-    required: true
   REGISTRY_ADDRESS:
-    description: 'Registry address'
+    description: 'Registry address (e.g., ghcr.io)'
     required: true
   REGISTRY_USERNAME:
-    description: 'Registry username'
+    description: 'Registry username (e.g., nucleocode)'
     required: true
 
 runs:
@@ -24,31 +15,30 @@ runs:
     - name: Dagger Version
       uses: sagikazarmark/[email protected]
 
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
     - name: Install Cosign
       uses: sigstore/[email protected]
 
-    - name: Check Env Variables
+    - name: Debug OIDC Environment
       shell: bash
-      env:
-        GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
-      run: cosign env
+      run: |
+        echo $REGISTRY_PASSWORD
+        echo "ACTIONS_ID_TOKEN_REQUEST_URL: $ACTIONS_ID_TOKEN_REQUEST_URL"
+        echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN present: $([[ -n \"$ACTIONS_ID_TOKEN_REQUEST_TOKEN\" ]] && echo yes || echo no)"
+        cosign version
 
-    - name: Publish and Sign Snapshot Image
+    - name: Publish and Sign Image
       uses: dagger/dagger-for-github@v7
       env:
         GITHUB_TOKEN: ${{ inputs.GITHUB_TOKEN }}
         REGISTRY_ADDRESS: ${{ inputs.REGISTRY_ADDRESS }}
         REGISTRY_USERNAME: ${{ inputs.REGISTRY_USERNAME }}
-        REGISTRY_PASSWORD: ${{ inputs.REGISTRY_PASSWORD }}
-        IMAGE_TAGS: ${{ inputs.IMAGE_TAGS }}
+        REGISTRY_PASSWORD: ${{ env.REGISTRY_PASSWORD }}
+        ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}
       with:
         version: ${{ steps.dagger_version.outputs.version }}
         verb: call
-        args: "publish-image-and-sign \
-          --registry='${{ env.REGISTRY_ADDRESS }}' \
-          --registry-username='${{ env.REGISTRY_USERNAME }}' \
-          --registry-password=env:REGISTRY_PASSWORD \
-          --image-tags='${{ env.IMAGE_TAGS}}' \
-          --github-token=env:GITHUB_TOKEN \
-          --actions-id-token-request-url=$ACTIONS_ID_TOKEN_REQUEST_URL \
-          --actions-id-token-request-token=env:ACTIONS_ID_TOKEN_REQUEST_TOKEN"
+        args: "publish-and-sign-image --source=. --registry-address=${{ inputs.REGISTRY_ADDRESS }} --registry-username=${{ inputs.REGISTRY_USERNAME }} --registry-password=env://REGISTRY_PASSWORD --github-token=env://GITHUB_TOKEN --actions-idtoken-request-url=env://ACTIONS_ID_TOKEN_REQUEST_URL --actions-idtoken-request-token=env://ACTIONS_ID_TOKEN_REQUEST_TOKEN"

.github/workflows/default.yaml

@@ -242,4 +242,16 @@ jobs:
           version: "latest"
           verb: call
           # Using a single large line since, dagger parsing with folded/piped command fails due to improper formatting error
-          args: pipeline --source=. --github-token=env://GITHUB_TOKEN --registry-password=env://REGISTRY_PASSWORD --registry-username=${{ vars.REGISTRY_USERNAME }} --registry-addr=${{ vars.REGISTRY_ADDRESS }}
+          args: pipeline --source=. --github-token=env://GITHUB_TOKEN 
+  
+      - name: Publish and Sign Snapshot Image
+        if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/'))
+        uses: ./.github/actions/publish-and-sign
+        with:
+          REGISTRY_ADDRESS: ${{ vars.REGISTRY_ADDRESS }}
+          REGISTRY_USERNAME: ${{ vars.REGISTRY_USERNAME }}
+        env:
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+          ACTIONS_ID_TOKEN_REQUEST_URL: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
+          ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${{ env.ACTIONS_ID_TOKEN_REQUEST_TOKEN }}