developer-guy
commented
2 years ago also, we can use GoReleaser to do that 🤩 cross-ref: https://github.com/google/ko/issues/491
Open mattmoor opened 2 years ago
developer-guy
commented
2 years ago also, we can use GoReleaser to do that 🤩 cross-ref: https://github.com/google/ko/issues/491
The images we publish here: https://github.com/google/go-containerregistry/blob/2874338840a65b73444563e6bd3540dd2f9271b0/cloudbuild.yaml#L26-L37
... should all be signed with
cosign, ideally using the "keyless" flow.For GCB-based keyless signing we can copy what
distrolessdoes here: https://github.com/GoogleContainerTools/distroless/blob/3ecf55603e31c8c01b4da2da8dc34a41757b778c/cloudbuild.yaml#L81-L82... essentially the GCB SA is used to impersonate
keyless@go-containerregistry.iam.gserviceaccount.comfor the identity challenge. Some IAM needs to be configured, and then things just work 😉I believe @jonjohnsonjr has to do this given the requirement that we futz with the GCP stuff, but @dlorenc or I would be happy to help navigate this.