From c36b36f0708740ae6c2cbb46b70b051d558f9029 Mon Sep 17 00:00:00 2001 From: max furman Date: Wed, 26 Oct 2022 23:31:02 -0700 Subject: [PATCH] [action] cosign over docker image digest --- .github/workflows/release.yml | 47 +++++++++--------- Makefile | 10 ---- make/docker.mk | 91 ----------------------------------- 3 files changed, 23 insertions(+), 125 deletions(-) delete mode 100644 make/docker.mk diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 48bbf730..f66ad67b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,8 +15,12 @@ jobs: name: Create Release needs: ci runs-on: ubuntu-latest + env: + DOCKER_IMAGE: smallstep/step-ca outputs: + version: ${{ steps.extract-tag.outputs.VERSION }} is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} + docker_tags: ${{ env.DOCKER_TAGS }} steps: - name: Is Pre-release id: is_prerelease @@ -26,6 +30,16 @@ jobs: OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "IS_PRERELEASE=${IS_PRERELEASE}" >> ${GITHUB_OUTPUT} + - name: Extract Tag Names + id: extract-tag + run: | + VERSION=${GITHUB_REF#refs/tags/v} + echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT} + echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV} + - name: Add Latest Tag + if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false' + run: | + echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV} - name: Create Release id: create_release uses: actions/create-release@v1 
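Review bot: In the `Add Latest Tag` step, `${{ env.DOCKER_TAGS }}` and `${{ env.DOCKER_IMAGE }}` are expanded by the workflow engine straight into the shell script, so a tag-derived value is spliced into code rather than read as data; the `Extract Tag Names` step does the same with `${{ env.DOCKER_IMAGE }}`. The value comes from `GITHUB_REF`, which only release tags should reach and which git refname rules already keep free of whitespace and control characters, so the practical exposure is small, but reading the variables from the process environment removes the pattern entirely: `echo "DOCKER_TAGS=${DOCKER_IMAGE}:${VERSION}" >> "${GITHUB_ENV}"` and `echo "DOCKER_TAGS=${DOCKER_TAGS},${DOCKER_IMAGE}:latest" >> "${GITHUB_ENV}"`. Quoting `"${GITHUB_ENV}"` and `"${GITHUB_OUTPUT}"` also keeps the redirection target intact should the runner path ever contain a space. The `create_release` job's `steps:` list continues outside the hunk.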
@@ -68,34 +82,19 @@ jobs: args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }} - RELEASE_DATE: ${RELEASE_DATE} + RELEASE_DATE: ${{ env.RELEASE_DATE }} COSIGN_EXPERIMENTAL: 1 build_upload_docker: name: Build & Upload Docker Images - runs-on: ubuntu-latest - needs: ci + needs: create_release permissions: id-token: write contents: write - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Go - uses: actions/setup-go@v3 - with: - go-version: '1.19' - check-latest: true - - name: Install cosign - uses: sigstore/cosign-installer@v2 - with: - cosign-release: 'v1.13.1' - - name: Build - id: build - run: | - PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin - make docker-artifacts - env: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - COSIGN_EXPERIMENTAL: 1 + uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main + with: + platforms: linux/amd64,linux/386,linux/arm,linux/arm64 + tags: ${{ needs.create_release.outputs.docker_tags }} + docker_image: smallstep/step-ca + docker_file: docker/Dockerfile.step-ca + secrets: inherit diff --git a/Makefile b/Makefile index 55b97c62..90e96993 100644 --- a/Makefile +++ b/Makefile @@ -79,8 +79,6 @@ $(info DEB_VERSION is $(DEB_VERSION)) $(info PUSHTYPE is $(PUSHTYPE)) endif -include make/docker.mk - ######################################### # Build ######################################### @@ -232,11 +230,3 @@ debian: changelog distclean: clean .PHONY: changelog debian distclean - -################################################# -# Targets for creating step artifacts -################################################# - -docker-artifacts: docker-$(PUSHTYPE) - -.PHONY: docker-artifacts diff --git a/make/docker.mk b/make/docker.mk deleted file mode 100644 index 0d56e663..00000000 --- a/make/docker.mk +++ /dev/null 
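Review bot: The new `build_upload_docker` job calls `smallstep/workflows/.github/workflows/docker-buildx-push.yml@main`, a mutable branch ref, while granting it `id-token: write`, `contents: write` and, through `secrets: inherit`, every secret of this repository, including `GORELEASER_PAT` and the Docker Hub credentials the removed steps used. Any change that lands on that branch, or a compromise of that repository, runs inside this release workflow with those credentials and this repository's OIDC identity without any change here, so pin to a release tag or, better, a full commit SHA, e.g. `uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@<pinned-commit-sha>  # vX.Y.Z`, and let Dependabot or Renovate bump it. If the reusable workflow declares explicit secret inputs for the registry login, passing only those instead of `secrets: inherit` keeps `GORELEASER_PAT` out of its reach. The removed job pinned `cosign-release: 'v1.13.1'`; whether the reusable workflow pins its cosign version is not visible in this diff, which matters given that the commit's purpose is signing by image digest.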
@@ -1,91 +0,0 @@ -######################################### -# Building Docker Image -# -# This uses a multi-stage build file. The first stage is a builder (that might -# be large in size). After the build has succeeded, the statically linked -# binary is copied to a new image that is optimized for size. -######################################### - -ifeq (, $(shell which docker)) - DOCKER_CLIENT_OS := linux -else - DOCKER_CLIENT_OS := $(strip $(shell docker version -f '{{.Client.Os}}' 2>/dev/null)) -endif - -DOCKER_PLATFORMS = linux/amd64,linux/386,linux/arm,linux/arm64 -DOCKER_IMAGE_NAME = smallstep/step-ca - -docker-prepare: - # Ensure, we can build for ARM architecture -ifeq (linux,$(DOCKER_CLIENT_OS)) - [ -f /proc/sys/fs/binfmt_misc/qemu-arm ] || docker run --rm --privileged linuxkit/binfmt:v0.8-amd64 -endif - - # Register buildx builder - mkdir -p $$HOME/.docker/cli-plugins - - test -f $$HOME/.docker/cli-plugins/docker-buildx || \ - (wget -q -O $$HOME/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.$(DOCKER_CLIENT_OS)-amd64 && \ - chmod +x $$HOME/.docker/cli-plugins/docker-buildx) - - docker buildx create --use --name mybuilder --platform="$(DOCKER_PLATFORMS)" || true - -.PHONY: docker-prepare - -################################################# -# Releasing Docker Images -# -# Using the docker build infrastructure, this section is responsible for -# logging into docker hub. 
-################################################# - -# Rely on DOCKER_USERNAME and DOCKER_PASSWORD being set inside the CI or -# equivalent environment -docker-login: - $Q docker login -u="$(DOCKER_USERNAME)" -p="$(DOCKER_PASSWORD)" - -.PHONY: docker-login - -################################################# -# Targets for different type of builds -################################################# - -define DOCKER_BUILDX - # $(1) -- Image Tag - # $(2) -- Push (empty is no push | --push will push to dockerhub) - docker buildx build . --progress plain -t $(DOCKER_IMAGE_NAME):$(1) -f docker/Dockerfile.step-ca --platform="$(DOCKER_PLATFORMS)" $(2) - cosign sign -r $(DOCKER_IMAGE_NAME):$(1) - -endef - -# For non-master builds don't build the docker containers. -docker-branch: - -# For master builds don't build the docker containers. -docker-master: - -# For all builds with a release candidate tag build and push the containers. -docker-release-candidate: docker-prepare docker-login - $(call DOCKER_BUILDX,$(VERSION),--push) - -# For all builds with a release tag build and push the containers. -docker-release: docker-prepare docker-login - $(call DOCKER_BUILDX,latest,--push) - $(call DOCKER_BUILDX,$(VERSION),--push) - -.PHONY: docker-branch docker-master docker-release-candidate docker-release - -# XXX We put the output for the build in 'output' so we don't mess with how we -# do rule overriding from the base Makefile (if you name it 'build' it messes up -# the wildcarding). -DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/ - -DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(BINNAME) -DOCKER_BUILD=$Q docker build -t $(DOCKER_IMAGE_NAME):latest -f docker/Dockerfile.step-ca --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(BINNAME) . - -docker-dev: docker/Dockerfile.step-ca - mkdir -p $(DOCKER_OUTPUT) - $(call DOCKER_MAKE,$(DOCKER_OUTPUT),step-ca) - $(call DOCKER_BUILD) - -.PHONY: docker-dev