Skip to content

Automated release workflow permission updates #1802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rlieberman-splunk wants to merge 9 commits into
base: develop
Choose a base branch
from
+8 −3
Open

Automated release workflow permission updates #1802

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
9dcedc4
Merge pull request #1781 from splunk/promote-develop-to-main-3.1.0
gabrielm-splunk Mar 20, 2026
c1edd14
Update Splunk Enterprise version from 10.0.0 to 10.2.0
gabrielm-splunk Mar 20, 2026
85b1dcc
Merge pull request #1790 from splunk/hotfix/update-splunk-enterprise-…
gabrielm-splunk Mar 20, 2026
c4c3374
add id-token: write to permissions
rlieberman-splunk Mar 30, 2026
9124d5e
add COSIGN_DOCKER_MEDIA_TYPES to signing steps
rlieberman-splunk Mar 30, 2026
e095a42
use --recursive for signing distroless image
rlieberman-splunk Mar 30, 2026
0f9367a
remove --recursive from cosign verify
rlieberman-splunk Mar 30, 2026
5e4b7c1
cleanup
rlieberman-splunk Mar 30, 2026
20fc531
add --recursive for standard image
rlieberman-splunk Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .env
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,4 @@ EKSCTL_VERSION=v0.215.0
EKS_CLUSTER_K8_VERSION=1.34
EKS_INSTANCE_TYPE=m5.2xlarge
EKS_INSTANCE_TYPE_ARM64=c6g.4xlarge
SPLUNK_ENTERPRISE_RELEASE_IMAGE=splunk/splunk:10.0.0
SPLUNK_ENTERPRISE_RELEASE_IMAGE=splunk/splunk:10.2.0
9 changes: 7 additions & 2 deletions .github/workflows/automated-release-workflow.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
pull-requests: write
if: github.ref == 'refs/heads/main'
env:
Expand Down Expand Up @@ -111,31 +112,35 @@ jobs:

- name: Sign Splunk Operator image with a key
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_DOCKER_MEDIA_TYPES: "1"

- name: Verify Splunk Operator image with a key
run: |
cosign verify --key env://COSIGN_PUBLIC_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
COSIGN_DOCKER_MEDIA_TYPES: "1"

- name: Promote Distroless RC Image to Release
run: |
regctl image copy ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_RC_IMAGE_NAME }}:${{ github.event.inputs.release_version }}-RC-distroless splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless

- name: Sign Distroless Splunk Operator image with a key
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless
cosign sign --yes --recursive --key env://COSIGN_PRIVATE_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_DOCKER_MEDIA_TYPES: "1"

- name: Verify Distroless Splunk Operator image with a key
run: |
cosign verify --key env://COSIGN_PUBLIC_KEY splunk/splunk-operator:${{ github.event.inputs.operator_image_tag }}-distroless
env:
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
COSIGN_DOCKER_MEDIA_TYPES: "1"

Loading