Skip to content
This repository has been archived by the owner on Oct 30, 2024. It is now read-only.

go releaser action #539

Merged
merged 7 commits into from
Mar 30, 2023
Merged

go releaser action #539

merged 7 commits into from
Mar 30, 2023

Conversation

dani-santos-code
Copy link
Contributor

@dani-santos-code dani-santos-code commented Mar 14, 2023

Description

This PR adds a releaser action that will create a draft release on Github and publish the library to the github registry. Notice: this has been used to publish a package and make a release already

After talking to Genevieve, we've decided not to keep a separate CHANGELOG.md file. We can either go with the body generated by go releaser or click this button to automatically tag people in contributions

Screenshot 2023-03-27 at 9 44 12 AM

I've tagged this commit a couple of times to test the plan

The plan is:

after this gets approved/merged, we'll re-tag this commit on main and trigger the action again and finally make a release!

Closes #538

example draft release: https://github.com/Shopify/kubeaudit/releases/tag/untagged-565c4cad9b0e59740674

@dani-santos-code dani-santos-code force-pushed the go-releaser-action branch 3 times, most recently from d409e26 to c1e2ab2 Compare March 15, 2023 22:31
@dani-santos-code dani-santos-code marked this pull request as ready for review March 21, 2023 13:49
@dani-santos-code dani-santos-code marked this pull request as draft March 21, 2023 13:49
CHANGELOG.md Outdated Show resolved Hide resolved
CHANGELOG.md Outdated Show resolved Hide resolved
docs/release.md Outdated Show resolved Hide resolved
@dani-santos-code dani-santos-code marked this pull request as ready for review March 27, 2023 13:58
@genevieveluyt genevieveluyt mentioned this pull request Mar 27, 2023
2 tasks
genevieveluyt
genevieveluyt previously approved these changes Mar 28, 2023
Copy link
Contributor

@genevieveluyt genevieveluyt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the live review and tophat! We decided to remove the changelog since the Github generated one is quite nice and get a review from our resident Github action expert Pete for any tips on the workflow config. It all works great though, the new flow is super sweet 🎉

Copy link
Contributor

@thepwagner thepwagner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is dope! By building the release artifacts in an ephemeral runner, we are on our way to SLSA town 🍅🌶️ !

In terms of process, I tend to drive things more from the Create a new release

  • I use the GitHub tooling to generate a changelog/release notes
  • Pushing the "publish release" button is what creates the tag that starts the workflow to build the artifacts
  • That version is pushed in to my build (via -X github.com/Shopify/kubeaudit/cmd.Version={{.Version}} like this build is doing). I dig how this avoids maintaining a VERSION file. I don't see the cmd.{Version,Commit,BuildDate] variables that are being embedded via -X actually being used.

It's cool because I click the button and the robots take over from there. It's not cool because sometimes things break, and you either have to undo+redo the release or fail forward quickly.


The other can of worms to consider is signing! By building your release artifacts in GitHub Actions, you can use the Actions worker's identity to get a short-lived signing key from fulcio!.

You may have to add sigstore/cosign-installer to the worfklow, then you can add a docker_signs section to the goreleaser configuration example

With that, the whole internet can verify the artifact they are receiving was built by Actions executing your workflow:

# Assumes cosign >= 2.0.0
$ cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity https://github.com/Shopify/hansel/.github/workflows/release.yaml@refs/tags/v0.0.9 --certificate-github-workflow-repository Shopify/hansel ghcr.io/shopify/hansel:0.0.9
Verification for ghcr.io/shopify/hansel:0.0.9 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates

You can use the same technique to sign other release artifacts too! https://goreleaser.com/customization/sign/#signing-with-cosign In hansel, I use that and the .release.extra_files[] configuration to sign the blobs and the capture the certificate/signature as part of the uploaded release:

$ cosign verify-blob --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity https://github.com/Shopify/hansel/.github/workflows/release.yaml@refs/tags/v0.0.9 --certificate ./hansel_0.0.9_darwin_amd64-keyless.pem --signature ./hansel_0.0.9_darwin_amd64-keyless.sig hansel
Verified OK

Sorry for all the exclamation points, I just dig this stuff. Please see all the signing stuff as optional - building the release artifacts in Actions is a massive improvement over building on developer workstations, and being able to prove the release was built in Actions brings less incremental value than building there. (currently only nerds like me will actually verify 😆)


-
name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Idea: if you track the semver tag in a comment, Dependabot should update both!
example / example PR.

I really dig it: you get the immutability of pinning a tag, without losing the visibility that the tag provides.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, neat! will add it! thank you!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will be addressed in a separate PR as per: #547

release:
runs-on: ubuntu-latest
permissions:
contents: write
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: why contents: write?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, I got it from toxiproxy: https://github.com/Shopify/toxiproxy/blob/master/.github/workflows/release.yml#L17

I assumed the release action required write to be able to create a draft release?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also it seems it's required? https://github.com/marketplace/actions/create-release#example

In the example above only required permissions for the action specified (which is contents: write). If you add other actions to the same workflow you should expand permissions block accordingly.

image_templates:
- "ghcr.io/shopify/kubeaudit:latest"
- "ghcr.io/shopify/kubeaudit:{{ .Tag }}"
- "ghcr.io/shopify/kubeaudit:v{{ .Major }}.{{ .Minor }}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noice: this pattern is cool!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the pattern that we had before, but were pointing to docker hub registries instead

@dani-santos-code
Copy link
Contributor Author

dani-santos-code commented Mar 30, 2023

I created a separate issue to address the amazing enhancements suggested in this PR, so we get unblocked when it comes to releasing since folks are waiting on us for this.

let's address this in a separate PR. thank you Pete and Genevieve for your feedback! 🙏

@dani-santos-code dani-santos-code merged commit 538937d into main Mar 30, 2023
@dani-santos-code dani-santos-code deleted the go-releaser-action branch March 30, 2023 13:50
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

docker hub free team account being sunset
3 participants