WIP: start porting release logic to GoReleaser

This now has: - Publishing of artifacts in the same formats as previous releases - Publishing of RPM and deb artifacts in the same formats as previous releases (although the metadata may need a bit of tweaking) - SBOM inclusion per binary artifact - Reproducable and verifiable builds (theoretically, did not actually test it (yet)) To-do: - [ ] Artifact signing - [ ] SLSA compliance - [ ] Docker images - [ ] GitHub release - [ ] Changelog generation Signed-off-by: Hidde Beydals <hidde@hhh.computer>
getsops · Jul 12, 2023 · d80f687 · d80f687
1 parent 7051ccd
commit d80f687
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
-target
+dist/
+target/
 Cargo.lock
 vendor/
 coverage.txt

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,122 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+
+project_name: sops
+
+# xref: https://goreleaser.com/customization/build/
+builds:
+  - id: binary-linux
+    main: ./cmd/sops
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}"
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -s
+      - -w
+      - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    # Modified timestamp on the binary, set to ensure reproducible builds.
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+  - id: binary-darwin
+    main: ./cmd/sops
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}"
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -s
+      - -w
+      - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    # Modified timestamp on the binary, set to ensure reproducible builds.
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+  - id: binary-windows
+    main: ./cmd/sops
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    binary: "{{ .ProjectName }}-{{ .Version }}"
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -s
+      - -w
+      - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - windows
+    goarch:
+      - amd64
+    # Modified timestamp on the binary, set to ensure reproducible builds.
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+# xref: https://goreleaser.com/customization/universalbinaries/
+universal_binaries:
+  - ids:
+      - binary-darwin
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    # Before v3.8.0, this used to be _just_ the AMD64 binary.
+    name_template: '{{ .ProjectName }}-{{ .Version }}.darwin'
+    replace: false
+
+# xref: https://goreleaser.com/customization/nfpm/
+nfpms:
+  - id: deb
+    package_name: '{{ .ProjectName }}'
+    file_name_template: '{{ .ConventionalFileName }}'
+    vendor: SOPS (Secret OPerationS) project
+    homepage: https://github.com/getsops/sops
+    maintainer: SOPS maintainers <cncf-SOPS-maintainers@lists.cncf.io>
+    description: Simple and flexible tool for managing secrets
+    license: MPL-2.0
+    formats:
+      - deb
+      - rpm
+
+# xref: https://goreleaser.com/customization/verifiable_builds/
+gomod:
+  proxy: true
+  env:
+    - GOPROXY=https://proxy.golang.org,direct
+    - GOSUMDB=sum.golang.org
+  mod: mod
+
+# xref: https://goreleaser.com/customization/checksum/
+checksum:
+  name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt"
+  algorithm: sha256
+  ids:
+    - binary-linux
+    - binary-darwin
+    - binary-windows
+
+# xref: https://goreleaser.com/customization/snapshots/
+snapshot:
+  name_template: "{{ incpatch .Version }}-dev-{{ .ShortCommit }}"
+
+# xref: https://goreleaser.com/customization/archive/#disable-archiving
+archives:
+  - format: binary
+
+# xref: https://goreleaser.com/customization/sbom/
+sboms:
+  - id: binary-sbom
+    artifacts: binary
+    documents:
+      - "${artifact}.spdx.sbom.json"
diff --git a/Makefile b/Makefile
@@ -2,9 +2,9 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-PROJECT		:= go.mozilla.org/sops/v3
-GO 		:= GOPROXY=https://proxy.golang.org go
-GOLINT 		:= golint
+PROJECT := go.mozilla.org/sops/v3
+GO      := GOPROXY=https://proxy.golang.org go
+GOLINT  := golint
 
 all: test vet generate install functional-tests
 origin-build: test vet generate install functional-tests-all

diff --git a/version/version.go b/version/version.go
@@ -11,7 +11,7 @@ import (
 )
 
 // Version represents the value of the current semantic version
-const Version = "3.7.3"
+var Version = "3.7.3"
 
 // PrintVersion handles the version command for sops
 func PrintVersion(c *cli.Context) {