From d80f687271574442b92cb7b797c8226c7da91384 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 11 Jul 2023 23:32:37 +0200
Subject: [PATCH] WIP: start porting release logic to GoReleaser

This now has:
- Publishing of artifacts in the same formats as previous releases
- Publishing of RPM and deb artifacts in the same formats as previous releases (although the metadata may need a bit of tweaking)
- SBOM inclusion per binary artifact
- Reproducable and verifiable builds (theoretically, did not actually test it (yet))
To-do:
- [ ] Artifact signing
- [ ] SLSA compliance
- [ ] Docker images
- [ ] GitHub release
- [ ] Changelog generation
Signed-off-by: Hidde Beydals
---
 .gitignore | 3 +-
 .goreleaser.yaml | 122 +++++++++++++++++++++++++++++++++++++++++++++
 Makefile | 6 +--
 version/version.go | 2 +-
 4 files changed, 128 insertions(+), 5 deletions(-)
 create mode 100644 .goreleaser.yaml
diff --git a/.gitignore b/.gitignore
index d7e97440f..de453ba26 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
-target
+dist/
+target/
 Cargo.lock
 vendor/
 coverage.txt
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 000000000..7655a6456
--- /dev/null
+++ b/.goreleaser.yaml
@@ -0,0 +1,122 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+
+project_name: sops
+
+# xref: https://goreleaser.com/customization/build/
+builds:
+ - id: binary-linux
+ main: ./cmd/sops
+ # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+ binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}"
+ flags:
+ - -v
+ - -trimpath
+ ldflags:
+ - -s
+ - -w
+ - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ goarch:
+ - amd64
+ - arm64
+ # Modified timestamp on the binary, set to ensure reproducible builds.
+ mod_timestamp: "{{ .CommitTimestamp }}"
+
+ - id: binary-darwin
+ main: ./cmd/sops
+ # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+ binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}"
+ flags:
+ - -v
+ - -trimpath
+ ldflags:
+ - -s
+ - -w
+ - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - darwin
+ goarch:
+ - amd64
+ - arm64
+ # Modified timestamp on the binary, set to ensure reproducible builds.
+ mod_timestamp: "{{ .CommitTimestamp }}"
+
+ - id: binary-windows
+ main: ./cmd/sops
+ # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+ binary: "{{ .ProjectName }}-{{ .Version }}"
+ flags:
+ - -v
+ - -trimpath
+ ldflags:
+ - -s
+ - -w
+ - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - windows
+ goarch:
+ - amd64
+ # Modified timestamp on the binary, set to ensure reproducible builds.
+ mod_timestamp: "{{ .CommitTimestamp }}"
+
+# xref: https://goreleaser.com/customization/universalbinaries/
+universal_binaries:
+ - ids:
+ - binary-darwin
+ # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+ # Before v3.8.0, this used to be _just_ the AMD64 binary.
+ name_template: '{{ .ProjectName }}-{{ .Version }}.darwin'
+ replace: false
+
+# xref: https://goreleaser.com/customization/nfpm/
+nfpms:
+ - id: deb
+ package_name: '{{ .ProjectName }}'
+ file_name_template: '{{ .ConventionalFileName }}'
+ vendor: SOPS (Secret OPerationS) project
+ homepage: https://github.com/getsops/sops
+ maintainer: SOPS maintainers
+ description: Simple and flexible tool for managing secrets
+ license: MPL-2.0
+ formats:
+ - deb
+ - rpm
+
+# xref: https://goreleaser.com/customization/verifiable_builds/
+gomod:
+ proxy: true
+ env:
+ - GOPROXY=https://proxy.golang.org,direct
+ - GOSUMDB=sum.golang.org
+ mod: mod
+
+# xref: https://goreleaser.com/customization/checksum/
+checksum:
+ name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt"
+ algorithm: sha256
+ ids:
+ - binary-linux
+ - binary-darwin
+ - binary-windows
+
+# xref: https://goreleaser.com/customization/snapshots/
+snapshot:
+ name_template: "{{ incpatch .Version }}-dev-{{ .ShortCommit }}"
+
+# xref: https://goreleaser.com/customization/archive/#disable-archiving
+archives:
+ - format: binary
+
+# xref: https://goreleaser.com/customization/sbom/
+sboms:
+ - id: binary-sbom
+ artifacts: binary
+ documents:
+ - "${artifact}.spdx.sbom.json"
diff --git a/Makefile b/Makefile
index e302a7464..2a8557ead 100644
--- a/Makefile
+++ b/Makefile
@@ -2,9 +2,9 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-PROJECT := go.mozilla.org/sops/v3
-GO := GOPROXY=https://proxy.golang.org go
-GOLINT := golint
+PROJECT := go.mozilla.org/sops/v3
+GO := GOPROXY=https://proxy.golang.org go
+GOLINT := golint
 
 all: test vet generate install functional-tests
 origin-build: test vet generate install functional-tests-all
diff --git a/version/version.go b/version/version.go
index 3b00d12d9..8123d92d6 100644
--- a/version/version.go
+++ b/version/version.go
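Review bot: In the `checksum` section of .goreleaser.yaml, `ids` lists only `binary-linux`, `binary-darwin` and `binary-windows`, so the deb and rpm packages built by the `nfpms` entry (id `deb`) look like they will be published without a line in `{{ .ProjectName }}-{{ .Version }}.checksums.txt`; whether the universal darwin binary and the SBOM documents are covered should be checked as well. Artifact signing is still on the commit's to-do list, so that file is the only integrity reference a downloader gets. I would drop the `ids:` filter so the default artifact selection applies, or add the missing ids, and confirm against the contents of `dist/` from a snapshot run.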
@@ -11,7 +11,7 @@ import (
 )
 
 // Version represents the value of the current semantic version
-const Version = "3.7.3"
+var Version = "3.7.3"
 
 // PrintVersion handles the version command for sops
 func PrintVersion(c *cli.Context) {
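Review bot: `Version` changes from a constant to an exported package variable, but its doc comment still reads as if the value were fixed in source. The `var` exists so the linker can overwrite it through the `-X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"` ldflag in .goreleaser.yaml, and any importing package can now reassign it at run time, so the comment should say both: `// Version is the semantic version of this build; it is a var only so release builds can set it with -ldflags -X, and it must not be reassigned at run time.` PrintVersion begins on the last line of the hunk and its body is outside it, so how it consumes the value cannot be checked here.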