refactor release job
Signed-off-by: cpanato <ctadeu@gmail.com>
cpanato committed Mar 14, 2023
1 parent e1061f7 commit 4111de2
Showing 5 changed files with 107 additions and 54 deletions.
54 changes: 29 additions & 25 deletions .github/workflows/release.yml
@@ -11,24 +11,42 @@ jobs:
hashes: ${{ steps.hash.outputs.hashes }}
tag_name: ${{ steps.tag.outputs.tag_name }}

permissions:
packages: write
id-token: write
contents: write

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- run: git fetch --prune --unshallow

- uses: actions/setup-go@v3
with:
go-version: 1.18
check-latest: true

- uses: imjasonh/setup-ko@v0.6 # This installs the current latest release.

- uses: sigstore/cosign-installer@v3.0.1

- name: Set tag output
id: tag
run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

- uses: goreleaser/goreleaser-action@v4.2.0
id: run-goreleaser
with:
version: latest
args: release --rm-dist
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_HASH: ${{ github.sha }}
GIT_TAG: ${{ steps.tag.outputs.tag_name }}
RUN_ATTEMPT: ${{ github.run_attempt }}
RUN_ID: ${{ github.run_id }}

- name: Generate subject
id: hash
env:
@@ -37,45 +55,31 @@ jobs:
set -euo pipefail
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: git fetch --prune --unshallow
- uses: actions/setup-go@v3
with:
go-version: 1.18
check-latest: true
- uses: imjasonh/setup-ko@v0.6 # This installs the current latest release.
- uses: sigstore/cosign-installer@v3.0.1
- run: |
tag=$(echo ${{ github.ref }} | cut -c11-) # get tag name without tags/refs/ prefix.
img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} -t ${tag} ./)
echo "built ${img}"
cosign sign ${img} \
-a sha=${{ github.sha }} \
-a run_id=${{ github.run_id }} \
-a run_attempt=${{ github.run_attempt }} \
-a tag=${tag}
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [goreleaser]
needs:
- goreleaser

permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.

uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
upload-tag-name: "${{ needs.release.outputs.tag_name }}"

verification:
needs: [goreleaser, provenance]
needs:
- goreleaser
- provenance

runs-on: ubuntu-latest
permissions: read-all

steps:
# Note: this will be replaced with the GHA in the future.
- name: Install the verifier
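Review bot: `upload-tag-name` in the `provenance` job reads `needs.release.outputs.tag_name`, but that job's `needs` list names only `goreleaser`, so there is no `release` job for the expression to resolve against and it presumably evaluates to an empty string. The `tag_name` output is declared on the `goreleaser` job at the top of the first hunk, so the line should read `upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"`. With the value empty, the release that receives the provenance is left to the generator's default rather than the tag this workflow computed. The rendered page has lost its +/- markers, so this line may be unchanged context rather than an added line.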
2 changes: 1 addition & 1 deletion .gitignore
@@ -1,6 +1,6 @@
# Ignore GoLand (IntelliJ) files.
.idea/

imagerefs
ko

.DS_Store
61 changes: 34 additions & 27 deletions .goreleaser.yml
@@ -1,45 +1,52 @@
# This is an example goreleaser.yaml file with some sane defaults.
---
# Make sure to check the documentation at http://goreleaser.com
before:
hooks:
# you may remove this if you don't use vgo
- go mod tidy
# you may remove this if you don't need go generate
- go generate ./...
- /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
- /bin/bash -c './scripts/builld-sign-release-images.sh'

builds:
- main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le
- main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le

archives:
- replacements:
darwin: Darwin
linux: Linux
windows: Windows
386: i386
amd64: x86_64
- name_template: >-
{{ .ProjectName }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}
checksum:
name_template: 'checksums.txt'

snapshot:
name_template: "{{ .Tag }}-next"

changelog:
sort: asc
use: github
filters:
exclude:
- '^docs:'
- '^test:'
- '^docs:'
- '^test:'
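Review bot: The `before.hooks` entry `/bin/bash -c './scripts/builld-sign-release-images.sh'` runs ahead of the builds, archives and checksum, so container images are pushed (including the `latest` tag) and signed before the rest of the release has succeeded; a later failure would leave signed images published for a release that never completed. Judging by the script added in this commit, the hook also requires `GIT_HASH`, `GIT_TAG`, `RUN_ID` and `RUN_ATTEMPT` plus registry and signing access, which a local or snapshot goreleaser run will not have. At minimum add a comment above the hook, `# Pushes and signs the release images; needs GIT_HASH, GIT_TAG, RUN_ID, RUN_ATTEMPT (set in release.yml).`, and consider running the script as a workflow step after goreleaser finishes. The script name is spelled `builld`; the hook and the file agree, so it works, but the spelling is worth fixing in both places.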
2 changes: 1 addition & 1 deletion hack/boilerplate/boilerplate.sh.txt
@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash

# Copyright 2020 Google LLC All Rights Reserved.
#
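--- a/scripts/builld-sign-release-images.sh
+++ b/scripts/builld-sign-release-images.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+: "${GIT_HASH:?Environment variable empty or not defined.}"
+: "${GIT_TAG:?Environment variable empty or not defined.}"
+: "${RUN_ID:?Environment variable empty or not defined.}"
+: "${RUN_ATTEMPT:?Environment variable empty or not defined.}"
+
+export LDFLAGS="-s -w -X github.com/google/ko/pkg/commands.Version=${GIT_TAG}"
+
+ko build --bare --platform=all -t latest -t "${GIT_HASH}" -t "${GIT_TAG}" --image-refs imagerefs ./
+
+if [[ ! -f imagerefs ]]; then
+echo "imagerefs not found"
+exit 1
+fi
+
+echo "Signing images with Keyless..."
+readarray -t images < <(cat imagerefs || true)
+cosign sign --yes \
+-a GIT_HASH="${GIT_HASH}" \
+-a GIT_TAG="${GIT_TAG}" \
+-a RUN_ID="${RUN_ID}" \
+-a RUN_ATTEMPT="${RUN_ATTEMPT}" \
+"${images[@]}"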
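Review bot: The guard before signing tests only that `imagerefs` exists (`[[ ! -f imagerefs ]]`), and `cat imagerefs || true` hides a failed read, so an empty or unreadable file reaches `cosign sign --yes` with no image arguments. Test for a non-empty file and read it directly: `if [[ ! -s imagerefs ]]; then` and `readarray -t images < imagerefs`. The release then stops with a clear message when ko published nothing, instead of depending on how cosign or `nounset` treats an empty array.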