chrore(ci): added Release workflow + configs

Signed-off-by: manhtukhang <travis.khang@protonmail.com>

.github/workflows/_test-acceptance.tmpl.yaml

@@ -42,12 +42,24 @@ jobs:
           file-install: false
 
       - name: Download plugin from build
-        if: github.action_ref != 'v*'
+        if: github.ref_type != 'tag'
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: vault-plugin-secrets-nexus-repository
           path: dist/bin
 
+      - name: Download plugin from release
+        if: github.ref_type == 'tag'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          git remote -v
+          gh release list
+          gh release download "$GITHUB_REF_NAME" -p "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64"
+          mkdir -p "${VAULT_PLUGIN_DIR}"
+          mv "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64" "${VAULT_PLUGIN_DIR}/vault-plugin-secrets-nexus-repository"
+
       - name: Run test
         shell: bash
         env:

.github/workflows/release.yaml

@@ -0,0 +1,123 @@
+name: Release with SLSA
+
+on:
+  # For manual tests.
+  workflow_dispatch:
+  push:
+    tags:
+      - "*" # triggers only if push new tag version, like `0.8.4`.
+  # Run daily as a dry-run/test.
+  schedule:
+    - cron: "0 1 * * *"
+
+permissions: read-all
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  ISSUE_REPOSITORY: manhtukhang/vault-plugin-secrets-nexus-repository
+  # In case daily runs fail, the label for filing the issue
+  HEADER: release
+
+jobs:
+  args:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.ldflags.outputs.version }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      # - name: Generate SLSA Goreleaser config files
+      #   run: |
+      #     mkdir -p .slsa-goreleaser/
+      #     for os in "linux windows darwin"; do
+      #       for arch in "amd64 arm64"; do
+      #         sed "s/__REPLACE_GOOS__/${os}; s/__REPLACE_GOARCH__/${arch}/g" .slsa-goreleaser.tmpl.yaml > ".slsa-goreleaser/${os}-${arch}.yaml"
+      #       done
+      #     done
+      # - name: Upload SLSA Goreleaser config files
+      #   uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      #   with:
+      #     name: slsa-goreleaser
+      #     path: slsa-goreleaser
+      #     if-no-files-found: error
+      - name: Generate dynamic LDFlags
+        id: ldflags
+        run: |
+          echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
+
+  build-provenance:
+    name: build-${{matrix.os}}-${{matrix.arch}}
+    needs: [ args ]
+    strategy:
+      matrix:
+        os:
+          - linux
+          # - windows
+          # - darwin
+        arch:
+          - amd64
+          # - arm64
+    permissions:
+      actions: read # For the detection of GitHub Actions environment.
+      id-token: write # For signing.
+      contents: write # For asset uploads.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0 # always use a tag @X.Y.Z for for slsa builders, not SHA!
+    with:
+      go-version-file: "go.mod"
+      config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yaml
+      compile-builder: false
+      draft-release: true
+      evaluated-envs: "VERSION:${{needs.args.outputs.version}}, PROJECTNAME:vault-plugin-secrets-nexus-repository"
+
+  verification:
+    needs: [ build-provenance ]
+    runs-on: ubuntu-latest
+    if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
+    permissions: read-all
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Install the verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0
+
+      - name: Download assets
+        env:
+          #GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
+          ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
+          ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
+        run: |
+          set -euo pipefail
+
+          git remote -v
+          gh release list
+          gh release download "$GITHUB_REF_NAME" -p "$ARTIFACT"
+          gh release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
+
+      - name: Verify assets
+        env:
+          ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
+          ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
+        run: |
+          set -euo pipefail
+
+          echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
+          slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
+                                        --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                        --source-tag "$GITHUB_REF_NAME" \
+                                        "$ARTIFACT"
+  test:
+    needs: [ build-provenance ]
+    if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
+    strategy:
+      matrix:
+        vault: [ "1.17.6", "1.18.2" ]
+        nexus: [ "3.73.0", "3.74.0" ]
+    uses: ./.github/workflows/_test-acceptance.tmpl.yaml
+    with:
+      vault-version: ${{ matrix.vault }}
+      nxr-version: ${{ matrix.nexus }}
+      vault-plugin-dir: ./dist/bin

.slsa-goreleaser/darwin-amd64.yaml

@@ -0,0 +1,13 @@
+version: 1
+env:
+  - CGO_ENABLED=0
+goos: darwin
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+  - -trimpath
+ldflags:
+  - -s
+  - -w 
+  - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"

.slsa-goreleaser/darwin-arm64.yaml

@@ -0,0 +1,13 @@
+version: 1
+env:
+  - CGO_ENABLED=0
+goos: darwin
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+  - -trimpath
+ldflags:
+  - -s
+  - -w 
+  - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"

.slsa-goreleaser/linux-amd64.yaml

@@ -0,0 +1,13 @@
+version: 1
+env:
+  - CGO_ENABLED=0
+goos: linux
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+  - -trimpath
+ldflags:
+  - -s
+  - -w 
+  - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"

.slsa-goreleaser/linux-arm64.yaml

@@ -0,0 +1,13 @@
+version: 1
+env:
+  - CGO_ENABLED=0
+goos: linux
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+  - -trimpath
+ldflags:
+  - -s
+  - -w 
+  - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"

.slsa-goreleaser/windows-amd64.yaml

@@ -0,0 +1,13 @@
+version: 1
+env:
+  - CGO_ENABLED=0
+goos: windows
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+  - -trimpath
+ldflags:
+  - -s
+  - -w 
+  - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"

.slsa-goreleaser/windows-arm64.yaml

@@ -0,0 +1,13 @@
+version: 1
+env:
+  - CGO_ENABLED=0
+goos: windows
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+  - -trimpath
+ldflags:
+  - -s
+  - -w 
+  - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"