Release #28

Summary
Jobs
- release
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/releaser.yml at 9f4c4f6

	name: Release

	on:
	workflow_dispatch:
	inputs:
	release:
	description: 'Release version'
	required: true

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

	jobs:
	release:
	runs-on: macos-latest
	permissions:
	packages: read
	contents: write
	steps:
	-
	name: Checkout
	uses: actions/checkout@v4
	-
	name: Unshallow
	run: git fetch --prune --unshallow
	-
	name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	-
	name: Cache Go modules
	uses: actions/[email protected]
	with:
	path: ~/go/pkg/mod
	key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
	restore-keys: \|
	${{ runner.os }}-go-
	-
	name: Download cyclonedx-gomod
	uses: CycloneDX/gh-gomod-generate-sbom@v2
	with:
	version: v1.8.0
	env:
	GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	-
	name: Install Cosign
	uses: sigstore/[email protected]
	-
	name: Import Code-Signing Certificates
	uses: Apple-Actions/import-codesign-certs@cfd6eb39a2c848ead8836bda6b56813585404ba7 # v5.0.0
	with:
	p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
	p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
	-
	name: Install gon via HomeBrew for code signing and app notarization
	run: \|
	brew tap mitchellh/gon
	brew install mitchellh/gon/gon
	brew install coreutils
	-
	name: Run GoReleaser
	uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
	with:
	version: latest
	args: release --clean --skip=publish
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	-
	name: Prepare Github release packages
	run: \|
	#!/bin/bash
	shopt -s expand_aliases
	mkdir .dist
	cp dist/harp-* .dist/
	-
	name: Sign and notarize MacOS AMD64 cli
	env:
	AC_USERNAME: "${{ secrets.AC_USERNAME }}"
	AC_PASSWORD: "${{ secrets.AC_PASSWORD }}"
	run: \|
	echo '{
	"source": ["./dist/harp-darwin-amd64-v1"],
	"bundle_id":"co.elastic.harp",
	"apple_id": {},
	"sign": { "application_identity": "9FAEEDF0301EA562A47EC8A473309407DD99CD7C" },
	"zip": {
	"output_path": "./dist/harp-darwin-amd64-v1.zip"
	}
	}' \| jq . > gon.amd64.json
	gon -log-level=debug -log-json ./gon.amd64.json
	rm -f .dist/harp-darwin-amd64-v1
	-
	name: Sign and notarize MacOS ARM64 cli
	env:
	AC_USERNAME: "${{ secrets.AC_USERNAME }}"
	AC_PASSWORD: "${{ secrets.AC_PASSWORD }}"
	run: \|
	echo '{
	"source": ["./dist/harp-darwin-arm64-v8.0"],
	"bundle_id":"co.elastic.harp",
	"apple_id": {},
	"sign": { "application_identity": "9FAEEDF0301EA562A47EC8A473309407DD99CD7C" },
	"zip": {
	"output_path": "./dist/harp-darwin-arm64-v8.0.zip"
	}
	}' \| jq . > gon.arm64.json
	gon -log-level=debug -log-json ./gon.arm64.json
	rm -f .dist/harp-darwin-arm64-v8.0
	-
	name: Prepare archives
	run: \|
	#!/bin/bash
	shopt -s expand_aliases
	cd .dist/
	unzip ../dist/harp-darwin-amd64-v1.zip
	unzip ../dist/harp-darwin-arm64-v8.0.zip
	FILES="*"
	for f in $FILES;
	do
	case $f in
	*.sbom.json)
	continue
	;;
	harp-*)
	fn=$(basename -s ".exe" $f)
	tar czf ${fn}.tar.gz $f ${fn}.sbom.json
	rm -f $f ${fn}.sbom.json
	;;
	esac
	done
	# Disable provenance
	#
	#-
	# name: Generate provenance for Release
	# uses: philips-labs/[email protected]
	# with:
	# command: generate
	# subcommand: files
	# arguments: --artifact-path .dist --output-path '.dist/provenance.json'
	# env:
	# GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	-
	name: Sign
	shell: bash
	run: \|
	#!/bin/bash
	shopt -s expand_aliases
	cd .dist
	sha256sum *.tar.gz > checksums.txt
	FILES="*"
	for f in $FILES;
	do
	case $f in
	provenance.json\|checksums.txt)
	cosign sign-blob --key <(echo -n "${COSIGN_KEY}") "$f" > "$f.sig"
	;;
	*.tar.gz)
	sha256sum "$f" \| cut -d " " -f 1 > "$f.sha256"
	cosign sign-blob --key <(echo -n "${COSIGN_KEY}") "$f" > "$f.sig"
	;;
	esac
	done
	env:
	COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	-
	name: Verify
	shell: bash
	run: \|
	#!/bin/bash
	shopt -s expand_aliases
	curl -sLO https://raw.githubusercontent.com/elastic/harp/v${{ github.event.inputs.release }}/build/artifact/cosign.pub
	cd .dist
	FILES="*"
	for f in $FILES;
	do
	if [[ -f "$f.sig" ]];
	then
	cosign verify-blob --key ../cosign.pub --signature "$f.sig" $f
	fi
	done
	-
	name: Upload to release
	uses: AButler/upload-release-assets@3d6774fae0ed91407dc5ae29d576b166536d1777 # v3.0
	with:
	files: '.dist/*'
	repo-token: ${{ secrets.GITHUB_TOKEN }}
	release-tag: v${{ github.event.inputs.release }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Release #28

Workflow file

Release #28

Uh oh!

Jobs

Run details

Workflow file for this run