feat: add goreleaser to publish releases and docker images

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-# Copyright 2022 The Archivista Contributors
+# Copyright 2023 The Archivista Contributors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
 name: release
 on: [push, pull_request]
 jobs:
@@ -38,30 +41,49 @@ jobs:
             ${{ runner.os }}-go-
       - name: Format Unix
         run: test -z $(go fmt ./...)
+      - name: Install GoKart
+        run: go install github.com/praetorian-inc/gokart@latest
+
+      - name: Static Analysis
+        uses: testifysec/witness-run-action@bdd82729b316d071606007cc9eecae326429caaf
+        with:
+          step: static-analysis
+          attestations: "github sarif"
+          command: gokart scan . -o sarif-results.json -s
+
       - name: Test
-        run: go test -covermode atomic -coverprofile='profile.cov' ./...
+        uses: testifysec/witness-run-action@bdd82729b316d071606007cc9eecae326429caaf
+        with: 
+          step: "test"
+          attestations: "github"
+          command: go test -v -coverprofile=profile.cov -covermode=atomic ./...
+
       - name: Send coverage
         env:
           COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           GO111MODULE=off go get github.com/mattn/goveralls
           $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+
   release:
     permissions:
       id-token: write
       contents: write
+      packages: write
     runs-on: ubuntu-latest
     needs: test
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
+
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.19
+          go-version: 1.19.x
       - uses: actions/cache@v2
         with:
           path: |
@@ -70,17 +92,23 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      - name: install cosign
-        uses: sigstore/cosign-installer@main
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
         with:
-          cosign-release: 'v1.4.1'
-      - uses: anchore/sbom-action/[email protected]
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Download GoReleaser
+        run: go install github.com/goreleaser/goreleaser@latest
+
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          distribution: goreleaser
-          version: 'v1.2.5'
-          args: release --rm-dist
+        uses: testifysec/witness-run-action@bdd82729b316d071606007cc9eecae326429caaf
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+        with:
+          step: "build"
+          attestations: "github"
+          command: goreleaser release --clean

.goreleaser.yaml

@@ -0,0 +1,99 @@
+# Copyright 2023 The Archivista Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project_name: archivista
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+      - "-extldflags -w -X 'github.com/testifysec/archivista/cmd.Version={{.Tag}}-{{.ShortCommit}}'"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+      - "GOFLAGS=-mod=readonly -trimpath"
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/archivista
+    binary: archivista
+    id: archivista
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+      - "-extldflags -w -X 'github.com/testifysec/archivistactl/cmd.Version={{.Tag}}-{{.ShortCommit}}'"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+      - "GOFLAGS=-mod=readonly -trimpath"
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/archivistactl
+    binary: archivistactl
+    id: archivistactl
+gomod:
+  proxy: false
+source:
+  enabled: true
+changelog:
+  use: github
+  groups:
+    - title: Features
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 0
+    - title: 'Bug fixes'
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 1
+    - title: 'Documentation'
+      regexp: "^.*docs[(\\w)]*:+.*$"
+      order: 2
+    - title: Others
+      order: 999
+release:
+  prerelease: auto
+  github:
+    owner: "{{ .Env.GITHUB_REPOSITORY_OWNER }}"
+kos:
+  - repository: ghcr.io/testifysec/archivista
+    id: archivista
+    build: archivista
+    tags:
+    - '{{.Version}}'
+    bare: true
+    preserve_import_paths: false
+    creation_time: '{{.CommitTimestamp}}'
+    platforms:
+    - linux/amd64
+    - linux/arm64
+  - repository: ghcr.io/testifysec/archivistactl
+    id: archivistactl
+    build: archivistactl
+    tags:
+    - '{{.Version}}'
+    bare: true
+    preserve_import_paths: false
+    creation_time: '{{.CommitTimestamp}}'
+    platforms:
+    - linux/amd64
+    - linux/arm64