add signed release builds
shibumi committed Sep 27, 2021
1 parent f2c57d1 commit 89edb03
Showing 6 changed files with 133 additions and 28 deletions.
28 changes: 0 additions & 28 deletions .github/workflows/build.yml

This file was deleted.

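--- /dev/null
+++ b/.github/workflows/goreleaser.yml
@@ -0,0 +1,59 @@
+name: release
+on: [push, pull_request]
+jobs:
+test:
+strategy:
+matrix:
+go-version: [ 1.16.x, 1.17.x ]
+os: [ ubuntu-latest, macos-latest, windows-latest ]
+runs-on: ${{ matrix.os }}
+steps:
+- name: Install Go
+uses: actions/setup-go@v2
+with:
+go-version: ${{ matrix.go-version }}
+- name: Checkout code
+uses: actions/checkout@v2
+- name: Format Unix
+if: runner.os == 'Linux'
+run: test -z $(go fmt ./...)
+- name: Test
+run: go test -covermode atomic -coverprofile='profile.cov' ./...
+- name: Send coverage
+if: runner.os == 'Linux'
+env:
+COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+GO111MODULE=off go get github.com/mattn/goveralls
+$(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+release:
+runs-on: ubuntu-latest
+needs: test
+if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+steps:
+- name: Checkout
+uses: actions/checkout@v2
+with:
+fetch-depth: 0
+- name: Set up Go
+uses: actions/setup-go@v2
+with:
+go-version: 1.17
+- name: install cosign
+uses: sigstore/cosign-installer@main
+with:
+cosign-release: 'v1.2.1'
+- name: write cosign.key to environment
+run: 'echo "$COSIGN_KEY" > .github/cosign.key'
+shell: bash
+env:
+COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+- name: Run GoReleaser
+uses: goreleaser/goreleaser-action@v2
+with:
+distribution: goreleaser
+version: 'v0.180.2'
+args: release --rm-dist
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+COSIGN_PWD: ${{ secrets.COSIGN_PWD }}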
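Review bot: The `install cosign` step pulls `sigstore/cosign-installer@main` into the very job that receives `COSIGN_KEY` and `COSIGN_PWD`, so anyone who can push to that action's default branch can run code with the release signing key; pin it to a release tag or, better, a full commit SHA with a comment recording the version, e.g. `uses: sigstore/cosign-installer@<sha> # vX.Y.Z`. The `Send coverage` step has the same shape: `GO111MODULE=off go get github.com/mattn/goveralls` builds whatever HEAD is at run time and then runs it with `GITHUB_TOKEN`, so install a tagged version instead. Consider also declaring `permissions:` per job (the release job needs `contents: write`, the test job only `contents: read`) so the default token grant is not broader than the steps require. The rendered page has lost the YAML indentation, so the nesting of these keys could not be checked here.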
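--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+# goreleaser distribution directory
+dist
+
+# GoLand idea configuration
+.idea
+
+# VSCode configuration
+.vscode
+
+# ignore cosign private key
+cosign.key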
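--- /dev/null
+++ b/.goreleaser.yaml
@@ -0,0 +1,26 @@
+project_name: in-toto
+builds:
+- ldflags:
+- "-s -w"
+- "-extldflags=-zrelro"
+- "-extldflags=-znow"
+- "-X main.tag={{.Version}}"
+- "-X main.commit={{.FullCommit}}"
+- "-X main.date={{.CommitDate}}"
+env:
+- "CGO_ENABLED=0"
+- "GO111MODULE=on"
+- "GOFLAGS=-mod=readonly -trimpath"
+goos:
+- linux
+- darwin
+- windows
+goarch:
+- amd64
+main: ./cmd/in-toto/
+signs:
+- cmd: cosign
+signature: "${artifact}.sig"
+stdin: '{{ .Env.COSIGN_PWD }}'
+args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+artifacts: all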
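Review bot: The `-extldflags=-zrelro` and `-extldflags=-znow` entries under `ldflags` appear to do nothing: the build sets `CGO_ENABLED=0`, so Go's internal linker is used and external-linker flags are never handed to a system linker, and as far as I can tell `-extldflags` is a single string flag in `cmd/link` whose last occurrence wins, so even in a cgo build only `-znow` would survive. Either drop the two lines or, if a hardened external link is the intent, use one entry `- "-extldflags=-Wl,-z,relro,-z,now"` together with a cgo build, and confirm against the linker docs for the pinned Go version. A one-line comment above `signs:` saying that `.github/cosign.key` is written by the release workflow, that `stdin` supplies the key password, and that `artifacts: all` also covers the checksum file would save the next maintainer a search through two repositories.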
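--- /dev/null
+++ b/cmd/in-toto/version.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+"fmt"
+"github.com/spf13/cobra"
+)
+
+var (
+commit = "none"
+date = "unknown"
+tag = "dev"
+)
+
+var versionCmd = &cobra.Command{
+Use: "version",
+Short: "Display the version of the in-toto CLI tool",
+Long: `Display the commit ID, the build date and the version tag of the in-toto CLI as embedded by the build system.`,
+RunE: version,
+}
+
+func init() {
+rootCmd.AddCommand(versionCmd)
+}
+
+func version(cmd *cobra.Command, args []string) error {
+// let us make it as simple as possible.
+// We could encode the version information as JSON like kubectl does,
+// but what if the json package has a bug? :/
+fmt.Println("commit : ", commit)
+fmt.Println("date : ", date)
+fmt.Println("version: ", tag)
+return nil
+}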
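Review bot: `fmt.Println("commit : ", commit)` in `version` always inserts a separator space between operands, so the output carries a double space after the colon (`commit :  89edb03`); `fmt.Printf("commit : %s\n", commit)`, and likewise for the `date` and `version` lines, prints what the literal suggests. The command also accepts and silently ignores positional arguments, so adding `Args: cobra.NoArgs,` to `versionCmd` makes `in-toto version foo` fail instead of looking like it worked. The comment about a hypothetical bug in the json package gives a reader nothing to act on; replace the three lines with the actual reason, e.g. `// Plain text on purpose: this output is for humans and release notes, not for parsing.` The three `-X main.*` ldflags in `.goreleaser.yaml` match these variable names, which is worth a one-line comment on the `var` block so nobody renames one side without the other.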
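--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESv8K4ZaLK5ZQcjycNcuHCY2zYE65
+vagRvLoqo/ugR/52+ZLcq3DW41pfyjK0XVNSCqpdIaA0qUkmkDcwgwKFUg==
+-----END PUBLIC KEY-----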
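Review bot: The public key lands in the repository without any verification instructions, so a downloader has no documented way to use it; add a short README section stating `cosign verify-blob -key cosign.pub -signature <artifact>.sig <artifact>` and the cosign version the signatures are produced with (`v1.2.1` per the workflow). Because the key is distributed through the same repository and release channel as the artifacts it vouches for, publishing the key or its fingerprint somewhere out of band (project site, signed announcement) gives verifiers an independent anchor. The DER prefix looks like a P-256 ECDSA key, cosign's default; saying so next to the file helps readers who expect a GPG key.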
