keyless releases via workload identities and transparency log support #157
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,101 @@ | ||
| on: [push, pull_request] | ||
| name: goreleaser | ||
| jobs: | ||
| test: | ||
| strategy: | ||
| matrix: | ||
| go-version: [1.16.x, 1.17.x] | ||
| os: [ubuntu-latest, macos-latest] | ||
| runs-on: ${{ matrix.os }} | ||
| steps: | ||
| - name: Install Go | ||
| uses: actions/setup-go@v2 | ||
| with: | ||
| go-version: ${{ matrix.go-version }} | ||
| - name: Setup Python | ||
| uses: actions/setup-python@v2 | ||
| with: | ||
| python-version: 3.6 | ||
| - name: Checkout code | ||
| uses: actions/checkout@v2 | ||
| - name: Install Python dependencies | ||
| run: | | ||
| python -m pip install --upgrade iso8601 requests securesystemslib six tuf | ||
| - name: Format Unix | ||
| if: runner.os == 'Linux' | ||
| run: test -z $(go fmt ./...) | ||
| - name: Test | ||
| run: go test -race -covermode atomic -coverprofile='profile.cov' ./... | ||
| - name: Send coverage | ||
| if: runner.os == 'Linux' | ||
| env: | ||
| COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| GO111MODULE=off go get github.com/mattn/goveralls | ||
| $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github | ||
| - name: Vet | ||
| run: go vet ./... | ||
| - name: Install staticcheck | ||
| run: "go install honnef.co/go/tools/cmd/[email protected]" | ||
| - name: Run staticcheck | ||
| run: staticcheck ./... | ||
| release-server: | ||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| runs-on: ubuntu-latest | ||
| needs: test | ||
| if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v2 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v2 | ||
| with: | ||
| go-version: 1.17 | ||
| - name: install cosign | ||
| uses: sigstore/cosign-installer@main | ||
| with: | ||
| cosign-release: 'v1.4.1' | ||
| - uses: anchore/sbom-action/[email protected] | ||
| - name: Run GoReleaser | ||
| uses: goreleaser/goreleaser-action@v2 | ||
| with: | ||
| distribution: goreleaser | ||
| version: 'v1.2.5' | ||
| args: release --rm-dist | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| COSIGN_EXPERIMENTAL: 1 | ||
| release-cli: | ||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| runs-on: ubuntu-latest | ||
| needs: test | ||
| if: github.event_name == 'push' && contains(github.ref, 'refs/tags/') | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v2 | ||
| with: | ||
| fetch-depth: 0 | ||
| - name: Set up Go | ||
| uses: actions/setup-go@v2 | ||
| with: | ||
| go-version: 1.17 | ||
| - name: install cosign | ||
| uses: sigstore/cosign-installer@main | ||
| with: | ||
| cosign-release: 'v1.4.1' | ||
| - uses: anchore/sbom-action/[email protected] | ||
| - name: Run GoReleaser | ||
| uses: goreleaser/goreleaser-action@v2 | ||
| with: | ||
| distribution: goreleaser | ||
| version: 'v1.2.5' | ||
| args: release --config ./.goreleaser_client.yaml --rm-dist | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| COSIGN_EXPERIMENTAL: 1 | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| project_name: tuf | ||
| builds: | ||
| - ldflags: | ||
| - "-s -w" | ||
| - "-extldflags=-zrelro" | ||
| - "-extldflags=-znow" | ||
| env: | ||
| - "CGO_ENABLED=0" | ||
| - "GO111MODULE=on" | ||
| - "GOFLAGS=-mod=readonly -trimpath" | ||
| goos: | ||
| - linux | ||
| - darwin | ||
| - windows | ||
| goarch: | ||
| - amd64 | ||
| main: ./cmd/tuf/ | ||
| sboms: | ||
| - artifacts: archive | ||
| - id: source | ||
| artifacts: source | ||
| source: | ||
| enabled: true | ||
| signs: | ||
| - cmd: cosign | ||
| signature: "${artifact}.sig" | ||
| certificate: "${artifact}.pem" | ||
| args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"] | ||
| artifacts: all |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| project_name: tuf-client | ||
| builds: | ||
| - ldflags: | ||
| - "-s -w" | ||
| - "-extldflags=-zrelro" | ||
| - "-extldflags=-znow" | ||
| env: | ||
| - "CGO_ENABLED=0" | ||
| - "GO111MODULE=on" | ||
| - "GOFLAGS=-mod=readonly -trimpath" | ||
| goos: | ||
| - linux | ||
| - darwin | ||
| - windows | ||
| goarch: | ||
| - amd64 | ||
| main: ./cmd/tuf-client/ | ||
| sboms: | ||
| - artifacts: archive | ||
| signs: | ||
| - cmd: cosign | ||
|
There was a problem hiding this comment. maybe we can move the COSIGN_EXPERIMENTAL environment variable over here under the env property of the sign section, WDYT? There was a problem hiding this comment. You mean in the goreleaser files instead of the github action workflow file? Do you know how? Can you provide a gist? There was a problem hiding this comment. of course, let me clarify this example: |
||
| signature: "${artifact}.sig" | ||
| certificate: "${artifact}.pem" | ||
| args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"] | ||
| artifacts: all | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can use golangci-lint tool instead of these lines, WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that makes sense. These lines are migrated from the old build workflow.. @asraa @trishankatdatadog are you fine with using golangci-lint instead of staticcheck (golangci-lint calls staticcheck, but can do more).