From 6ce8a434b794b79fe831727f2c308a39c5ba6acb Mon Sep 17 00:00:00 2001 From: cpanato Date: Tue, 14 Mar 2023 14:02:08 +0100 Subject: [PATCH] refactor release job Signed-off-by: cpanato --- .github/workflows/release.yml | 54 +++++++++++++----------- .gitignore | 2 +- .goreleaser.yml | 61 +++++++++++++++------------ scripts/builld-sign-release-images.sh | 42 ++++++++++++++++++ 4 files changed, 106 insertions(+), 53 deletions(-) create mode 100755 scripts/builld-sign-release-images.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9d0c59c631..caddb336c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,24 +11,42 @@ jobs: hashes: ${{ steps.hash.outputs.hashes }} tag_name: ${{ steps.tag.outputs.tag_name }} + permissions: + packages: write + id-token: write + contents: write + runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + - run: git fetch --prune --unshallow + - uses: actions/setup-go@v3 with: go-version: 1.18 check-latest: true + + - uses: imjasonh/setup-ko@v0.6 # This installs the current latest release. + + - uses: sigstore/cosign-installer@v3.0.1 + - name: Set tag output id: tag run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + - uses: goreleaser/goreleaser-action@v4.2.0 id: run-goreleaser with: version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GIT_HASH: ${{ github.sha }} + GIT_TAG: ${{ steps.tag.outputs.tag_name }} + RUN_ATTEMPT: ${{ github.run_attempt }} + RUN_ID: ${{ github.run_id }} + - name: Generate subject id: hash env: 
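Review bot: The job that now holds `id-token: write` and `packages: write` and produces the keyless signatures installs its toolchain unpinned: the goreleaser step runs with `version: latest`, and the `imjasonh/setup-ko@v0.6` step is annotated `This installs the current latest release`, so the workflow's signing identity ends up vouching for whatever ko and goreleaser release happens to be current at run time, and any compromised or broken upstream release flows straight into signed artifacts. For a release pipeline I would pin goreleaser to an explicit release instead of `version: latest`, pass an explicit version to setup-ko if the action accepts one, and reference the third-party actions by commit SHA rather than a floating tag. The `GIT_HASH`/`GIT_TAG`/`RUN_*` variables added to the goreleaser step's `env:` are presumably what the `.goreleaser.yml` hook script consumes; a one-line comment above them saying so (`# consumed by scripts/builld-sign-release-images.sh via the before hook`) would save the next reader a lookup.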
@@ -37,35 +55,17 @@ jobs: set -euo pipefail checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)" - - publish: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - run: git fetch --prune --unshallow - - uses: actions/setup-go@v3 - with: - go-version: 1.18 - check-latest: true - - uses: imjasonh/setup-ko@v0.6 # This installs the current latest release. - - uses: sigstore/cosign-installer@v3.0.1 - - run: | - tag=$(echo ${{ github.ref }} | cut -c11-) # get tag name without tags/refs/ prefix. - img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} -t ${tag} ./) - echo "built ${img}" - cosign sign ${img} \ - -a sha=${{ github.sha }} \ - -a run_id=${{ github.run_id }} \ - -a run_attempt=${{ github.run_attempt }} \ - -a tag=${tag} + echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" provenance: - needs: [goreleaser] + needs: + - goreleaser + permissions: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 with: base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" @@ -73,9 +73,13 @@ jobs: upload-tag-name: "${{ needs.release.outputs.tag_name }}" verification: - needs: [goreleaser, provenance] + needs: + - goreleaser + - provenance + runs-on: ubuntu-latest permissions: read-all + steps: # Note: this will be replaced with the GHA in the future. - name: Install the verifier diff --git a/.gitignore b/.gitignore index 2d8e0e742f..83acd05615 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ # Ignore GoLand (IntelliJ) files. .idea/ - +imagerefs ko .DS_Store diff --git a/.goreleaser.yml b/.goreleaser.yml index 2afaa2bbab..1b6d7aa034 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
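Review bot: The new `echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"` line leaves `$checksum_file` unquoted and does not check that the `jq` selection above it matched anything; if goreleaser emits no artifact of type `Checksum`, `cat` is invoked with no file, reads the step's stdin, and `hashes` is written out empty, which the provenance job then consumes as an empty subject list instead of failing loudly. I would guard it with `[[ -n "$checksum_file" ]] || { echo "no Checksum artifact in goreleaser output" >&2; exit 1; }` and write `echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"`. Note also that the container images built and signed from the `.goreleaser.yml` before-hook are not among these subjects, so the SLSA provenance covers the archives only — presumably intended, but worth a comment on the `provenance:` job. The `run:` block this line belongs to starts above the hunk.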
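Review bot: `upload-tag-name: "${{ needs.release.outputs.tag_name }}"` at the top of this hunk refers to a job named `release`, but the provenance job's `needs` list rewritten here contains only `goreleaser`, and `tag_name` is declared as an output of the `goreleaser` job in the first hunk; a `needs.<job>` context for a job that is not a declared dependency evaluates to an empty string (or is rejected at workflow validation), so the generator would be asked to upload provenance to an empty tag name. The line is context rather than part of the change, but the commit touches the `needs` lists right around it, so this is the place to fix it: `upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"`. If `release` is a leftover from an earlier layout of this workflow, nothing else in the visible diff defines it.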
@@ -1,4 +1,4 @@ -# This is an example goreleaser.yaml file with some sane defaults. +--- # Make sure to check the documentation at http://goreleaser.com before: hooks: @@ -6,40 +6,47 @@ before: - go mod tidy # you may remove this if you don't need go generate - go generate ./... + - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi' + - /bin/bash -c './scripts/builld-sign-release-images.sh' + builds: -- main: ./main.go - env: - - CGO_ENABLED=0 - flags: - - -trimpath - ldflags: - - "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}" - goos: - - windows - - linux - - darwin - goarch: - - amd64 - - arm64 - - s390x - - 386 - - mips64le - - ppc64le + - main: ./main.go + env: + - CGO_ENABLED=0 + flags: + - -trimpath + ldflags: + - "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}" + goos: + - windows + - linux + - darwin + goarch: + - amd64 + - arm64 + - s390x + - 386 + - mips64le + - ppc64le + archives: -- replacements: - darwin: Darwin - linux: Linux - windows: Windows - 386: i386 - amd64: x86_64 + - name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + checksum: name_template: 'checksums.txt' + snapshot: name_template: "{{ .Tag }}-next" + changelog: sort: asc use: github filters: exclude: - - '^docs:' - - '^test:' + - '^docs:' + - '^test:' diff --git a/scripts/builld-sign-release-images.sh b/scripts/builld-sign-release-images.sh new file mode 100755 index 0000000000..292ec7b549 --- /dev/null +++ b/scripts/builld-sign-release-images.sh 
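Review bot: Running `./scripts/builld-sign-release-images.sh` as a `before.hooks` entry means `ko build` pushes and `cosign sign` signs the container images before goreleaser has built or validated any release artifact, and it runs on every invocation, including `goreleaser release --snapshot` or a local dry run, where there is no OIDC identity for keyless signing and possibly no registry the developer should be pushing to (I am not aware of a skip-on-snapshot switch for `before` hooks). If goreleaser fails after the hook, the `latest`, `${GIT_TAG}` and `${GIT_HASH}` tags are already published and signed for a release that never shipped. I would move the image build/sign into its own workflow step after the goreleaser step (the `GIT_*`/`RUN_*` variables it needs are already set on that job), or at minimum have the script exit early when `GITHUB_ACTIONS` is unset. Separately, the script path is spelled `builld-…`; if that typo is fixed later, this hook string has to change with it.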
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Google LLC All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+: "${GIT_HASH:?Environment variable empty or not defined.}"
+: "${GIT_TAG:?Environment variable empty or not defined.}"
+: "${RUN_ID:?Environment variable empty or not defined.}"
+: "${RUN_ATTEMPT:?Environment variable empty or not defined.}"
+
+export LDFLAGS="-s -w -X github.com/google/ko/pkg/commands.Version=${GIT_TAG}"
+
+ko build --bare --platform=all -t latest -t "${GIT_HASH}" -t "${GIT_TAG}" --image-refs imagerefs ./
+
+if [[ ! -f imagerefs ]]; then
+ echo "imagerefs not found"
+ exit 1
+fi
+
+echo "Signing images with Keyless..."
+readarray -t images < <(cat imagerefs || true)
+cosign sign --yes \
+ -a GIT_HASH="${GIT_HASH}" \
+ -a GIT_TAG="${GIT_TAG}" \
+ -a RUN_ID="${RUN_ID}" \
+ -a RUN_ATTEMPT="${RUN_ATTEMPT}" \
+ "${images[@]}"
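Review bot: `readarray -t images < <(cat imagerefs || true)` tolerates an unreadable or empty `imagerefs`, but nothing then checks that anything was read: with an empty file `images` is an empty array, and `cosign sign --yes ... "${images[@]}"` either trips `set -o nounset` (bash before 4.4 treats an empty-array expansion as unbound) or calls cosign with no image and fails with a usage error, so the real cause — `ko build` produced no refs — is obscured. The `|| true` also silently masks a read failure that the `-f` test just above was meant to surface. I would replace the line with `readarray -t images < imagerefs` followed by `(( ${#images[@]} > 0 )) || { echo "imagerefs is empty; nothing to sign" >&2; exit 1; }`. Note also that `imagerefs` is a relative path, so the script assumes it runs from the repository root — presumably true for the goreleaser hook, but worth a comment above the `ko build` line.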