flipt-io · markphelps · Jul 6, 2022 · Jul 5, 2022 · Jul 5, 2022 · Jul 6, 2022
@@ -1,36 +1,63 @@
-name: Check Release
+name: Release
 on:
-  release:
-    types: [published]
   workflow_dispatch:
 
+permissions:
+  contents: write
+  packages: write
+
 jobs:
-  check:
-    name: Check
+  release:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
 
-      - name: Fetch latest release version
-        id: fetch-latest-release
-        uses: reloc8/action-latest-release-version@1.0.0
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.17.x"
 
-      - name: Verify Dockerhub
-        run: docker pull markphelps/flipt:${{ steps.fetch-latest-release.outputs.latest-release }}
+      - uses: arduino/setup-task@v1
 
-      - name: Verify GHCR
-        run: docker pull ghcr.io/markphelps/flipt:${{ steps.fetch-latest-release.outputs.latest-release }}
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Prepare for release
+        run: |
+          task prep
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.4.1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
         with:
-          image-ref: "docker.io/markphelps/flipt:${{ steps.fetch-latest-release.outputs.latest-release }}"
-          format: "template"
-          template: "@/contrib/sarif.tpl"
-          output: "trivy-results.sarif"
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v3
         with:
-          sarif_file: "trivy-results.sarif"
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ANALYTICS_KEY: ${{ secrets.ANALYTICS_KEY }}
+          DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
+          DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
@@ -0,0 +1,44 @@
+name: Release (Snapshot)
+on:
+  workflow_dispatch:
+
+jobs:
+  snapshot:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.17.x"
+
+      - uses: arduino/setup-task@v1
+
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Install Syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Prepare for release
+        run: |
+          task prep
+
+      - name: GoReleaser (Snapshot)
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist --snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ANALYTICS_KEY: ${{ secrets.ANALYTICS_KEY }}
@@ -5,8 +5,6 @@ builds:
   - main: ./cmd/flipt/.
     env:
       - CGO_ENABLED=1
-      - CC=x86_64-linux-musl-gcc
-      - CXX=x86_64-linux-musl-g++
     ldflags:
       - -s -w -X main.version={{ .Version }} -X main.commit={{ .Commit }} -X main.date={{ .Date }} -X main.analyticsKey={{ .Env.ANALYTICS_KEY }}
       - -linkmode external -extldflags -static
@@ -36,7 +34,7 @@ checksum:
   name_template: "checksums.txt"
 
 changelog:
-  skip: true
+  use: github-native
 
 dockers:
   - dockerfile: ./build/Dockerfile
@@ -57,4 +55,3 @@ dockers:
 announce:
   discord:
     enabled: true
-
@@ -1,5 +1,6 @@
 tap 'filosottile/musl-cross'
 tap 'goreleaser/tap'
+tap 'anchore/syft'
 
 brew 'cmake'
 brew 'cosign'
@@ -11,3 +12,4 @@ brew 'musl-cross'
 brew 'pkg-config'
 brew 'protobuf'
 brew 'sqlite'
+brew 'syft'
@@ -9,15 +9,20 @@ vars:
 tasks:
   default:
     desc: Build the binary
+    deps: [prep]
     cmds:
-      - task: clean
-      - task: proto
-      - task: assets
       - go build -trimpath -tags assets -ldflags "-X main.commit={{.GIT_COMMIT}}" -o ./bin/{{.PROJECT}} ./cmd/{{.PROJECT}}/.
     vars:
       GIT_COMMIT:
         sh: set -e && git rev-parse --verify HEAD || ""
 
+  prep:
+    desc: Prepare for release
+    cmds:
+      - task: clean
+      - task: proto
+      - task: assets
+
   assets:
     desc: Build the UI
     deps: [assets:deps]
@@ -37,6 +42,9 @@ tasks:
     dir: "{{.UI}}"
     cmds:
       - npm ci
+    sources:
+      - ./{{.UI}}/package-lock.json
+    method: checksum
 
   assets:dev:
     desc: Run the UI dev server
@@ -56,9 +64,15 @@ tasks:
     desc: Install necessary development tools
     cmds:
       - ./script/bootstrap
+    sources:
+      - ./_tools/go.mod
+    generates:
+      - ./_tools/go.sum
+    method: checksum
 
   build:
     desc: Run Go build
+    deps: [bootstrap]
     cmds:
       - go build -trimpath -tags assets -ldflags "-X main.commit={{.GIT_COMMIT}}" -o ./bin/{{.PROJECT}} ./cmd/{{.PROJECT}}/.
     vars:
@@ -71,24 +85,9 @@ tasks:
     cmds:
       - buf generate --template=buf.public.gen.yaml
 
-  build:release:
-    desc: Build a release version and push the release with goreleaser
-    cmds:
-      - task: clean
-      - task: proto
-      - task: assets
-      - ./script/build release
-
-  build:snapshot:
-    desc: Build a snapshot version with goreleaser
-    cmds:
-      - task: clean
-      - task: proto
-      - task: assets
-      - ./script/build snapshot
-
   proto:
     desc: Generate protobuf files from .protos
+    deps: [bootstrap]
     cmds:
       - buf generate