refactor release job
Signed-off-by: cpanato <[email protected]>
cpanato committed Mar 14, 2023
1 parent 0a36d93 commit 55d426c
Showing 3 changed files with 98 additions and 56 deletions.
62 changes: 37 additions & 25 deletions .github/workflows/release.yml
Expand Up @@ -11,24 +11,50 @@ jobs:
hashes: ${{ steps.hash.outputs.hashes }}
tag_name: ${{ steps.tag.outputs.tag_name }}

permissions:
packages: write
id-token: write
contents: write

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- run: git fetch --prune --unshallow

- uses: actions/setup-go@v3
with:
go-version: '1.20'
check-latest: true

- uses: ko-build/[email protected] # This installs the current latest release.

- uses: imjasonh/[email protected]

- uses: sigstore/[email protected]

- name: Set tag output
id: tag
run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

- uses: goreleaser/[email protected]
id: run-goreleaser
with:
version: latest
args: release --rm-dist
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: sign ko-image
run: ./scripts/build-sign-release-images.sh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_HASH: ${{ github.sha }}
GIT_TAG: ${{ steps.tag.outputs.tag_name }}
RUN_ATTEMPT: ${{ github.run_attempt }}
RUN_ID: ${{ github.run_id }}
REGISTRY: "ghcr.io/${{ github.repository }}"

- name: Generate subject
id: hash
env:
Expand All @@ -37,45 +63,31 @@ jobs:
set -euo pipefail
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: git fetch --prune --unshallow
- uses: actions/setup-go@v3
with:
go-version: '1.20'
check-latest: true
- uses: imjasonh/[email protected] # This installs the current latest release.
- uses: sigstore/[email protected]
- run: |
tag=$(echo ${{ github.ref }} | cut -c11-) # get tag name without tags/refs/ prefix.
img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} -t ${tag} ./)
echo "built ${img}"
cosign sign ${img} \
-a sha=${{ github.sha }} \
-a run_id=${{ github.run_id }} \
-a run_attempt=${{ github.run_attempt }} \
-a tag=${tag}
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [goreleaser]
needs:
- goreleaser

permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.

uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
upload-tag-name: "${{ needs.release.outputs.tag_name }}"

verification:
needs: [goreleaser, provenance]
needs:
- goreleaser
- provenance

runs-on: ubuntu-latest
permissions: read-all

steps:
# Note: this will be replaced with the GHA in the future.
- name: Install the verifier
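Review bot: In the `provenance` job, `upload-tag-name` reads `needs.release.outputs.tag_name`, but the only job listed under `needs` is `goreleaser`, the same job that `base64-subjects` takes its hashes from. A reference to a job that is not in `needs` presumably evaluates to an empty string, so the SLSA generator would not receive the tag exported by the `Set tag output` step and the provenance may not be attached to the intended release. The line should read `upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"`. The job id line sits above the hunk, so confirm that it is in fact `goreleaser`.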
90 changes: 60 additions & 30 deletions .goreleaser.yml
@@ -1,45 +1,75 @@
# This is an example goreleaser.yaml file with some sane defaults.
# Make sure to check the documentation at http://goreleaser.com
before:
hooks:
# you may remove this if you don't use vgo
- go mod tidy
# you may remove this if you don't need go generate
- go generate ./...
- /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'

builds:
- main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le
- id: binary
main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le

kos:
- id: ko-image
build: binary
main: .
base_image: golang:1.20
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
platforms:
- all
tags:
- '{{ .Tag }}'
- '{{ .FullCommit }}'
- latest
sbom: spdx
bare: true
preserve_import_paths: false
base_import_paths: false

archives:
- replacements:
darwin: Darwin
linux: Linux
windows: Windows
386: i386
amd64: x86_64
- id: with-version
name_template: >-
{{ .ProjectName }}_
{{ .Version }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}
- id: without-version
name_template: >-
{{ .ProjectName }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}
checksum:
name_template: 'checksums.txt'

snapshot:
name_template: "{{ .Tag }}-next"

changelog:
sort: asc
use: github
filters:
exclude:
- '^docs:'
- '^test:'
- '^docs:'
- '^test:'
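Review bot: The new `kos` entry builds the release image on `base_image: golang:1.20`, a mutable tag, so the layers that end up signed and described by the SPDX SBOM depend on whatever the registry serves at release time. Pinning the base by digest, for example `base_image: golang:1.20@sha256:<digest-placeholder>`, makes a base-image change a reviewed commit and keeps rebuilds of the same tag comparable. The image is also published under `latest`, so release notes should point consumers at the digest or the `{{ .Tag }}` reference when they verify signatures. Separately, the workflow in this commit keeps a `sign ko-image` step whose script name suggests it builds too; if both paths push images, confirm that the signed digest is the one `kos` published.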
2 changes: 1 addition & 1 deletion hack/boilerplate/boilerplate.sh.txt
@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash

# Copyright 2020 Google LLC All Rights Reserved.
#