Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor release job #986

Merged
merged 2 commits into from
Mar 17, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 49 additions & 26 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,22 +9,59 @@ jobs:
goreleaser:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
tag_name: ${{ steps.tag.outputs.tag_name }}

permissions:
packages: write
id-token: write
contents: write

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- run: git fetch --prune --unshallow

- uses: actions/setup-go@v3
with:
go-version: '1.20'
check-latest: true

- uses: ko-build/[email protected] # This installs the current latest release.

- uses: imjasonh/[email protected]

- uses: sigstore/[email protected]

- name: Set tag output
id: tag
run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

- uses: goreleaser/[email protected]
id: run-goreleaser
with:
version: latest
args: release --rm-dist
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: sign ko-image
run: |
digest=$(crane digest "${REGISTRY}":"${GIT_TAG}")
cosign sign --yes \
-a GIT_HASH="${GIT_HASH}" \
-a GIT_TAG="${GIT_TAG}" \
-a RUN_ID="${RUN_ID}" \
-a RUN_ATTEMPT="${RUN_ATTEMPT}" \
"${REGISTRY}@${digest}"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_HASH: ${{ github.sha }}
GIT_TAG: ${{ steps.tag.outputs.tag_name }}
RUN_ATTEMPT: ${{ github.run_attempt }}
RUN_ID: ${{ github.run_id }}
REGISTRY: "ghcr.io/${{ github.repository }}"

- name: Generate subject
id: hash
env:
Expand All @@ -33,45 +70,31 @@ jobs:
set -euo pipefail

checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"

publish:
needs: [goreleaser]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: git fetch --prune --unshallow
- uses: actions/setup-go@v3
with:
go-version: '1.20'
check-latest: true
- uses: imjasonh/[email protected] # This installs the current latest release.
- uses: sigstore/[email protected]
- run: |
tag=$(echo ${{ github.ref }} | cut -c11-) # get tag name without tags/refs/ prefix.
img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} -t ${tag} ./)
echo "built ${img}"
cosign sign ${img} --yes \
-a sha=${{ github.sha }} \
-a run_id=${{ github.run_id }} \
-a run_attempt=${{ github.run_attempt }} \
-a tag=${tag}
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"

provenance:
needs: [goreleaser]
needs:
- goreleaser

permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.

uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
upload-tag-name: "${{ needs.release.outputs.tag_name }}"

verification:
needs: [goreleaser, provenance]
needs:
- goreleaser
- provenance

runs-on: ubuntu-latest
permissions: read-all

steps:
# Note: this will be replaced with the GHA in the future.
- name: Install the verifier
Expand Down
90 changes: 60 additions & 30 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
@@ -1,45 +1,75 @@
# This is an example goreleaser.yaml file with some sane defaults.
# Make sure to check the documentation at http://goreleaser.com
before:
hooks:
# you may remove this if you don't use vgo
- go mod tidy
# you may remove this if you don't need go generate
- go generate ./...
- /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'

builds:
- main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le
- id: binary
main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le

kos:
- id: ko-image
build: binary
main: .
base_image: golang:1.20
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
platforms:
- all
tags:
- '{{ .Tag }}'
- '{{ .FullCommit }}'
- latest
sbom: spdx
bare: true
preserve_import_paths: false
base_import_paths: false

archives:
- replacements:
darwin: Darwin
linux: Linux
windows: Windows
386: i386
amd64: x86_64
- id: with-version
name_template: >-
{{ .ProjectName }}_
{{- .Version }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}
- id: without-version
name_template: >-
{{ .ProjectName }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}

checksum:
name_template: 'checksums.txt'

snapshot:
name_template: "{{ .Tag }}-next"

changelog:
sort: asc
use: github
filters:
exclude:
- '^docs:'
- '^test:'
- '^docs:'
- '^test:'
2 changes: 1 addition & 1 deletion hack/boilerplate/boilerplate.sh.txt
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash

# Copyright 2020 Google LLC All Rights Reserved.
#
Expand Down