add signed releases

in-toto · Sep 26, 2021 · a265a62 · a265a62
1 parent f2c57d1
commit a265a62
Show file tree

Hide file tree

Showing 7 changed files with 136 additions and 28 deletions.
diff --git a/.github/cosign.key b/.github/cosign.key
@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6
+OCwicCI6MX0sInNhbHQiOiJIYm5Zeno2c1orRytYdlFTUWorTU5PZEhnTmZTQnpR
+NTd4MkRIQWI5emU4PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiIyS1pvUHF1bG9NcDUvcFBsOWg5cDR5VXBsL2M5eFI1OCJ9LCJj
+aXBoZXJ0ZXh0IjoiT1NqZUMvS2dtWUkzQ2ErVlVmQlh1Wm9hU0FkYWxFT0wwWk9G
+UEMrNFFWYWhtMUtNeHM2YUUwNWpvT3hveEF1eDRxaGk2amJmenp0MG5SelhJUUZt
+QjRSblBDTUQ4NmduQ2owR243dE4vc3V0TmpZbVI0c3NORzZpNXVYdTBuWmdseHk3
+K1k5SXU0cW0wOWordXRyNURwODM3RmF2Z0w3ZUhJeU1LQjlZWVd0OWZMV0s4VFps
+b29yTjJpVDYxT1E4Y0diM0JyOGw2ang2YkE9PSJ9
+-----END ENCRYPTED COSIGN PRIVATE KEY-----
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -0,0 +1,54 @@
+name: release
+on: [push, pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [ 1.16.x, 1.17.x ]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Format Unix
+        if: runner.os == 'Linux'
+        run: test -z $(go fmt ./...)
+      - name: Test
+        run: go test -covermode atomic -coverprofile='profile.cov' ./...
+      - name: Send coverage
+        if: runner.os == 'Linux'
+        env:
+          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          GO111MODULE=off go get github.com/mattn/goveralls
+          $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+  release:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+      - name: install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.2.1'
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,8 @@
+# goreleaser distribution directory
+dist
+
+# GoLand idea configuration
+.idea
+
+# VSCode configuration
+.vscode
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,26 @@
+project_name: in-toto
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+      - "-X main.tag={{.Version}}"
+      - "-X main.commit={{.FullCommit}}"
+      - "-X main.date={{.Date}}"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+      - "GOFLAGS=-mod=readonly -trimpath"
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+    main: ./cmd/in-toto/
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    stdin: '{{ .Env.COSIGN_PWD }}'
+    args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+    artifacts: all
diff --git a/cmd/in-toto/version.go b/cmd/in-toto/version.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+	"fmt"
+	"github.com/spf13/cobra"
+)
+
+var (
+	commit = "none"
+	date   = "unknown"
+	tag    = "dev"
+)
+
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Display the version of the in-toto CLI tool",
+	Long:  `Display the commit ID, the date and the version tag of the in-toto CLI as embedded by the build system.`,
+	RunE:  version,
+}
+
+func init() {
+	rootCmd.AddCommand(versionCmd)
+}
+
+func version(cmd *cobra.Command, args []string) error {
+	// let us make it as simple as possible.
+	// We could encode the version information as JSON like kubectl does,
+	// but what if the json package has a bug? :/
+	fmt.Println("commit : ", commit)
+	fmt.Println("date   : ", date)
+	fmt.Println("version: ", tag)
+	return nil
+}
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2aAPtd19aLTQNfMnspdWzs2e0ieD
+NxbkxAfrlSrJ7t/CUdQVlzqRydZQ1HnRfGmB6xPW6U7BDFUexVYLMTMOBQ==
+-----END PUBLIC KEY-----