Use goreleaser to release new version

Cosign will now be used to sign the artifacts using the keyless mode.
LeSuisse · Jun 16, 2023 · dabdb6e · dabdb6e
1 parent f42b44e
commit dabdb6e
Show file tree

Hide file tree

Showing 8 changed files with 114 additions and 73 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -41,16 +41,18 @@ jobs:
         run: go run honnef.co/go/tools/cmd/staticcheck -checks 'all,-ST1000' ./...
       - name: Gosec
         run: go run github.com/securego/gosec/cmd/gosec -exclude=G104 ./...
-  build_script:
+  test_release:
     runs-on: ubuntu-22.04
-    name: Build across all supported architectures
+    permissions:
+      id-token: write
+      contents: read
+    name: Test release
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - uses: cachix/install-nix-action@4b933aa7ebcc94a6174cf1364864e957b4910265
-      - name: Build
-        run: ./scripts/build.sh
+      - run: nix-shell --run 'goreleaser --snapshot --clean'
       - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
         with:
-          name: pre-built-binaries
-          path: pkg/*.zip
+          name: test-release-dist
+          path: dist/**/*
           retention-days: 2
diff --git a/.github/workflows/Release.yml b/.github/workflows/Release.yml
@@ -0,0 +1,23 @@
+name: Release
+
+permissions: read-all
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  release:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: write
+    name: Test release
+    steps:
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+        with:
+          fetch-depth: 0
+      - run: git fetch --force --tags
+      - uses: cachix/install-nix-action@4b933aa7ebcc94a6174cf1364864e957b4910265
+      - run: nix-shell --run 'goreleaser --clean'
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 .idea
-pkg/
+pkg/
+dist/
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,69 @@
+gomod:
+  proxy: true
+
+report_sizes: true
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - windows
+      - linux
+      - freebsd
+      - netbsd
+      - openbsd
+      - solaris
+    goarch:
+      - "386"
+      - amd64
+      - arm
+      - arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w -X github.com/LeSuisse/vault-gpg-plugin/version.GitCommit={{.Commit}}
+    hooks:
+      post:
+        - cmd: sh -c 'sha256sum  "{{ base .Path }}" > "{{ base .Path }}".sha256sum'
+          dir: "{{ dir .Path }}"
+sboms:
+  - artifacts: binary
+archives:
+  - format: zip
+    name_template: "{{ .Os }}_{{ .Arch }}"
+    files:
+      - README.md
+      - LICENSE
+      - docs/*
+      - src: "{{ .ArtifactPath }}.sha256sum"
+        dst: /
+        strip_parent: true
+checksum:
+  name_template: 'checksums.txt'
+signs:
+  - id: binary-keyless
+    signature: "${artifact}.bundle"
+    cmd: cosign
+    args: ["sign-blob", "--bundle", "${signature}", "--yes", "${artifact}"]
+    artifacts: binary
+  - id: checksum-keyless
+    signature: "${artifact}.bundle"
+    cmd: cosign
+    args: ["sign-blob", "--bundle", "${signature}", "--yes", "${artifact}"]
+    artifacts: checksum
+  - id: sbom-keyless
+    signature: "${artifact}.bundle"
+    cmd: cosign
+    args: ["sign-blob", "--bundle", "${signature}", "--yes", "${artifact}"]
+    artifacts: sbom
+  - id: packages-keyless
+    signature: "${artifact}.bundle"
+    cmd: cosign
+    args: ["sign-blob", "--bundle", "${signature}", "--yes", "${artifact}"]
+    artifacts: package
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+release:
+  draft: true
diff --git a/README.md b/README.md
@@ -20,7 +20,13 @@ on the official Vault website. You can download and decompress the pre-compiled
 from the [latest release on GitHub](https://github.com/LeSuisse/vault-gpg-plugin/releases). SHA256 checksum for the
 pre-compiled plugin binary is also provided in the archive so it can be registered to your Vault plugin catalog.
 
-All archives available from the [release tab on GitHub](https://github.com/LeSuisse/vault-gpg-plugin/releases) come with
-a GPG signature made with the GPG key [`FFCB D29F 3AFE D453 AE4B 9E32 1D40 FBA2 9EB3 9616`](https://sks-keyservers.net/pks/lookup?op=get&search=0xFFCBD29F3AFED453AE4B9E321D40FBA29EB39616).
+All archives available from the [release tab on GitHub](https://github.com/LeSuisse/vault-gpg-plugin/releases).
+All archives are signed using [Cosign](https://docs.sigstore.dev/cosign/verify/):
+
+```
+$ cosign verify-blob <file> --bundle <file>.bundle \
+    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
+    --certificate-identity-regexp='https://github.com/LeSuisse/vault-gpg-plugin/\.github/workflows/Release\.yml'
+```
 
 Once mounted in Vault, this plugin exposes [this HTTP API](docs/http-api.md).
diff --git a/scripts/build.sh b/scripts/build.sh
diff --git a/scripts/sign.sh b/scripts/sign.sh
diff --git a/shell.nix b/shell.nix
@@ -7,11 +7,10 @@
 
 pkgs.mkShell {
   buildInputs = [
-    pkgs.findutils
-    pkgs.gitMinimal
-    pkgs.zip
     pkgs.go_1_20
-    pkgs.gnupg
-    pkgs.rekor-cli
+    pkgs.gitMinimal
+    pkgs.goreleaser
+    pkgs.syft
+    pkgs.cosign
   ];
 }