macOS notarization & brew

- Combine intel & arm builds into one universal binary - Notarize it with Apple, only if building on macOS and secrets set - Split goreleaser for binaries vs docker - Build docker tags still on buildjet - Build release binaries/archives on a github macOS runner because notarizing needs macOS - Publish homebrew update - Small chance it even actually works
acorn-io · Jul 14, 2022 · 64dfdc3 · 64dfdc3
1 parent cbbab06
commit 64dfdc3
Show file tree

Hide file tree

Showing 7 changed files with 242 additions and 96 deletions.
diff --git a/.ackrc b/.ackrc
@@ -0,0 +1 @@
+--ignore-dir=docs/build
diff --git a/.github/workflows/main-release.yaml b/.github/workflows/main-release.yaml
@@ -14,7 +14,7 @@ permissions:
   packages: write
 
 jobs:
-  goreleaser:
+  binary:
     runs-on: buildjet-16vcpu-ubuntu-2004
     steps:
       - name: Checkout
@@ -25,6 +25,45 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.18
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v1.4.1"
+      - name: Setup Cosign
+        run: |
+          echo "${COSIGN_KEY}" > "$GITHUB_WORKSPACE/cosign.key"
+        env:
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+      - run: make download-latest-ui
+      - run: make validate-ci
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist --snapshot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      - name: Upload to S3
+        uses: jakejarvis/s3-sync-action@v0.5.1
+        env:
+          SOURCE_DIR: releases
+          DEST_DIR: cli
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          AWS_S3_ENDPOINT: ${{ secrets.AWS_ENDPOINT }}
+          AWS_S3_BUCKET: ${{ secrets.AWS_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+
+  docker:
+    needs: binary
+    runs-on: buildjet-16vcpu-ubuntu-2004
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -44,13 +83,12 @@ jobs:
         env:
           COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
       - run: make download-latest-ui
-      - run: make validate-ci
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist --snapshot
+          args: release --rm-dist -f .goreleaser-docker.yml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
@@ -65,13 +103,3 @@ jobs:
           docker manifest push ghcr.io/acorn-io/acorn:main
           docker manifest create ghcr.io/acorn-io/acorn:${VERSION} ${IMAGES}
           docker manifest push ghcr.io/acorn-io/acorn:${VERSION}
-      - name: Upload to S3
-        uses: jakejarvis/s3-sync-action@v0.5.1
-        env:
-          SOURCE_DIR: releases
-          DEST_DIR: cli
-          AWS_REGION: ${{ secrets.AWS_REGION }}
-          AWS_S3_ENDPOINT: ${{ secrets.AWS_ENDPOINT }}
-          AWS_S3_BUCKET: ${{ secrets.AWS_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -10,8 +10,8 @@ permissions:
   packages: write
 
 jobs:
-  goreleaser:
-    runs-on: buildjet-16vcpu-ubuntu-2004
+  binary:
+    runs-on: macos-12
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -21,6 +21,38 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version: 1.18
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v1.4.1"
+      - name: Setup Cosign
+        run: |
+          echo "${COSIGN_KEY}" > "$GITHUB_WORKSPACE/cosign.key"
+        env:
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+      - run: make download-ui
+      - run: make validate-ci
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          AC_IDENTITY: ${{ secrets.AC_IDENTITY }}
+          AC_PROJECT: ${{ secrets.AC_PROJECT }}
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+  docker:
+    needs: binary
+    runs-on: buildjet-16vcpu-ubuntu-2004
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -40,13 +72,16 @@ jobs:
         env:
           COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
       - run: make download-ui
-      - run: make validate-ci
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:
           distribution: goreleaser
           version: latest
-          args: release --rm-dist
+          args: release --rm-dist -f .goreleaser-docker.yml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          AC_IDENTITY: ${{ secrets.AC_IDENTITY }}
+          AC_PROJECT: ${{ secrets.AC_PROJECT }}
+          AC_USERNAME: ${{ secrets.AC_USERNAME }}
+          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
diff --git a/.gon.hcl b/.gon.hcl
@@ -0,0 +1,10 @@
+source = ["releases/mac_darwin_all/acorn"]
+bundle_id = "io.acorn.cli"
+
+sign {
+  application_identity = "Developer ID Application: Acorn Labs, Inc. (K5HKMU4T9S)"
+}
+
+zip {
+  output_path = "releases/mac_darwin_all/acorn.zip"
+}
diff --git a/.goreleaser-docker.yml b/.goreleaser-docker.yml
@@ -0,0 +1,78 @@
+dist: releases
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - -s
+      - -w
+      - -X "github.com/acorn-io/acorn/pkg/version.Tag=v{{ .Version }}"
+    # The docker build don't actually use the binaries generated here, so just build something
+dockers:
+  - use: buildx
+    goos: linux
+    goarch: amd64
+    dockerfile: Dockerfile
+    image_templates:
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-amd64
+    build_flag_templates:
+      - "--target=goreleaser"
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source=https://github.com/acorn-io/acorn"
+      - "--platform=linux/amd64"
+  - use: buildx
+    goos: linux
+    goarch: arm64
+    dockerfile: Dockerfile
+    image_templates:
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-arm64
+    build_flag_templates:
+      - "--target=goreleaser"
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source=https://github.com/acorn-io/acorn"
+      - "--platform=linux/arm64"
+  - use: buildx
+    goos: linux
+    goarch: arm
+    goarm: "7"
+    dockerfile: Dockerfile
+    image_templates:
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-arm32v7
+    build_flag_templates:
+      - "--target=goreleaser"
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source=https://github.com/acorn-io/acorn"
+      - "--platform=linux/arm/v7"
+docker_manifests:
+  - use: docker
+    name_template: ghcr.io/acorn-io/acorn:v{{ .Version }}
+    image_templates:
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-amd64
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-arm64
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-arm32v7
+  - use: docker
+    name_template: ghcr.io/acorn-io/acorn:latest
+    image_templates:
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-amd64
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-arm64
+      - ghcr.io/acorn-io/acorn:v{{ .Version }}-arm32v7
+docker_signs:
+  - artifacts: all
+    stdin: "{{ .Env.COSIGN_PASSWORD }}"
+snapshot:
+  name_template: '{{ trimprefix .Summary "v" }}'