Add release process

.bouncer.yaml

@@ -2,4 +2,5 @@ permit:
   - BSD.*
   - MIT.*
   - Apache.*
-  - MPL.*
+  - MPL.*
+  - ISC

.circleci/config.yml

@@ -102,18 +102,19 @@ jobs:
 
       - restore_cache:
           keys:
-            - integration-test-tar-cache-{{ checksum "integration/test-fixtures/tar-cache.fingerprint" }}
+            - integration-test-tar-cache-{{ checksum "test/integration/test-fixtures/tar-cache.fingerprint" }}
       - run:
           name: run integration tests
           command: make integration
 
       - save_cache:
-          key: integration-test-tar-cache-{{ checksum "integration/test-fixtures/tar-cache.fingerprint" }}
+          key: integration-test-tar-cache-{{ checksum "test/integration/test-fixtures/tar-cache.fingerprint" }}
           paths:
-            - "integration/test-fixtures/tar-cache"
+            - "test/integration/test-fixtures/tar-cache"
 
 workflows:
-  "Static Analysis & All Tests":
+  # Note: changing this workflow name requires making the same update in the .github/workflows/release.yaml pipeline
+  "Static Analysis + Unit + Integration":
     jobs:
       - run-static-analysis:
           name: "Static Analysis"

.github/workflows/acceptance-test.yaml

@@ -0,0 +1,83 @@
+name: 'Acceptance'
+on:
+  push:
+    # ... only act on pushes to master
+    branches:
+      - master
+    # ... do not act on release tags
+    tags-ignore:
+      - v*
+env:
+  GO_VERSION: "1.14.x"
+jobs:
+  Build-Snapshot-Artifacts:
+    runs-on: ubuntu-latest
+    steps:
+
+      # TODO: remove me after release
+      - name: Configure git for private modules
+        env:
+          TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }}
+        run: git config --global url."https://anchore:${TOKEN}@github.com".insteadOf "https://github.com"
+
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - uses: actions/checkout@v2
+
+      - name: Restore bootstrap cache
+        id: cache
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ${{ github.workspace }}/.tmp
+          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('Makefile') }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('Makefile') }}-
+            ${{ runner.os }}-go-${{ env.GO_VERSION }}-
+
+      - name: Bootstrap dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: make ci-bootstrap
+
+      - name: Build snapshot artifacts
+        run: make snapshot
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: artifacts
+          path: snapshot
+
+  # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+  Acceptance-Linux:
+    needs: [ Build-Snapshot-Artifacts ]
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@v2
+
+      - uses: actions/download-artifact@v2
+        with:
+          name: artifacts
+          path: snapshot
+
+      - name: Run Acceptance Tests (Linux)
+        run: make acceptance-linux
+
+  # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+  Acceptance-Mac:
+    needs: [ Build-Snapshot-Artifacts ]
+    runs-on: macos-latest
+    steps:
+
+      - uses: actions/checkout@v2
+
+      - uses: actions/download-artifact@v2
+        with:
+          name: artifacts
+          path: snapshot
+
+      - name: Run Acceptance Tests (Mac)
+        run: make acceptance-mac

.github/workflows/release.yaml

@@ -0,0 +1,101 @@
+name: 'Release'
+on:
+  push:
+    # take no actions on push...
+    branches-ignore:
+      - '**'
+    # ... only act on release tags
+    tags:
+      - 'v*'
+env:
+  GO_VERSION: "1.14.x"
+jobs:
+  wait-for-checks:
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@v2
+
+      # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto master
+      - name: Ensure tagged commit is on master
+        run: |
+          echo "Tag: ${GITHUB_REF##*/}"
+          git fetch origin master
+          git merge-base --is-ancestor ${GITHUB_REF##*/} origin/master && echo "${GITHUB_REF##*/} is a commit on master!"
+
+      - name: Check static anaylysis, unit, and integration test results
+        uses: fountainhead/action-wait-for-check@v1
+        id: sa-unit-int
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          # This check name is defined as the circle-ci workflow name (in .circleci/config.yaml)
+          checkName: "Static Analysis + Unit + Integration"
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Check acceptance test results (linux)
+        uses: fountainhead/action-wait-for-check@v1
+        id: acceptance-linux
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml)
+          checkName: "Acceptance-Linux"
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Check acceptance test results (mac)
+        uses: fountainhead/action-wait-for-check@v1
+        id: acceptance-mac
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml)
+          checkName: "Acceptance-Mac"
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Quality gate
+        if: steps.sa-unit-int.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
+        run: |
+          echo "Static/Unit/Integration Status: ${{ steps.sa-unit-int.outputs.conclusion }}"
+          echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
+          echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
+          false
+
+  release:
+    runs-on: ubuntu-latest
+    steps:
+
+      # TODO: remove me after release
+      - name: Configure git for private modules
+        env:
+          TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }}
+        run: git config --global url."https://anchore:${TOKEN}@github.com".insteadOf "https://github.com"
+
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - uses: actions/checkout@v2
+
+      - name: Restore bootstrap cache
+        id: cache
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/go/pkg/mod
+            ${{ github.workspace }}/.tmp
+          key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('Makefile') }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('Makefile') }}-
+            ${{ runner.os }}-go-${{ env.GO_VERSION }}-
+
+      - name: Bootstrap dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: make ci-bootstrap
+
+      - name: Build snapshot artifacts
+        run: make release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: artifacts
+          path: dist

.gitignore

@@ -1,3 +1,5 @@
+/dist
+/snapshot
 .server/
 .vscode/
 *.tar

.goreleaser.yaml

@@ -0,0 +1,44 @@
+builds:
+  - binary: imgbom
+    env:
+      - CGO_ENABLED=0
+    goos:
+      # windows not supported yet (due to jotframe)
+      # - windows
+      - linux
+      - darwin
+    goarch:
+      - amd64
+    # Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    ldflags: |
+      -w
+      -s
+      -extldflags '-static'
+      -X github.com/anchore/imgbom/internal/version.version={{.Version}}
+      -X github.com/anchore/imgbom/internal/version.gitCommit={{.Commit}}
+      -X github.com/anchore/imgbom/internal/version.buildDate={{.Date}}
+      -X github.com/anchore/imgbom/internal/version.gitTreeState={{.Env.BUILD_GIT_TREE_STATE}}
+
+nfpms:
+  - license: "Apache 2.0"
+    maintainer: "Anchore, Inc"
+    homepage: &website "https://github.com/anchore/imgbom"
+    description: &description "A tool that generates a Software Bill Of Materials (SBOM) from container images and filesystems"
+    formats:
+      - rpm
+      - deb
+
+brews:
+  - tap:
+      owner: anchore
+      name: homebrew-imgbom
+    homepage: *website
+    description: *description
+
+archives:
+  - format: tar.gz
+    format_overrides:
+      - goos: windows
+        format: zip
+