✨ Add bootstrap mechanism (#60)

* 🔧 Add syft

Used by goreleaser to generate SBOM

* ✨ Add bootstrap mechanism

* 🌱 Log (debug) tempdir

Let users verify that we clean up after ourselves.

.bindl-lock.yaml

@@ -219,3 +219,23 @@ programs:
       signature: https://github.com/goreleaser/goreleaser/releases/download/v{{ .Version }}/checksums.txt.sig
     target: '{{ .Name }}_{{ .OS }}_{{ .Arch }}.tar.gz'
   version: 1.7.0
+- checksums:
+    syft_0.43.2_darwin_amd64.tar.gz:
+      archive: 90953f7a116bbc5b57532778ce5d77782eec9fc9328da4f1127c1d00f70d9fb0
+      binary: 36ec338aaacf711bdf334c933c94989d07a75c568fe18b2973d040c72b37dc7b
+    syft_0.43.2_darwin_arm64.tar.gz:
+      archive: 18f8e73d74c336ca6b3ffbb34b2a7cd48127ebfac1a582bf1e00af1487ea0561
+      binary: 4f1f83d96d6b535a0ead8e2de48c5e6b68a720819fc5f6acba39347969c58ec4
+    syft_0.43.2_linux_amd64.tar.gz:
+      archive: 13f77a598bc8e38157332fa70bc4219ae0269bddee862fe9ad3e5bcf74e00805
+      binary: d872b7b2f70c3bcc5b2d15d8e102794107f5359aef738dd5db458acb8fe77f9e
+    syft_0.43.2_linux_arm64.tar.gz:
+      archive: 8ced32df0e4c382b64bea3a30e23f281299528b82cbb2e54db98823d68439a48
+      binary: 9e2ab49e70d1bc5b6279448b31dc349b1bfc1f0ee2111da6cbe0f40490290783
+  name: syft
+  paths:
+    base: https://github.com/anchore/syft/releases/download/v{{ .Version }}/
+    checksums:
+      artifact: https://github.com/anchore/syft/releases/download/v{{ .Version }}/{{ .Name }}_{{ .Version }}_checksums.txt
+    target: '{{ .Name }}_{{ .Version }}_{{ .OS }}_{{ .Arch }}.tar.gz'
+  version: 0.43.2

.goreleaser.yaml

@@ -33,6 +33,10 @@ archives:
       linux: Linux
       386: i386
       amd64: x86_64
+    # Naming modification from default:
+    # - Use dash '-' instead of underscore '_' for better visibility in x86_64 scenario
+    # - Remove version from name to simplify bootstrapping
+    name_template: '{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}-{{ . }}{{ end }}{{ if eq .Amd64 "v3" }}v3{{ end }}'
 release:
   prerelease: auto
 checksum:

bindl.yaml

@@ -24,6 +24,25 @@ programs:
         artifact: "{{ .Name }}_checksums.txt"
         certificate: "{{ .Name }}_checksums.txt-keyless.pem"
         signature: "{{ .Name }}_checksums.txt-keyless.sig"
+  - name: goreleaser
+    version: 1.7.0
+    provider: github
+    overlay: *uname
+    paths:
+      base: goreleaser/goreleaser
+      target: "{{ .Name }}_{{ .OS }}_{{ .Arch }}.tar.gz"
+      checksums:
+        artifact: checksums.txt
+        certificate: checksums.txt.pem
+        signature: checksums.txt.sig
+  - name: syft
+    version: 0.43.2
+    provider: github
+    paths:
+      base: anchore/syft
+      target: "{{ .Name }}_{{ .Version }}_{{ .OS }}_{{ .Arch }}.tar.gz"
+      checksums:
+        artifact: "{{ .Name }}_{{ .Version }}_checksums.txt"
   - name: addlicense
     version: 1.0.0
     provider: github
@@ -37,17 +56,6 @@ programs:
       target: "{{ .Name }}_{{ .Version }}_{{ .OS }}_{{ .Arch }}.tar.gz"
       checksums:
         artifact: checksums.txt
-  - name: goreleaser
-    version: 1.7.0
-    provider: github
-    overlay: *uname
-    paths:
-      base: goreleaser/goreleaser
-      target: "{{ .Name }}_{{ .OS }}_{{ .Arch }}.tar.gz"
-      checksums:
-        artifact: checksums.txt
-        certificate: checksums.txt.pem
-        signature: checksums.txt.sig
   - name: golangci-lint
     # LINT: Match with version in .golangci.yaml and .github/workflows/go.yaml
     version: 1.45.2

bootstrap.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+OS="$(uname -s)"
+ARCH="$(uname -m)"
+
+PROGRAM_NAME="archy"
+REPOSITORY="xargs-dev/${PROGRAM_NAME}"
+
+WORKDIR="$(mktemp -d /tmp/bindl-bootstrap-XXXXX)"
+
+ARCHIVE="${PROGRAM_NAME}_0.1.2_${OS}_${ARCH}.tar.gz"
+
+function log() {
+  echo -e "[\e[1;34mbootstrap\e[0m] $1"
+}
+
+function prompt() {
+  read -p "Proceed? (y/N) " answer
+  if [ $answer != "y" ]; then
+    echo "Aborted: only 'y' is accepted answer to continue (received '${answer}')"
+    exit 1
+  fi
+}
+
+log "Hello! The sole purpose of my existence is to bootstrap bindl."
+log "I have found myself in ${ARCH} machine running ${OS}."
+log "I expect the archive to be named ${ARCHIVE}."
+
+prompt
+
+log "Working in ${WORKDIR}"
+pushd "${WORKDIR}" >/dev/null
+  log "Downloading (1/2): checksums.txt"
+  curl --silent --location --remote-name "https://github.com/${REPOSITORY}/releases/latest/download/checksums.txt"
+
+  log "Downloading (2/2): ${ARCHIVE}"
+  curl --silent --location --remote-name "https://github.com/${REPOSITORY}/releases/latest/download/${ARCHIVE}"
+
+  log "Verifying checksums"
+  shasum --algorithm 256 --check checksums.txt --ignore-missing
+
+  tar -xzf ${ARCHIVE} ${PROGRAM_NAME}
+
+  log "Printing program version"
+  ./${PROGRAM_NAME} version
+popd >/dev/null
+
+trap "rm -r ${WORKDIR}" EXIT
+
+mv ${WORKDIR}/${PROGRAM_NAME} .
+log "Done! The binary is in current working directory."
+log "Move them to a directory accessible in PATH to start using seamlessly."

program/cosign.go

@@ -85,6 +85,7 @@ func (c *CosignBundle) VerifySignature(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("creating cosign workspace: %w", err)
 	}
+	internal.Log().Debug().Str("dir", dir).Msg("cosign workspace")
 	artifactPath := filepath.Join(dir, "artifact")
 	if err := os.WriteFile(artifactPath, []byte(c.Artifact), 0666); err != nil {
 		return fmt.Errorf("creating artifact file: %w", err)
@@ -114,7 +115,10 @@ func (c *CosignBundle) VerifySignature(ctx context.Context) error {
 	err = cmd.Run()
 	if err == nil {
 		internal.Log().Debug().Str("cosign", strings.TrimSpace(stderr.String())).Send()
-		os.RemoveAll(dir)
+		err = os.RemoveAll(dir)
+		if err != nil {
+			internal.Log().Debug().Str("dir", dir).Err(err).Msg("remove cosign verification workspace")
+		}
 		return nil
 	}