From 056f8792b7f55690bf749f3a31ad06382ee3a898 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sun, 28 Aug 2022 20:53:38 +0200 Subject: [PATCH 1/3] release target with checksums Signed-off-by: CrazyMax --- .github/workflows/build.yml | 13 +++----- Dockerfile | 64 +++++++++++++++++++++++++------------ Makefile | 39 ++++++---------------- README.md | 2 +- docker-bake.hcl | 6 ++++ hack/git-meta | 16 ++++++++++ hack/release | 59 ++++++++++++++++++++++++++++++++++ 7 files changed, 138 insertions(+), 61 deletions(-) create mode 100755 hack/git-meta create mode 100755 hack/release diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 67a34510..cac543c0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -138,16 +138,11 @@ jobs: uses: docker/setup-buildx-action@v2 - name: Build - uses: docker/bake-action@v2 - with: - targets: binaries - set: | - *.cache-from=type=gha,scope=build - *.cache-to=type=gha,scope=build,mode=max - - - name: Move artifacts run: | - mv ${{ env.DESTDIR }}/**/* ${{ env.DESTDIR }}/ + make release + env: + CACHE_FROM: type=gha,scope=build + CACHE_TO: type=gha,scope=build,mode=max - name: Upload artifacts uses: actions/upload-artifact@v3 diff --git a/Dockerfile b/Dockerfile index 8137f385..13296a4b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -85,54 +85,76 @@ EOT FROM scratch AS test-coverage COPY --from=test /out / +FROM gobase AS version +RUN --mount=target=. \ + echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision + FROM base AS build-linux ARG PACKAGE -ARG TARGETOS -ARG TARGETARCH -ARG TARGETVARIANT RUN --mount=type=bind,target=. \ --mount=type=cache,target=/root/.cache \ - --mount=type=cache,target=/go/pkg/mod <" + exit 1 + ;; +esac diff --git a/hack/release b/hack/release new file mode 100755 index 00000000..aff1c646 --- /dev/null +++ b/hack/release 
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -e
+
+: "${BUILDX_CMD=docker buildx}"
+: "${DESTDIR=./bin/release}"
+: "${CACHE_FROM=}"
+: "${CACHE_TO=}"
+
+: "${SIGN=}"
+: "${PFX=}"
+: "${PFXPASSWORD=}"
+
+if [ -n "$CACHE_FROM" ]; then
+ for cfrom in $CACHE_FROM; do
+ cacheFlags+=(--set "*.cache-from=$cfrom")
+ done
+fi
+if [ -n "$CACHE_TO" ]; then
+ for cto in $CACHE_TO; do
+ cacheFlags+=(--set "*.cache-to=$cto")
+ done
+fi
+
+dockerpfx=$(mktemp -t dockercredhelper-pfx.XXXXXXXXXX)
+function clean {
+ rm -f "$dockerpfx"
+}
+trap clean EXIT
+
+# release
+(
+ set -x
+ ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release
+)
+
+# wrap binaries
+mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
+find ./${DESTDIR} -type d -empty -delete
+
+# sign binaries
+if [ -n "$SIGN" ]; then
+ for f in "${DESTDIR}"/*".darwin-"*; do
+ SIGNINGHASH=$(security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4)
+ xcrun -log codesign -s "$SIGNINGHASH" --force --verbose "$f"
+ xcrun codesign --verify --deep --strict --verbose=2 --display "$f"
+ done
+ for f in "${DESTDIR}"/*".windows-"*; do
+ echo ${PFX} | base64 -d > "$dockerpfx"
+ signtool sign /fd SHA256 /a /f pfx /p ${PFXPASSWORD} /d Docker /du https://www.docker.com /t http://timestamp.verisign.com/scripts/timestamp.dll "$f"
+ done
+fi
+
+# checksums
+(
+ cd ${DESTDIR}
+ sha256sum -b docker-credential-* > ./checksums.txt
+ sha256sum -c --strict checksums.txt
+)
From 214ecc1238194dc47ac3ba29b04db0caf83954f6 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sat, 27 Aug 2022 16:54:49 +0200 Subject: [PATCH 2/3] create GitHub Release on push tag with artifacts Signed-off-by: CrazyMax --- .github/workflows/build.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cac543c0..177be24d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
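Review bot: In the Windows signing loop the decoded certificate is written to `"$dockerpfx"`, but `signtool` is then called with `/f pfx`, so it appears to look for a file literally named `pfx` rather than the temp file just created. The call should start `signtool sign /fd SHA256 /a /f "$dockerpfx" /p "${PFXPASSWORD}"` with the remaining arguments unchanged; the quoting also keeps a password containing spaces or glob characters intact. Passing the password through `/p` puts it in the process argument list for the duration of the call, which deserves a comment if the signing host is shared. Separately, `checksums.txt` is generated and verified in the same step and published next to the binaries, so it detects corruption but not replacement of the release assets; a comment such as `# integrity check only: checksums.txt is unsigned and ships with the binaries` would keep consumers from over-trusting it.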
@@ -143,6 +143,14 @@ jobs: env: CACHE_FROM: type=gha,scope=build CACHE_TO: type=gha,scope=build,mode=max + - + name: List artifacts + run: | + tree -nh ${{ env.DESTDIR }} + - + name: Check artifacts + run: | + find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} + - name: Upload artifacts uses: actions/upload-artifact@v3 @@ -150,6 +158,15 @@ jobs: name: docker-credential-helpers path: ${{ env.DESTDIR }}/* if-no-files-found: error + - + name: GitHub Release + if: startsWith(github.ref, 'refs/tags/v') + uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + draft: true + files: ${{ env.DESTDIR }}/* build-deb: runs-on: ubuntu-20.04 From d4880decb1386f130d1cbddf5c39baac65c575ec Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sun, 28 Aug 2022 02:26:18 +0200 Subject: [PATCH 3/3] remove CHANGELOG Signed-off-by: CrazyMax --- CHANGELOG.md | 61 ---------------------------------------------------- 1 file changed, 61 deletions(-) delete mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md deleted file mode 100644 index 2a9aeffc..00000000 --- a/CHANGELOG.md +++ /dev/null 
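Review bot: The `GitHub Release` step in the second hunk hands `GITHUB_TOKEN` to a third-party action, but no `permissions:` block is visible here; the job definition starts outside the hunk, so it may already be set elsewhere. If it is not, scope the token at the job level with `permissions:` and `contents: write`, so the release step gets exactly what it needs and the build steps do not inherit broader repository defaults. Pinning `softprops/action-gh-release` to a full commit SHA is the stronger choice compared with the tag-pinned `docker/setup-buildx-action@v2` and `actions/upload-artifact@v3` in the same job; a trailing comment naming the tag that SHA corresponds to (for example `# <release-tag>`) would make later bumps reviewable.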
@@ -1,61 +0,0 @@
-# Changelog
-
-This changelog tracks the releases of docker-credential-helpers.
-This project includes different binaries per platform.
-The platform released is identified after the tag name.
-
-## v0.6.0 (Go client, Linux)
-
-- New credential helper on Linux using `pass`
-- New entry point for passing environment variables when calling a credential helper
-- Add a Makefile rule generating a Windows release binary
-
-### Note
-
-`pass` needs to be configured for `docker-credential-pass` to work properly.
-It must be initialized with a `gpg2` key ID. Make sure your GPG key exists is in `gpg2` keyring as `pass` uses `gpg2` instead of the regular `gpg`.
-
-## v0.5.2 (Mac OS X, Windows, Linux)
-
-- Add a `version` command to output the version
-- Fix storing URLs without scheme, and use `https://` by default
-
-## v0.5.1 (Go client, Mac OS X, Windows, Linux)
-
-- Redirect credential helpers' standard error to the caller's
-- Prevent invalid credentials and credentials queries
-
-## v0.5.0 (Mac OS X)
-
-- Add a label for Docker credentials and filter credentials lookup to filter keychain lookups
-
-## v0.4.2 (Mac OS X, Windows)
-
-- Fix osxkeychain list
-- macOS binary is now signed on release
-- Generate a `.exe` instead
-
-## v0.4.1 (Mac OS X)
-
-- Fixes to support older version of OSX (10.10, 10.11)
-
-## v0.4.0 (Go client, Mac OS X, Windows, Linux)
-
-- Full implementation for OSX ready
-- Fix some windows issues
-- Implement client.List, change list API
-- mac: delete credentials before adding them to avoid already exist error (fixes #37)
-
-## v0.3.0 (Go client)
-
-- Add Go client library to talk with the native programs.
-
-## v0.2.0 (Mac OS X, Windows, Linux)
-
-- Initial release of docker-credential-secretservice for Linux.
-- Use new secrets payload introduced in https://github.com/docker/docker/pull/20970.
-
-## v0.1.0 (Mac OS X, Windows)
-
-- Initial release of docker-credential-osxkeychain for Mac OS X.
-- Initial release of docker-credential-wincred for Microsoft Windows.