Revamp release automation #1250

hiddeco · 2023-07-11T21:36:08Z

This pull request changes the release automation so that it uses GoReleaser.

The configuration for GoReleaser is in the file .goreleaser.yaml. The configuration for the GitHub Actions workflow is in the file release.yml.

This configuration is quite sophisticated, and ensures at least the following:

The release is built for multiple platforms and architectures, including Linux, macOS, and Windows, and for both AMD64 and ARM64.
The release includes multiple packages in Debian and RPM formats.
For every binary, a corresponding SBOM is generated and published.
For all binaries, a checksums file is generated and signed using Cosign with GitHub OIDC.
Both Debian and Alpine Docker multi-arch images are built and pushed to GitHub Container Registry and Quay.io.
The container images are signed using Cosign with GitHub OIDC.
SLSA provenance metadata is generated for release artifacts and container images.

⚠️ Notable changes

The previous Dockerfile and Dockerfile.alpine have been removed in favor of Dockerfiles specifically crafted for GoReleaser in .release/. These Dockerfiles need a specially crafted build context (with pretty much just the binary in it), and do not work using a normal docker build ....
While the release artifacts have the intention to be as backwards compatible as possible in terms of file names, etc. Your mileage may vary here, more specifically the .rpm and .deb artifacts.
The .darwin artifact is now a "fat binary".

👀 Preview (on fork)

https://github.com/hiddeco/sops/releases/tag/v3.8.0-rc.38

🧑‍🏭 Preview workflow (on fork)

🖥️ Testing locally

Run make release-snapshot and view dist/ contents.

hiddeco · 2023-08-09T00:05:09Z

@getsops/maintainers this is ready for an early review. I need to update the PR message to include all details, but also really need to catch some sleep at the moment.

The thing to focus on in the preview is the file formats of the artifacts, in comparison to https://github.com/getsops/sops/releases/tag/v3.7.3. Most of them should be fully backwards compatible (the binaries), but for the package formats I have reached the absolute limits of what I deemed possible.

In addition, it includes all the niceness of a checksum file signed with Cosign, SBOMs for the binaries (but not containers, which include a 1:1 copy of the binary — we can add this later), and SLSA provenance for all artifacts uploaded to GitHub and the container images themselves.

To get an idea of the changelog which would normally be included, run:

gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/getsops/sops/releases/generate-notes \
  -f tag_name='v3.8.0' \
  -f target_commitish='main' \
  -f previous_tag_name='v3.7.2' | jq -r .body

Based on the output, I think the current header configuration actually should move to footer.

This adds the base for releasing using GoReleaser going forward in a backwards compatible manner, which means: - Publishing of artifacts in the same formats as previous releases - Publishing of RPM and deb artifacts in the same formats as previous releases (although the metadata may need a bit of tweaking) In addition, it includes: - SBOM inclusion per binary artifact It still needs work around: - Artifact signing - SLSA compliance - Docker images - GitHub release - Changelog generation - GitHub Action workflow Signed-off-by: Hidde Beydals <hidde@hhh.computer>

GoReleaser requires specifically crafted Dockerfiles as the build context is dynamically constructed. For more information, refer to https://goreleaser.com/errors/docker-build/#do and other documentation around Docker image templates and manifests. Signed-off-by: Hidde Beydals <hidde@hhh.computer>