Skip to content

Commit

Permalink
Add goreleaser, sboms, slsa3, sigstore and homebrew support (#1315)
Browse files Browse the repository at this point in the history
* add goreleaser, sboms, slsa3, sigstore and homebrew support

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

* fix env vars for ldflags

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

* use commit date for ldflags

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

* allow slsa generator to run for private repo

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

---------

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
  • Loading branch information
rdimitrov authored Oct 30, 2023
1 parent 973f103 commit 7fa1be1
Show file tree
Hide file tree
Showing 9 changed files with 236 additions and 281 deletions.
154 changes: 154 additions & 0 deletions .github/workflows/releaser.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
#
# Copyright 2023 Stacklok, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This workflow compiles your mediator server and medic using a SLSA3 compliant
# build and then verifies the provenance of the built artifacts.
# It releases the following architectures: amd64, arm64, and armv7 on Linux,
# Windows, and macOS.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.

name: Release
on:
workflow_dispatch:
release:
types: [created]

permissions:
contents: write

jobs:
ldflags_args:
runs-on: ubuntu-latest
outputs:
commit-date: ${{ steps.ldflags.outputs.commit-date }}
commit: ${{ steps.ldflags.outputs.commit }}
version: ${{ steps.ldflags.outputs.version }}
tree-state: ${{ steps.ldflags.outputs.tree-state }}
steps:
- id: checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- id: ldflags
run: |
echo "::set-output name=commit-date::$(git log --date=iso8601-strict -1 --pretty=%ct)"
echo "::set-output name=commit::$GITHUB_SHA"
echo "::set-output name=version::$(git describe --tags --always --dirty | cut -c2-)"
echo "::set-output name=tree-state::$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)"
release:
name: Build and release
needs:
- ldflags_args
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
permissions:
contents: write # To add assets to a release.
id-token: write # To do keyless signing with cosign
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version-file: 'go.mod'
- name: Install Syft
uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
- name: Install Cosign
uses: sigstore/cosign-installer@v3.1.1
with:
cosign-release: 'v2.1.1'
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
VERSION: ${{ needs.ldflags_args.outputs.version }}
COMMIT: ${{ needs.ldflags_args.outputs.commit }}
COMMIT_DATE: ${{ needs.ldflags_args.outputs.commit-date }}
TREE_STATE: ${{ needs.ldflags_args.outputs.tree-state }}

- name: Generate subject
id: hash
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
provenance:
name: Generate provenance (SLSA3)
needs:
- release
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
with:
base64-subjects: "${{ needs.release.outputs.hashes }}"
upload-assets: true # upload to a new release
private-repository: true # remove this line after going public
verification:
name: Verify provenance of assets (SLSA3)
needs:
- release
- provenance
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the SLSA verifier
uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0
- name: Download assets
env:
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CHECKSUMS: "${{ needs.release.outputs.hashes }}"
ATT_FILE_NAME: "${{ needs.provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Downloading $fn"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$fn"
done <<<"$checksums"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
- name: Verify assets
env:
CHECKSUMS: "${{ needs.release.outputs.hashes }}"
PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying SLSA provenance for $fn"
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done <<<"$checksums"
94 changes: 0 additions & 94 deletions .github/workflows/slsa-go-releaser.yml

This file was deleted.

82 changes: 82 additions & 0 deletions .goreleaser.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
# This is an example .goreleaser.yml file with some sensible defaults.
# Make sure to check the documentation at https://goreleaser.com

# The lines bellow are called `modelines`. See `:help modeline`
# Feel free to remove those if you don't want/need to use them.
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
# vim: set ts=2 sw=2 tw=0 fo=cnqoj
project_name: medic
before:
hooks:
- go mod tidy
- go generate ./...
# This section defines the build matrix.
builds:
- env:
- GO111MODULE=on
- CGO_ENABLED=0
flags:
- -trimpath
- -tags=netgo
ldflags:
- "-X main.Version={{ .Env.VERSION }}"
- "-X main.Commit={{ .Env.COMMIT }}"
- "-X main.CommitDate={{ .Env.COMMIT_DATE }}"
- "-X main.TreeState={{ .Env.TREE_STATE }}"
goos:
- linux
- windows
- darwin
goarch:
- amd64
- arm64
main: ./cmd/cli
# This section defines the release format.
archives:
- format: tar.gz # we can use binary, but it seems there's an issue where goreleaser skips the sboms
name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}" # "{{ .Binary }}-{{ .Os }}-{{ .Arch }}"
format_overrides:
- goos: windows
format: zip
# This section defines how to release to homebrew.
brews:
- homepage: 'https://github.com/stacklok/mediator'
description: 'Medic is the client CLI for interacting with Mediator by Stacklok.'
folder: Formula
commit_author:
name: 'Stacklok, Inc.'
email: contact@stacklok.com
repository:
owner: stacklok
name: homebrew-tap
token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
test: |
system "#{bin}/medic --help"
# This section defines whether we want to release the source code too.
source:
enabled: true
# This section defines how to generate the changelog
changelog:
sort: asc
use: github
# This section defines for which artifact types to generate SBOMs.
sboms:
- artifacts: archive
# This section defines the release policy.
release:
# If set to auto, will mark the release as not ready for production
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
prerelease: auto
github:
owner: stacklok
name: mediator
# This section defines how and which artifacts we want to sign for the release.
signs:
- cmd: cosign
args:
- "sign-blob"
- "--output-signature=${signature}"
- "${artifact}"
- "--yes" # needed on cosign 2.0.0+
artifacts: archive
output: true
31 changes: 0 additions & 31 deletions .slsa-goreleaser/darwin-amd64.yml

This file was deleted.

31 changes: 0 additions & 31 deletions .slsa-goreleaser/darwin-arm64.yml

This file was deleted.

Loading

0 comments on commit 7fa1be1

Please sign in to comment.