Add goreleaser, sboms, slsa3, sigstore and homebrew support #1315

Merged: 4 commits, Oct 30, 2023

@rdimitrov rdimitrov commented Oct 28, 2023

The following PR covers the following changes.

Adds

  • Introduces GoReleaser
  • Builds and releases medic binaries for [linux, windows, darwin] and [amd64, arm64]
  • Binaries are released as archived binaries (prev. plain binaries). For some reason setting the format to binaries made the SBOMs disappear from the released files.
  • Generate SLSA3 provenance for each released version (keyless)
  • Verify the SLSA3 provenance for each released version (Fixes an issue actually in the current action which only verifies one of the versions)
  • Generate SBOMs for each released version using Syft
  • Sign each released version using cosign (keyless)
  • Publish a homebrew formula so we can install medic through `brew install stacklok/tap/medic`. (note: adding a formula to the homebrew-core tap is for post-MVP)

Removes

  • Removed the existing slsa-go-releaser action which was used to build and release medic and also generate provenance

Unchanged

  • Kept the same trigger conditions for the release process - on release created event

Blocking

Fixes: #1249
Fixes: #1250

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov rdimitrov self-assigned this Oct 28, 2023
@rdimitrov rdimitrov added the github_actions Pull requests that update GitHub Actions code label Oct 28, 2023
@rdimitrov
Member Author

FYI - In case you want to see this in action, I've implemented that first for another project as a proof-of-concept - https://github.com/rdimitrov/tuf-client-cli/actions/runs/6679372755

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@lukehinds lukehinds merged commit 7fa1be1 into mindersec:main Oct 30, 2023
12 checks passed
@lukehinds lukehinds deleted the brew branch October 30, 2023 14:47
Development

Successfully merging this pull request may close these issues.

  • releases: automate publishing for macos/home-brew
  • releases: publish for macos/home-brew