diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 81f10c4..c60e347 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -18,13 +18,8 @@ jobs: packages: write # needed for pushing the images to ghcr.io env: - GO111MODULE: on COSIGN_YES: "true" - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - tag_name: ${{ steps.tag.outputs.tag_name }} - steps: - name: Check out code onto GOPATH uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -37,13 +32,10 @@ jobs: - name: Install cosign uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0 - - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - with: - version: v0.14.1 + - name: Install bom + uses: puerco/release-actions/setup-bom@dd08496c83441d6477114cc0555b96d404dacff7 # v0.1.2 - - name: Get TAG - id: get_tag - run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - name: Set LDFLAGS id: ldflags @@ -52,11 +44,7 @@ jobs: goflags=$(ldflags) echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV" - - name: Log into ghcr.io - run: echo ${{ secrets.GITHUB_TOKEN }} | ko login ghcr.io -u ${{ github.repository_owner }} --password-stdin - - name: Run GoReleaser - id: run-goreleaser uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest @@ -65,31 +53,45 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} LDFLAGS: ${{ env.GO_FLAGS }} - - name: Generate subject - id: hash - env: - ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" + - name: Log into ghcr.io + run: echo ${{ secrets.GITHUB_TOKEN }} | ko login ghcr.io -u ${{ github.repository_owner }} --password-stdin - name: build images run: make build-sign-release-images || true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - provenance: + attestation: + runs-on: ubuntu-latest + + permissions: + id-token: write + contents: write + needs: - release - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. - - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 - with: - base64-subjects: "${{ needs.release.outputs.hashes }}" - upload-assets: true # upload to a new release - upload-tag-name: "${{ needs.release.outputs.tag_name }}" + steps: + - name: Check out code onto GOPATH + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 1 + + - name: Set tag output + id: tag + run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" + + - name: Install tejolote + uses: puerco/release-actions/setup-tejolote@dd08496c83441d6477114cc0555b96d404dacff7 # v0.1.2 + + - run: | + tejolote attest --artifacts github://openvex/vexctl/${{ steps.tag.outputs.tag_name }} github://openvex/vexctl/"${GITHUB_RUN_ID}" --output vexctl.intoto.json --sign + + - name: Release + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 + with: + files: vexctl.intoto.json + tag_name: "${{ steps.tag.outputs.tag_name }}" + token: ${{ secrets.GITHUB_TOKEN }} + env: + GITHUB_REPOSITORY: openvex/vexctl diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml new file mode 100644 index 0000000..2b9057d --- /dev/null +++ b/.github/workflows/snapshot.yaml @@ -0,0 +1,38 @@ +# Copyright 2023 The OpenVEX Authors +# SPDX-License-Identifier: Apache-2.0 + +name: Snapshot + +on: + push: + branches: + - 'main' + pull_request: + +jobs: + snapshot: + runs-on: ubuntu-latest + + steps: + - name: Check out code onto GOPATH + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: '1.21' + check-latest: true + + - name: Install GoReleaser + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 + with: + install-only: true + + - name: Install bom + uses: puerco/release-actions/setup-bom@dd08496c83441d6477114cc0555b96d404dacff7 # v0.1.2 + + - name: Run Snapshot + run: make snapshot + + - name: check binary + run: | + ./dist/vexctl-linux-amd64 version diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml index 251d7f8..9e6f778 100644 --- a/.github/workflows/verify.yaml +++ b/.github/workflows/verify.yaml @@ -25,5 +25,5 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: - version: v1.54 + version: v1.55 args: --timeout=5m diff --git a/.goreleaser.yaml b/.goreleaser.yaml index c1da43c..3386c7f 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -1,4 +1,7 @@ -project_name: vex +# Copyright 2023 The OpenVEX Authors +# SPDX-License-Identifier: Apache-2.0 + +project_name: vexctl env: - GO111MODULE=on @@ -47,25 +50,35 @@ builds: - CGO_ENABLED=0 signs: - # Keyless - - id: binary-keyless + - id: vexctl-keyless signature: "${artifact}.sig" certificate: "${artifact}.pem" cmd: cosign args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"] - artifacts: binary - - id: checksum-keyless - signature: "${artifact}.sig" - certificate: "${artifact}.pem" - cmd: cosign - args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"] - artifacts: checksum + artifacts: all archives: - format: binary name_template: "{{ .Binary }}" allow_different_binary_count: true +sboms: + - id: vexctl + cmd: bom + args: + - generate + - "--output" + - "vexctl-bom.json.spdx" + - "-d" + - "../" + - "-c" + - "../.vexctl-bom-config.yaml" + - "--format" + - "json" + artifacts: any + documents: + - "vexctl-bom.json.spdx" + checksum: name_template: "{{ .ProjectName }}_checksums.txt" @@ -74,3 +87,6 @@ snapshot: release: prerelease: auto + +changelog: + use: github-native diff --git a/.vexctl-bom-config.yaml b/.vexctl-bom-config.yaml new file mode 100644 index 0000000..7d73636 --- /dev/null +++ b/.vexctl-bom-config.yaml @@ -0,0 +1,51 @@ +# Copyright 2023 The OpenVEX Authors +# SPDX-License-Identifier: Apache-2.0 + +--- +namespace: https://openvex/vexctl +license: Apache-2.0 +name: vexctl +creator: + person: The OpenVEX Authors + tool: vexctl + +artifacts: + - type: file + source: vexctl-windows-amd64.exe + license: Apache-2.0 + gomodules: true + + - type: file + source: vexctl-darwin-amd64 + license: Apache-2.0 + gomodules: true + + - type: file + source: vexctl-darwin-arm64 + license: Apache-2.0 + gomodules: true + + - type: file + source: vexctl-linux-amd64 + license: Apache-2.0 + gomodules: true + + - type: file + source: vexctl-linux-arm + license: Apache-2.0 + gomodules: true + + - type: file + source: vexctl-linux-arm64 + license: Apache-2.0 + gomodules: true + + - type: file + source: vexctl-linux-ppc64le + license: Apache-2.0 + gomodules: true + + - type: file + source: vexctl-linux-s390x + license: Apache-2.0 + gomodules: true diff --git a/Makefile b/Makefile index 2198979..94a57c5 100644 --- a/Makefile +++ b/Makefile @@ -46,11 +46,11 @@ test: .PHONY: release release: - LDFLAGS="$(LDFLAGS)" goreleaser release --rm-dist --timeout 120m + LDFLAGS="$(LDFLAGS)" goreleaser release --clean --timeout 120m .PHONY: snapshot snapshot: - LDFLAGS="$(LDFLAGS)" goreleaser release --rm-dist --snapshot --skip-sign --skip-publish --timeout 120m + LDFLAGS="$(LDFLAGS)" goreleaser release --clean --snapshot --skip=sign,publish --timeout 120m .PHONY: ko ko: