diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index d1a2160c8..000000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
- test:
- strategy:
- matrix:
- go-version: [1.16.x, 1.17.x]
- os: [ubuntu-latest, macos-latest]
- runs-on: ${{ matrix.os }}
- steps:
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Setup Python
- uses: actions/setup-python@v2
- with:
- python-version: 3.6
- - name: Checkout code
- uses: actions/checkout@v2
- - name: Install Python dependencies
- run: |
- python -m pip install --upgrade iso8601 requests securesystemslib six tuf
- - name: Format Unix
- if: runner.os == 'Linux'
- run: test -z $(go fmt ./...)
- - name: Test
- run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
- - name: Send coverage
- if: runner.os == 'Linux'
- env:
- COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- GO111MODULE=off go get github.com/mattn/goveralls
- $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
- - name: Vet
- run: go vet ./...
- - name: Install staticcheck
- run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
- - name: Run staticcheck
- run: staticcheck ./...
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
new file mode 100644
index 000000000..a00555a39
--- /dev/null
+++ b/.github/workflows/goreleaser.yaml
@@ -0,0 +1,101 @@
+on: [push, pull_request]
+name: goreleaser
+jobs:
+ test:
+ strategy:
+ matrix:
+ go-version: [1.16.x, 1.17.x]
+ os: [ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ matrix.go-version }}
+ - name: Setup Python
+ uses: actions/setup-python@v2
+ with:
+ python-version: 3.6
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Install Python dependencies
+ run: |
+ python -m pip install --upgrade iso8601 requests securesystemslib six tuf
+ - name: Format Unix
+ if: runner.os == 'Linux'
+ run: test -z $(go fmt ./...)
+ - name: Test
+ run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
+ - name: Send coverage
+ if: runner.os == 'Linux'
+ env:
+ COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ GO111MODULE=off go get github.com/mattn/goveralls
+ $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+ - name: Vet
+ run: go vet ./...
+ - name: Install staticcheck
+ run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
+ - name: Run staticcheck
+ run: staticcheck ./...
+ release-server:
+ permissions:
+ id-token: write
+ contents: write
+ runs-on: ubuntu-latest
+ needs: test
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.17
+ - name: install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.4.1'
+ - uses: anchore/sbom-action/download-syft@v0.6.0
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ distribution: goreleaser
+ version: 'v1.2.5'
+ args: release --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COSIGN_EXPERIMENTAL: 1
+ release-cli:
+ permissions:
+ id-token: write
+ contents: write
+ runs-on: ubuntu-latest
+ needs: test
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.17
+ - name: install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.4.1'
+ - uses: anchore/sbom-action/download-syft@v0.6.0
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ distribution: goreleaser
+ version: 'v1.2.5'
+ args: release --config ./.goreleaser_client.yaml --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 000000000..ee4e32572
--- /dev/null
+++ b/.goreleaser.yaml
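Review bot: In `.github/workflows/goreleaser.yaml`, both `release-server` and `release-cli` install cosign with `uses: sigstore/cosign-installer@main`, a mutable branch reference, inside jobs that hold `id-token: write` and `contents: write`, so whatever lands on that branch runs with the workflow's OIDC signing identity and the ability to publish release assets. Pin it to a reviewed commit, e.g. `uses: sigstore/cosign-installer@<full-commit-sha>  # <release tag>`, and consider the same for the tag-pinned actions in these two jobs (`actions/checkout@v2`, `actions/setup-go@v2`, `goreleaser/goreleaser-action@v2`, `anchore/sbom-action/download-syft@v0.6.0`). The release gate `contains(github.ref, 'refs/tags/')` is also looser than intended, because it matches that substring anywhere in the ref rather than only at the start of a tag ref; `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')` states the intent exactly and applies to both jobs.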
@@ -0,0 +1,29 @@
+project_name: tuf
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ - "GOFLAGS=-mod=readonly -trimpath"
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ main: ./cmd/tuf/
+sboms:
+ - artifacts: archive
+ - id: source
+ artifacts: source
+source:
+ enabled: true
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
+ artifacts: all
\ No newline at end of file
diff --git a/.goreleaser_client.yaml b/.goreleaser_client.yaml
new file mode 100644
index 000000000..cab0b3423
--- /dev/null
+++ b/.goreleaser_client.yaml
@@ -0,0 +1,25 @@
+project_name: tuf-client
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ - "GOFLAGS=-mod=readonly -trimpath"
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ main: ./cmd/tuf-client/
+sboms:
+ - artifacts: archive
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
+ artifacts: all
\ No newline at end of file
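Review bot: The hardening entries in `builds[].ldflags` of `.goreleaser.yaml` (and the identical block in `.goreleaser_client.yaml`) very likely have no effect: `-extldflags` is only passed on to an external linker, and with `CGO_ENABLED=0` the Go toolchain normally links internally, so `-zrelro` and `-znow` never reach a linker. The flag is also given twice, and as far as I know the Go linker keeps only the last `-extldflags` value, so even under external linking only `-znow` would apply. Either drop the two entries and leave a comment such as `# pure-Go build with CGO_ENABLED=0: internal linker, -extldflags not used`, or, if RELRO/BIND_NOW is a release requirement, merge them into a single entry and have CI check the built Linux binary with `readelf`. Separately, `signs` with `artifacts: all` emits a keyless signature and certificate per artifact, and nothing in this change records which certificate identity and issuer consumers should verify against; a short comment above `signs:` or a README section would close that gap.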