use goreleaser for ci and start release process (#11)

Author: verbanicm

.github/workflows/ci.yml

@@ -27,12 +27,13 @@ env:
   WIF_PROVIDER: 'projects/138221849759/locations/global/workloadIdentityPools/github-pool-ac8f/providers/github-provider'
   WIF_SERVICE_ACCOUNT: 'github-metrics-ac8f-ci-sa@github-metrics-ci.iam.gserviceaccount.com'
   DOCKER_REGISTRY: 'us-docker.pkg.dev'
-  DOCKER_TAG: '${{ github.sha }}'
   DOCKER_REPO: 'us-docker.pkg.dev/github-metrics-ci/ci-images'
+  DOCKER_TAG: '${{ github.sha }}'
   INTEGRATION_PROJECT_ID: 'github-metrics-ci'
   INTEGRATION_DATESET_ID: 'github-metrics'
   INTEGRATION_REGION: 'us-central1'
   INTEGRATION_SERVICE_NAME: 'github-metrics-webhook-8ecc'
+  INTEGRATION_SERVICE_AUDIENCE: 'https://github-metrics-webhook-8ecc-fghj6lcama-uc.a.run.app'
 
 concurrency:
   group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
@@ -64,7 +65,7 @@ jobs:
     steps:
       - run: 'echo prechecks complete'
 
-  # Build the main github-metrics-aggregator-server and push to artifact registry
+  # Build github-metrics-aggregator-server and push to artifact registry
   build:
     runs-on: 'ubuntu-latest'
     needs:
@@ -75,6 +76,10 @@ jobs:
     steps:
       - name: 'Checkout'
         uses: 'actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c' # ratchet:actions/checkout@v3
+      - name: 'Setup Go'
+        uses: 'actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568' # ratchet:actions/setup-go@v3
+        with:
+          go-version: '1.19'
       - id: 'auth'
         name: 'Authenticate to Google Cloud'
         uses: 'google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d' # ratchet:google-github-actions/auth@v1
@@ -88,14 +93,19 @@ jobs:
           username: 'oauth2accesstoken'
           password: '${{ steps.auth.outputs.access_token }}'
           registry: '${{ env.DOCKER_REGISTRY }}'
-      - name: 'Build the main server container and push to the registry'
-        uses: 'docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5' # ratchet:docker/build-push-action@v3
+      # goreleaser requires a tag to publish images to container registry.
+      # We create a local tag to make it happy.
+      - run: |-
+          git config user.name "${GITHUB_ACTOR}"
+          git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+          git tag -f `date "+%Y%m%d%H%M%S"`
+      - name: 'Build the server container and push to the registry with goreleaser'
+        uses: 'goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757' # ratchet:goreleaser/goreleaser-action@v3
         with:
-          push: true
-          tags: '${{ env.DOCKER_REPO }}/github-metrics-aggregator-server:${{ env.DOCKER_TAG }}'
-          file: 'Dockerfile'
+          version: 'v1.12.3' # Manually pinned
+          args: 'release -f .goreleaser.docker.yaml --rm-dist --skip-validate'
 
-  integration:
+  deployment:
     runs-on: 'ubuntu-latest'
     needs:
       - 'build'
@@ -111,8 +121,6 @@ jobs:
         with:
           workload_identity_provider: '${{ env.WIF_PROVIDER }}'
           service_account: '${{ env.WIF_SERVICE_ACCOUNT }}'
-          token_format: 'id_token'
-          id_token_audience: 'https://github-metrics-webhook-8ecc-fghj6lcama-uc.a.run.app'
       - name: 'Setup gcloud'
         uses: 'google-github-actions/setup-gcloud@d51b5346f85640ec2aa2fa057354d2b82c2fcbce' # ratchet:google-github-actions/setup-gcloud@v1
       - name: 'Deploy to Cloud Run'
@@ -121,7 +129,27 @@ jobs:
             --project="${{ env.INTEGRATION_PROJECT_ID }}" \
             --region="${{ env.INTEGRATION_REGION }}" \
             --image="${{ env.DOCKER_REPO }}/github-metrics-aggregator-server:${{ env.DOCKER_TAG }}"
-      - uses: 'actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568' # ratchet:actions/setup-go@v3
+
+  integration:
+    runs-on: 'ubuntu-latest'
+    needs:
+      - 'deployment'
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c' # ratchet:actions/checkout@v3
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d' # ratchet:google-github-actions/auth@v1
+        with:
+          workload_identity_provider: '${{ env.WIF_PROVIDER }}'
+          service_account: '${{ env.WIF_SERVICE_ACCOUNT }}'
+          token_format: 'id_token'
+          id_token_audience: '${{ env.INTEGRATION_SERVICE_AUDIENCE }}'
+      - name: 'Setup Go'
+        uses: 'actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568' # ratchet:actions/setup-go@v3
         with:
           go-version: '1.19'
       - name: 'Run integration tests'
@@ -133,5 +161,4 @@ jobs:
           GITHUB_WEBHOOK_SECRET: '${{ secrets.INTEGRATION_WEBHOOK_SECRET }}'
           ENDPOINT_URL: 'https://github-metrics-ci.tycho.joonix.net/webhook'
         run: |-
-          go test github.com/abcxyz/github-metrics-aggregator/integration \
-            -timeout=15m
+          go test github.com/abcxyz/github-metrics-aggregator/integration -timeout=15m

.github/workflows/cleanup.yml

@@ -1,3 +1,17 @@
+# Copyright 2023 The Authors (see AUTHORS file)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 name: 'cleanup'
 
 on:
@@ -21,8 +35,7 @@ permissions:
 
 jobs:
   # cleanup_cloudrun_revisions deletes all Cloud Run revisions for the given service
-  # that are more than 5 hours old, since sometimes services are not deleted during
-  # integration tests.
+  # that are more than 5 hours old
   cleanup_cloudrun_revisions:
     runs-on: 'ubuntu-latest'
     steps:
@@ -32,7 +45,7 @@ jobs:
           workload_identity_provider: '${{ env.WIF_PROVIDER }}'
           service_account: '${{ env.WIF_SERVICE_ACCOUNT }}'
       - uses: 'google-github-actions/setup-gcloud@ee9693ff89cdf73862b8a13988f6a71070e8fc58' # ratchet:google-github-actions/setup-gcloud@v1
-      - name: 'Remove old Cloud Run services'
+      - name: 'Remove old Cloud Run revisions'
         shell: 'bash'
         run: |-
           gcloud config set core/project "${{ env.INTEGRATION_PROJECT_ID }}"

.github/workflows/release.yml

@@ -0,0 +1,60 @@
+# Copyright 2023 The Authors (see AUTHORS file)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: 'release'
+
+on:
+  push:
+    tags:
+      - 'v*'
+env:
+  SOURCE_DOCKER_IMAGE: 'us-docker.pkg.dev/github-metrics-ci/ci-images/github-metrics-aggregator-server:${{ github.sha }}'
+  DEST_DOCKER_REPO: 'us-docker.pkg.dev/abcxyz-artifacts/docker-images/github-metrics-aggregator-server:${{ github.ref_name }}'
+  WIF_PROVIDER: 'projects/138221849759/locations/global/workloadIdentityPools/github-pool-ac8f/providers/github-provider'
+  WIF_SERVICE_ACCOUNT: 'github-metrics-ac8f-ci-sa@github-metrics-ci.iam.gserviceaccount.com'
+
+# Don't cancel in progress since we don't want to have half-baked releases.
+concurrency: '${{ github.workflow }}-${{ github.head_ref || github.ref }}-release'
+
+jobs:
+  image-release:
+    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - name: 'Setup QEMU'
+        uses: 'docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18' # ratchet:docker/setup-qemu-action@v2
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@c4799db9111fba4461e9f9da8732e5057b394f72' # ratchet:google-github-actions/auth@v0
+        with:
+          workload_identity_provider: '${{ env.WIF_PROVIDER }}'
+          service_account: '${{ env.WIF_SERVICE_ACCOUNT }}'
+          token_format: 'access_token'
+      - name: 'Authenticate to Artifact Registry'
+        uses: 'docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a' # ratchet:docker/login-action@v2
+        with:
+          username: 'oauth2accesstoken'
+          password: '${{ steps.auth.outputs.access_token }}'
+          registry: 'us-docker.pkg.dev'
+      - name: 'Tag and push Docker images'
+        run: |-
+          docker pull ${{ env.SOURCE_DOCKER_IMAGE }}-amd64
+          docker tag ${{ env.SOURCE_DOCKER_IMAGE }}-amd64 ${{ env.TARGET_DOCKER_IMAGE }}-amd64
+          docker push ${{ env.TARGET_DOCKER_IMAGE }}-amd64
+
+          docker pull ${{ env.SOURCE_DOCKER_IMAGE }}-arm64
+          docker tag ${{ env.SOURCE_DOCKER_IMAGE }}-arm64 ${{ env.TARGET_DOCKER_IMAGE }}-arm64
+          docker push ${{ env.TARGET_DOCKER_IMAGE }}-arm64

.gitignore

@@ -69,6 +69,7 @@ coverage.out
 *.tfvars
 
 bin/
+dist/
 
 # Env Vars
 .env*

.goreleaser.docker.yaml

@@ -0,0 +1,94 @@
+# Copyright 2023 The Authors (see AUTHORS file)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+env:
+  # Global env vars for Go build.
+  - 'CGO_ENABLED=0'
+  - 'GO111MODULE=on'
+  - 'GOPROXY=https://proxy.golang.org,direct'
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - id: server
+    main: ./cmd/github-metrics-aggregator
+    binary: server
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    flags:
+      - '-a'
+      - '-trimpath'
+    ldflags:
+      - '-s'
+      - '-w'
+      - '-X={{ .ModulePath }}/pkg/version.Name=github-metrics-aggregator-server'
+      - '-X={{ .ModulePath }}/pkg/version.Version={{ .Version }}'
+      - '-X={{ .ModulePath }}/pkg/version.Commit={{ .Commit }}'
+      - '-extldflags=-static'
+    goos:
+      - 'linux'
+    goarch:
+      - 'amd64'
+      - 'arm64'
+
+dockers:
+  - ids:
+      - server
+    use: 'buildx'
+    goos: 'linux'
+    goarch: 'amd64'
+    image_templates:
+      - '{{ .Env.DOCKER_REPO }}/github-metrics-aggregator-server:{{ .Env.DOCKER_TAG }}-amd64'
+    build_flag_templates:
+      - '--platform=linux/amd64'
+      - '--pull'
+      - '--label=org.opencontainers.image.created={{ .CommitTimestamp }}'
+      - '--label=org.opencontainers.image.description=GitHub Metrics Aggregator server is a service to ingest GitHub webhook events.'
+      - '--label=org.opencontainers.image.licenses=Apache-2.0'
+      - '--label=org.opencontainers.image.name=github-metrics-aggregator-server'
+      - '--label=org.opencontainers.image.revision={{ .FullCommit }}'
+      - '--label=org.opencontainers.image.source={{ .GitURL }}'
+      - '--label=org.opencontainers.image.title=github-metrics-aggregator-server'
+      - '--label=org.opencontainers.image.version={{ .Version }}'
+  - ids:
+      - server
+    use: 'buildx'
+    goos: 'linux'
+    goarch: 'arm64'
+    image_templates:
+      - '{{ .Env.DOCKER_REPO }}/github-metrics-aggregator-server:{{ .Env.DOCKER_TAG }}-arm64'
+    build_flag_templates:
+      - '--platform=linux/arm64'
+      - '--pull'
+      - '--label=org.opencontainers.image.created={{ .CommitTimestamp }}'
+      - '--label=org.opencontainers.image.description=GitHub Metrics Aggregator server is a service to ingest GitHub webhook events.'
+      - '--label=org.opencontainers.image.licenses=Apache-2.0'
+      - '--label=org.opencontainers.image.name=github-metrics-aggregator-server'
+      - '--label=org.opencontainers.image.revision={{ .FullCommit }}'
+      - '--label=org.opencontainers.image.source={{ .GitURL }}'
+      - '--label=org.opencontainers.image.title=github-metrics-aggregator-server'
+      - '--label=org.opencontainers.image.version={{ .Version }}'
+
+docker_manifests:
+  - name_template: '{{ .Env.DOCKER_REPO }}/github-metrics-aggregator-server:{{ .Env.DOCKER_TAG }}'
+    image_templates:
+      - '{{ .Env.DOCKER_REPO }}/github-metrics-aggregator-server:{{ .Env.DOCKER_TAG }}-amd64'
+      - '{{ .Env.DOCKER_REPO }}/github-metrics-aggregator-server:{{ .Env.DOCKER_TAG }}-arm64'
+
+# TODO: Follow up on signing.
+
+# Disable SCM release we only want docker release here.
+release:
+  disable: true

Dockerfile

@@ -12,33 +12,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM golang:1.19 AS builder
-
-ENV PORT=8080
-ENV CGO_ENABLED=0
-ENV GOPROXY=https://proxy.golang.org,direct
-
-WORKDIR /go/src/app
-COPY . .
-
-RUN go build \
-    -a \
-    -trimpath \
-    -ldflags "-s -w -extldflags='-static'" \
-    -o /go/bin/server \
-    ./cmd/github-metrics-aggregator
-
-RUN strip -s /go/bin/server
-
-RUN echo "nobody:*:65534:65534:nobody:/:/bin/false" > /tmp/etc-passwd
+# Use distroless for ca certs.
+FROM gcr.io/distroless/static AS distroless
 
 # Use a scratch image to host our binary.
 FROM scratch
-COPY --from=builder /tmp/etc-passwd /etc/passwd
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /go/bin/server /server
+COPY --from=distroless /etc/passwd /etc/passwd
+COPY --from=distroless /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+COPY server /server
 
-USER nobody
+# Normally we would set this to run as "nobody".
+# But goreleaser builds the binary locally and sometimes it will mess up the permission
+# and cause "exec user process caused: permission denied".
+#
+# USER nobody
 
-EXPOSE 8080
+# Run the server on container startup.
+ENV PORT 8080
 ENTRYPOINT ["/server"]