cofide
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 36 additions & 75 deletions b/‎.github/workflows/release.yml‎
Lines changed: 36 additions & 75 deletions
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.goreleaser.yaml‎
Lines changed: 152 additions & 0 deletions b/‎.goreleaser.yaml‎
Lines changed: 152 additions & 0 deletions
diff --git a/‎Dockerfile.nftables‎
Lines changed: 1 addition & 1 deletion b/‎Dockerfile.nftables‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Dockerfile.ui‎
Lines changed: 1 addition & 22 deletions b/‎Dockerfile.ui‎
Lines changed: 1 addition & 22 deletions
@@ -1,87 +1,48 @@
 name: release
 
 on:
+  workflow_dispatch:
   push:
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+*'
 
 permissions:
   contents: write
-  id-token: write
+  packages: write
 
 jobs:
-  build-push-images:
-    name: Build and push images
-    runs-on: ${{ matrix.runs-on }}
-    strategy:
-      matrix:
-        include:
-          - dockerfile: Dockerfile
-            repo: amazonaws.com/cofide/spiffe-enable
-            platform: linux/amd64
-            runs-on: ubuntu-latest
-            arch: amd64
-          - dockerfile: Dockerfile
-            repo: amazonaws.com/cofide/spiffe-enable
-            platform: linux/arm64
-            runs-on: connect-ci-runner-arm
-            arch: arm64
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/connect-ecr-gh-actions-access
-          role-session-name: connect-ecr-gh-actions-access
-          aws-region: ${{ secrets.AWS_REGION }}
-      - name: Login to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@v2
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ${{ matrix.dockerfile }}
-          provenance: false # this is a fix needed to be able to merge the images in a new manifest list later on
-          push: true
-          platforms: ${{ matrix.platform }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: ${{format('{0}.dkr.ecr.{1}.{2}:{3}-{4}', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION, matrix.repo, matrix.arch, github.ref_name)}}
+    goreleaser:
+      name: Build and Release with GoReleaser
+      runs-on: ubuntu-latest
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v4
+          with:
+            fetch-depth: 0 # Required for GoReleaser to generate changelogs
+  
+        - name: Setup Go
+          uses: actions/setup-go@v5
+          with:
+            go-version-file: go.mod
+            cache: true
 
-  build-merge-arch-images:
-    runs-on: ubuntu-latest
-    needs: build-push-images
-    strategy:
-      matrix:
-        include:
-          - repo: amazonaws.com/cofide/spiffe-enable
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/connect-ecr-gh-actions-access
-          role-session-name: connect-ecr-gh-actions-access
-          aws-region: ${{ secrets.AWS_REGION }}
-      - name: Login to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@v2
-      - name: pull images
-        run: |
-          docker pull --platform linux/amd64 ${{format('{0}.dkr.ecr.{1}.{2}:amd64-{3}', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION, matrix.repo, github.ref_name)}}
-          docker pull --platform linux/arm64 ${{format('{0}.dkr.ecr.{1}.{2}:arm64-{3}', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION, matrix.repo, github.ref_name)}}
-      - name: Merge images
-        run: |
-          docker manifest create $IMAGE --amend $IMAGE_AMD64 --amend $IMAGE_ARM64
-          docker manifest annotate $IMAGE $IMAGE_AMD64 --os linux --arch amd64
-          docker manifest annotate $IMAGE $IMAGE_ARM64  --os linux --arch arm64
-          docker manifest push $IMAGE
-        env:
-          IMAGE_AMD64: ${{format('{0}.dkr.ecr.{1}.{2}:amd64-{3}', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION, matrix.repo, github.ref_name)}}
-          IMAGE_ARM64: ${{format('{0}.dkr.ecr.{1}.{2}:arm64-{3}', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION, matrix.repo, github.ref_name)}}
-          IMAGE: ${{format('{0}.dkr.ecr.{1}.{2}:{3}', secrets.AWS_ACCOUNT_ID, secrets.AWS_REGION, matrix.repo, github.ref_name)}}
+        - uses: ko-build/[email protected]
+
+        - name: Log in to GitHub Container Registry
+          uses: docker/login-action@v3
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v3
+  
+        - name: Run GoReleaser
+          uses: goreleaser/goreleaser-action@v6
+          with:
+            distribution: goreleaser
+            version: '~> v2'
+            args: release --clean
+          env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -28,3 +28,6 @@ go.work
 
 # remove the binary if its been built
 injector-webhook
+
+# remove the dist directory used by GoReleaser for builds
+dist
@@ -0,0 +1,152 @@
+version: 2
+project_name: spiffe-enable
+
+before:
+  hooks:
+    - go mod tidy
+    - go generate ./...
+
+builds:
+  - id: spiffe-enable
+    binary: spiffe-enable
+    main: ./cmd/manager
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.ShortCommit}} -X main.date={{.Date}}
+
+  - id: spiffe-enable-ui
+    binary: spiffe-enable-ui
+    main: ./ui/server
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.ShortCommit}} -X main.date={{.Date}}
+
+archives:
+  - name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    formats: tar.gz
+    ids:
+      - spiffe-enable
+      - spiffe-enable-ui
+    files:
+      - README.md
+
+checksum:
+  name_template: '{{ .ProjectName }}_{{ .Version }}_checksums.txt'
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+      - 'Merge pull request'
+      - 'Merge branch'
+
+kos:
+  - repositories: 
+    - ghcr.io/cofide/spiffe-enable
+    tags:
+      - "{{.Version}}"
+      - latest
+    bare: true
+    preserve_import_paths: false
+    platforms:
+      - linux/amd64
+      - linux/arm64
+
+dockers:
+  - goarch: arm64
+    use: buildx
+    dockerfile: Dockerfile.ui
+    ids:
+      - spiffe-enable-ui
+    build_flag_templates:
+      - "--platform=linux/arm64/v8"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}-ui"
+      - "--label=org.opencontainers.image.description=UI for spiffe-enable"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/cofide/spiffe-enable"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-ui:{{ .Version }}-arm64v8"
+      - "ghcr.io/cofide/spiffe-enable-ui:latest-arm64v8"
+
+  - goarch: amd64
+    use: buildx
+    dockerfile: Dockerfile.ui
+    ids:
+      - spiffe-enable-ui
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}-ui"
+      - "--label=org.opencontainers.image.description=UI for spiffe-enable"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/cofide/spiffe-enable"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-ui:{{ .Version }}-amd64"
+      - "ghcr.io/cofide/spiffe-enable-ui:latest-amd64"
+
+  - goarch: arm64
+    use: buildx
+    dockerfile: Dockerfile.nftables
+    build_flag_templates:
+      - "--platform=linux/arm64/v8"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}-init"
+      - "--label=org.opencontainers.image.description=Init container for spiffe-enable"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/cofide/spiffe-enable"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-init:{{ .Version }}-arm64v8"
+      - "ghcr.io/cofide/spiffe-enable-init:latest-arm64v8"
+
+  - goarch: amd64
+    use: buildx
+    dockerfile: Dockerfile.nftables
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}-init"
+      - "--label=org.opencontainers.image.description=Init container for spiffe-enable"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/cofide/spiffe-enable"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-init:{{ .Version }}-amd64"
+      - "ghcr.io/cofide/spiffe-enable-init:latest-amd64"
+
+docker_manifests:
+  - name_template: "ghcr.io/cofide/spiffe-enable-ui:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-ui:{{ .Version }}-amd64"
+      - "ghcr.io/cofide/spiffe-enable-ui:{{ .Version }}-arm64v8"
+  - name_template: "ghcr.io/cofide/spiffe-enable-ui:latest"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-ui:latest-amd64"
+      - "ghcr.io/cofide/spiffe-enable-ui:latest-arm64v8"
+  - name_template: "ghcr.io/cofide/spiffe-enable-init:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-init:{{ .Version }}-amd64"
+      - "ghcr.io/cofide/spiffe-enable-init:{{ .Version }}-arm64v8"
+  - name_template: "ghcr.io/cofide/spiffe-enable-init:latest"
+    image_templates:
+      - "ghcr.io/cofide/spiffe-enable-init:latest-amd64"
+      - "ghcr.io/cofide/spiffe-enable-init:latest-arm64v8"
@@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM --platform=$TARGETPLATFORM alpine:latest
 
 # Install nftables
 RUN apk add --no-cache nftables
@@ -1,27 +1,6 @@
-# Build the UI binary
-FROM cgr.dev/chainguard/go:latest AS builder
-ARG TARGETOS
-ARG TARGETARCH
-
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.sum ./
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-COPY ui/server ui/server
-
-# Build
-# the GOARCH has not a default value to allow the binary be built according to the host where the command
-# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
-# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
-# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o spiffe-enable-ui ui/server/main.go
-
 FROM cgr.dev/chainguard/static:latest
 WORKDIR /
-COPY --from=builder /workspace/spiffe-enable-ui .
+COPY spiffe-enable-ui .
 # The Chainguard image has a single user 'nonroot' with uid '65532', belonging to gid '65532'.
 USER nonroot