goreleaser #417

Workflow file for this run

.github/workflows/goreleaser.yml at 1652c40

	name: goreleaser

	on:
	push:
	tags:
	- '*'
	workflow_dispatch:
	inputs:
	skip-publish:
	description: 'Skip publishing to releases.mondoo.com?'
	type: boolean
	required: false
	default: false
	use-test-cert:
	description: "Use test certificate profile (not publicly trusted)"
	required: false
	default: false
	type: boolean
	goreleaser-snapshot:
	description: 'Run goreleaser in snapshot mode, which will not publish and bypass tag checks.'
	required: false
	default: false
	type: boolean
	upload-artifacts:
	description: "Uploading artifacts to workflow"
	required: false
	default: false
	type: boolean

	env:
	REGISTRY: docker.io

	jobs:
	goreleaser:
	permissions:
	# Add "contents" to write release
	contents: 'write'
	# Add "id-token" for google-github-actions/auth
	id-token: 'write'

	runs-on: self-hosted
	timeout-minutes: 120
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Dump all inputs
	run: echo "${{ toJSON(inputs) }}"

	- name: Skip Publish for Alpha and Beta Tags
	id: skip-publish
	if: contains(github.ref, 'alpha') \|\| contains(github.ref, 'beta') \|\| contains(github.ref, 'rc') \|\| inputs.skip-publish == true
	run: \|
	echo "Skipping publish for alpha and beta tags"
	echo "skip-publish=true" >> $GITHUB_OUTPUT
	echo "skip-publish=true" >> $GITHUB_ENV

	- name: Import environment variables from file
	run: cat ".github/env" >> $GITHUB_ENV

	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version: ">=${{ env.golang-version }}"
	cache: false

	- name: Install Protoc
	uses: arduino/setup-protoc@v3
	with:
	repo-token: ${{ secrets.GITHUB_TOKEN }}
	version: ${{ env.protoc-version }}

	- name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@v2'
	with:
	workload_identity_provider: ${{ secrets.GCP_WIP }}
	service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

	- id: 'gcp_secrets'
	uses: 'google-github-actions/get-secretmanager-secrets@v2'
	with:
	secrets: \|-
	code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
	code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge

	- name: "Write RPM Signing Cert"
	run: \|
	gpgkey="$(mktemp -t gpgkey.XXX)"
	base64 -d <<<"$GPG_KEY" > "$gpgkey"
	echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV
	env:
	GPG_KEY: '${{ secrets.GPG_KEY}}'

	# - name: "Write Windows Signing Cert"
	# run: \|
	# cert="$(mktemp -t cert.XXX)"
	# base64 -d <<<"$CERT_CONTENTS" > "$cert"
	# echo "CERT_FILE=$cert" >> $GITHUB_ENV
	# env:
	# CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'
	#
	# - name: Configure DigiCert Signing Variables
	# shell: bash
	# run: \|
	# # CertLocker Authentication Certifiate
	# CERT_PATH="$(mktemp -t cert.XXX)"
	# echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" \| base64 --decode > ${CERT_PATH}
	# echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
	# echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
	# # CertLocker API Key & Host
	# echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
	# echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
	# # DigiCert CertLocker Code Signing Certificate
	# echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
	# echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV"
	#

	# jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate
	# These packages have been installed on the self-hosted runner using ansible from the private repo

	- name: Log in to Azure for Code Signing
	uses: azure/login@v2
	with:
	creds: >-
	{
	"clientId": "${{ secrets.TSIGN_AZURE_CLIENT_ID }}",
	"clientSecret": "${{ secrets.TSIGN_AZURE_CLIENT_SECRET }}",
	"tenantId": "${{ vars.TSIGN_AZURE_TENANT_ID}}",
	"subscriptionId": "${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}"
	}

	- name: Get Azure AD Access Token to trusted signing
	id: get_token
	run: \|
	set -e # Stop on first error
	TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)

	if [ -z "$TSIGN_ACCESS_TOKEN" ]; then
	echo "Error: Access token is empty"
	exit 1
	fi
	PREFIX="${TSIGN_ACCESS_TOKEN:0:8}"
	echo "Access token prefix: ${PREFIX}..."
	echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> $GITHUB_OUTPUT


	- name: Install Quill for Mac Signing and Notarization
	run: \|
	curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh \| sh -s -- -b /tmp
	/tmp/quill help

	- name: Log in to the Container registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Run GoReleaser (w/ Docker Release)
	if: ${{ inputs.skip-publish != true }}
	uses: goreleaser/goreleaser-action@v6
	with:
	distribution: goreleaser
	version: v2.11.2
	args: >
	release
	--config .goreleaser.yml
	--clean
	--timeout 120m
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
	NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
	QUILL_SIGN_PASSWORD: ''
	QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
	QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
	QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
	QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
	TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
	TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
	TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME \|\| vars.TSIGN_CERT_PROFILE_NAME }}
	TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

	- name: Run GoReleaser (w/o Docker Release)
	if: ${{ inputs.skip-publish == true }}
	uses: goreleaser/goreleaser-action@v6
	with:
	distribution: goreleaser
	version: v2.11.2
	args: >
	release
	${{ inputs.goreleaser-snapshot == true && '--snapshot' \|\| '' }}
	--config .github/.goreleaser-unstable.yml
	--clean
	--timeout 120m
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
	NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
	QUILL_SIGN_PASSWORD: ''
	QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
	QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
	QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
	QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
	TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
	TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
	TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME \|\| vars.TSIGN_CERT_PROFILE_NAME }}
	TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

	- name: Check RPMs
	run: \|
	rpm -qpi dist/*.rpm

	- name: Output Quill Logs
	if: ${{ failure() }}
	run: \|
	for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do
	echo "=== $f ==="
	ls -l $f
	cat $f
	done

	- name: Upload artifacts
	if: ${{ inputs.upload-artifacts == true }}
	uses: actions/upload-artifact@v4
	with:
	name: windows-artifacts
	path: dist/*.zip
	retention-days: 7

	# At this point we know the docker container is published.
	# We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec.
	# The docker container is a pre-requisite for cnspec release.
	- name: Trigger cnquery bump in cnspec
	if: ${{ ! steps.skip-publish.outputs.skip-publish }}
	uses: peter-evans/repository-dispatch@v3
	with:
	token: ${{ secrets.RELEASR_ACTION_TOKEN }}
	repository: "mondoohq/cnspec"
	event-type: update-cnquery
	client-payload: '{
	"version": "${{ github.ref_name }}"
	}'

	- name: Cleanup
	if: always()
	run:
	rm -f ${CERT_PATH}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

goreleaser #417

Workflow file

goreleaser #417

Uh oh!

Workflow file for this run