goreleaser #420
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: goreleaser | |
| on: | |
| push: | |
| tags: | |
| - '*' | |
| workflow_dispatch: | |
| inputs: | |
| skip-publish: | |
| description: 'Skip publishing to releases.mondoo.com?' | |
| type: boolean | |
| required: false | |
| default: false | |
| use-test-cert: | |
| description: "Use test certificate profile (not publicly trusted)" | |
| required: false | |
| default: false | |
| type: boolean | |
| goreleaser-snapshot: | |
| description: 'Run goreleaser in snapshot mode, which will not publish and bypass tag checks.' | |
| required: false | |
| default: false | |
| type: boolean | |
| upload-artifacts: | |
| description: "Uploading artifacts to workflow" | |
| required: false | |
| default: false | |
| type: boolean | |
| env: | |
| REGISTRY: docker.io | |
| jobs: | |
| goreleaser: | |
| permissions: | |
| # Add "contents" to write release | |
| contents: 'write' | |
| # Add "id-token" for google-github-actions/auth | |
| id-token: 'write' | |
| runs-on: self-hosted | |
| timeout-minutes: 120 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Dump all inputs | |
| run: echo "${{ toJSON(inputs) }}" | |
| - name: Skip Publish for Alpha and Beta Tags | |
| id: skip-publish | |
| if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == true | |
| run: | | |
| echo "Skipping publish for alpha and beta tags" | |
| echo "skip-publish=true" >> $GITHUB_OUTPUT | |
| echo "skip-publish=true" >> $GITHUB_ENV | |
| - name: Import environment variables from file | |
| run: cat ".github/env" >> $GITHUB_ENV | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ">=${{ env.golang-version }}" | |
| cache: false | |
| - name: Install Protoc | |
| uses: arduino/setup-protoc@v3 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| version: ${{ env.protoc-version }} | |
| - name: 'Authenticate to Google Cloud' | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| workload_identity_provider: ${{ secrets.GCP_WIP }} | |
| service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | |
| - name: "Write RPM Signing Cert" | |
| run: | | |
| gpgkey="$(mktemp -t gpgkey.XXX)" | |
| base64 -d <<<"$GPG_KEY" > "$gpgkey" | |
| echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV | |
| env: | |
| GPG_KEY: '${{ secrets.GPG_KEY}}' | |
| # jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate | |
| # These packages have been installed on the self-hosted runner using ansible from the private repo | |
| - name: Log in to Azure for Code Signing | |
| uses: azure/login@v2 | |
| with: | |
| creds: >- | |
| { | |
| "clientId": "${{ secrets.TSIGN_AZURE_CLIENT_ID }}", | |
| "clientSecret": "${{ secrets.TSIGN_AZURE_CLIENT_SECRET }}", | |
| "tenantId": "${{ vars.TSIGN_AZURE_TENANT_ID}}", | |
| "subscriptionId": "${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}" | |
| } | |
| - name: Get Azure AD Access Token to trusted signing | |
| id: get_token | |
| run: | | |
| set -e # Stop on first error | |
| TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv) | |
| if [ -z "$TSIGN_ACCESS_TOKEN" ]; then | |
| echo "Error: Access token is empty" | |
| exit 1 | |
| fi | |
| PREFIX="${TSIGN_ACCESS_TOKEN:0:8}" | |
| echo "Access token prefix: ${PREFIX}..." | |
| echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> $GITHUB_OUTPUT | |
| - name: Install Quill for Mac Signing and Notarization | |
| run: | | |
| curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp | |
| /tmp/quill help | |
| - name: Log in to the Container registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Run GoReleaser (w/ Docker Release) | |
| if: ${{ inputs.skip-publish != true }} | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser | |
| version: v2.11.2 | |
| args: > | |
| release | |
| --config .goreleaser.yml | |
| --clean | |
| --timeout 120m | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }} | |
| NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| QUILL_SIGN_PASSWORD: '' | |
| QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }} | |
| QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }} | |
| QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }} | |
| QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }} | |
| TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }} | |
| TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }} | |
| TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }} | |
| TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }} | |
| - name: Run GoReleaser (w/o Docker Release) | |
| if: ${{ inputs.skip-publish == true }} | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser | |
| version: v2.6.0 | |
| args: > | |
| release | |
| ${{ inputs.goreleaser-snapshot == true && '--snapshot' || '' }} | |
| --config .github/.goreleaser-unstable.yml | |
| --clean | |
| --timeout 120m | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }} | |
| NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| QUILL_SIGN_PASSWORD: '' | |
| QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }} | |
| QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }} | |
| QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }} | |
| QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }} | |
| TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }} | |
| TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }} | |
| TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }} | |
| TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }} | |
| - name: Check RPMs | |
| run: | | |
| rpm -qpi dist/*.rpm | |
| - name: Output Quill Logs | |
| if: ${{ failure() }} | |
| run: | | |
| for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do | |
| echo "=== $f ===" | |
| ls -l $f | |
| cat $f | |
| done | |
| - name: Upload artifacts | |
| if: ${{ inputs.upload-artifacts == true }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: windows-artifacts | |
| path: dist/*.zip | |
| retention-days: 7 | |
| # At this point we know the docker container is published. | |
| # We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec. | |
| # The docker container is a pre-requisite for cnspec release. | |
| - name: Trigger cnquery bump in cnspec | |
| if: ${{ inputs.skip-publish != true }} | |
| uses: peter-evans/repository-dispatch@v3 | |
| with: | |
| token: ${{ secrets.RELEASR_ACTION_TOKEN }} | |
| repository: "mondoohq/cnspec" | |
| event-type: update-cnquery | |
| client-payload: '{ | |
| "version": "${{ github.ref_name }}" | |
| }' |