
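---
# Release pipeline: runs on every pushed tag, or manually via workflow_dispatch
# with the switches declared under `inputs`. It builds the binaries, signs the
# packages (RPM via GPG, macOS via Quill, Windows via Azure Trusted Signing),
# publishes images and the release, and finally notifies the cnspec repo.
name: goreleaser

on:
  push:
    tags:
      - "*"
  workflow_dispatch:
    inputs:
      skip-publish:
        description: "Skip publishing to releases.mondoo.com?"
        type: boolean
        required: false
        default: false
      use-test-cert:
        description: "Use test certificate profile (not publicly trusted)"
        type: boolean
        required: false
        default: false
      goreleaser-snapshot:
        description: "Run goreleaser in snapshot mode, which will not publish and bypass tag checks."
        type: boolean
        required: false
        default: false
      upload-artifacts:
        description: "Uploading artifacts to workflow"
        type: boolean
        required: false
        default: false

env:
  REGISTRY: docker.io

# Workflow-wide default is read-only; the job below opts in to what it needs.
permissions:
  contents: read

jobs:
  goreleaser:
    permissions:
      # Add "contents" to write release
      contents: write
      # Add "id-token" for google-github-actions/auth
      id-token: write
    runs-on:
      group: Default
    environment: prod
    timeout-minutes: 120
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full clone (all history and tags); presumably required by goreleaser
          # for its tag/changelog handling -- confirm before reducing.
          fetch-depth: 0

      - name: Dump all inputs
        # Hand the JSON to the shell through an env var rather than interpolating
        # it into the command line: the value is then never parsed as shell, and
        # the embedded quotes of the JSON are printed faithfully.
        env:
          WORKFLOW_INPUTS: ${{ toJSON(inputs) }}
        run: echo "$WORKFLOW_INPUTS"

      # Decides whether this run publishes. The ref check is a substring match,
      # so any tag whose ref contains 'alpha', 'beta' or 'rc' qualifies, as does
      # the skip-publish input on a manual run. The release steps below branch
      # on this step's output.
      - name: Skip Publish for Alpha and Beta Tags
        id: skip-publish
        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == true
        run: |
          echo "Skipping publish for alpha and beta tags"
          echo "skip-publish=true" >> "$GITHUB_OUTPUT"
          echo "skip-publish=true" >> "$GITHUB_ENV"

      - name: Import environment variables from file
        # .github/env is expected to provide golang-version and protoc-version,
        # which the setup steps below read from the env context.
        run: cat ".github/env" >> "$GITHUB_ENV"

      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ">=${{ env.golang-version }}"
          cache: false

      - name: Install Protoc
        uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.protoc-version }}

      - name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # v3.0.0
        with:
          workload_identity_provider: ${{ secrets.GCP_WIP }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: "Write RPM Signing Cert"
        # Decodes the base64 key into a private temp file (mktemp creates it
        # owner-only on common implementations) and publishes only the path.
        run: |
          gpgkey="$(mktemp -t gpgkey.XXX)"
          base64 -d <<<"$GPG_KEY" > "$gpgkey"
          echo "GPG_KEY_PATH=$gpgkey" >> "$GITHUB_ENV"
        env:
          GPG_KEY: "${{ secrets.GPG_KEY }}"

      # jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate
      # These packages have been installed on the self-hosted runner using ansible from the private repo
      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.TSIGN_AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID }}
          subscription-id: ${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}

      - name: Get Azure AD Access Token to trusted signing
        id: get_token
        run: |
          set -e # Stop on first error
          TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)
          if [ -z "$TSIGN_ACCESS_TOKEN" ]; then
            echo "Error: Access token is empty"
            exit 1
          fi
          # Step outputs are not masked automatically; register the token so it
          # is redacted from the log should anything downstream print it.
          echo "::add-mask::$TSIGN_ACCESS_TOKEN"
          PREFIX="${TSIGN_ACCESS_TOKEN:0:8}"
          echo "Access token prefix: ${PREFIX}..."
          echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> "$GITHUB_OUTPUT"

      - name: Install Quill for Mac Signing and Notarization
        # NOTE(review): the installer is fetched from the `main` branch and piped
        # straight into sh, so the signing tool is unpinned; pinning a release
        # tag and verifying its checksum would make this step reproducible.
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
          /tmp/quill help

      - name: Log in to the Container registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Run GoReleaser
      # This will build the binaries, create the docker images, and publish the release to Git
      # we used to be pinned to v2.5.1 because of a bug in v2.6.0 that causes the release to fail
      # specifically with the signing of the RPM packages
      # if you upgrade then when validating the signatures 'rpm -qpi dist/*.rpm' it will error with
      # Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
      # We were never able to get to the bottom of this issue, in the we have stopped goreleaser from signing the RPM packages,
      # and instead we sign them in a separate step after go releaser is done. This is not ideal but rpm-sign is defacto standard for signing RPM packages
      # and it works, so we are sticking with this approach for now.
      #
      # Both release steps branch on the skip-publish step's output rather than
      # on `inputs.skip-publish`: on a tag push the inputs context is empty, so
      # keying on the input alone would send alpha/beta/rc tags down the full
      # publish path and leave the pre-release check above unused.
      - name: Run GoReleaser (w/ Docker Release)
        if: ${{ steps.skip-publish.outputs.skip-publish != 'true' }}
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          version: v2.13.3
          args: >
            release
            --config .goreleaser.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): no step in this file has `id: gcp_secrets`, so this
          # expands to an empty string -- confirm whether it is still needed.
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ""
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          # Typed boolean input, compared the same way as the other inputs above.
          TSIGN_CERT_PROFILE_NAME: ${{ inputs.use-test-cert == true && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

      - name: Run GoReleaser (w/o Docker Release)
        if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          version: v2.13.3
          args: >
            release
            ${{ inputs.goreleaser-snapshot == true && '--snapshot' || '' }}
            --config .github/.goreleaser-unstable.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): see the same key on the step above -- `gcp_secrets`
          # is not defined in this file.
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ""
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          TSIGN_CERT_PROFILE_NAME: ${{ inputs.use-test-cert == true && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

      - name: Check RPMs
        # Prints package headers; a bad signature header shows up in this output
        # (see the goreleaser comment above). This is an inspection, not a
        # verification against a trusted key.
        run: |
          rpm -qpi dist/*.rpm

      - name: Output Quill Logs
        if: ${{ failure() }}
        # Paths are read line by line and quoted so log names with spaces survive.
        run: |
          find /tmp -name 'quill-*.log' 2>/dev/null | while IFS= read -r f; do
            echo "=== $f ==="
            ls -l "$f"
            cat "$f"
          done

      - name: Upload artifacts
        if: ${{ inputs.upload-artifacts == true }}
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: cnquery-release-artifacts
          path: |
            dist/*.tar.gz
            dist/*.zip
            dist/*.rpm
            dist/*.deb
            dist/*.sig
            dist/*_SHA256SUMS
            dist/metadata.json
          retention-days: 7

      # At this point we know the docker container is published.
      # We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec.
      # The docker container is a pre-requisite for cnspec release.
      - name: Trigger cnquery bump in cnspec
        if: ${{ steps.skip-publish.outputs.skip-publish != 'true' }}
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
          token: ${{ secrets.RELEASR_ACTION_TOKEN }}
          repository: "mondoohq/cnspec"
          event-type: update-cnquery
          client-payload: '{"version": "${{ github.ref_name }}"}'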