mql/.github/workflows/goreleaser.yml at 1b1a0ea8f952dfb3787dfac2ba63c96c5c4f78fb · mondoohq/mql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
name: goreleaser

on:
  push:
    tags:
      - "*"
  workflow_dispatch:
    inputs:
      skip-publish:
        description: "Skip publishing to releases.mondoo.com?"
        type: boolean
        required: false
        default: false
      use-test-cert:
        description: "Use test certificate profile (not publicly trusted)"
        required: false
        default: false
        type: boolean
      goreleaser-snapshot:
        description: "Run goreleaser in snapshot mode, which will not publish and bypass tag checks."
        required: false
        default: false
        type: boolean
      upload-artifacts:
        description: "Uploading artifacts to workflow"
        required: false
        default: false
        type: boolean

env:
  REGISTRY: docker.io

permissions:
  contents: read

jobs:
  goreleaser:
    permissions:
      # Add "contents" to write release
      contents: "write"
      # Add "id-token" for google-github-actions/auth
      id-token: "write"

    runs-on:
      group: Default
    environment: prod
    timeout-minutes: 120
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Dump all inputs
        run: echo "${{ toJSON(inputs) }}"

      - name: Skip Publish for Alpha and Beta Tags
        id: skip-publish
        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == true
        run: |
          echo "Skipping publish for alpha and beta tags"
          echo "skip-publish=true" >> $GITHUB_OUTPUT
          echo "skip-publish=true" >> $GITHUB_ENV

      - name: Import environment variables from file
        run: cat ".github/env" >> $GITHUB_ENV

      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: ">=${{ env.golang-version }}"
          cache: false

      - name: Install Protoc
        uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.protoc-version }}

      - name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # v3.0.0
        with:
          workload_identity_provider: ${{ secrets.GCP_WIP }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: "Write RPM Signing Cert"
        run: |
          gpgkey="$(mktemp -t gpgkey.XXX)"
          base64 -d <<<"$GPG_KEY" > "$gpgkey"
          echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV
        env:
          GPG_KEY: "${{ secrets.GPG_KEY}}"

      # jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate
      # These packages have been installed on the self-hosted runner using ansible from the private repo

      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.TSIGN_AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID}}
          subscription-id: ${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}

      - name: Get Azure AD Access Token to trusted signing
        id: get_token
        run: |
          set -e  # Stop on first error
          TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)

          if [ -z "$TSIGN_ACCESS_TOKEN" ]; then
            echo "Error: Access token is empty"
            exit 1
          fi
          PREFIX="${TSIGN_ACCESS_TOKEN:0:8}"
          echo "Access token prefix: ${PREFIX}..."
          echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> $GITHUB_OUTPUT

      - name: Install Quill for Mac Signing and Notarization
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
          /tmp/quill help

      - name: Log in to the Container registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Run GoReleaser
      # This will build the binaries, create the docker images, and publish the release to Git
      # we used to be pinned to v2.5.1 because of a bug in v2.6.0 that causes the release to fail
      # specifically with the signing of the RPM packages
      # if you upgrade then when validating the signatures 'rpm -qpi dist/*.rpm' it will error with
      # Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
      # We were never able to get to the bottom of this issue, in the we have stopped goreleaser from signing the RPM packages,
      # and instead we sign them in a separate step after go releaser is done. This is not ideal but rpm-sign is defacto standard for signing RPM packages
      # and it works, so we are sticking with this approach for now.

      - name: Run GoReleaser (w/ Docker Release)
        if: ${{ inputs.skip-publish != true }}
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          version: v2.13.3
          args: >
            release
            --config .goreleaser.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ""
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

      - name: Run GoReleaser (w/o Docker Release)
        if: ${{ inputs.skip-publish == true }}
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          version: v2.13.3
          args: >
            release
            ${{ inputs.goreleaser-snapshot == true && '--snapshot' || '' }}
            --config .github/.goreleaser-unstable.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ""
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          TSIGN_CERT_PROFILE_NAME: ${{ github.event.inputs.use-test-cert == 'true' && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}

      - name: Check RPMs
        run: |
          rpm -qpi dist/*.rpm

      - name: Output Quill Logs
        if: ${{ failure() }}
        run: |
          for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do
            echo "=== $f ==="
            ls -l $f
            cat $f
          done

      - name: Upload artifacts
        if: ${{ inputs.upload-artifacts == true }}
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: cnquery-release-artifacts
          path: |
            dist/*.tar.gz
            dist/*.zip
            dist/*.rpm
            dist/*.deb
            dist/*.sig
            dist/*_SHA256SUMS
            dist/metadata.json
          retention-days: 7

      # At this point we know the docker container is published.
      # We can now trigger the cnquery bump in cnspec, which will also trigger the release of cnspec.
      # The docker container is a pre-requisite for cnspec release.
      - name: Trigger cnquery bump in cnspec
        if: ${{ inputs.skip-publish != true }}
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
          token: ${{ secrets.RELEASR_ACTION_TOKEN }}
          repository: "mondoohq/cnspec"
          event-type: update-cnquery
          client-payload: '{
            "version": "${{  github.ref_name }}"
            }'