Merge pull request #11 from pjbgf-forks/fixes

pjbgf · web-flow · commit b655e5e04aea · 2024-12-05T23:33:24.000Z
Add release workflow
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,45 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions: {}
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # create GH releases
+      id-token: write # ephemeral keys (a.k.a. "keyless") signing
+      attestations: write # write GH attestations
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        with:
+          go-version: stable
+
+      - uses: anchore/sbom-action/download-syft@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
+      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Attest release artefacts
+        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
+        with:
+          subject-path: "dist/slsactl*"
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 .vscode/
 build/
+dist/
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,51 @@
+version: 2
+project_name: slsactl
+builds:
+  - id: slsactl
+    binary: slsactl
+    main: main.go
+    flags:
+    - -trimpath
+    ldflags:
+      - -s -w
+      - -X github.com/slsactl/cmd/cmd.version={{.Version}}
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    env:
+      - CGO_ENABLED=0
+
+archives:
+  - id: default
+    format: binary
+
+signs:
+  - cmd: cosign
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--yes'
+      - '--output-signature=${signature}'
+      - '--output-certificate=${certificate}'
+      - '--bundle=${artifact}.bundle'
+      - '${artifact}'
+    artifacts: checksum
+    output: true
+
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source'
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - '{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json'
+
+release:
+  extra_files:
+    - glob: ./**/*.bundle
diff --git a/Makefile b/Makefile
@@ -11,4 +11,4 @@ test:
 verify: verify-lint verify-dirty ## Run verification checks.
 
 verify-lint: $(GOLANGCI)
-	$(GOLANGCI) run --timeout 2m
+	$(GOLANGCI) run --timeout 10m
