Release artifacts and helm plugin hooks (#5)

Signed-off-by: Andrew Block <[email protected]>

Author: sabre1041

.github/workflows/ci.yml

@@ -3,8 +3,6 @@ on:
   push:
     branches:
       - "main"
-    tags:
-      - "*"
   pull_request:
     branches:
       - "*"

.github/workflows/release.yml

@@ -0,0 +1,76 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go 1.16
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Verify go.mod is sane
+        run: go mod tidy && git diff --no-patch --exit-code
+
+      - name: Install dependencies
+        run: go mod download
+
+      - name: Build
+        run: make
+
+      - name: Test
+        run: make test
+
+      - name: golangci-lint
+        uses: golangci/[email protected]
+        with:
+          version: v1.39.0
+          skip-go-installation: true
+          skip-pkg-cache: true
+
+      - name: Make release binaries
+        run: make dist
+        env:
+          MAKEFILE_SHELL: /bin/bash
+
+      - name: Get the version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" |tee -a $GITHUB_ENV
+
+      - name: Generate Changelog
+        run: |
+          LATEST_TAG=$(git tag --sort=creatordate | sed '$!d')
+          PREVIOUS_TAG=$(git tag --sort=creatordate | sed 'x;$!d')
+          if [ -z "${PREVIOUS_TAG}" ]; then
+            REV_RANGE=HEAD
+          else
+            REV_RANGE=${PREVIOUS_TAG}..${LATEST_TAG}
+          fi
+          git log --pretty=format:"- %s %H (%aN)" --no-merges ${REV_RANGE} > ${VERSION}-CHANGELOG.txt
+          cat ${VERSION}-CHANGELOG.txt
+
+      - name: Create release
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          body_path: ${{ env.VERSION }}-CHANGELOG.txt
+          draft: false
+          prerelease: false
+
+      - name: Upload release binaries
+        uses: svenstaro/upload-release-action@v2
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: dist/*
+          tag: ${{ github.ref }}
+          overwrite: true
+          file_glob: true

Makefile

@@ -14,6 +14,9 @@
 # limitations under the License.
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifdef MAKEFILE_SHELL
+SHELL=$(MAKEFILE_SHELL)
+endif
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
 else
@@ -25,6 +28,8 @@ DISTDIR    := $(CURDIR)/dist
 BINNAME    := helm-sigstore
 
 # Set version variables for LDFLAGS
+GO := go
+CGO_ENABLED := 0
 GIT_VERSION ?= $(shell git describe --tags --always --dirty)
 GIT_HASH ?= $(shell git rev-parse HEAD)
 DATE_FMT = +'%Y-%m-%dT%H:%M:%SZ'
@@ -66,11 +71,19 @@ lint: golangci-lint ## Runs golangci-lint linter
 PLATFORMS=darwin linux windows
 ARCHITECTURES=amd64
 
+define buildartifacts
+if [ "$(1)" == "windows" ]; then \
+	PLATFORM_EXT=".exe"; \
+fi
+mkdir -p $(DISTDIR);
+GOOS=$(1) GOARCH=$(2) CGO_ENABLED=$(CGO_ENABLED) $(GO) build \
+	 -ldflags $(LDFLAGS) -o $(DISTDIR)/$(BINNAME)-$(GOOS)-$(GOARCH)$$(if [ "$(1)" == "windows" ]; then echo ".exe"; fi) main.go;
+sha256sum $(DISTDIR)/$(BINNAME)-$(1)-$(2)$$(if [ "$(1)" == "windows" ]; then echo ".exe"; fi) | awk '{print $$1}' > $(DISTDIR)/$(BINNAME)-$(1)-$(2)$$(if [ "$(1)" == "windows" ]; then echo ".exe"; fi).sha256;
+endef
+
 dist:
 	$(foreach GOOS, $(PLATFORMS),\
-		$(foreach GOARCH, $(ARCHITECTURES), $(shell export GOOS=$(GOOS); export GOARCH=$(GOARCH); \
-	go build -ldflags $(LDFLAGS) -o $(DISTDIR)/$(BINNAME)-$(GOOS)-$(GOARCH) main.go)))
-	shasum -a 256 $(DISTDIR)/$(BINNAME)-* > $(DISTDIR)/$(BINNAME).sha2556
+		$(foreach GOARCH, $(ARCHITECTURES), $(call buildartifacts,$(GOOS),$(GOARCH))))
 
 test:
 	go test ./...

README.md

@@ -39,7 +39,7 @@ The plugin binary will be available in the `bin` directory
 Before installing `helm-sigstore` as a Helm plugin, ensure that Helm is installed and configured on your machine. Then install the plugin.
 
 ```shell
-$ helm plugin install .
+$ helm plugin install https://github.com/sigstore/helm-sigstore
 ```
 
 Confirm the plugin is available in Helm

plugin.yaml

@@ -4,3 +4,6 @@ usage: "Integrates Helm into Sigstore"
 description: |-
   This plugin integrates Helm into the Sigstore ecosystem.
 command: "$HELM_PLUGIN_DIR/bin/helm-sigstore"
+hooks:
+  install: "$HELM_PLUGIN_DIR/scripts/install-binary.sh"
+  update: "$HELM_PLUGIN_DIR/scripts/install-binary.sh"

scripts/install-binary.sh

@@ -0,0 +1,138 @@
+#!/usr/bin/env sh
+
+echo "Installing helm sigstore plugin"
+
+PROJECT_NAME="helm-sigstore"
+PROJECT_ORG="${PROJECT_ORG:-sigstore}"
+PROJECT_GH="$PROJECT_ORG/$PROJECT_NAME"
+export GREP_COLOR="never"
+
+HELM_MAJOR_VERSION=$("${HELM_BIN}" version --client --short | awk -F '.' '{print $1}')
+
+: ${HELM_PLUGIN_DIR:="$("${HELM_BIN}" home --debug=false)/plugins/helm-diff"}
+
+# Convert the HELM_PLUGIN_DIR to unix if cygpath is
+# available. This is the case when using MSYS2 or Cygwin
+# on Windows where helm returns a Windows path but we
+# need a Unix path
+
+if type cygpath >/dev/null 2>&1; then
+  HELM_PLUGIN_DIR=$(cygpath -u $HELM_PLUGIN_DIR)
+fi
+
+if [ "$SKIP_BIN_INSTALL" = "1" ]; then
+  echo "Skipping binary install"
+  exit
+fi
+
+# initArch discovers the architecture for this system.
+initArch() {
+  ARCH=$(uname -m)
+  case $ARCH in
+  armv5*) ARCH="armv5" ;;
+  armv6*) ARCH="armv6" ;;
+  armv7*) ARCH="armv7" ;;
+  aarch64) ARCH="arm64" ;;
+  x86) ARCH="386" ;;
+  x86_64) ARCH="amd64" ;;
+  i686) ARCH="386" ;;
+  i386) ARCH="386" ;;
+  esac
+}
+
+# initOS discovers the operating system for this system.
+initOS() {
+  OS=$(uname | tr '[:upper:]' '[:lower:]')
+
+  case "$OS" in
+  # Msys support
+  msys*) OS='windows' ;;
+  # Minimalist GNU for Windows
+  mingw*) OS='windows' ;;
+  darwin) OS='darwin' ;;
+  esac
+}
+
+# verifySupported checks that the os/arch combination is supported for
+# binary builds.
+verifySupported() {
+  supported="linux-amd64\ndarwin-amd64\nwindows-amd64"
+  if ! echo "${supported}" | grep -q "${OS}-${ARCH}"; then
+    echo "No prebuild binary for ${OS}-${ARCH}."
+    exit 1
+  fi
+
+  if ! type "curl" >/dev/null && ! type "wget" >/dev/null; then
+    echo "Either curl or wget is required"
+    exit 1
+  fi
+}
+
+# getDownloadURL checks the latest available version.
+getDownloadURL() {
+  #version=$(git -C "$HELM_PLUGIN_DIR" describe --tags --exact-match 2>/dev/null || :)
+  version="$(cat plugin.yaml | grep "version" | cut -d '"' -f 2)"
+  if [ -n "$version" ]; then
+    DOWNLOAD_URL="https://github.com/$PROJECT_GH/releases/download/v$version/$PROJECT_NAME-$OS-$ARCH"
+  else
+    # Use the GitHub API to find the download url for this project.
+    url="https://api.github.com/repos/$PROJECT_GH/releases/latest"
+    if type "curl" >/dev/null; then
+      DOWNLOAD_URL=$(curl -s $url | grep $OS-$ARCH\" | awk '/\"browser_download_url\":/{gsub( /[,\"]/,"", $2); print $2}')
+    elif type "wget" >/dev/null; then
+      DOWNLOAD_URL=$(wget -q -O - $url | grep $OS-$ARCH\" | awk '/\"browser_download_url\":/{gsub( /[,\"]/,"", $2); print $2}')
+    fi
+  fi
+
+}
+
+# downloadFile downloads the latest binary package and also the checksum
+# for that binary.
+downloadFile() {
+  BINDIR="$HELM_PLUGIN_DIR/bin"
+  rm -rf "$BINDIR"
+  mkdir -p "$BINDIR"
+  echo "Downloading $DOWNLOAD_URL"
+  if type "curl" >/dev/null; then
+    HTTP_CODE=$(curl -sL --write-out "%{http_code}" "$DOWNLOAD_URL" --output "$BINDIR/$PROJECT_NAME")
+    if [ ${HTTP_CODE} -ne 200 ]; then
+      exit 1
+    fi
+  elif type "wget" >/dev/null; then
+    wget -q -O "$BINDIR/$PROJECT_NAME" "$DOWNLOAD_URL"
+  fi
+
+  chmod +x "$BINDIR/$PROJECT_NAME"
+
+}
+
+# fail_trap is executed if an error occurs.
+fail_trap() {
+  result=$?
+  if [ "$result" != "0" ]; then
+    echo "Failed to install $PROJECT_NAME"
+    printf "\tFor support, go to https://github.com/$PROJECT_GH.\n"
+  fi
+  exit $result
+}
+
+# testVersion tests the installed client to make sure it is working.
+testVersion() {
+  set +e
+  echo "$PROJECT_NAME installed into $HELM_PLUGIN_DIR/$PROJECT_NAME"
+  "${HELM_PLUGIN_DIR}/bin/$PROJECT_NAME" version
+  set -e
+}
+
+
+# Execution
+
+#Stop execution on any error
+trap "fail_trap" EXIT
+set -e
+initArch
+initOS
+verifySupported
+getDownloadURL
+downloadFile
+testVersion