-
Notifications
You must be signed in to change notification settings - Fork 23
145 lines (127 loc) · 4.76 KB
/
goreleaser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: goreleaser
on:
push:
tags:
- '*'
workflow_dispatch:
inputs:
skip-publish:
description: 'Skip publishing to releases.mondoo.com?'
type: boolean
required: false
default: false
env:
REGISTRY: docker.io
jobs:
goreleaser:
permissions:
# Add "contents" to write release
contents: 'write'
# Add "id-token" for google-github-actions/auth
id-token: 'write'
runs-on: self-hosted
timeout-minutes: 120
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ">=1.21.0"
cache: false
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v1'
with:
workload_identity_provider: ${{ secrets.GCP_WIP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- id: 'gcp_secrets'
uses: 'google-github-actions/get-secretmanager-secrets@v1'
with:
secrets: |-
code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge
- name: "Write RPM Signing Cert"
run: |
gpgkey="$(mktemp -t gpgkey.XXX)"
base64 -d <<<"$GPG_KEY" > "$gpgkey"
echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV
env:
GPG_KEY: '${{ secrets.GPG_KEY}}'
- name: "Write Windows Signing Cert"
run: |
cert="$(mktemp -t cert.XXX)"
base64 -d <<<"$CERT_CONTENTS" > "$cert"
echo "CERT_FILE=$cert" >> $GITHUB_ENV
env:
CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'
- name: Configure DigiCert Signing Variables
shell: bash
run: |
# CertLocker Authentication Certifiate
CERT_PATH="$(mktemp -t cert.XXX)"
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH}
echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
# CertLocker API Key & Host
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
# DigiCert CertLocker Code Signing Certificate
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV"
# - name: Install jSign (Windows Signing Tool) -- Required for public runners
# run: |
# curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
# sudo dpkg -i ./jsign_5.0_all.deb
- name: Install Quill for Mac Signing and Notarization
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
/tmp/quill help
- name: Log in to the Container registry
uses: docker/login-action@v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: latest
args: release --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
QUILL_SIGN_PASSWORD: ''
QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
- name: Check RPMs
run: |
rpm -qpi dist/*.rpm
- name: Output Quill Logs
if: ${{ failure() }}
run: |
for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do
echo "=== $f ==="
ls -l $f
cat $f
done
- name: Publish Release to releases.mondoo.com
if: ${{ ! inputs.skip-publish }}
uses: peter-evans/repository-dispatch@v2
with:
token: ${{ secrets.RELEASR_ACTION_TOKEN }}
repository: "mondoohq/releasr"
event-type: publish-release
client-payload: '{
"repository": "${{ github.event.repository.name }}",
"version": "${{ github.ref_name }}"
}'
- name: Cleanup
if: always()
run:
rm -f ${CERT_PATH}