-
Notifications
You must be signed in to change notification settings - Fork 23
171 lines (151 loc) · 6.03 KB
/
goreleaser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
name: goreleaser
on:
push:
tags:
- '*'
workflow_dispatch:
inputs:
skip-publish:
description: 'Skip publishing to releases.mondoo.com?'
type: boolean
required: false
default: false
env:
REGISTRY: docker.io
jobs:
goreleaser:
permissions:
# Add "contents" to write release
contents: 'write'
# Add "id-token" for google-github-actions/auth
id-token: 'write'
runs-on: self-hosted
timeout-minutes: 120
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Skip Publish for Alpha and Beta Tags
id: skip-publish
if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == 'true'
run: |
echo "Skipping publish for alpha and beta tags"
echo "skip-publish=true" >> $GITHUB_OUTPUT
echo "skip-publish=true" >> $GITHUB_ENV
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: ">=1.21.0"
cache: false
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v1'
with:
workload_identity_provider: ${{ secrets.GCP_WIP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- id: 'gcp_secrets'
uses: 'google-github-actions/get-secretmanager-secrets@v1'
with:
secrets: |-
code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge
- name: "Write RPM Signing Cert"
run: |
gpgkey="$(mktemp -t gpgkey.XXX)"
base64 -d <<<"$GPG_KEY" > "$gpgkey"
echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV
env:
GPG_KEY: '${{ secrets.GPG_KEY}}'
- name: "Write Windows Signing Cert"
run: |
cert="$(mktemp -t cert.XXX)"
base64 -d <<<"$CERT_CONTENTS" > "$cert"
echo "CERT_FILE=$cert" >> $GITHUB_ENV
env:
CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'
- name: Configure DigiCert Signing Variables
shell: bash
run: |
# CertLocker Authentication Certifiate
CERT_PATH="$(mktemp -t cert.XXX)"
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH}
echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
# CertLocker API Key & Host
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
# DigiCert CertLocker Code Signing Certificate
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV"
# - name: Install jSign (Windows Signing Tool) -- Required for public runners
# run: |
# curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
# sudo dpkg -i ./jsign_5.0_all.deb
- name: Install Quill for Mac Signing and Notarization
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
/tmp/quill help
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Run GoReleaser (w/ Docker Release)
if: ${{ ! steps.skip-publish.outputs.skip-publish }}
uses: goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: latest
args: release --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
QUILL_SIGN_PASSWORD: ''
QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
- name: Run GoReleaser (w/o Docker Release)
if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
uses: goreleaser/goreleaser-action@v4
with:
distribution: goreleaser
version: latest
args: release --clean --timeout 120m --skip-docker
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
QUILL_SIGN_PASSWORD: ''
QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
- name: Check RPMs
run: |
rpm -qpi dist/*.rpm
- name: Output Quill Logs
if: ${{ failure() }}
run: |
for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do
echo "=== $f ==="
ls -l $f
cat $f
done
- name: Publish Release to releases.mondoo.com
if: ${{ ! steps.skip-publish.outputs.skip-publish }}
uses: peter-evans/repository-dispatch@v2
with:
token: ${{ secrets.RELEASR_ACTION_TOKEN }}
repository: "mondoohq/releasr"
event-type: publish-release
client-payload: '{
"repository": "${{ github.event.repository.name }}",
"version": "${{ github.ref_name }}"
}'
- name: Cleanup
if: always()
run:
rm -f ${CERT_PATH}