Use Goreleaser, and publish arm64

Signed-off-by: peterdeme <[email protected]>
spacelift-io · Nov 25, 2023 · 52da9f0 · 52da9f0
1 parent 8d8dd75
commit 52da9f0
Show file tree

Hide file tree

Showing 7 changed files with 123 additions and 155 deletions.
diff --git a/.github/workflows/build-binary.yml b/.github/workflows/build-binary.yml
@@ -2,31 +2,33 @@ name: Build Binary
 
 on: { push: { branches-ignore: [main, production] } }
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
-  preprod-agent-deployment:
-    name: Build and upload agent
+  build-binary:
+    name: Build binary
     runs-on: ubuntu-latest
     container: golang:1.20
 
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
-
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot
         env:
           BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
diff --git a/.github/workflows/preprod-deployment.yml b/.github/workflows/preprod-deployment.yml
@@ -1,20 +1,16 @@
 name: Preprod deployment
 
-on:
-  push: 
-    branches:
-      - main
+on: [push]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
   preprod-agent-deployment:
     name: Build and upload agent
     runs-on: ubuntu-latest
-    outputs:
-      deployment_id: ${{ steps.deployment.outputs.deployment_id }}
     container: golang:1.20
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
     permissions:
       id-token: write
       contents: read
@@ -24,34 +20,30 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
-      - uses: chrnorm/deployment-action@releases/v1
-        name: Create GitHub deployment
-        if: ${{ github.ref == 'refs/heads/main' }}
-        id: deployment
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          environment: preprod/vcs-agent
-
-      - name: parse short SHA
+      - name: Parse short SHA
         id: vars
-        run: |
-          echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
+        run: echo "sha=$(git rev-parse --short=8 ${{ github.sha }})" >> $GITHUB_OUTPUT
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Fake tag for GoReleaser
+        if: ${{ github.ref == 'refs/heads/main' }}
+        run: git tag -a v0.0.0
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot=${{ github.ref != 'refs/heads/main' }}
         env:
           BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
       - name: Install dependencies
         run: |
           apt-get update -y
-          apt-get install -y awscli zip
+          apt-get install -y awscli
 
       - name: Import the PGP key
         run: |
@@ -66,69 +58,48 @@ jobs:
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
       - name: Sign Spacelift VCS Agent Binary
-        run: ./scripts/sign.sh $BIN_DIR $BASE_NAME
+        run: |
+          chmod 755 ./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent
+          ./scripts/sign.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
+          ./scripts/verify.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
+
+          chmod 755 ./dist/vcs-agent_linux_arm64/spacelift-vcs-agent
+          ./scripts/sign.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
+          ./scripts/verify.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
         env:
           GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          SHORT_SHA: ${{ steps.vars.outputs.sha }}
-
-      - name: Verify Checksum Spacelift VCS Agent Binary
-        run: ./scripts/verify.sh $BIN_DIR $BASE_NAME
-        env:
-          SHORT_SHA: ${{ steps.vars.outputs.sha }}
-
-      - name: Upload the VCS Agent binary
-        uses: actions/upload-artifact@v3
-        with:
-          name: vcs-agent-binary
-          path: build/
-          retention-days: 1
-
-      - name: Update deployment status (failure)
-        uses: chrnorm/deployment-status@releases/v1
-        if: failure() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "failure"
-          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
-
-  publish-preprod-agent-deployment:
-    name: Upload VCS agent binary and container image
-    needs: ["preprod-agent-deployment"]
-    runs-on: ubuntu-latest
-
-    env:
-      BIN_DIR: build
-    permissions:
-      id-token: write
-      contents: read
-      deployments: write
-
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v4
-
-      - name: Download the VCS Agent binary
-        uses: actions/download-artifact@v3
-        with:
-          name: vcs-agent-binary
-          path: ./build
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
-        if: ${{ github.ref == 'refs/heads/main' }}
         with:
           aws-region: eu-west-1
           role-to-assume: ${{ secrets.PREPROD_AWS_ROLE_TO_ASSUME }}
           role-duration-seconds: 900
 
-      - name: Upload the VCS Agent binary to downloads.spacelift.dev
-        if: ${{ github.ref == 'refs/heads/main' }}
+      - name: Put the binaries to the right place
+        run: |
+          mkdir -p build
+          cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent build/spacelift-vcs-agent
+          cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent_SHA256SUMS
+          cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent_SHA256SUMS.sig
+
+          cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent build/spacelift-vcs-agent-amd64
+          cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent-amd64_SHA256SUMS
+          cp dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent-amd64_SHA256SUMS.sig
+
+          cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent build/spacelift-vcs-agent-aarch64
+          cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS build/spacelift-vcs-agent-aarch64_SHA256SUMS
+          cp dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS.sig build/spacelift-vcs-agent-aarch64_SHA256SUMS.sig
+
+          # In case you're interested:
+          ls -l build
+
+      - name: Upload the VCS Agent binaries to downloads.spacelift.dev
         run: >-
           aws s3 sync
-          ${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/
-          --no-progress
+          build/ s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}
+          --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
 
       - name: Invalidate downloads.spacelift.dev cache
         if: ${{ github.ref == 'refs/heads/main' }}
@@ -141,36 +112,18 @@ jobs:
         if: ${{ github.ref == 'refs/heads/main' }}
         run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
 
-    # This will be needed in the future for adding multi architecture build support
-    #  - name: Set up QEMU
-    #    uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64
+
       - name: Build and push the image
         uses: docker/build-push-action@v5
         with:
-          context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.ref == 'refs/heads/main' }}
           tags: |
             ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest
-
-      - name: Update deployment status (success)
-        uses: chrnorm/deployment-status@releases/v1        
-        if: success() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "success"
-          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
-
-      - name: Update deployment status (failure)
-        uses: chrnorm/deployment-status@releases/v1
-        if: failure() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "failure"
-          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
diff --git a/.github/workflows/prod-deployment.yml b/.github/workflows/prod-deployment.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - uses: chrnorm/deployment-action@releases/v1

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -13,75 +13,68 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
 
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with: { fetch-depth: 0 }
 
-      - name: Set up Go
+      - name: Mark source directory as safe.
+        run: git config --global --add safe.directory $GITHUB_WORKSPACE
+
+      - name: Setup Go
         uses: actions/setup-go@v4
-        with: { go-version: 1.18 }
+        with: { go-version: "1.20" }
 
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot
         env:
           BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
-      - name: Archive artifacts for use in Docker build
-        uses: actions/upload-artifact@v3
-        with:
-          name: build
-          path: |
-            build
-
-  analyze:
-    name: Analyze with Trivy
-    needs: build
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Download build artifacts
-        uses: actions/download-artifact@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
         with:
-          name: build
-          path: build
+          platforms: "linux/amd64,linux/arm64"
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Build Docker image
+        run: |
+          docker build --platform linux/amd64 -t spacelift-vcs-agent:${{ github.sha }}-amd64 .
+          docker build --platform linux/arm64 -t spacelift-vcs-agent:${{ github.sha }}-arm64 .
 
-      - name: Build and push the image
-        uses: docker/build-push-action@v5
+      - name: Run Trivy vulnerability scanner (amd64)
+        uses: aquasecurity/trivy-action@master
         with:
-          context: .
-          push: false
-          load: true
-          tags: "spacelift-vcs-agent:${{ github.sha }}"
+          image-ref: "spacelift-vcs-agent:${{ github.sha }}-amd64"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results-amd64.sarif"
+          severity: "CRITICAL,HIGH"
 
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy vulnerability scanner (arm64)
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "spacelift-vcs-agent:${{ github.sha }}"
+          image-ref: "spacelift-vcs-agent:${{ github.sha }}-arm64"
           format: "template"
           template: "@/contrib/sarif.tpl"
-          output: "trivy-results.sarif"
+          output: "trivy-results-arm64.sarif"
           severity: "CRITICAL,HIGH"
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Trivy scan results to GitHub Security tab (amd64)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results-amd64.sarif"
+          category: "Trivy (amd64)"
+
+      - name: Upload Trivy scan results to GitHub Security tab (arm64)
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: "trivy-results.sarif"
-          category: "Trivy"
+          sarif_file: "trivy-results-arm64.sarif"
+          category: "Trivy (arm64)"
diff --git a/.gitignore b/.gitignore
@@ -20,3 +20,5 @@
 
 # Binary
 cmd/spacelift-vcs-agent/spacelift-vcs-agent
+
+dist/
Original file line number	Diff line number	Diff line change
Expand Up		@@ -20,3 +20,5 @@

		# Binary
		cmd/spacelift-vcs-agent/spacelift-vcs-agent

		dist/