Use Goreleaser, and publish arm64

Signed-off-by: peterdeme <[email protected]>

.github/workflows/build-binary.yml

@@ -2,31 +2,33 @@ name: Build Binary
 
 on: { push: { branches-ignore: [main, production] } }
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
-  preprod-agent-deployment:
-    name: Build and upload agent
+  build-binary:
+    name: Build binary
     runs-on: ubuntu-latest
     container: golang:1.20
 
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
-
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot
         env:
           BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}

.github/workflows/preprod-deployment.yml

@@ -1,20 +1,16 @@
 name: Preprod deployment
 
-on:
-  push: 
-    branches:
-      - main
+on: [push]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
   preprod-agent-deployment:
     name: Build and upload agent
     runs-on: ubuntu-latest
-    outputs:
-      deployment_id: ${{ steps.deployment.outputs.deployment_id }}
     container: golang:1.20
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
     permissions:
       id-token: write
       contents: read
@@ -24,28 +20,21 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
-      - uses: chrnorm/deployment-action@releases/v1
-        name: Create GitHub deployment
-        if: ${{ github.ref == 'refs/heads/main' }}
-        id: deployment
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          environment: preprod/vcs-agent
-
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot=${{ github.ref != 'refs/heads/main' }}
         env:
           BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
       - name: Install dependencies
@@ -66,54 +55,17 @@ jobs:
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
       - name: Sign Spacelift VCS Agent Binary
-        run: ./scripts/sign.sh $BIN_DIR $BASE_NAME
+        run: |
+          chmod 755 ./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent
+          ./scripts/sign.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
+          ./scripts/verify.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
+
+          chmod 755 ./dist/vcs-agent_linux_arm64/spacelift-vcs-agent
+          ./scripts/sign.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
+          ./scripts/verify.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
         env:
           GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          SHORT_SHA: ${{ steps.vars.outputs.sha }}
-
-      - name: Verify Checksum Spacelift VCS Agent Binary
-        run: ./scripts/verify.sh $BIN_DIR $BASE_NAME
-        env:
-          SHORT_SHA: ${{ steps.vars.outputs.sha }}
-
-      - name: Upload the VCS Agent binary
-        uses: actions/upload-artifact@v3
-        with:
-          name: vcs-agent-binary
-          path: build/
-          retention-days: 1
-
-      - name: Update deployment status (failure)
-        uses: chrnorm/deployment-status@releases/v1
-        if: failure() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "failure"
-          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
-
-  publish-preprod-agent-deployment:
-    name: Upload VCS agent binary and container image
-    needs: ["preprod-agent-deployment"]
-    runs-on: ubuntu-latest
-
-    env:
-      BIN_DIR: build
-    permissions:
-      id-token: write
-      contents: read
-      deployments: write
-
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v4
-
-      - name: Download the VCS Agent binary
-        uses: actions/download-artifact@v3
-        with:
-          name: vcs-agent-binary
-          path: ./build
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -124,11 +76,54 @@ jobs:
           role-duration-seconds: 900
 
       - name: Upload the VCS Agent binary to downloads.spacelift.dev
-        if: ${{ github.ref == 'refs/heads/main' }}
         run: >-
+          ######## AMD 64 old path ######## 
+
+          aws s3 sync
+          dist/vcs-agent_linux_amd64_v1/*
+          s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}
+          --no-progress
+          ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          ######## AMD 64 new path ######## 
+
+          aws s3 sync
+          dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent
+          s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64
+          --no-progress
+          ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          aws s3 sync
+          dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS
+          s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64_SHA256SUMS
+          --no-progress
+          ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          aws s3 sync
+          dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig
+          s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64_SHA256SUMS.sig
+          --no-progress
+          ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          ######## ARM 64 new path ######## 
+
           aws s3 sync
-          ${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/
+          dist/vcs-agent_linux_arm64/spacelift-vcs-agent
+          s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64
           --no-progress
+          ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          aws s3 sync
+          dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS
+          s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS
+          --no-progress
+          ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          aws s3 sync
+          dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS.sig
+          s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS.sig
+          --no-progress
+          ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
 
       - name: Invalidate downloads.spacelift.dev cache
         if: ${{ github.ref == 'refs/heads/main' }}
@@ -141,36 +136,16 @@ jobs:
         if: ${{ github.ref == 'refs/heads/main' }}
         run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
 
-    # This will be needed in the future for adding multi architecture build support
-    #  - name: Set up QEMU
-    #    uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Build and push the image
         uses: docker/build-push-action@v5
         with:
-          context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.ref == 'refs/heads/main' }}
           tags: |
             ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest
-
-      - name: Update deployment status (success)
-        uses: chrnorm/deployment-status@releases/v1        
-        if: success() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "success"
-          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
-
-      - name: Update deployment status (failure)
-        uses: chrnorm/deployment-status@releases/v1
-        if: failure() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "failure"
-          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}

.github/workflows/prod-deployment.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - uses: chrnorm/deployment-action@releases/v1

.github/workflows/trivy.yml

@@ -12,61 +12,36 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
-
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
+    container: golang:1.20
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with: { fetch-depth: 0 }
 
-      - name: Set up Go
-        uses: actions/setup-go@v4
-        with: { go-version: 1.18 }
+      - name: Mark source directory as safe.
+        run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot
         env:
           BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
-      - name: Archive artifacts for use in Docker build
-        uses: actions/upload-artifact@v3
-        with:
-          name: build
-          path: |
-            build
-
-  analyze:
-    name: Analyze with Trivy
-    needs: build
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Download build artifacts
-        uses: actions/download-artifact@v3
-        with:
-          name: build
-          path: build
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build and push the image
+      - name: Build the image
         uses: docker/build-push-action@v5
         with:
-          context: .
           push: false
           load: true
           tags: "spacelift-vcs-agent:${{ github.sha }}"

.gitignore

@@ -20,3 +20,5 @@
 
 # Binary
 cmd/spacelift-vcs-agent/spacelift-vcs-agent
+
+dist/

.goreleaser.yaml

@@ -0,0 +1,17 @@
+builds:
+  - main: ./cmd/spacelift-vcs-agent
+    binary: spacelift-vcs-agent
+    env: [CGO_ENABLED=0]
+    goos: [linux]
+    goarch: [amd64, arm64]
+    flags: [-trimpath]
+    tags: [netgo]
+    ldflags:
+      - "-s -w -extldflags '-static' -X main.VERSION={{.Env.SHORT_SHA}} -X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}"
+
+changelog:
+  skip: true
+
+archives:
+  # This disables the archive step entirely
+  - format: binary

Dockerfile

@@ -1,11 +1,12 @@
 FROM alpine:3.18
 
+ARG TARGETARCH
 
 RUN apk add --no-cache ca-certificates
 RUN apk upgrade --update-cache --available
 RUN adduser --disabled-password --no-create-home --uid=1983 spacelift
 
-COPY build/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent
+COPY dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent
 
 RUN chmod +x /usr/bin/spacelift-vcs-agent